cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: "Visser,Ramon R.D." <r.visser AT fontys.nl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] ChromeOS eduroam CAT config
- Date: Mon, 4 Sep 2017 13:27:14 +0200
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
> Thnx for the analysis and further taken actions!
>
> I just asked my collegue for testing the RESTENA profile. Result wil come
> afterwards.
>
> Your question about the CA cert upload: I have created personally the
> profile beginning of this year.
> So it's after the applied hotfix of 30th of August.
Okay, so that's not it. We're dialling up the mysteriousness level then :-)
Please let me know if the import of the RESTENA profile is any different
in terms of config behaviour.
Stefan
>
> Best regards,
>
> Ramon
>
> Ramon Visser . Virtueel Security Cluster Coordinator, Dienst IT . Fontys
> Hogescholen
> Het Eeuwsel 2, 5612 AS . Gebouw S1, kamer /flex . Postbus 347, 5600 AH
> Eindhoven
> r.visser AT fontys.nl
> +31618390398
> Info: Vrijdag 1 september niet aanwezig
>
>
>
> -----Oorspronkelijk bericht-----
> Van: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Verzonden: maandag 4 september 2017 11:48
> Aan: Visser,Ramon R.D.
> <r.visser AT fontys.nl>;
>
> cat-users AT lists.geant.org
> Onderwerp: Re: [[cat-users]] ChromeOS eduroam CAT config
>
> Hello,
>
>> Unfortunaltly I do not have an ChromeBook at the moment so hopefully
>> next week.
>
> I brushed the dust off my lab Chromebook, updated it from 55 to 60 (not
> powered on in a while...), and ran a quick test:
>
> - Fontys profile indeed is getting installed, but the relevant fields are
> not pre-filled on first connection attempt despite this being a "proper"
> eduroam network (so, I can reproduce your error).
>
> - RESTENA profiles is also getting installed, and does what it should
>
> Since the installer generation comes from the same site, using the same
> code paths, this makes it *look* like there's a problem with your
> certificate indeed.
>
> May I ask a strange question: for how long did you not change the CA
> certificate in the CAT system?
>
> I'm asking because there was a really weirdo bug/misunderstanding between
> CAT and ChromeOS a while back: when the PEM file of the upload contained
> some invisible control characters which *are allowed per spec* then we'd
> save the PEM file as-is and serve it to Chromebooks (and of course all
> other OSes). But while all other OSes consumed that file like they should,
> ChromeOS took offence on the control characters and refused the CA cert. Or
> maybe our code did the wrong thing and sent a wrongly-mangled version of it
> to the installer. I really don't remember any more.
>
> Our fix was some extra careful re-encoding of the cert without control
> characters. This fixes the issue *for all new uploads*. But if you've
> uploaded the CA file longer than that ago, you might still be affected.
>
> I believe we've applied the hotfix for that on 30 August 2016. So if your
> upload of the CA file is older than that, you could simply try to delete
> and re-add the CA file in the admin interface.
>
> Greetings,
>
> Stefan Winter
>
>>
>>
>>
>> Best regards,
>>
>>
>>
>> Ramon Visser
>>
>>
>>
>> cid:image001.jpg AT 01D15E6A.34F41210 <http://www.fontys.nl/>
>>
>>
>>
>> *Ramon Visser **.* Virtueel Security Cluster Coordinator, Dienst IT
>> *.*Fontys Hogescholen Het Eeuwsel 2, 5612 AS
>> <http://www.fontys.nl/over.fontys/plattegrond.aspx?idgebouw=59>*.*Gebo
>> uw S1, kamer /flex *.*Postbus 347, 5600 AH Eindhoven
>> r.visser AT fontys.nl
>>
>> <mailto:r.visser AT fontys.nl>+31618390398
>>
>> *Info: Vrijdag 1 september niet aanwezig*
>>
>>
>>
>>
>>
>> *Van:*Visser,Ramon R.D.
>> *Verzonden:* donderdag 31 augustus 2017 16:11
>> *Aan:* Stefan Winter
>> <stefan.winter AT restena.lu>;
>>
>> cat-users AT lists.geant.org
>> *Onderwerp:* RE: [[cat-users]] ChromeOS eduroam CAT config
>>
>>
>>
>> Hi Stefan,
>>
>>
>>
>> in the attachment the requested certs.
