Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Custom EAP Settings for Windows 7/10 CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Custom EAP Settings for Windows 7/10 CAT


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Aaron Wyatt <wyattaa AT bc.edu>
  • Cc: Tomasz Wolniewicz <twoln AT umk.pl>, Aaron Wyatt <aaron.wyatt AT bc.edu>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Custom EAP Settings for Windows 7/10 CAT
  • Date: Wed, 1 Feb 2017 14:20:02 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

happy to do some in-depth troubleshooting offline. From what you write
below, maybe you've already hit the spot already. From our EAP server
certificate recommendations page
(https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations):

"Subject/CN == SubjectAltName:DNS

Some supplicants only consult the CN when checking the name of an
incoming server certificate (Windows 8 with PEAP); some check either of
the two; some new EAP types such as TEAP, and Linux clients configured
by CAT 1.1.2+ will only check SubjectAltName:DNS. Keeping the desired
name in both fields in sync is a safe bet for futureproofness.

Only use one CN. If you have multiple RADIUS servers, either use the
same certificate for all of them (there is no need for the name to match
the DNS name of the machine it is running on), or generate multiple
certificates, each with one CN/subjectAltName:DNS pair."

What I do not understand though is why the "Check realm reachability"
tests did not bark then. We specifically check for name discrepancies
and display a corresponding warning...

Greetings,

Stefan Winter

Am 01.02.2017 um 13:59 schrieb Aaron Wyatt:
> Alan, Stefan-- thanks for your explanations.
>
> So if I'm not getting any errors from the CAT config test, do you know how
> I might go about troubleshooting this?
>
> Could it be that we have multiple RADIUS servers that may be responding?
> The RADIUS cert we use contains the SAN dns name of each server's fqdn, but
> could this cause "confusion" on the part of the supplicant?
>
> Aaron
>
>> On Feb 1, 2017, at 07:06, Stefan Winter
>> <stefan.winter AT restena.lu>
>> wrote:
>>
>> Hi,
>>
>>> I'm confused, how can you expect your client supplicants to trust a
>>> RADIUS server they know nothing about?
>>
>> It is the main purpose of the installer to provision the trust settings
>> in the device.
>>
>> So, the device certainly doesn't "know nothing about" the server - by
>> the time the installer has run, all is set.
>>
>> Stefan
>>
>>>
>>> Aaron
>>>
>>> On Jan 31, 2017, at 15:22, Tomasz Wolniewicz
>>> <twoln AT umk.pl
>>> <mailto:twoln AT umk.pl>>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> the option you are mentioning is absolutely crucial for security. I
>>>> understand that with this option disabled, your users are warned about
>>>> unexpected authentication server and you expect them to override this
>>>> warning. This opens the possibility of stealing users' credentials
>>>> trough fake eduroam networks.
>>>>
>>>> There must be a discrepancy between your CAT settings and your server
>>>> settings. I suggest that you use the CAT testing facility "Check realm
>>>> reachability" this will run a connection test and should show all
>>>> possible errors.
>>>>
>>>> Cheers
>>>>
>>>> Tomasz
>>>>
>>>>
>>>>
>>>> W dniu 31.01.2017 o 20:58, Aaron Wyatt pisze:
>>>>> Hello fellow CAT users-
>>>>>
>>>>> I was wondering if anyone can clarify: Is there a way to specify
>>>>> custom PEAP-MSCHAPv2 configuration settings for the auto-generated
>>>>> Windows CAT config? Specifically I'm interested in changing the
>>>>> DisableUserPromptForServerValidation option. In my testing with
>>>>> Windows 10 this must be set to false in order for users to get on the
>>>>> network.
>>>>>
>>>>> Aaron
>>>>>
>>>>> _________________________
>>>>> Aaron Wyatt
>>>>> Collaborative Services
>>>>> Boston College IT Services
>>>>> aaron.wyatt AT bc.edu
>>>>>
>>>>> <mailto:aaron.wyatt AT bc.edu>
>>>>> 617.552.1278
>>>>> _________________________
>>>>> To unsubscribe, send this message:
>>>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>>>> Or use the following link:
>>>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>>>
>>>> --
>>>> Tomasz Wolniewicz
>>>>
>>>> twoln AT umk.pl
>>>> http://www.home.umk.pl/~twoln
>>>>
>>>> Uczelniane Centrum Informatyczne Information&Communication
>>>> Technology Centre
>>>> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
>>>> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
>>>> tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.:
>>>> +48-693-032-576
>>> To unsubscribe, send this message:
>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>> Or use the following link:
>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>> de la Recherche
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>> <0x8A39DC66.asc>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page