cat-users - Re: [[cat-users]] ChromeOS eduroam CAT config

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Visser,Ramon R.D." <r.visser AT fontys.nl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] ChromeOS eduroam CAT config
  • Date: Mon, 4 Sep 2017 13:27:14 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Thanks for the analysis and the further actions taken!
>
> I just asked my colleague to test the RESTENA profile. The result will come
> afterwards.
>
> Your question about the CA cert upload: I personally created the
> profile at the beginning of this year.
> So it's after the hotfix applied on 30th of August.

Okay, so that's not it. We're dialling up the mysteriousness level then :-)

Please let me know if the import of the RESTENA profile is any different
in terms of config behaviour.

Stefan

>
> Best regards,
>
> Ramon
>
> Ramon Visser . Virtueel Security Cluster Coordinator, Dienst IT . Fontys
> Hogescholen
> Het Eeuwsel 2, 5612 AS . Gebouw S1, kamer /flex . Postbus 347, 5600 AH
> Eindhoven
> r.visser AT fontys.nl
> +31618390398
> Info: Not present on Friday 1 September
>
> -----Original message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Monday 4 September 2017 11:48
> To: Visser,Ramon R.D. <r.visser AT fontys.nl>; cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] ChromeOS eduroam CAT config
>
> Hello,
>
>> Unfortunately I do not have a ChromeBook at the moment so hopefully
>> next week.
>
> I brushed the dust off my lab Chromebook, updated it from 55 to 60 (not
> powered on in a while...), and ran a quick test:
>
> - Fontys profile indeed is getting installed, but the relevant fields are
> not pre-filled on first connection attempt despite this being a "proper"
> eduroam network (so, I can reproduce your error).
>
> - RESTENA profile is also getting installed, and does what it should
>
> Since the installer generation comes from the same site, using the same
> code paths, this makes it *look* like there's a problem with your
> certificate indeed.
>
> May I ask a strange question: for how long did you not change the CA
> certificate in the CAT system?
>
> I'm asking because there was a really weirdo bug/misunderstanding between
> CAT and ChromeOS a while back: when the PEM file of the upload contained
> some invisible control characters which *are allowed per spec* then we'd
> save the PEM file as-is and serve it to Chromebooks (and of course all
> other OSes). But while all other OSes consumed that file like they should,
> ChromeOS took offence at the control characters and refused the CA cert. Or
> maybe our code did the wrong thing and sent a wrongly-mangled version of it
> to the installer. I really don't remember any more.
>
> Our fix was some extra careful re-encoding of the cert without control
> characters. This fixes the issue *for all new uploads*. But if you've
> uploaded the CA file longer than that ago, you might still be affected.
>
> I believe we've applied the hotfix for that on 30 August 2016. So if your
> upload of the CA file is older than that, you could simply try to delete
> and re-add the CA file in the admin interface.
>
> Greetings,
>
> Stefan Winter
>
>>
>> Best regards,
>>
>> Ramon Visser
>>
>> From: Visser,Ramon R.D.
>> Sent: Thursday 31 August 2017 16:11
>> To: Stefan Winter <stefan.winter AT restena.lu>; cat-users AT lists.geant.org
>> Subject: RE: [[cat-users]] ChromeOS eduroam CAT config
>>
>> Hi Stefan,
>>
>> In the attachment are the requested certs.
>>
>> I have to find a ChromeBook to give you the exact details.
>>
>> -----Original message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: Thursday 31 August 2017 15:51
>> To: Visser,Ramon R.D. <r.visser AT fontys.nl>; cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] ChromeOS eduroam CAT config
>>
>> Hello,
>>
>>> We have a question about the configuration file for ChromeOS devices.
>>>
>>> In the IdP we configured the EAP details for this profile:
>>>
>>> Although after downloading and importing the .ONC (see attachment)
>>> into a ChromeOS device the CA fields are empty and not containing the
>>> specific information about the publisher of our radius wifi.fontys.nl
>>> certificate:
>>>
>>> Is this correct?
>>
>> No, it's not: after installing the ONC file and clicking on the
>> network for the first time, you should see a pre-filled form which
>> only misses username/password settings.
>>
>> It looks like the ONC file was either not imported correctly (you can
>> verify by looking at the list of "Preferred Networks" - eduroam should
>> be in that list once you installed the ONC file), or for some reason
>> ChromeOS thinks that the network you are connecting to does not match
>> the one configured (e.g. we install eduroam as WPA2 network - if the
>> network is a, shudder, WEP network, it is too different to be
>> considered a config match).
>>
>> So, can you please find out if eduroam is in the list of preferred
>> networks after installation?
>>
>> Also, independently of the issue at hand, are you sure that this CA is
>> really the one that has issued your server certificate? I believe the
>> "Assured ID Root CA" issues client certificates for email signing
>> (S/MIME), but no server certificates. If you want to, you can send me
>> the server cert off-list (NOT the key of course). I tried to grab it
>> via EAP from the @fontys.nl eduroam server, but it seems to be an MS
>> IAS which rejects me before it even sends a certificate.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
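
Added example, not part of the original message and not CAT's own code: a Python sketch of the kind of fix the quoted reply describes, decoding an uploaded PEM CA certificate to DER and writing it back as canonical PEM with no control characters. Which bytes count as suspect (anything outside printable ASCII except LF) is an assumption, and the sample input is constructed placeholder data, not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def find_control_chars(pem: bytes):
    """(offset, byte) for every byte outside printable ASCII, LF excepted.
    Assumption: this is the set a strict consumer may reject."""
    return [(i, b) for i, b in enumerate(pem)
            if b != 0x0A and not 0x20 <= b <= 0x7E]

def reencode_pem(pem: bytes) -> bytes:
    """Decode every CERTIFICATE block to DER and re-emit canonical PEM:
    64-column base64, LF line endings, nothing outside the armor lines."""
    blocks = []
    for match in PEM_BLOCK.finditer(pem):
        # Keep only base64 alphabet characters, then decode strictly.
        b64 = re.sub(rb"[^A-Za-z0-9+/=]", b"", match.group(1))
        der = base64.b64decode(b64, validate=True)
        text = base64.b64encode(der).decode("ascii")
        lines = [text[i:i + 64] for i in range(0, len(text), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return "".join(blocks).encode("ascii")

# Constructed sample: placeholder bytes standing in for DER (not a real
# certificate), wrapped with a BOM, CRLF endings, a tab and a trailing NUL.
SAMPLE_DER = bytes(range(200))
_B64 = base64.b64encode(SAMPLE_DER)
DIRTY_PEM = (b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\r\n"
             + _B64[:76] + b"\r\n\t" + _B64[76:] + b"\r\n"
             + b"-----END CERTIFICATE-----\r\n\x00")

if __name__ == "__main__":
    print("suspect bytes in upload:", len(find_control_chars(DIRTY_PEM)))
    clean = reencode_pem(DIRTY_PEM)
    print("suspect bytes after re-encoding:", len(find_control_chars(clean)))
    print(clean.decode("ascii"))
```

Running `find_control_chars` over the stored CA file before serving it in an installer shows whether an older upload still carries such bytes and needs to be re-added.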



