cat-users - [[cat-users]] NPS and Windows 10 through CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Adam Page <Adam.Page AT eisit.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] NPS and Windows 10 through CAT
  • Date: Wed, 21 Jun 2017 14:21:04 +0000
  • Accept-language: en-GB, en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=klz.onmicrosoft.com
  • Authentication-results: spf=softfail (sender IP is 194.80.20.108) smtp.mailfrom=eisit.uk; lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=none action=none header.from=eisit.uk;

Hi,

I am doing the initial eduroam CAT setup but cannot get the Windows 10 installer to work. It will connect if I manually enter the settings and do not use the CAT exe.

Windows 7, iOS 6 and iOS 9 all connect successfully with CAT installers.

RADIUS is Windows NPS on Server 2012, using Microsoft: Protected (PEAP) – EAP-MSCHAP v2.

In CAT the only supported EAP Type is PEAP-MSCHAPv2.

 

In the event log is:

    Authentication Type:    PEAP
    EAP Type:               -
    Reason Code:            16
    Reason:                 Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 

The credentials I used are correct but why in the log above does it not display an EAP type?

For successful authentications through Windows 7 it does display the EAP type:

    Authentication Type:    PEAP
    EAP Type:               Microsoft: Secured password (EAP-MSCHAP v2)

 

Within CAT “check realm reachability” Static tests fail

 

Testing from: eduroamTL dk


elapsed time: 1707 ms.

Test FAILED: the request was rejected immediately, without EAP conversation. This is not necessarily an error: if the RADIUS server enforces that outer identities correspond to an existing username, then this result is expected (Note: you could configure a valid outer identity in your profile settings to get past this hurdle). In all other cases, the server appears misconfigured or it is unreachable.

 

 

Live Login test completes with warnings about it being a wildcard cert and that some SANs do not resolve

 

PEAP-MSCHAPv2 – elapsed time: 2778 ms.

Connected to portal.klz.org.uk.

Test partially successful: authentication succeded. Some properties of the connection attempt were sub-optimal; the list is below.

The certificate contained a CN or subjectAltName:DNS which contains a wildcard ('*'). This can be problematic on some supplicants. If the certificate also contains names which are wildcardless, and you only use those for your supplicant configuration, then you can safely ignore this notice.

The certificate contained a CN or subjectAltName:DNS which does not parse as a hostname. This can be problematic on some supplicants. If the certificate also contains names which are a proper hostname, and you only use those for your supplicant configuration, then you can safely ignore this notice.

The certificate contained a CN or subjectAltName:DNS which does not parse as a hostname. This can be problematic on some supplicants. If the certificate also contains names which are a proper hostname, and you only use those for your supplicant configuration, then you can safely ignore this notice.

The certificate contained a CN or subjectAltName:DNS which does not parse as a hostname. This can be problematic on some supplicants. If the certificate also contains names which are a proper hostname, and you only use those for your supplicant configuration, then you can safely ignore this notice.

 

Server certificate details:

Subject: CN=portal.klz.org.uk,OU=Domain Control Validated,OU=PositiveSSL Multi-Domain
Issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid from: Thursday, 23-Jul-2015 00:00:00 GMT
Valid to: Sunday, 22-Jul-2018 23:59:59 GMT
Serial number: 263072085046269388575814257217962095932 (0x7FFFFFFFFFFFFFFF)
SHA1 fingerprint: ccfe331e8f58a39f590c261008ec0e6827cef73e

Extensions

authorityKeyIdentifier:keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 
subjectKeyIdentifier: 10:36:17:CA:1B:C6:95:68:A2:3F:06:D0:68:53:6A:B1:A4:58:4C:99
keyUsage: Digital Signature, Key Encipherment
basicConstraints: CA:FALSE
extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
certificatePolicies: Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS: https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1 
crlDistributionPoints: Full Name: URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl 
authorityInfoAccess: CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com 
subjectAltName: DNS:portal.klz.org.uk, DNS:*.klz.co.uk, DNS:*.klz.org.uk, DNS:*.klz.uk, DNS:klz.co.uk, DNS:klz.org.uk, DNS:klz.uk

 

Has anybody encountered this issue before and can advise how to resolve it?

 

Many thanks,

Adam Page

Senior Network Engineer

Shepway Centre | Oxford Road | Maidstone | Kent | ME15 8AW

Service Desk: 0300 065 8888 | www.eisit.uk

Sales & Enquiries: 0300 065 8800 | Fax: 01622 663 591
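
The CAT notices quoted in the message above say they can be ignored if only wildcardless, proper-hostname names are used in the supplicant configuration. The following is an added example, not part of the original message and not CAT's own code, that sorts the certificate's subjectAltName entries on that basis; treating "parse as a hostname" as RFC 1123 label syntax is an assumption, and the function names are hypothetical.

```python
import re

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# subjectAltName line copied from the certificate details in the message above.
SAN_LINE = ("subjectAltName: DNS:portal.klz.org.uk, DNS:*.klz.co.uk, "
            "DNS:*.klz.org.uk, DNS:*.klz.uk, DNS:klz.co.uk, DNS:klz.org.uk, DNS:klz.uk")


def parse_san_dns(line):
    """Return the DNS entries from an OpenSSL-style subjectAltName line."""
    _, _, value = line.partition("subjectAltName:")
    names = []
    for item in value.split(","):
        kind, _, name = item.strip().partition(":")
        if kind == "DNS" and name:
            names.append(name.strip())
    return names


def is_hostname(name):
    """Syntax check only (assumed rule): dotted RFC 1123 labels, max 253 chars."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def classify(names):
    """Split names into wildcard, non-hostname, and usable-for-supplicant lists."""
    report = {"wildcard": [], "not_hostname": [], "usable": []}
    for name in names:
        if "*" in name:
            report["wildcard"].append(name)
        if not is_hostname(name):
            report["not_hostname"].append(name)
        if "*" not in name and is_hostname(name):
            report["usable"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in classify(parse_san_dns(SAN_LINE)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Under that assumed rule, the three wildcard entries are the ones that fail the hostname check, and the remaining four names are candidates for the server name a supplicant profile validates.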
