cat-users - Re: [[cat-users]] Problems with Android Client after certificate update

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] Problems with Android Client after certificate update


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Daniele Albrizio <daniele AT albrizio.it>, Michele de Varda <michele.devarda AT unimi.it>
  • Cc: Claudio Lori <claudio.lori AT unimi.it>, cat-users AT geant.net
  • Subject: Re: [[cat-users]] Problems with Android Client after certificate update
  • Date: Tue, 14 Feb 2017 09:02:39 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

> Android without CAT connects to Eduroam no matter which certificates
> the Radius server presents, and this is very insecure.

That's correct. "It works if I turn off all security" only demonstrates
flawed thinking, not proper operation.

> What about clients using eduroam CAT? Did you insert the server
> certificate too, in old eduroam CAT configuration for your institution?
> If yes, this may be the problem: clients may not trust the new
> certificate because they are clamped to the old. Suggestion for the
> future is trying to use only the trust anchor needed. That is the
> intermediate CA certificate.

Here Daniele is slightly wrong: the trust anchor is always the /root/
certificate.

The screenshot of the OP shows that all is correct in that regard - the
CA certificate "CN=VeriSign Class 3 Public Primary Certification
Authority - G5" is indeed a self-signed root and the correct trust anchor
to use.

I believe I may know the source of your problem: maybe the root and
intermediate did not /change/ - but does your RADIUS server actually
*send* the intermediate cert during the EAP authentication exchange still?

Take a look at the old server cert PEM file vs. the new one (in your
RADIUS server). If you are not sending the intermediate (any more),
Android connection attempts will fail: Android does not allow the app to
install the intermediate together with the root and relies on getting
the intermediate during authentication time.

For all other operating systems, we install the intermediate together
with the root if you (optionally) upload that intermediate to CAT.

However, there is a "Check realm reachability" check which would warn
you about missing intermediates during the EAP exchange. Do you see any
such warning when running the check?

Greetings,

Stefan Winter


>
> Daniele Albrizio
> University of Trieste.
>
> On 13 Feb 2017 at 17:35, "Michele de Varda"
> <michele.devarda AT unimi.it> wrote:
>
> Dear CAT Developers,
>
> last Thursday we updated the RADIUS server certificate for
> Eduroam users. The Root CA cert and the Intermediate cert are still
> the same, so we didn't change the CAT configuration.
>
> All seems to work fine with Apple, Linux and Windows devices, but we
> have problems with Android clients:
>
> * Android devices without CAT config work fine but the "CA
> certificate" field is empty
> * Android devices with CAT config don't work and for each
> authentication attempt in the RADIUS server we find this log
> "Auth: Login incorrect (TLS Alert read:fatal:unknown CA)".
>
> Attached are 2 screenshots; in the second screenshot there is the
> message "No CA Certificate found". Is this normal behaviour?
>
> Is there something wrong in our config?
>
> Thank you for your help,
>
>
> Michele de Varda
>
> --
> Università degli Studi di Milano
> Divisione Telecomunicazioni
> tel. 02 503-15306
> via Giuseppe Colombo 46
> 20133 Milano
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users


--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
