
cat-users - Re: [[cat-users]] Trouble with CAT installation

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Trouble with CAT installation


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Dave Flynn <dflynn AT carleton.edu>, Jason Duerstock <jason.duerstock AT gallaudet.edu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Trouble with CAT installation
  • Date: Mon, 21 Aug 2017 21:29:21 +0200

Hi,

  If you kept the root the same and the server name in the certificate as well, and you have added your new intermediates into the server configuration, then CAT installers for Windows should work correctly even without changing the intermediates in the CAT setup. In principle replacing the server cert should not have any consequences for users. For Apple I would not be so sure as we have experienced it to work not quite as expected with intermediate certs.

Tomasz



On 21.08.2017 at 19:19, Dave Flynn wrote:
Hi Jason,

Yes; there are two intermediate certificates in the chain which differ from the prior (single) intermediate certificate. The root CA is the same in both cases. I modified our CAT configuration to remove the original intermediates and add the new ones.

Thanks,

Dave Flynn
Manager of Systems and Infrastructure
Carleton College
507 222 7836 - office
651 331 6323 - cell

On Mon, Aug 21, 2017 at 12:04 PM, Jason Duerstock <jason.duerstock AT gallaudet.edu> wrote:
Have any of the intermediate CAs changed?

On Mon, Aug 21, 2017 at 12:58 PM, Dave Flynn <dflynn AT carleton.edu> wrote:
Hi folks,

I have recently taken over management of our Eduroam environment following the departure of another staff member. Coincidentally, the SSL certificate for our radius server expired on 13-8-17. I replaced that certificate the same afternoon and thought things were fine, but later discovered that the CAT installer results in a non-functional connection.

On my Windows 10 machine, I see the following events in the event log:

---
Wireless 802.1x authentication failed.

Network Adapter: Intel(R) Dual Band Wireless-AC 8260
Interface GUID: {23a1c9ab-a939-428d-8792-183e13accade}
Local MAC Address: 44:85:00:F4:EA:07
Network SSID: eduroam
BSS Type: Infrastructure
Peer MAC Address: 9C:1C:12:02:24:B0
Identity: dflynn AT carleton.edu
User: dflynn
Domain: ADS
Reason: Explicit Eap failure received
Error: 0x40420110
EAP Reason: 0x40420110
EAP Root cause String: Network authentication failed due to a problem with the user account
---

and the corresponding logs from our radius server:

---
Mon Aug 21 11:45:24 2017 : Auth: (2302756) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [dflynn AT carleton.edu] (from client pf port 0 cli 44:85:00:f4:ea:07)
Mon Aug 21 11:45:24 2017 : [mac:44:85:00:f4:ea:07] Rejected user: dflynn AT carleton.edu
---

I've done a fair amount of searching for related errors, and most sources agree that it must be a certificate-related issue, but I can't get any further than this. The root CA has not changed; connection tests run through the CAT website (including with legitimate test account credentials) succeed. I've verified that the SHA1 hash of the root CA, which is embedded in the XML profile installed by the CAT, is correct.

One final bit of information: if I delete the profile created by the CAT and connect to the eduroam SSID manually, I am prompted to accept the certificate presented by our radius server, and can verify that it is correct. It seems clear that the certificate chain is broken in some way, but I can't figure out why. Does the CAT install the intermediate and root certificates into the relevant Windows stores, or do we need to do that ourselves via group policy or similar?

Anyone have any ideas? If this is not an appropriate venue for such questions, please let me know and I'll try elsewhere.

Thanks,

Dave Flynn
Manager of Systems and Infrastructure
Carleton College
507 222 7836 - office
651 331 6323 - cell
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users


-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576
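
The condition in the reply at the top of this message (same root, same server name, new intermediates present in the server configuration) can be checked offline with openssl. This is an added example, not part of the original thread or of CAT: the demo CA names, file names and radius.example.org are constructed, and it shows generic X.509 path validation against a single pinned root, not the Windows supplicant's own logic.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (every name here is made up for the example):
# Demo Root CA -> Intermediate 1 -> Intermediate 2 -> radius.example.org,
# plus an "old" intermediate that did not issue the new server certificate.

# issue NAME CN EXTFILE [ISSUER]: new key and CSR, signed by ISSUER (self-signed if omitted)
issue() {
  local name=$1 cn=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

# make_demo_pki DIR: build the constructed chain inside DIR
make_demo_pki() {
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:radius.example.org\n' > srv.ext
    issue root "Demo Root CA" ca.ext &&
    issue old "Demo Old Intermediate" ca.ext root &&
    issue int1 "Demo Intermediate 1" ca.ext root &&
    issue int2 "Demo Intermediate 2" ca.ext int1 &&
    issue server "radius.example.org" srv.ext int2 &&
    cat int2.pem int1.pem > new-intermediates.pem )
}

# chain_ok ROOT SERVER NAME [SENT]: succeed only if SERVER carries NAME and chains to
# the one trusted ROOT, using SENT (the intermediates the RADIUS server would send in
# the TLS handshake) purely as untrusted path-building material.
chain_ok() {
  local root=$1 server=$2 name=$3 sent=${4:-}
  openssl verify -no-CApath -CAfile "$root" -verify_hostname "$name" \
    ${sent:+-untrusted "$sent"} "$server" >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
for sent in new-intermediates.pem old.pem; do
  if chain_ok "$d/root.pem" "$d/server.pem" radius.example.org "$d/$sent"; then
    echo "server sends $sent: chain OK"
  else
    echo "server sends $sent: chain BROKEN"
  fi
done
rm -rf "$d"
```

For a real deployment, call `chain_ok` with the root certificate the CAT profile pins, the new server certificate, the server name configured in CAT, and the file of intermediates configured on the RADIUS server.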


