cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: John Horne <john.horne AT plymouth.ac.uk>
- To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Configure CAT with RADIUS proxy servers?
- Date: Wed, 12 Jul 2017 15:29:22 +0000
- Accept-language: en-GB, en-US
- Authentication-results: lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=none action=none header.from=plymouth.ac.uk;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On Wed, 2017-07-12 at 07:30 +0200, Stefan Winter wrote:
> Hello,
>
> > We have started to look at using CAT for our site, but I am having a
> > problem configuring our main profile. Our setup is that we have 2
> > front-end
> > RADIUS servers (running freeradius) which act as proxies to back-end
> > Microsoft AD/NPS servers.
> >
> > If I configure CAT with the front-end/proxy servers as the authentication
> > servers, and use the CA certificate from those servers, then our Windows
> > (7) clients fail to connect. The problem is reported that the user is
> > trying to connect to a back-end server, but that server is not listed in
> > our profile.
> >
> > I cannot configure the back-end servers into the profile since Windows
> > will
> > then try to connect directly to those servers. This is not allowed; users
> > must authenticate via the front-end/proxy servers.
> >
> > So, is it possible to configure CAT to use front-end proxy servers for
> > RADIUS authentication?
>
...
> It sounds like your front-end servers terminate EAP, i.e. present a
> server certificate and decapsulate the inner tunnel authentication
> (which is PEAP? you didn't say which EAP type you use).
>
Yes, PEAP/MSCHAPv2.
> So, it seems like you did the right thing with specifying the front-end
> CA and server names (if that's what you did). It would then be helpful
> to tell us why and with what error message exactly the NPS fails.
>
In fact to get this working I have specified the back-end servers. although
the
users client will access the front-end servers via the access point, it is the
back-end servers that do the authentication.
I have no access to the NPS servers, but from a Windows 7 client the 'eduroam'
connection profile has a checkbox labelled 'Do not prompt user to authorize
new
servers or trusted certification authorities.'.
CAT seems to tick this checkbox. But by unticking it, and attempting to
connect
I get an error message displayed that the (back-end) server I'm connecting to
is unknown/untrusted. Hence I have to put in the back-end servers.
The problem I have now is that one of the back end servers is signed by a
'USERTrust RSA Certification Authority' certificate. The error the client gets
is that the "UserTrust RSA... is not configured as a trust anchor for this
profile." Although this is in the list of Trusted Root Certification
Authorities for the windows profile, it is not ticked by CAT. If I manually
change the Windows profile and tick the CA, then I can authenticate with no
problems.
The eduroam CAT web page for our profile shows that both the root certificate,
and the intermediate certificates are recognised (they have an 'I' in a blue
circle next to them; the root has 'R'). I'm wondering if because there are 2
intermediates in the certification chain, if that is causing a problem with
the
CA tickbox.
I'll do a little more testing.
John.
--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
________________________________
[http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>
This email and any files with it are confidential and intended solely for the
use of the recipient to whom it is addressed. If you are not the intended
recipient then copying, distribution or other use of the information
contained is strictly prohibited and you should not rely on it. If you have
received this email in error please let the sender know immediately and
delete it from your system(s). Internet emails are not necessarily secure.
While we take every care, Plymouth University accepts no responsibility for
viruses and it is your responsibility to scan emails and their attachments.
Plymouth University does not accept responsibility for any changes made after
it was sent. Nothing in this email or its attachments constitutes an order
for goods or services unless accompanied by an official order form.
- [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/11/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, Stefan Winter, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, Tomasz Wolniewicz, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/13/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, Tomasz Wolniewicz, 07/13/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/13/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, Tomasz Wolniewicz, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, John Horne, 07/12/2017
- Re: [[cat-users]] Configure CAT with RADIUS proxy servers?, Stefan Winter, 07/12/2017
Archive powered by MHonArc 2.6.19.