
cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Configure CAT with RADIUS proxy servers?


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: John Horne <john.horne AT plymouth.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Configure CAT with RADIUS proxy servers?
  • Date: Wed, 12 Jul 2017 07:30:45 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

> We have started to look at using CAT for our site, but I am having a problem
> configuring our main profile. Our setup is that we have 2 front-end RADIUS
> servers (running freeradius) which act as proxies to back-end Microsoft
> AD/NPS servers.
>
> If I configure CAT with the front-end/proxy servers as the authentication
> servers, and use the CA certificate from those servers, then our Windows (7)
> clients fail to connect. The problem is reported that the user is trying to
> connect to a back-end server, but that server is not listed in our profile.
>
> I cannot configure the back-end servers into the profile since Windows will
> then try to connect directly to those servers. This is not allowed; users
> must authenticate via the front-end/proxy servers.
>
> So, is it possible to configure CAT to use front-end proxy servers for
> RADIUS authentication?

CAT allows you to configure the parameters that the EAP standards provide. I
don't think I understand your setup enough to say much more. Speculation
below...

It sounds like your front-end servers terminate EAP, i.e. present a
server certificate and decapsulate the inner tunnel authentication
(which is PEAP? you didn't say which EAP type you use).

In that case, the CAT config needs to specify the issuing (root) CA of
those front-end servers and the server names which those front-end
server certificates contain.

An inner PEAP or PAP does not validate any server certificates, and in
fact the PEAP or PAP server (NPS) does not present any.

So, it seems like you did the right thing with specifying the front-end
CA and server names (if that's what you did). It would then be helpful
to tell us why and with what error message exactly the NPS fails.

In short, there's only one place where CA and server names play a role.
That is the one thing you configure in CAT. Any other errors are
unrelated to the CAT server trust configuration.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
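To make the point of the reply concrete (the supplicant checks exactly one certificate: the one presented by whichever server terminates EAP, against the CA and server names in the profile, and nothing about the inner method or the proxy path), here is a small added model of that check. It is example code written for this archive page, not CAT's or eduroam's own implementation; the certificate and profile records are simplified constructed stand-ins rather than real X.509 parsing, and the suffix-matching rule follows my reading of wpa_supplicant's `domain_suffix_match` semantics (label-by-label from the top-level domain), which is an assumption. All host and CA names are invented.

```python
"""
Model of the supplicant-side trust check that a CAT profile configures.

The EAP-terminating RADIUS server must present a certificate that is
(1) issued by the configured CA and (2) carries one of the configured
server names. The inner method (PEAP/MSCHAPv2 or PAP to NPS) presents no
certificate and is never checked. Records below are constructed stand-ins,
not parsed X.509 objects.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Only the fields the trust check needs (constructed, simplified)."""
    issuer_cn: str
    subject_cn: str
    san_dns: list = field(default_factory=list)   # SubjectAltName dNSName entries


@dataclass
class CatProfile:
    """What a CAT profile carries for server trust: issuing CA + server names."""
    ca_cn: str
    server_names: list


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def suffix_match(presented: str, expected: str) -> bool:
    """Label-boundary suffix match (assumed wpa_supplicant domain_suffix_match
    rule): every label of `expected`, counted from the TLD, must equal the
    corresponding label of `presented`. 'radius1.notexample.ac.uk' therefore
    does NOT match the suffix 'example.ac.uk'."""
    p, e = _labels(presented), _labels(expected)
    return len(e) > 0 and len(p) >= len(e) and p[-len(e):] == e


def names_in_cert(cert: Cert) -> list:
    """SAN dNSName entries are authoritative; fall back to the subject CN
    only when the certificate has no SAN dNSName at all."""
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def check_server_trust(profile: CatProfile, cert: Cert, exact: bool = True):
    """Return (ok, reason). exact=True mirrors a full-name match as a CAT
    profile lists them; exact=False allows suffix (domain) matching."""
    if cert.issuer_cn != profile.ca_cn:
        return False, f"issuer {cert.issuer_cn!r} is not the configured CA"
    for presented in names_in_cert(cert):
        for expected in profile.server_names:
            if exact and presented.lower() == expected.lower():
                return True, f"name match on {presented}"
            if not exact and suffix_match(presented, expected):
                return True, f"suffix match on {presented}"
    return False, "no configured server name found in certificate"


def demo() -> dict:
    """Scenario from the thread: profile built for the front-end proxies;
    a client is then shown either the front-end cert or a back-end NPS cert."""
    profile = CatProfile(ca_cn="Example University RADIUS CA",
                         server_names=["radius1.example.ac.uk",
                                       "radius2.example.ac.uk"])
    front_end = Cert(issuer_cn="Example University RADIUS CA",
                     subject_cn="radius1.example.ac.uk",
                     san_dns=["radius1.example.ac.uk"])
    # Back-end NPS cert from the AD CA: wrong issuer for this profile.
    back_end = Cert(issuer_cn="Example University AD CA",
                    subject_cn="nps1.ad.example.ac.uk",
                    san_dns=["nps1.ad.example.ac.uk"])
    # Same CA as the profile, but a name the profile does not list: this is
    # the "server not listed in our profile" outcome.
    back_end_same_ca = Cert(issuer_cn="Example University RADIUS CA",
                            subject_cn="nps1.ad.example.ac.uk",
                            san_dns=["nps1.ad.example.ac.uk"])
    domain_profile = CatProfile(profile.ca_cn, ["example.ac.uk"])
    return {
        "front_end": check_server_trust(profile, front_end),
        "back_end": check_server_trust(profile, back_end),
        "back_end_same_ca": check_server_trust(profile, back_end_same_ca),
        "suffix": check_server_trust(domain_profile, front_end, exact=False),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s} -> {result}")
```

The `back_end_same_ca` case is the one worth noticing: trusting the right CA is not enough, because the client also requires the presented name to be in the profile, so whichever server actually terminates EAP is the one whose certificate name (and issuer) the profile must describe.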