Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] CAT admin login through social networks

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] CAT admin login through social networks


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Hadlow, Tim" <Tim.Hadlow AT bl.uk>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] CAT admin login through social networks
  • Date: Fri, 29 Apr 2016 12:41:47 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Using the 'Check realm reachability' feature and Live login tests with the
> 'Real (inner) username' and password completed with valid credentials and
> the ' Anonymous outer ID (optional)' left blank the test apparently
> succeeds and the NPS logs show PEAP in phase 1 and 'Microsoft: Secured
> password (EAP-MSCHAP v2)' in phase 2. The test does note that we are using
> a wildcard server certificate and "This can be problematic on some
> supplicants" so I did a bit more Googling and found a reference stating
> "The downside of wildcard certificate is that they are not currently
> supported by Microsoft Windows 802.1X supplicants", I haven't yet been able
> to verify that but it would fit with your idea that it is actually the
> phase 1 server certificate validation that is the problem. I'll try to get
> the server manager to replace the certificate and have another go then.

Ah, yes, that is a known problem for Windows 8+ (I haven't verified it
for Winodws 10 yet though; does Windows 10 work for you in this setup?).
We have recorded this as a possible pitfall under

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

(Consideration 2, server name, third item)

We can update it with Windows 10 if that one also has this problem.

Greetings,

Stefan Winter

>
> Thanks,
>
> Tim
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
> Sent: 29 April 2016 10:03
> To: Hadlow, Tim;
> 'cat-users AT lists.geant.org'
> Subject: Re: [[cat-users]] CAT admin login through social networks
>
> Hi,
>
>> Using a CAT installer eduroam profile for Windows 8 against our ORPS
>> authentication fails. Our ORPS is Microsoft NPS so local
>> authentications require what on Android is described as “EAP method:
>> PEAP” and “Phase 2
>> authentication: MSCHAPV2”. When successful authentications go through
>> they how in the event logs as “Authentication Type: PEAP” and “EAP Type:
>> Microsoft Secured Password (EAP-MSCHAP v2)”
>>
>> Using CAT with the profile setting “Supported EAP types for this
>> profile” set to only “PEAP-MSCHAPv2”, the Windows 8 and Windows 10
>> installers it generated run quite happily but eduroam connections fail
>> with the NPS event log messages showing “Authentication Type: PEAP”
>> and “EAP Type: - ”, i.e. the Phase 2 authentication method appears not
>> to be being configured.
>>
>> Can anyone who uses or knows about NPS offer guidance or suggestions
>> on the CAT configuration of a profile to work with a Microsoft NPS
>> Radius server?
>
> I am by no means a NPS user, for from it. But I think I recall something on
> the list in that direction.
>
> I believe the trick is to understand that the log message is quite
> misleadingly formulated: the "EAP Type: - " does not mean that a second
> phase is not configured; it's rather that the EAP conversation never
> proceeded to phase 2, so EAP didn't take place at all.
>
> And that would mean the authentication attempt was aborted in phase 1 -
> which is server certificate validation and TLS tunnel setup.
>
> Did you run the "Check realm reachability" with a valid outer ID yet
> (Profile -> Realm and Profile -> anonymous outer ID set)? It would fetch
> the server certificate and tell you if there's something odd in the
> certificate; that would be the most likely reason for failures at that
> stage.
>
> Or, I'm completely wrong and am sending you onto the wrong track :-)
>
> Greetings,
>
> Stefan
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>
> ******************************************************************************************************************
> Experience the British Library online at www.bl.uk<http://www.bl.uk/>
> The British Library’s latest Annual Report and Accounts :
> www.bl.uk/aboutus/annrep/index.html<http://www.bl.uk/aboutus/annrep/index.html>
> Help the British Library conserve the world's knowledge. Adopt a Book.
> www.bl.uk/adoptabook<http://www.bl.uk/adoptabook>
> The Library's St Pancras site is WiFi - enabled
> *****************************************************************************************************************
> The information contained in this e-mail is confidential and may be legally
> privileged. It is intended for the addressee(s) only. If you are not the
> intended recipient, please delete this e-mail and notify the
> postmaster AT bl.uk<mailto:postmaster AT bl.uk>
> : The contents of this e-mail must not be disclosed or copied without the
> sender's consent.
> The statements and opinions expressed in this message are those of the
> author and do not necessarily reflect those of the British Library. The
> British Library does not take any responsibility for the views of the
> author.
> *****************************************************************************************************************
> Think before you print
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page