
cat-users - Re: [[cat-users]] CAT admin login through social networks

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] CAT admin login through social networks


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Hadlow, Tim" <Tim.Hadlow AT bl.uk>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] CAT admin login through social networks
  • Date: Fri, 29 Apr 2016 12:41:47 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Using the 'Check realm reachability' feature and Live login tests with the
> 'Real (inner) username' and password completed with valid credentials and
> the ' Anonymous outer ID (optional)' left blank the test apparently
> succeeds and the NPS logs show PEAP in phase 1 and 'Microsoft: Secured
> password (EAP-MSCHAP v2)' in phase 2. The test does note that we are using
> a wildcard server certificate and "This can be problematic on some
> supplicants" so I did a bit more Googling and found a reference stating
> "The downside of wildcard certificate is that they are not currently
> supported by Microsoft Windows 802.1X supplicants", I haven't yet been able
> to verify that but it would fit with your idea that it is actually the
> phase 1 server certificate validation that is the problem. I'll try to get
> the server manager to replace the certificate and have another go then.

Ah, yes, that is a known problem for Windows 8+ (I haven't verified it
for Windows 10 yet though; does Windows 10 work for you in this setup?).
We have recorded this as a possible pitfall under

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

(Consideration 2, server name, third item)

We can update it with Windows 10 if that one also has this problem.

Greetings,

Stefan Winter

>
> Thanks,
>
> Tim
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: 29 April 2016 10:03
> To: Hadlow, Tim; 'cat-users AT lists.geant.org'
> Subject: Re: [[cat-users]] CAT admin login through social networks
>
> Hi,
>
>> Using a CAT installer eduroam profile for Windows 8 against our ORPS
>> authentication fails. Our ORPS is Microsoft NPS so local
>> authentications require what on Android is described as “EAP method:
>> PEAP” and “Phase 2 authentication: MSCHAPV2”. When successful
>> authentications go through they show in the event logs as
>> “Authentication Type: PEAP” and “EAP Type: Microsoft Secured Password
>> (EAP-MSCHAP v2)”
>>
>> Using CAT with the profile setting “Supported EAP types for this
>> profile” set to only “PEAP-MSCHAPv2”, the Windows 8 and Windows 10
>> installers it generated run quite happily but eduroam connections fail
>> with the NPS event log messages showing “Authentication Type: PEAP”
>> and “EAP Type: - ”, i.e. the Phase 2 authentication method appears not
>> to be being configured.
>>
>> Can anyone who uses or knows about NPS offer guidance or suggestions
>> on the CAT configuration of a profile to work with a Microsoft NPS
>> Radius server?
>
> I am by no means an NPS user, far from it. But I think I recall something on
> the list in that direction.
>
> I believe the trick is to understand that the log message is quite
> misleadingly formulated: the "EAP Type: - " does not mean that a second
> phase is not configured; it's rather that the EAP conversation never
> proceeded to phase 2, so EAP didn't take place at all.
>
> And that would mean the authentication attempt was aborted in phase 1 -
> which is server certificate validation and TLS tunnel setup.
>
> Did you run the "Check realm reachability" with a valid outer ID yet
> (Profile -> Realm and Profile -> anonymous outer ID set)? It would fetch
> the server certificate and tell you if there's something odd in the
> certificate; that would be the most likely reason for failures at that
> stage.
>
> Or, I'm completely wrong and am sending you onto the wrong track :-)
>
> Greetings,
>
> Stefan
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
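
The log reading discussed in this thread (PEAP with "EAP Type: -" means the attempt ended in phase 1, before any inner method ran), written out as a small triage script. This is an added example, not part of the original mails and not CAT or NPS code; the record layout, the "User" label and the sample values are constructed assumptions, and only the labels "Authentication Type" and "EAP Type" come from the thread.

```python
from collections import Counter

# Constructed sample records, not real NPS output. Only the field labels
# "Authentication Type" and "EAP Type" come from the thread; the "User" label
# and the blank-line record separator are assumptions made for this example.
SAMPLE_EVENTS = """\
User: alice@example.org
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

User: bob@example.org
Authentication Type: PEAP
EAP Type: -

User: bob@example.org
Authentication Type: PEAP
EAP Type: -
"""


def parse_events(text):
    """Turn blank-line separated 'Label: value' records into dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            label, sep, value = line.partition(":")
            if sep:
                fields[label.strip()] = value.strip()
        events.append(fields)
    return events


def classify(event):
    """Say how far a PEAP attempt got, following the reading in the thread."""
    if event.get("Authentication Type") != "PEAP":
        return "not-peap"
    # "-" (or nothing) means the inner EAP method never started: the attempt
    # ended in phase 1, i.e. server certificate validation / TLS tunnel setup.
    if event.get("EAP Type", "-") in ("", "-"):
        return "phase1-abort"
    return "phase2-reached"


def phase1_aborts_by_user(events):
    """Count phase 1 aborts per user to spot clients that never get a tunnel."""
    return Counter(e.get("User", "?") for e in events
                   if classify(e) == "phase1-abort")


if __name__ == "__main__":
    for user, n in phase1_aborts_by_user(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: {n} attempt(s) aborted before phase 2; check the server certificate")
```

Users that only ever show up as phase 1 aborts point at the server certificate or trust settings rather than at the configured inner EAP method.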



