cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Jason Duerstock <jason.duerstock AT gallaudet.edu>
- To: Dave Flynn <dflynn AT carleton.edu>
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Trouble with CAT installation
- Date: Mon, 21 Aug 2017 13:04:41 -0400
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=gallaudet.edu
Have any of the intermediate CAs changed?
On Mon, Aug 21, 2017 at 12:58 PM, Dave Flynn <dflynn AT carleton.edu> wrote:
Hi folks,

I have recently taken over management of our Eduroam environment following the departure of another staff member. Coincidentally, the SSL certificate for our radius server expired on 13-8-17. I replaced that certificate the same afternoon and thought things were fine, but later discovered that the CAT installer results in a non-functional connection.

On my Windows 10 machine, I see the following events in the event log:

---
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 8260
Interface GUID: {23a1c9ab-a939-428d-8792-183e13accade}
Local MAC Address: 44:85:00:F4:EA:07
Network SSID: eduroam
BSS Type: Infrastructure
Peer MAC Address: 9C:1C:12:02:24:B0
Identity: dflynn AT carleton.edu
User: dflynn
Domain: ADS
Reason: Explicit Eap failure received
Error: 0x40420110
EAP Reason: 0x40420110
EAP Root cause String: Network authentication failed due to a problem with the user account
---

and the corresponding logs from our radius server:

---
Mon Aug 21 11:45:24 2017 : Auth: (2302756) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [dflynn AT carleton.edu] (from client pf port 0 cli 44:85:00:f4:ea:07)
Mon Aug 21 11:45:24 2017 : [mac:44:85:00:f4:ea:07] Rejected user: dflynn AT carleton.edu
---

I've done a fair amount of searching for related errors, and most sources agree that it must be a certificate-related issue, but I can't get any further than this. The root CA has not changed; connection tests run through the CAT website (including with legitimate test account credentials) succeed. I've verified that the SHA1 hash of the root CA, which is embedded in the XML profile installed by the CAT, is correct.

One final bit of information: if I delete the profile created by the CAT and connect to the eduroam SSID manually, I am prompted to accept the certificate presented by our radius server, and can verify that it is correct. It seems clear that the certificate chain is broken in some way, but I can't figure out why.

Does the CAT install the intermediate and root certificates into the relevant Windows stores, or do we need to do that ourselves via group policy or similar?

Anyone have any ideas? If this is not an appropriate venue for such questions, please let me know and I'll try elsewhere.
Thanks,

Dave Flynn
Manager of Systems and Infrastructure
Carleton College
507 222 7836 - office
651 331 6323 - cell