
cat-users - Re: [[cat-users]] wildcard certificates supported?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] wildcard certificates supported?


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] wildcard certificates supported?
  • Date: Thu, 16 Feb 2017 12:51:22 +0100

Hi,
Actually this may be a problem indeed. Windows has a strange approach
to regular expressions in certificate names.
We did have a discussion about that on the list a long time ago and I
have even started implementing something but then gave up as it
generally seems that wildcard certificates are not a great idea and
people do not really use them.

At this point I do not remember more details.
Tomasz



On 2017-02-16 at 12:43, Jose Manuel Macias Luna wrote:
> Hi,
>
> I'm not sure about this, but surely Tomasz, Alan or Stefan can give an
> appropriate answer.
>
> One of our institutions is using a wildcard certificate for their radius
> server (with CN *.someidp.tld), and that's what they have configured in
> eduroam CAT admin interface. This institution in particular is having
> problems with installers for win8 and win10, and the only thing
> suspicious I see in their profile is the wildcard certificate.
>
> I have been having a look at the admin guide and it says nothing about
> this particular case:
>
> «The name of your server as specified in the Common Name (CN) of your
> EAP server certificate»
>
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators#AguidetoeduroamCATforinstitutionadministrators-Institution-wideSettings
>
> I did find some text (I think from Stefan?) in the "EAP Server
> Certificate Considerations" article:
>
> server name not a wildcard name (e.g. "*.someidp.tld"). Some supplicants
> exhibit undefined/buggy behaviour when attempting to parse incoming
> certificates with a wildcard. Windows 8 and 8.1 are known to choke on
> wildcard certificates.
>
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
> So my question is... is this accepted by all the clients configured by
> CAT, or would some of them only admit somename.someidp.tld?
>
> If so, I think we should maybe issue a warning at the CAT web interface
> for admins, and/or update the admin guide to reflect this.
>
>
> Thanks in advance,
>
> Jose Manuel.

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Information & Communication Technology Centre
Nicolaus Copernicus University,
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576


Attachment: smime.p7s
Description: Cryptographic S/MIME signature
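Jose suggests that the CAT admin interface warn administrators when the configured EAP server name is a wildcard. Below is an added example of what such a pre-flight check could look like; it is not CAT's code and not from anyone on this thread. The function names, the `Finding` record and the sample server names are assumptions made for the illustration. It flags a leftmost-label wildcard (the "*.someidp.tld" case above) as a warning, rejects wildcards anywhere else or covering a bare TLD as errors, and validates the remaining names as hostnames; it also shows the strict one-label matching rule that a wildcard would be expected to follow, so an admin can see which concrete RADIUS server names the wildcard covers and list those instead.

```python
"""Pre-flight check for EAP server names configured in a CAT-style admin UI.

Constructed example: function names, the Finding record and the sample
server names are assumptions for illustration, not CAT's own code.
"""
import re
from dataclasses import dataclass

# One hostname label (RFC 1123): letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class Finding:
    name: str
    level: str      # "warning" or "error"
    message: str


def check_server_name(name: str) -> list[Finding]:
    """Return findings for one configured EAP server name (empty list = fine)."""
    labels = name.split(".")
    if "*" in name:
        leftmost_only = labels[0] == "*" and "*" not in ".".join(labels[1:])
        # "*.someidp.tld" is a legal TLS wildcard, but the thread reports that
        # some supplicants (Windows 8/8.1) choke on it in EAP, so warn loudly.
        if leftmost_only and len(labels) >= 3:
            return [Finding(name, "warning",
                            "wildcard server name; some supplicants reject wildcard "
                            "certificates, list the RADIUS server's FQDN(s) instead")]
        # "radius.*.tld" or "*.tld" is never a usable server name.
        return [Finding(name, "error", "wildcard only allowed as the whole leftmost "
                                       "label and must not cover a bare TLD")]
    bad = [lab for lab in labels if not _LABEL.match(lab)]
    return [Finding(name, "error", f"invalid hostname label {lab!r}") for lab in bad]


def check_profile(server_names: list[str]) -> list[Finding]:
    """Run the check over every server name in a profile."""
    return [f for n in server_names for f in check_server_name(n)]


def wildcard_covers(pattern: str, host: str) -> bool:
    """Strict wildcard match: '*' stands for exactly one leftmost label.

    This is the narrow rule (RFC 6125 style) an admin can use to enumerate the
    concrete names a wildcard was standing in for; "*.someidp.tld" covers
    "radius.someidp.tld" but not "a.b.someidp.tld" or "someidp.tld".
    """
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


if __name__ == "__main__":
    # Constructed sample profile: one good name, one wildcard, one bad wildcard.
    sample = ["radius.someidp.tld", "*.someidp.tld", "radius.*.tld"]
    for finding in check_profile(sample):
        print(f"{finding.level.upper():7} {finding.name}: {finding.message}")
```

Running the module prints one warning for the wildcard and one error for the misplaced wildcard; the plain FQDN produces nothing, which is the outcome an admin guide would steer people towards.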
