
cat-users - Re: [[cat-users]] CAT 1.1.3 Release - Windows 7 Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] CAT 1.1.3 Release - Windows 7 Issues

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Mike Rindom <mrindom AT ruc.dk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: net@ruc dk <net AT ruc.dk>
  • Subject: Re: [[cat-users]] CAT 1.1.3 Release - Windows 7 Issues
  • Date: Fri, 30 Sep 2016 15:41:07 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello Mike,

> We have used Eduroam CAT for many years at Roskilde University. We are
> using Eduroam as our default Wireless LAN.
>
> We now have an issue with the CAT tool. We have downloaded CAT 1.1.3 and
> installed it on Windows 7. We have looked in the event monitor, and are
> getting an error. (see attachment)
>
> (We have skipped the first four lines in the eventlog)

Thanks for the error log, this is really helpful.

Version 1.1.3 enabled support for TTLS-PAP and TTLS-MSCHAPv2 with the
new GEANTlink supplicant.

Your profile has support for TTLS-MSCHAPv2 and PEAP, with a preference
for TTLS-MSCHAPv2. So from now on, you get a TTLS-MSCHAPv2 GEANTlink
installer.

Up until 1.1.3, TTLS-MSCHAPv2 was not an option and you were served with
the PEAP installers (which apparently worked).

For an immediate workaround, you could edit your profile preferences and
make PEAP preferred over TTLS-MSCHAPv2 and you should get a working
installer back (which would then not include the GEANTlink software).

As to why GEANTlink produced the error message: your self-signed
certificate is malformed. Many supplicants ignore the subtle
malformedness and take the certificate as a trust anchor == server
certificate as-is; the current version of GEANTlink does a more strict
certificate check and does not let your cert pass.

The issue is that your certificate is not a valid trust anchor: it marks
basicConstraints = CA:TRUE but it does not mark the extension as
critical (which is required by RFC).

We are working on a new version of GEANTlink which is slightly more
gentle in that it will accept the server certificate if that certificate
is bitwise identical to the configured trust root, disregarding
anomalies in that "trust root".

This will make more self-signed certificates work; even if the root
cause is that those certs are not in the shape they should be. It is
what all other supplicants seem to be doing anyway.

As the weekend is coming up, please bear with us that this will take a
few days. Please do make use of the workaround above in the meantime if
time is pressing.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
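The point Stefan makes above (basicConstraints CA:TRUE present but not marked critical, so the certificate is not a valid trust anchor under RFC 5280 section 4.2.1.9) can be checked mechanically. The following is an added example written for this archive page; it is not code from the cat-users thread, from CAT or from GEANTlink. It uses only the Python standard library: a minimal DER encoder builds two constructed Extensions blobs inline (one well-formed, one shaped like the malformed certificate described in the mail), and a minimal DER walker locates the basicConstraints extension (OID 2.5.29.19) and reports whether the cA flag is set and whether the extension is critical. The walker handles only definite-length DER and is meant to illustrate the structure, not to replace a real X.509 parser.

```python
"""Check whether a certificate's basicConstraints extension is marked critical.

Added example: a tiny DER encoder/walker over the X.509 Extensions structure
(Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }). Sample inputs are constructed below, not taken
from any real certificate.
"""

BASIC_CONSTRAINTS_OID = "2.5.29.19"


def _der_len(n):
    # Definite-length encoding: short form below 0x80, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def encode_basic_constraints(ca, critical):
    """Encode one basicConstraints Extension; DER omits DEFAULT FALSE fields."""
    bc = der(0x30, der(0x01, b"\xff") if ca else b"")  # BasicConstraints SEQUENCE { cA }
    fields = der_oid(BASIC_CONSTRAINTS_OID)
    if critical:
        fields += der(0x01, b"\xff")  # critical BOOLEAN TRUE
    fields += der(0x04, bc)  # extnValue OCTET STRING wrapping the inner SEQUENCE
    return der(0x30, fields)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos (definite lengths only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    parts = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_extension(ext_der):
    """Return (oid, critical, extnValue) for a single DER Extension."""
    tag, body, _ = _read_tlv(ext_der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid_bytes, pos = _read_tlv(body, 0)
    oid = decode_oid(oid_bytes)
    critical = False
    tag, content, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional critical BOOLEAN is present
        critical = content == b"\xff"
        tag, content, pos = _read_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    return oid, critical, content


def parse_extensions(exts_der):
    """Walk Extensions ::= SEQUENCE OF Extension and return [(oid, critical, value)]."""
    tag, body, _ = _read_tlv(exts_der, 0)
    out, pos = [], 0
    while pos < len(body):
        start = pos
        _, _, pos = _read_tlv(body, pos)
        out.append(parse_extension(body[start:pos]))
    return out


def basic_constraints_status(exts_der):
    """Return (cA, critical) for the basicConstraints extension, or None if absent."""
    for oid, critical, value in parse_extensions(exts_der):
        if oid == BASIC_CONSTRAINTS_OID:
            _, bc_body, _ = _read_tlv(value, 0)
            ca = len(bc_body) >= 3 and bc_body[0] == 0x01 and bc_body[2] == 0xFF
            return ca, critical
    return None


def trust_anchor_problems(exts_der):
    """List RFC 5280 section 4.2.1.9 complaints; empty means acceptable as a CA cert."""
    status = basic_constraints_status(exts_der)
    if status is None:
        return ["basicConstraints extension absent: not a CA certificate"]
    ca, critical = status
    problems = []
    if not ca:
        problems.append("basicConstraints present but cA is FALSE")
    if ca and not critical:
        problems.append("basicConstraints CA:TRUE but extension not marked critical")
    return problems


# Constructed samples: the shape GEANTlink rejected, and the RFC-conformant shape.
MALFORMED = der(0x30, encode_basic_constraints(ca=True, critical=False))
WELL_FORMED = der(0x30, encode_basic_constraints(ca=True, critical=True))

if __name__ == "__main__":
    for name, blob in (("malformed", MALFORMED), ("well-formed", WELL_FORMED)):
        print(name, basic_constraints_status(blob), trust_anchor_problems(blob))
```

To run the same check against a real PEM file, extract the Extensions blob with a proper X.509 parser (or simply read "X509v3 Basic Constraints: critical" versus "X509v3 Basic Constraints:" in the output of openssl x509 -text); the walker above is only there to show which bytes the strict supplicant is looking at.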



