cat-users - Re: [[cat-users]] NPS and Windows 10 through CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>, Adam Page <Adam.Page AT eisit.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] NPS and Windows 10 through CAT
  • Date: Tue, 27 Jun 2017 15:22:06 +0200

Hi Adam,
as Stefan wrote, your setup "should work".
The event log you have quoted: is this from the server or the client side?
The client side log should give you more details.
Tomasz


On 27.06.2017 at 08:27, Stefan Winter wrote:
> Hi Adam,
>
> the only problems we are currently aware of are that Windows 10 Creators
> Update and *TTLS* are broken by the OS vendor. We meanwhile mitigate
> that by shipping our own TTLS supplicant implementation to work around this.
>
> We are not aware of any issue with PEAP on Windows 10 (as an extra data
> point: are we talking about Creators Update or an older variant?).
>
> I see that your config uses the server name "portal.klz.org.uk" which is
> a literal name both in the CN and one of the SAN:DNS. That's played by
> the book and you can indeed ignore all the notices about names and
> wildcards.
>
> Since the live login tests work, and all OS versions below 10 as well,
> this really looks like a client-side problem then. I don't know what to
> suggest exactly; maybe Tomasz has an idea where to look.
>
> One funny thing in your report though:
>
>> Serial number:
>>
>> 263072085046269388575814257217962095932 (0x7FFFFFFFFFFFFFFF)
> That hex number looks /very/ lucky to me; you should play the lottery
> then :-). Is that really the number you have in the cert? Or maybe our
> CAT code doesn't know how to parse very long numbers properly and we
> need to fix that. No matter how, this should not be related in any way
> to the problem at hand.
>
> Greetings,
>
> Stefan Winter
>
> On 21.06.2017 at 16:21, Adam Page wrote:
>> Hi,
>>
>> I am doing the initial eduroam CAT setup but cannot get the Windows 10
>> installer to work. It will connect if I manually enter the settings and
>> do not use the CAT exe.
>>
>> Windows 7, iOS 6 and iOS 9 all connect successfully with CAT installers.
>>
>> RADIUS is Windows NPS on Server 2012, using Microsoft: Protected (PEAP)
>> – EAP-MSCHAP v2.
>>
>> In CAT the only supported EAP Type is PEAP-MSCHAPv2.
>>
>> In the event log is:
>>
>> Authentication Type: PEAP
>> EAP Type: -
>> Reason Code: 16
>> Reason: Authentication failed due to a user credentials mismatch. Either
>> the user name provided does not map to an existing user account or the
>> password was incorrect.
>>
>> The credentials I used are correct, but why in the log above does it not
>> display an EAP type?
>>
>> For successful authentications through Windows 7 it does display the EAP
>> type:
>>
>> Authentication Type: PEAP
>> EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
>>
>> Within CAT “check realm reachability” Static tests fail:
>>
>> Testing from: *eduroamTL dk*
>>
>> elapsed time: 1707 ms.
>>
>> *Test FAILED*: the request was rejected immediately, without EAP
>> conversation. This is not necessarily an error: if the RADIUS server
>> enforces that outer identities correspond to an existing username, then
>> this result is expected (Note: you could configure a valid outer
>> identity in your profile settings to get past this hurdle). In all other
>> cases, the server appears misconfigured or it is unreachable.
>>
>> Live Login test completes with warnings about it being a wildcard cert
>> and that some SANs do not resolve:
>>
>> *PEAP-MSCHAPv2 – elapsed time: 2778 ms.*
>>
>> *Connected to portal.klz.org.uk.*
>>
>> *Test partially successful*: authentication succeded. Some properties of
>> the connection attempt were sub-optimal; the list is below.
>>
>> The certificate contained a CN or subjectAltName:DNS which contains a
>> wildcard ('*'). This can be problematic on some supplicants. If the
>> certificate also contains names which are wildcardless, and you only use
>> those for your supplicant configuration, then you can safely ignore this
>> notice.
>>
>> The certificate contained a CN or subjectAltName:DNS which does not
>> parse as a hostname. This can be problematic on some supplicants. If the
>> certificate also contains names which are a proper hostname, and you
>> only use those for your supplicant configuration, then you can safely
>> ignore this notice.
>>
>> The certificate contained a CN or subjectAltName:DNS which does not
>> parse as a hostname. This can be problematic on some supplicants. If the
>> certificate also contains names which are a proper hostname, and you
>> only use those for your supplicant configuration, then you can safely
>> ignore this notice.
>>
>> The certificate contained a CN or subjectAltName:DNS which does not
>> parse as a hostname. This can be problematic on some supplicants. If the
>> certificate also contains names which are a proper hostname, and you
>> only use those for your supplicant configuration, then you can safely
>> ignore this notice.
>>
>> *Server certificate details:*
>>
>> Subject: CN=portal.klz.org.uk,OU=Domain Control Validated,OU=PositiveSSL
>> Multi-Domain
>> Issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>> Limited,L=Salford,ST=Greater Manchester,C=GB
>> Valid from: Thursday, 23-Jul-2015 00:00:00 GMT
>> Valid to: Sunday, 22-Jul-2018 23:59:59 GMT
>> Serial number: 263072085046269388575814257217962095932 (0x7FFFFFFFFFFFFFFF)
>> SHA1 fingerprint: ccfe331e8f58a39f590c261008ec0e6827cef73e
>>
>> Extensions
>>
>> *authorityKeyIdentifier:* keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
>> *subjectKeyIdentifier:* 10:36:17:CA:1B:C6:95:68:A2:3F:06:D0:68:53:6A:B1:A4:58:4C:99
>> *keyUsage:* Digital Signature, Key Encipherment
>> *basicConstraints:* CA:FALSE
>> *extendedKeyUsage:* TLS Web Server Authentication, TLS Web Client
>> Authentication
>> *certificatePolicies:* Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS:
>> https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1
>> *crlDistributionPoints:* Full Name:
>> URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
>> *authorityInfoAccess:* CA Issuers -
>> URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
>> OCSP - URI:http://ocsp.comodoca.com
>> *subjectAltName:* DNS:portal.klz.org.uk, DNS:*.klz.co.uk,
>> DNS:*.klz.org.uk, DNS:*.klz.uk, DNS:klz.co.uk, DNS:klz.org.uk, DNS:klz.uk
>>
>> Has anybody encountered this issue before and can advise how to resolve it?
>>
>> Many thanks,
>>
>> *Adam Page*
>> Senior Network Engineer
>>
>> Shepway Centre | Oxford Road | Maidstone | Kent | ME15 8AW
>> Service Desk: 0300 065 8888 | www.eisit.uk <http://www.eisit.uk/>
>> Sales & Enquiries: 0300 065 8800 | Fax: 01622 663 591
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Information & Communication Technology Centre
Nicolaus Copernicus University,
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
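A check of the two points Stefan raises in the quoted reply, written as an added Python example that is not part of this thread or of the CAT code: whether portal.klz.org.uk appears in the quoted CN/SAN list as a literal, wildcard-free hostname (the condition under which the wildcard notices can be ignored), and how the quoted 128-bit serial number comes out as 0x7FFFFFFFFFFFFFFF when it is pushed through a saturating 64-bit signed integer instead of a big integer. The names and the decimal serial are copied from the quoted report; the 64-bit clamp as the cause of the odd hex value is an assumption, not something the thread confirms.

```python
import re

# Values copied from the CAT report quoted in the thread.
SERVER_NAME = "portal.klz.org.uk"
CN = "portal.klz.org.uk"
SAN_DNS = ["portal.klz.org.uk", "*.klz.co.uk", "*.klz.org.uk", "*.klz.uk",
           "klz.co.uk", "klz.org.uk", "klz.uk"]
SERIAL_DECIMAL = "263072085046269388575814257217962095932"

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
INT64_MAX = 0x7FFFFFFFFFFFFFFF


def classify_name(name):
    """Return 'wildcard', 'hostname' or 'invalid' for one CN/SAN DNS entry."""
    if "*" in name:
        return "wildcard"
    labels = name.rstrip(".").split(".")
    if len(name) <= 253 and all(_LABEL.match(label) for label in labels):
        return "hostname"
    return "invalid"


def literal_names(cn, san_dns):
    """Wildcard-free, well-formed names: the ones a supplicant profile should
    pin. If the configured server name is among them, the wildcard and
    'does not parse as a hostname' notices can be ignored."""
    return sorted({n.lower() for n in [cn, *san_dns]
                   if classify_name(n) == "hostname"})


def server_name_is_literal(server_name, cn, san_dns):
    return server_name.lower() in literal_names(cn, san_dns)


def serial_to_hex(serial_decimal):
    """Correct rendering: Python ints are arbitrary precision, so a 16-byte
    serial keeps all 32 hex digits."""
    return "0x%X" % int(serial_decimal)


def serial_to_hex_int64(serial_decimal):
    """Assumed faulty rendering: the decimal string is clamped to a signed
    64-bit int before hex conversion, which yields 0x7FFFFFFFFFFFFFFF for
    any serial above 2**63-1, matching the value in the report."""
    return "0x%X" % min(int(serial_decimal), INT64_MAX)
```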


Attachment: smime.p7s
Description: S/MIME cryptographic signature
