
cat-users - Re: [[cat-users]] Configure CAT with RADIUS proxy servers?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Configure CAT with RADIUS proxy servers?


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: John Horne <john.horne AT plymouth.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Configure CAT with RADIUS proxy servers?
  • Date: Wed, 12 Jul 2017 18:57:35 +0200

Hi John,

you need to add the UserTrust root to CAT CAs; CAT will then set the
tick in the trusted CAs in the Windows profile. I have just used the
University of Plymouth installer and see that you probably changed the
settings, as the connection seems to be set correctly.

I suggest that you use the CAT realm reachability tool available from
the IdP configuration page. This will show you if CAT settings match
what is found in the connection. You will probably need to use the "Live
tests"; your server seems to drop connections from unknown users, so the
standard blind test cannot go far enough to show anything reasonable.

Tomasz




On 12.07.2017 at 17:29, John Horne wrote:
> On Wed, 2017-07-12 at 07:30 +0200, Stefan Winter wrote:
>
>> Hello,
>>> We have started to look at using CAT for our site, but I am having a
>>> problem configuring our main profile. Our setup is that we have 2 front-end
>>> RADIUS servers (running freeradius) which act as proxies to back-end
>>> Microsoft AD/NPS servers.
>>> If I configure CAT with the front-end/proxy servers as the authentication
>>> servers, and use the CA certificate from those servers, then our Windows
>>> (7) clients fail to connect. The problem is reported that the user is
>>> trying to connect to a back-end server, but that server is not listed in
>>> our profile.
>>> I cannot configure the back-end servers into the profile since Windows will
>>> then try to connect directly to those servers. This is not allowed; users
>>> must authenticate via the front-end/proxy servers.
>>> So, is it possible to configure CAT to use front-end proxy servers for
>>> RADIUS authentication?
> ...
>
>> It sounds like your front-end servers terminate EAP, i.e. present a
>> server certificate and decapsulate the inner tunnel authentication
>> (which is PEAP? you didn't say which EAP type you use).
> Yes, PEAP/MSCHAPv2.
>
>
>
>> So, it seems like you did the right thing with specifying the front-end
>> CA and server names (if that's what you did). It would then be helpful
>> to tell us why and with what error message exactly the NPS fails.
> In fact to get this working I have specified the back-end servers. Although
> the users' client will access the front-end servers via the access point, it
> is the back-end servers that do the authentication.
>
> I have no access to the NPS servers, but from a Windows 7 client the
> 'eduroam' connection profile has a checkbox labelled 'Do not prompt user to
> authorize new servers or trusted certification authorities.'.
>
> CAT seems to tick this checkbox. But by unticking it, and attempting to
> connect, I get an error message displayed that the (back-end) server I'm
> connecting to is unknown/untrusted. Hence I have to put in the back-end
> servers.
>
> The problem I have now is that one of the back-end servers is signed by a
> 'USERTrust RSA Certification Authority' certificate. The error the client
> gets is that the "UserTrust RSA... is not configured as a trust anchor for
> this profile." Although this is in the list of Trusted Root Certification
> Authorities for the Windows profile, it is not ticked by CAT. If I manually
> change the Windows profile and tick the CA, then I can authenticate with no
> problems.
>
> The eduroam CAT web page for our profile shows that both the root
> certificate and the intermediate certificates are recognised (they have an
> 'I' in a blue circle next to them; the root has 'R'). I'm wondering if,
> because there are 2 intermediates in the certification chain, that is
> causing a problem with the CA tickbox.
>
> I'll do a little more testing.
>
> John.
>
> --
> John Horne | Senior Operations Analyst | Technology and Information Services
> University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
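The trust-anchor logic the two messages above are working through, as an added example that is not code from the thread, from CAT or from Microsoft: it builds the ServerValidation block of a Windows PEAP profile the way a CAT installer fills it (prompt disabled, one TrustedRootCA thumbprint per root uploaded to CAT, a ServerNames list), parses it back, and applies the decision the Windows 7 supplicant makes when the certificate chain it sees actually comes from the back-end NPS rather than the proxy. The namespace URI and element names are those of the real PEAP profile schema; the example.org server names, the byte strings standing in for DER certificates, and the exact-match rule for server names are assumptions made here.

```python
"""Model the server-validation check a Windows PEAP profile applies to the
RADIUS/EAP server, the check behind the "not configured as a trust anchor
for this profile" error in the thread above. Stdlib only.

Constructed for this example: the byte strings standing in for DER
certificates and the example.org server names. The namespace URI and the
element names are those of the PEAP section of a Windows EapHostConfig
profile; the exact-match rule for server names is a simplification.
"""
import hashlib
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
NS = {"peap": PEAP_NS}


def windows_thumbprint(cert_der: bytes) -> str:
    """SHA-1 over the DER certificate, in the form <TrustedRootCA> carries it:
    lowercase hex pairs separated by spaces."""
    digest = hashlib.sha1(cert_der).hexdigest()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_server_validation(server_names, root_ders, disable_prompt=True):
    """Emit the <ServerValidation> block of a PEAP profile. A CAT installer
    sets DisableUserPromptForServerValidation (the 'Do not prompt user to
    authorize new servers or trusted certification authorities' checkbox) and
    lists one <TrustedRootCA> thumbprint per CA root uploaded to CAT."""
    anchors = "".join(
        f"  <TrustedRootCA>{windows_thumbprint(der)}</TrustedRootCA>\n"
        for der in root_ders
    )
    return (
        f'<ServerValidation xmlns="{PEAP_NS}">\n'
        f"  <DisableUserPromptForServerValidation>{str(disable_prompt).lower()}"
        "</DisableUserPromptForServerValidation>\n"
        f"  <ServerNames>{';'.join(server_names)}</ServerNames>\n"
        f"{anchors}"
        "</ServerValidation>"
    )


def parse_server_validation(xml_text: str) -> dict:
    """Read back the three settings the supplicant decides on."""
    node = ET.fromstring(xml_text)
    if node.tag != f"{{{PEAP_NS}}}ServerValidation":
        node = node.find(".//peap:ServerValidation", NS)
        if node is None:
            raise ValueError("profile has no PEAP ServerValidation block")
    prompt = node.findtext("peap:DisableUserPromptForServerValidation", "false", NS)
    names = node.findtext("peap:ServerNames", "", NS)
    anchors = [e.text.strip().lower()
               for e in node.findall("peap:TrustedRootCA", NS) if e.text]
    return {
        "prompt_disabled": prompt.strip().lower() == "true",
        "server_names": [n.strip() for n in names.split(";") if n.strip()],
        "trusted_roots": anchors,
    }


def evaluate(xml_text: str, server_name: str, chain_root_der: bytes) -> dict:
    """Decide as the supplicant would. The root that actually terminates the
    chain the EAP server presents (the back-end NPS, when the proxies only
    forward EAP) must be a listed anchor, and the server certificate's name
    must be listed. With the prompt disabled a miss is a hard failure; the
    user never gets a click-through."""
    sv = parse_server_validation(xml_text)
    root_ok = windows_thumbprint(chain_root_der) in sv["trusted_roots"]
    name_ok = server_name in sv["server_names"]  # simplification: exact match
    if root_ok and name_ok:
        verdict = "accepted"
    elif sv["prompt_disabled"]:
        verdict = "rejected"
    else:
        verdict = "prompt"
    return {"verdict": verdict, "root_trusted": root_ok, "name_listed": name_ok}


# Constructed stand-ins for DER certificates (not real certificates).
FRONTEND_ROOT_DER = b"constructed: private CA that issued the proxies' certificates"
BACKEND_ROOT_DER = b"constructed: stand-in for the public root that signed one NPS"
FRONTEND = ["radius1.example.org", "radius2.example.org"]  # hypothetical names
BACKEND = ["nps1.example.org", "nps2.example.org"]          # hypothetical names


def walk_through() -> tuple:
    """The three profile states from the thread, in order."""
    # Only the proxies' CA and names configured; EAP is terminated on NPS.
    first = build_server_validation(FRONTEND, [FRONTEND_ROOT_DER])
    # Back-end names added, but the second root is still not an anchor.
    second = build_server_validation(FRONTEND + BACKEND, [FRONTEND_ROOT_DER])
    # Root added to the CAT CAs, so its thumbprint is now listed.
    third = build_server_validation(FRONTEND + BACKEND,
                                    [FRONTEND_ROOT_DER, BACKEND_ROOT_DER])
    return tuple(evaluate(p, "nps2.example.org", BACKEND_ROOT_DER)["verdict"]
                 for p in (first, second, third))


if __name__ == "__main__":
    print(walk_through())
```

The walk-through returns rejected, rejected, accepted: the first state fails on the server name (the client is talking to an NPS box whose name is not listed), the second on the missing anchor (the thread's "not configured as a trust anchor" error), and only the third, with the root uploaded to CAT so its thumbprint lands in a TrustedRootCA element, lets the supplicant connect. The same check can be run against a deployed profile by exporting it with `netsh wlan export profile name="eduroam" folder=<dir>` and feeding the XML to `parse_server_validation`; a root that is present in the Windows certificate store but absent from that list is exactly the "not ticked" state described above.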



