The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[John Horne <john.horne AT plymouth.ac.uk>]

On Wed, 2017-07-12 at 07:30 +0200, Stefan Winter wrote:
> Hello,
>
> > We have started to look at using CAT for our site, but I am having a
> > problem configuring our main profile. Our setup is that we have 2 
> > front-end
> > RADIUS servers (running freeradius) which act as proxies to back-end
> > Microsoft AD/NPS servers.
> >
> > If I configure CAT with the front-end/proxy servers as the authentication
> > servers, and use the CA certificate from those servers, then our Windows
> > (7) clients fail to connect. The problem is reported that the user is
> > trying to connect to a back-end server, but that server is not listed in
> > our profile.
> >
> > I cannot configure the back-end servers into the profile since Windows 
> > will
> > then try to connect directly to those servers. This is not allowed; users
> > must authenticate via the front-end/proxy servers.
> >
> > So, is it possible to configure CAT to use front-end proxy servers for
> > RADIUS authentication?
>
...
> It sounds like your front-end servers terminate EAP, i.e. present a
> server certificate and decapsulate the inner tunnel authentication
> (which is PEAP? you didn't say which EAP type you use).
>
Yes, PEAP/MSCHAPv2.

> So, it seems like you did the right thing with specifying the front-end
> CA and server names (if that's what you did). It would then be helpful
> to tell us why and with what error message exactly the NPS fails.
>
In fact to get this working I have specified the back-end servers. although 
the
users client will access the front-end servers via the access point, it is the
back-end servers that do the authentication.
I have no access to the NPS servers, but from a Windows 7 client the 'eduroam'
connection profile has a checkbox labelled 'Do not prompt user to authorize 
new
servers or trusted certification authorities.'.
CAT seems to tick this checkbox. But by unticking it, and attempting to 
connect
I get an error message displayed that the (back-end) server I'm connecting to
is unknown/untrusted. Hence I have to put in the back-end servers.

The problem I have now is that one of the back end servers is signed by a
'USERTrust RSA Certification Authority' certificate. The error the client gets
is that  the "UserTrust RSA... is not configured as a trust anchor for this
profile." Although this is in the list of Trusted Root Certification
Authorities for the windows profile, it is not ticked by CAT. If I manually
change the Windows profile and tick the CA, then I can authenticate with no
problems.
The eduroam CAT web page for our profile shows that both the root certificate,
and the intermediate certificates are recognised (they have an 'I' in a blue
circle next to them; the root has 'R'). I'm wondering if because there are 2
intermediates in the certification chain, if that is causing a problem with 
the
CA tickbox.
I'll do a little more testing.





John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
________________________________
[http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>

This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information 
contained is strictly prohibited and you should not rely on it. If you have 
received this email in error please let the sender know immediately and 
delete it from your system(s). Internet emails are not necessarily secure. 
While we take every care, Plymouth University accepts no responsibility for 
viruses and it is your responsibility to scan emails and their attachments. 
Plymouth University does not accept responsibility for any changes made after 
it was sent. Nothing in this email or its attachments constitutes an order 
for goods or services unless accompanied by an official order form.