
cat-users - Re: [[cat-users]] Custom EAP Settings for Windows 7/10 CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Aaron Wyatt <wyattaa AT bc.edu>
  • Cc: Tomasz Wolniewicz <twoln AT umk.pl>, Aaron Wyatt <aaron.wyatt AT bc.edu>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Custom EAP Settings for Windows 7/10 CAT
  • Date: Wed, 1 Feb 2017 14:20:02 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

happy to do some in-depth troubleshooting offline. From what you write
below, maybe you've already hit the spot. From our EAP server
certificate recommendations page
(https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations):

"Subject/CN == SubjectAltName:DNS

Some supplicants only consult the CN when checking the name of an
incoming server certificate (Windows 8 with PEAP); some check either of
the two; some new EAP types such as TEAP, and Linux clients configured
by CAT 1.1.2+ will only check SubjectAltName:DNS. Keeping the desired
name in both fields in sync is a safe bet for futureproofness.

Only use one CN. If you have multiple RADIUS servers, either use the
same certificate for all of them (there is no need for the name to match
the DNS name of the machine it is running on), or generate multiple
certificates, each with one CN/subjectAltName:DNS pair."

What I do not understand though is why the "Check realm reachability"
tests did not bark then. We specifically check for name discrepancies
and display a corresponding warning...

Greetings,

Stefan Winter

On 01.02.2017 at 13:59, Aaron Wyatt wrote:
> Alan, Stefan-- thanks for your explanations.
>
> So if I'm not getting any errors from the CAT config test, do you know how
> I might go about troubleshooting this?
>
> Could it be that we have multiple RADIUS servers that may be responding?
> The RADIUS cert we use contains the SAN dns name of each server's fqdn, but
> could this cause "confusion" on the part of the supplicant?
>
> Aaron
>
>> On Feb 1, 2017, at 07:06, Stefan Winter
>> <stefan.winter AT restena.lu>
>> wrote:
>>
>> Hi,
>>
>>> I'm confused, how can you expect your client supplicants to trust a
>>> RADIUS server they know nothing about?
>>
>> It is the main purpose of the installer to provision the trust settings
>> in the device.
>>
>> So, the device certainly doesn't "know nothing about" the server - by
>> the time the installer has run, all is set.
>>
>> Stefan
>>
>>>
>>> Aaron
>>>
>>> On Jan 31, 2017, at 15:22, Tomasz Wolniewicz
>>> <twoln AT umk.pl
>>> <mailto:twoln AT umk.pl>>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> the option you are mentioning is absolutely crucial for security. I
>>>> understand that with this option disabled, your users are warned about
>>>> unexpected authentication server and you expect them to override this
>>>> warning. This opens the possibility of stealing users' credentials
>>>> through fake eduroam networks.
>>>>
>>>> There must be a discrepancy between your CAT settings and your server
>>>> settings. I suggest that you use the CAT testing facility "Check realm
>>>> reachability"; this will run a connection test and should show all
>>>> possible errors.
>>>>
>>>> Cheers
>>>>
>>>> Tomasz
>>>>
>>>>
>>>>
>>>> On 31.01.2017 at 20:58, Aaron Wyatt wrote:
>>>>> Hello fellow CAT users-
>>>>>
>>>>> I was wondering if anyone can clarify: Is there a way to specify
>>>>> custom PEAP-MSCHAPv2 configuration settings for the auto-generated
>>>>> Windows CAT config? Specifically I'm interested in changing the
>>>>> DisableUserPromptForServerValidation option. In my testing with
>>>>> Windows 10 this must be set to false in order for users to get on the
>>>>> network.
>>>>>
>>>>> Aaron
>>>>>
>>>>> _________________________
>>>>> Aaron Wyatt
>>>>> Collaborative Services
>>>>> Boston College IT Services
>>>>> aaron.wyatt AT bc.edu
>>>>> 617.552.1278
>>>>> _________________________
>>>>> To unsubscribe, send this message:
>>>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>>>> Or use the following link:
>>>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>>>
>>>> --
>>>> Tomasz Wolniewicz
>>>>
>>>> twoln AT umk.pl
>>>> http://www.home.umk.pl/~twoln
>>>>
>>>> Uczelniane Centrum Informatyczne / Information & Communication
>>>> Technology Centre
>>>> Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University,
>>>> pl. Rapackiego 1, Torun, Poland
>>>> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile:
>>>> +48-693-032-576
>>> To unsubscribe, send this message:
>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>> Or use the following link:
>>> https://lists.geant.org/sympa/sigrequest/cat-users


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
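As an added illustration of the CN/SubjectAltName rules quoted from the GEANT wiki in the message above (example code written for this archive page; it is not CAT's "Check realm reachability" test nor any code from the list members), the Go program below builds a self-signed server certificate with a chosen CN and SAN:DNS list and then applies the three rules to it: exactly one CN, the CN must be one of the names the installer configured on the supplicant, and the same name must also be present as SAN:DNS. Each finding names the supplicant family the thread says would reject the server (CN-only such as Windows 8 PEAP, SAN-only such as TEAP or Linux via CAT 1.1.2+). The function names `makeCert` and `checkServerCertNames`, the `radius1.example.edu`/`radius2.example.edu` hostnames and the case-insensitive exact name match are assumptions made for this example; the shared-certificate scenario in `main` is constructed to mirror the situation Aaron describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OID of the X.520 commonName attribute (2.5.4.3), used to count CNs in the Subject.
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

// NameCheck is the result of comparing a RADIUS server certificate against
// the server names the installer configured on the supplicant.
type NameCheck struct {
	CNCount  int      // number of CN attributes in the Subject
	CN       string   // the CN value (last one if several)
	DNSNames []string // subjectAltName:DNS entries
	Findings []string // human-readable problems; empty when OK
	OK       bool
}

// containsFold reports whether name is in list, compared case-insensitively.
// (Assumption: exact match only; real supplicants differ in wildcard handling.)
func containsFold(list []string, name string) bool {
	for _, s := range list {
		if strings.EqualFold(s, name) {
			return true
		}
	}
	return false
}

// checkServerCertNames applies the wiki rules: one CN, CN among the configured
// names, a SAN:DNS among the configured names, and CN repeated as SAN:DNS.
func checkServerCertNames(cert *x509.Certificate, configured []string) NameCheck {
	r := NameCheck{CN: cert.Subject.CommonName, DNSNames: cert.DNSNames}
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidCommonName) {
			r.CNCount++
		}
	}
	if r.CNCount != 1 {
		r.Findings = append(r.Findings, fmt.Sprintf("expected exactly one CN, found %d", r.CNCount))
	}
	cnOK := containsFold(configured, r.CN)
	sanOK := false
	for _, d := range r.DNSNames {
		if containsFold(configured, d) {
			sanOK = true
			break
		}
	}
	if !cnOK {
		r.Findings = append(r.Findings, fmt.Sprintf("CN %q is not a configured name; CN-only supplicants (e.g. Windows 8 PEAP) will reject the server", r.CN))
	}
	if !sanOK {
		r.Findings = append(r.Findings, "no subjectAltName:DNS matches a configured name; SAN-only supplicants (TEAP, Linux via CAT 1.1.2+) will reject the server")
	}
	if !containsFold(r.DNSNames, r.CN) {
		r.Findings = append(r.Findings, fmt.Sprintf("CN %q is not repeated as subjectAltName:DNS; keep both fields in sync", r.CN))
	}
	r.OK = len(r.Findings) == 0
	return r
}

// makeCert builds a throwaway self-signed certificate with the given CN and
// SAN:DNS names, so the check can run offline on constructed input.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed scenario: one certificate shared by two RADIUS servers, carrying
	// both FQDNs as SAN:DNS but only the first as CN, while the supplicant was
	// configured to expect the second server's name.
	cert, err := makeCert("radius1.example.edu", []string{"radius1.example.edu", "radius2.example.edu"})
	if err != nil {
		panic(err)
	}
	r := checkServerCertNames(cert, []string{"radius2.example.edu"})
	fmt.Printf("ok=%v\n", r.OK)
	for _, f := range r.Findings {
		fmt.Println(" -", f)
	}
}
```

Run with `go run main.go`; in the constructed scenario the program reports one finding, the CN mismatch that only CN-checking supplicants would trip over, which is the kind of discrepancy the thread expects the realm reachability test to surface.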