>>
>>
>>
>> I have to find an ChromeBook to give you the exact details.
>>
>>
>>
>>
>>
>>
>>
>> Ramon Visser . Virtueel Security Cluster Coördinator, Dienst IT .
>> Fontys Hogescholen
>>
>> Het Eeuwsel 2, 5612 AS . Gebouw S1, kamer /flex . Postbus 347, 5600 AH
>> Eindhoven
>>
>> r.visser AT fontys.nl<mailto:r.visser AT fontys.nl>+31618390398
>>
>>
>>
>>
>>
>> -----Oorspronkelijk bericht-----
>> Van: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>> Verzonden: donderdag 31 augustus 2017 15:51
>> Aan: Visser,Ramon R.D.
>> <r.visser AT fontys.nl
>>
>> <mailto:r.visser AT fontys.nl>>;
>>
>> cat-users AT lists.geant.org
>>
>> <mailto:cat-users AT lists.geant.org>
>> Onderwerp: Re: [[cat-users]] ChromeOS eduroam CAT config
>>
>>
>>
>> Hello,
>>
>>
>>
>>> We have an question about de configuration file for ChromeOS
>>
>>> devices.>> In the IdP we configured the EAP details for this
>>> profile:>
>>
>>> Although after downloading and importing the .ONC (see attachment)
>>
>>> into an ChromeOS device the CA fields are empty and not containing
>>> the
>>
>>> specific information about the publisher of our radius wifi.fontys.nl
>>
>>> certificate:
>>
>>>
>>
>>> Is this correct?
>>
>>
>>
>> No, it's not: after installing the ONC file and clicking on the
>> network for the first time, you should see a pre-filled form which
>> only misses username/password settings.
>>
>>
>>
>> It looks like the ONC file was either not imported correctly (you can
>> verify by looking at the list of "Preferred Networks" - eduroam should
>> be in that list once you installed the ONC file), or for some reason
>> ChromeOS thinks that the network you are connecting to does not match
>> the one configured (e.g. we install eduroam as WPA2 network - if the
>> network is a, shudder, WEP network, it is too different to be
>> considered a config match).
>>
>>
>>
>> So, can you please find out if eduroam is in the list of preferred
>> networks after installation?
>>
>>
>>
>> Also, independently of the issue at hand, are you sure that this CA is
>> really the one that has issued your server certificate? I believe the
>> "Assured ID Root CA" issues client certificates for email signing
>> (S/MIME), but no server certificates. If you want to, you can send me
>> the server cert off-list (NOT the key of course). I tried to grab it
>> via EAP from the @fontys.nl eduroam server, but it seems to be an MS
>> IAS which rejects me before it even sends a certificate.
>>
>>
>>
>> Greetings,
>>
>>
>>
>> Stefan Winter
>>
>>
>>
>> --
>>
>> Stefan WINTER
>>
>> Ingenieur de Recherche
>>
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche 2, avenue de l'Université
>>
>> L-4365 Esch-sur-Alzette
>>
>>
>>
>> Tel: +352 424409 1
>>
>> Fax: +352 422473
>>
>>
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>>
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>>
>> ========================================================== Op deze
>> e-mail zijn de volgende voorwaarden van toepassing:
>> http://www.fontys.nl/disclaimer The above disclaimer applies to this
>> e-mail message.
>> To unsubscribe, send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
- Re: [[cat-users]] ChromeOS eduroam CAT config, Stefan Winter, 09/04/2017
- RE: [[cat-users]] ChromeOS eduroam CAT config, Visser,Ramon R.D., 09/04/2017
- Re: [[cat-users]] ChromeOS eduroam CAT config, Stefan Winter, 09/04/2017
- RE: [[cat-users]] ChromeOS eduroam CAT config, Visser,Ramon R.D., 09/04/2017
- RE: [[cat-users]] ChromeOS eduroam CAT config, Visser,Ramon R.D., 09/04/2017
Archive powered by MHonArc 2.6.19.