cat-users - Re: [[cat-users]] Trouble with CAT installation

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jason Duerstock <jason.duerstock AT gallaudet.edu>
  • To: Dave Flynn <dflynn AT carleton.edu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Trouble with CAT installation
  • Date: Mon, 21 Aug 2017 13:04:41 -0400
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=gallaudet.edu

Have any of the intermediate CAs changed?

On Mon, Aug 21, 2017 at 12:58 PM, Dave Flynn <dflynn AT carleton.edu> wrote:
Hi folks,

I have recently taken over management of our eduroam environment following the departure of another staff member. Coincidentally, the SSL certificate for our RADIUS server expired on 13-8-17. I replaced that certificate the same afternoon and thought things were fine, but later discovered that the CAT installer results in a non-functional connection.

On my Windows 10 machine, I see the following events in the event log:

---
Wireless 802.1x authentication failed.

Network Adapter: Intel(R) Dual Band Wireless-AC 8260
Interface GUID: {23a1c9ab-a939-428d-8792-183e13accade}
Local MAC Address: 44:85:00:F4:EA:07
Network SSID: eduroam
BSS Type: Infrastructure
Peer MAC Address: 9C:1C:12:02:24:B0
User: dflynn
Domain: ADS
Reason: Explicit Eap failure received
Error: 0x40420110
EAP Reason: 0x40420110
EAP Root cause String: Network authentication failed due to a problem with the user account
---

and the corresponding logs from our RADIUS server:

---
Mon Aug 21 11:45:24 2017 : Auth: (2302756) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [dflynn AT carleton.edu] (from client pf port 0 cli 44:85:00:f4:ea:07)
Mon Aug 21 11:45:24 2017 : [mac:44:85:00:f4:ea:07] Rejected user: dflynn AT carleton.edu
---

I've done a fair amount of searching for related errors, and most sources agree that it must be a certificate-related issue, but I can't get any further than this. The root CA has not changed; connection tests run through the CAT website (including with legitimate test account credentials) succeed. I've verified that the SHA1 hash of the root CA, which is embedded in the XML profile installed by the CAT, is correct.

One final bit of information: if I delete the profile created by the CAT and connect to the eduroam SSID manually, I am prompted to accept the certificate presented by our RADIUS server, and can verify that it is correct. It seems clear that the certificate chain is broken in some way, but I can't figure out why. Does the CAT install the intermediate and root certificates into the relevant Windows stores, or do we need to do that ourselves via group policy or similar?

Anyone have any ideas? If this is not an appropriate venue for such questions, please let me know and I'll try elsewhere.

Thanks,

Dave Flynn
Manager of Systems and Infrastructure
Carleton College
507 222 7836 - office