
cat-users - Re: [[cat-users]] NPS and Windows 10 through CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] NPS and Windows 10 through CAT


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Adam Page <Adam.Page AT eisit.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] NPS and Windows 10 through CAT
  • Date: Tue, 27 Jun 2017 08:27:21 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi Adam,

the only problems we are currently aware of are that Windows 10 Creators
Update and *TTLS* are broken by the OS vendor. We meanwhile mitigate
that by shipping our own TTLS supplicant implementation to work around this.

We are not aware of any issue with PEAP on Windows 10 (as an extra data
point: are we talking about Creators Update or an older variant?).

I see that your config uses the server name "portal.klz.org.uk" which is
a literal name both in the CN and one of the sAN:DNS. That's played by
the book and you can indeed ignore all the notices about names and
wildcards.

Since the live login tests work, and all OS versions below 10 as well,
this really looks like a client-side problem then. I don't know what to
suggest exactly; maybe Tomasz has an idea where to look.

One funny thing in your report though:

> Serial number:
>
> 263072085046269388575814257217962095932 (0x7FFFFFFFFFFFFFFF)

That hex number looks /very/ lucky to me; you should play the lottery
then :-). Is that really the number you have in the cert? Or maybe our
CAT code doesn't know how to parse very long numbers properly and we
need to fix that. No matter how, this should not be related in any way
to the problem at hand.

Greetings,

Stefan Winter

Am 21.06.2017 um 16:21 schrieb Adam Page:
> Hi,
>
> I am doing the initial eduroam CAT setup but cannot get Windows 10
> installer to work. It will connect if I manually enter the settings and
> do not use the CAT exe.
>
> Windows 7, iOS 6 and iOS 9 all connect successfully with CAT installers.
>
> Radius is Windows NPS on server 2012, using Microsoft: Protected (PEAP)
> – EAP-MSCHAP v2.
>
> In CAT the only supported EAP Type is PEAP-MSCHAPv2
>
> In the event log is:
>
> Authentication Type: PEAP
>
> EAP Type: -
>
> Reason Code: 16
>
> Reason: Authentication
> failed due to a user credentials mismatch. Either the user name provided
> does not map to an existing user account or the password was incorrect.
>
> The credentials I used are correct but why in the log above does it not
> display an EAP type?
>
> For successful authentications through Windows 7 it does display the eap
> type
>
> Authentication Type: PEAP
>
> EAP Type:
> Microsoft: Secured password (EAP-MSCHAP v2)
>
> Within CAT “check realm reachability” Static tests fail
>
> Testing from: *eduroamTL dk*
>
> elapsed time: 1707 ms.
>
> *Test FAILED*: the request was rejected immediately, without EAP
> conversation. This is not necessarily an error: if the RADIUS server
> enforces that outer identities correspond to an existing username, then
> this result is expected (Note: you could configure a valid outer
> identity in your profile settings to get past this hurdle). In all other
> cases, the server appears misconfigured or it is unreachable.
>
> Live Login test completes with warnings about it being a wildcard cert
> and that some SANs do not resolve
>
>
>
> *PEAP-MSCHAPv2 – elapsed time: 2778 ms.*
>
> *Connected to portal.klz.org.uk.*
>
> *Test partially successful*: authentication succeeded. Some properties of
> the connection attempt were sub-optimal; the list is below.
>
> The certificate contained a CN or subjectAltName:DNS which contains a
> wildcard ('*'). This can be problematic on some supplicants. If the
> certificate also contains names which are wildcardless, and you only use
> those for your supplicant configuration, then you can safely ignore this
> notice.
>
> The certificate contained a CN or subjectAltName:DNS which does not
> parse as a hostname. This can be problematic on some supplicants. If the
> certificate also contains names which are a proper hostname, and you
> only use those for your supplicant configuration, then you can safely
> ignore this notice.
>
> The certificate contained a CN or subjectAltName:DNS which does not
> parse as a hostname. This can be problematic on some supplicants. If the
> certificate also contains names which are a proper hostname, and you
> only use those for your supplicant configuration, then you can safely
> ignore this notice.
>
> The certificate contained a CN or subjectAltName:DNS which does not
> parse as a hostname. This can be problematic on some supplicants. If the
> certificate also contains names which are a proper hostname, and you
> only use those for your supplicant configuration, then you can safely
> ignore this notice.
>
> *Server certificate details:*
>
> Subject:
>
> CN=portal.klz.org.uk,OU=Domain Control Validated,OU=PositiveSSL Multi-Domain
>
> Issuer:
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB
>
> Valid from:
>
> Thursday, 23-Jul-2015 00:00:00 GMT
>
> Valid to:
>
> Sunday, 22-Jul-2018 23:59:59 GMT
>
> Serial number:
>
> 263072085046269388575814257217962095932 (0x7FFFFFFFFFFFFFFF)
>
> SHA1 fingerprint:
>
> ccfe331e8f58a39f590c261008ec0e6827cef73e
>
> Extensions
>
> *authorityKeyIdentifier:*keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
>
> *subjectKeyIdentifier: *10:36:17:CA:1B:C6:95:68:A2:3F:06:D0:68:53:6A:B1:A4:58:4C:99
> *keyUsage: *Digital Signature, Key Encipherment
> *basicConstraints: *CA:FALSE
> *extendedKeyUsage: *TLS Web Server Authentication, TLS Web Client
> Authentication
> *certificatePolicies: *Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS:
> https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1
> *crlDistributionPoints: *Full Name:
> URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
> *authorityInfoAccess: *CA Issuers -
> URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
> OCSP - URI:http://ocsp.comodoca.com
> *subjectAltName: *DNS:portal.klz.org.uk, DNS:*.klz.co.uk,
> DNS:*.klz.org.uk, DNS:*.klz.uk, DNS:klz.co.uk, DNS:klz.org.uk, DNS:klz.uk
>
> Has anybody encountered this issue before and can advise how to resolve it?
>
> Many thanks,
>
> *Adam Page*
>
> Senior Network Engineer
>
> Shepway Centre | Oxford Road | Maidstone | Kent | ME15 8AW
>
> Service Desk: 0300 065 8888 | www.eisit.uk <http://www.eisit.uk/>
>
> Sales & Enquiries: 0300 065 8800 | Fax: 01622 663 591


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
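Both of Stefan's technical asides, the suspicious 0x7FFFFFFFFFFFFFFF serial and the "you can ignore the wildcard notices" verdict, come down to how a certificate's fields are parsed. The Python below is an added worked example for this page, not CAT's own code. It converts the quoted decimal serial with arbitrary precision (RFC 5280 section 4.1.2.2 allows serials of up to 20 octets, far beyond 64 bits) and, as an assumption about what produced the quoted hex value, models a conversion that saturates at the signed 64-bit maximum. It then re-runs the wildcard and hostname checks over the quoted subjectAltName list and confirms that the configured server name appears as a plain, wildcard-free entry. The serial and SAN list are constructed from the values quoted above; the hostname regex, the saturation model and all function names are the example's own.

```python
import re

# Values constructed from the certificate details quoted in the thread
# (serial number and subjectAltName list exactly as CAT printed them).
SERIAL_DECIMAL = "263072085046269388575814257217962095932"
SAN_DNS_NAMES = [
    "portal.klz.org.uk", "*.klz.co.uk", "*.klz.org.uk", "*.klz.uk",
    "klz.co.uk", "klz.org.uk", "klz.uk",
]
CONFIGURED_SERVER_NAME = "portal.klz.org.uk"  # name entered in the CAT profile

INT64_MAX = 0x7FFFFFFFFFFFFFFF
MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber is at most 20 octets


def serial_to_hex(decimal_serial: str) -> str:
    """Convert a decimal serial to hex with arbitrary precision.

    Serials may be up to 160 bits wide, so any conversion that passes
    through a native 64-bit integer is wrong by design, not by accident.
    """
    n = int(decimal_serial)
    if n <= 0 or n.bit_length() > MAX_SERIAL_OCTETS * 8:
        raise ValueError("serial outside the RFC 5280 range")
    return f"0x{n:X}"


def serial_to_hex_int64(decimal_serial: str) -> str:
    """Model of the failure mode: the value is squeezed through a signed
    64-bit integer that saturates at INT64_MAX. This is an assumption
    about what produced 0x7FFFFFFFFFFFFFFF in the quoted report, not a
    statement about the CAT source code."""
    n = int(decimal_serial)
    return f"0x{min(n, INT64_MAX):X}"


# One DNS label: 1-63 chars of letters, digits, hyphens; no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name: str) -> bool:
    """Strict hostname syntax (RFC 1123 style), 253 chars at most."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def name_issues(name: str) -> list:
    """Reproduce the two CAT notices for one CN/SAN entry. A wildcard
    entry trips both: it contains '*' and '*' is not a valid label."""
    issues = []
    if "*" in name:
        issues.append("wildcard")
    if not is_hostname(name):
        issues.append("not-hostname")
    return issues


def configured_name_is_safe(configured: str, names: list) -> bool:
    """True when the supplicant's configured server name appears verbatim
    in the certificate as a clean, wildcard-free hostname. Wildcard
    entries are deliberately never matched: the whole point of the notice
    is that the supplicant configuration must not depend on them."""
    return configured in names and name_issues(configured) == []


if __name__ == "__main__":
    print("arbitrary precision:", serial_to_hex(SERIAL_DECIMAL))
    print("saturating int64   :", serial_to_hex_int64(SERIAL_DECIMAL))
    for n in SAN_DNS_NAMES:
        print(f"{n:20s} {name_issues(n) or 'ok'}")
    print("configured name usable:",
          configured_name_is_safe(CONFIGURED_SERVER_NAME, SAN_DNS_NAMES))
```

The saturating path reproduces the quoted 0x7FFFFFFFFFFFFFFF from the quoted decimal, which is why Stefan's "lucky number" is almost certainly a parser artifact and not a property of the certificate; the arbitrary-precision path yields a 32-digit (128-bit) hex serial. The name checks flag the three wildcard entries twice, matching the one wildcard notice plus three "does not parse as a hostname" notices in the report, and the literal portal.klz.org.uk passes cleanly, so the notices can indeed be ignored as long as the supplicant is pinned to that literal name.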



