cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Dave Flynn <dflynn AT carleton.edu>
- To: cat-users AT lists.geant.org
- Subject: [[cat-users]] Fwd: Trouble with CAT installation
- Date: Fri, 1 Sep 2017 09:02:54 -0500
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=carleton.edu
Hi everyone,
I'm reaching out again regarding my message below. I've spent a lot of time on this and I'm no closer to a resolution. Would someone familiar with the CAT installer be able to give me more information about exactly what it does on a Windows machine (e.g. where it installs the certificates we provide it)? If there's documentation to this effect, a link to same would be just fine.
Additionally, is anyone willing to try logging into our eduroam environment with a test account I provide? The same account would let you download the proper installer from cat.eduroam.org. I'm trying to isolate our own radio environment from the problem, even though I don't think it can possibly be related. Please reply privately to me if you're interested in helping out.
Thanks,
Dave Flynn
Manager of Systems and Infrastructure
Carleton College
507 222 7836 - office
651 331 6323 - cell
---------- Forwarded message ----------
From: Dave Flynn <dflynn AT carleton.edu>
Date: Mon, Aug 21, 2017 at 11:58 AM
Subject: Trouble with CAT installation
To: cat-users AT lists.geant.org
Hi folks,
I have recently taken over management of our eduroam environment following the departure of another staff member. Coincidentally, the SSL certificate for our RADIUS server expired on 13-8-17. I replaced that certificate the same afternoon and thought things were fine, but later discovered that the CAT installer results in a non-functional connection on some, but not all, Windows machines.
On my Windows 10 machine, I see the following events in the event log:
---
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 8260
Interface GUID: {23a1c9ab-a939-428d-8792-183e13accade}
Local MAC Address: 44:85:00:F4:EA:07
Network SSID: eduroam
BSS Type: Infrastructure
Peer MAC Address: 9C:1C:12:02:24:B0
Identity: dflynn AT carleton.edu
User: dflynn
Domain: ADS
Reason: Explicit Eap failure received
Error: 0x40420110
EAP Reason: 0x40420110
EAP Root cause String: Network authentication failed due to a problem with the user account
---
and the corresponding logs from our RADIUS server:
---
Mon Aug 21 11:45:24 2017 : Auth: (2302756) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [dflynn AT carleton.edu] (from client pf port 0 cli 44:85:00:f4:ea:07)
Mon Aug 21 11:45:24 2017 : [mac:44:85:00:f4:ea:07] Rejected user: dflynn AT carleton.edu
---
I also see the following in the CAPI2 operational log:
---
+ System
- Provider
[ Name] Microsoft-Windows-CAPI2
[ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
EventID 30
Version 0
Level 2
Task 30
Opcode 0
Keywords 0x4000000000000001
- TimeCreated
[ SystemTime] 2017-09-01T14:01:25.800614500Z
EventRecordID 779
Correlation
- Execution
[ ProcessID] 12112
[ ThreadID] 8168
Channel Microsoft-Windows-CAPI2/Operational
Computer DFLYNN62320
- Security
[ UserID] S-1-5-21-1489318479-843726199-1338259680-10680
- UserData
- CertVerifyCertificateChainPolicy
- Policy
[ type] CERT_CHAIN_POLICY_NT_AUTH
[ constant] 6
- Certificate
[ fileRef] C64B77FA0BA9DF7D7980653D3D22021E1845FA17.cer
[ subjectName] eduroam.carleton.edu
- CertificateChain
[ chainRef] {341DC015-F39D-4389-8680-80F238EAD1F3}
- Flags
[ value] 40000000
[ BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG] true
- Status
[ chainIndex] 0
[ elementIndex] 1
- EventAuxInfo
[ ProcessName] svchost.exe
[ impersonateToken] S-1-5-21-1489318479-843726199-1338259680-10680
- CorrelationAuxInfo
[ TaskId] {5F49660F-4FC5-4533-8810-3C1EF9258EF8}
[ SeqNumber] 1
- Result A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
[ value] 800B0112
---
I've done a fair amount of searching for related errors, and most sources agree that it must be a certificate-related issue, but I can't get any further than this. The root CA has not changed; connection tests run through the CAT website (including with legitimate test account credentials) succeed. I've verified that the SHA1 hash of the root CA, which is embedded in the XML profile installed by the CAT, is correct.
One final bit of information: if I delete the profile created by the CAT and connect to the eduroam SSID manually, I am prompted to accept the certificate presented by our RADIUS server, and can verify that it is correct. It seems clear that the certificate chain is broken in some way, but I can't figure out why. Does the CAT install the intermediate and root certificates into the relevant Windows stores, or do we need to do that ourselves via group policy or similar?
Anyone have any ideas? If this is not an appropriate venue for such questions, please let me know and I'll try elsewhere.
Thanks,
Dave Flynn
Manager of Systems and Infrastructure
Carleton College
507 222 7836 - office
651 331 6323 - cell
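The script below is an added example for readers of this thread; it is not code from the original mail, from the CAT project, or from the poster. It does on the failing Windows machine what the mail does by hand: it exports the WLAN profile the CAT created, reads the root CA thumbprint(s) and server name(s) pinned in the PEAP ServerValidation block, checks whether each pinned thumbprint is actually present in a Windows trust store, and, given a saved copy of the RADIUS server certificate, builds the chain the same way CAPI2 does and prints every chain element with its status so that a "chainIndex 0 / elementIndex 1" entry like the one above can be mapped to a concrete certificate. The profile name "eduroam", the export folder and the optional .cer path are assumptions; the element names TrustedRootCA, ServerNames and DisableUserPromptForServerValidation are those of the Windows PEAP profile XML.

```powershell
# Added example (not from the original mail or the CAT project).
# Assumptions: the CAT-created WLAN profile is named "eduroam"; $ExportDir is
# scratch space; $ServerCer, if given, is a .cer copy of the RADIUS server
# certificate saved from the "accept this certificate" prompt. Run elevated.
param(
    [string]$ProfileName = "eduroam",
    [string]$ExportDir   = (Join-Path $env:TEMP "eduroam-profile"),
    [string]$ServerCer   = ""
)

function Get-ProfileServerValidation {
    # Exports the WLAN profile with netsh and pulls the pinned root thumbprints
    # and expected server names out of the PEAP <ServerValidation> block.
    param([string]$Name, [string]$Dir)
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    netsh wlan export profile name="$Name" folder="$Dir" | Out-Null
    # netsh names the file "<interface>-<profile>.xml", e.g. "Wi-Fi-eduroam.xml".
    $file = Get-ChildItem -Path $Dir -Filter "*-$Name.xml" | Select-Object -First 1
    if (-not $file) { throw "profile '$Name' not found; see 'netsh wlan show profiles'" }
    [xml]$xml = Get-Content -Raw -Path $file.FullName
    # local-name() lookups: the EAP config nests several XML namespaces.
    $roots = $xml.SelectNodes("//*[local-name()='TrustedRootCA']") |
        ForEach-Object { ($_.InnerText -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    $names = $xml.SelectNodes("//*[local-name()='ServerNames']") |
        ForEach-Object { $_.InnerText }
    $noPrompt = $xml.SelectNodes("//*[local-name()='DisableUserPromptForServerValidation']") |
        ForEach-Object { $_.InnerText }
    [pscustomobject]@{
        Profile           = $file.FullName
        TrustedRootCA     = @($roots)
        ServerNames       = @($names)
        DisableUserPrompt = ($noPrompt -join ',')
    }
}

function Find-ThumbprintInStores {
    # Reports, per store, whether each pinned thumbprint is installed. A CA that
    # is only in the intermediate ("CA") store is listed so the gap is visible.
    param([string[]]$Thumbprints)
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
    foreach ($t in $Thumbprints) {
        foreach ($s in $stores) {
            $hit  = Get-ChildItem -Path $s | Where-Object { $_.Thumbprint -eq $t } | Select-Object -First 1
            $subj = ''
            if ($hit) { $subj = $hit.Subject }
            [pscustomobject]@{ Thumbprint = $t; Store = $s; Present = [bool]$hit; Subject = $subj }
        }
    }
}

function Test-ServerCertChain {
    # Builds the chain with the Windows chain engine (the same engine behind the
    # CAPI2 event) and lists each element, index 0 being the end entity.
    # Revocation checking is off so an offline test does not mask a trust error.
    param([string]$CerPath)
    Add-Type -AssemblyName System.Security
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $elements = for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $e  = $chain.ChainElements[$i]
        $st = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $st) { $st = 'OK' }
        [pscustomobject]@{ Index = $i; Subject = $e.Certificate.Subject
                           Thumbprint = $e.Certificate.Thumbprint; Status = $st }
    }
    [pscustomobject]@{
        ChainBuilt = $built
        Elements   = @($elements)
        Overall    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$sv = Get-ProfileServerValidation -Name $ProfileName -Dir $ExportDir
$sv | Format-List
Find-ThumbprintInStores -Thumbprints $sv.TrustedRootCA | Format-Table -AutoSize

if ($ServerCer) {
    $r = Test-ServerCertChain -CerPath $ServerCer
    $r.Elements | Format-Table -AutoSize
    "Chain built: $($r.ChainBuilt)  overall status: $($r.Overall)"
    # The decisive check: Windows accepts the server only if the chain it builds
    # ends in one of the thumbprints pinned in the profile.
    $pinned = $r.Elements | Where-Object { $sv.TrustedRootCA -contains $_.Thumbprint }
    if ($pinned) { "Pinned root found in chain at index $($pinned.Index)" }
    else         { "WARNING: none of the pinned thumbprints appear in the chain Windows builds" }
}
```

Two points of reading for the logs quoted above, offered as context rather than as a diagnosis: the CAPI2 value 800B0112 is CERT_E_UNTRUSTEDCA, and an elementIndex of 1 refers to the certificate directly above the end entity, i.e. the issuing (intermediate) CA rather than the server certificate itself, so the chain this script prints is worth comparing against what the RADIUS server actually sends in its TLS handshake after the August renewal. On the FreeRADIUS side, "TLS Alert read:fatal:access denied" means the server read an alert sent by the Windows supplicant; it is the client refusing the server certificate, which matches the "Explicit Eap failure received" entry in the Windows event log.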