The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Visser,Ramon R.D." <r.visser AT fontys.nl>]

Hi Stefan,

The RESTENA profile is working here as well, see attachment.
chromeOS version is 60.0.x

I also included the rootCA cert.

Best regards,


Ramon Visser .  Virtueel Security Cluster Coordinator, Dienst IT . Fontys 
Hogescholen
Het Eeuwsel 2, 5612 AS . Gebouw S1, kamer /flex . Postbus 347, 5600 AH 
Eindhoven
r.visser AT fontys.nl
 +31618390398
Info: Vrijdag 1 september niet aanwezig



-----Oorspronkelijk bericht-----
Van: Visser,Ramon R.D. 
Verzonden: maandag 4 september 2017 12:48
Aan: 'Stefan Winter' 
<stefan.winter AT restena.lu>;
 
cat-users AT lists.geant.org
Onderwerp: RE: [[cat-users]] ChromeOS eduroam CAT config

Hi Stefan,

Thnx for the analysis and further taken actions!

I just asked my collegue for testing the RESTENA profile. Result wil come 
afterwards.

Your question about the CA cert upload: I have created personally the profile 
beginning of this year. 
So it's after the applied hotfix of 30th of August.

Best regards,

Ramon

Ramon Visser .  Virtueel Security Cluster Coordinator, Dienst IT . Fontys 
Hogescholen Het Eeuwsel 2, 5612 AS . Gebouw S1, kamer /flex . Postbus 347, 
5600 AH Eindhoven 
r.visser AT fontys.nl
 +31618390398
Info: Vrijdag 1 september niet aanwezig



-----Oorspronkelijk bericht-----
Van: Stefan Winter 
[mailto:stefan.winter AT restena.lu]
Verzonden: maandag 4 september 2017 11:48
Aan: Visser,Ramon R.D. 
<r.visser AT fontys.nl>;
 
cat-users AT lists.geant.org
Onderwerp: Re: [[cat-users]] ChromeOS eduroam CAT config

Hello,

> Unfortunaltly I do not have an ChromeBook at the moment so hopefully 
> next week.

I brushed the dust off my lab Chromebook, updated it from 55 to 60 (not 
powered on in a while...), and ran a quick test:

- Fontys profile indeed is getting installed, but the relevant fields are not 
pre-filled on first connection attempt despite this being a "proper" eduroam 
network (so, I can reproduce your error).

- RESTENA profiles is also getting installed, and does what it should

Since the installer generation comes from the same site, using the same code 
paths, this makes it *look* like there's a problem with your certificate 
indeed.

May I ask a strange question: for how long did you not change the CA 
certificate in the CAT system?

I'm asking because there was a really weirdo bug/misunderstanding between CAT 
and ChromeOS a while back: when the PEM file of the upload contained some 
invisible control characters which *are allowed per spec* then we'd save the 
PEM file as-is and serve it to Chromebooks (and of course all other OSes). 
But while all other OSes consumed that file like they should, ChromeOS took 
offence on the control characters and refused the CA cert. Or maybe our code 
did the wrong thing and sent a wrongly-mangled version of it to the 
installer. I really don't remember any more.

Our fix was some extra careful re-encoding of the cert without control 
characters. This fixes the issue *for all new uploads*. But if you've 
uploaded the CA file longer than that ago, you might still be affected.

I believe we've applied the hotfix for that on 30 August 2016. So if your 
upload of the CA file is older than that, you could simply try to delete and 
re-add the CA file in the admin interface.

Greetings,

Stefan Winter

> 
>  
> 
> Best regards,
> 
>  
> 
> Ramon Visser
> 
>  
> 
> cid:image001.jpg AT 01D15E6A.34F41210 <http://www.fontys.nl/>
> 
>       
> 
> *Ramon Visser **.*  Virtueel Security Cluster Coordinator, Dienst IT 
> *.*Fontys Hogescholen Het Eeuwsel 2, 5612 AS 
> <http://www.fontys.nl/over.fontys/plattegrond.aspx?idgebouw=59>*.*Gebo
> uw S1, kamer /flex *.*Postbus 347, 5600 AH Eindhoven 
> r.visser AT fontys.nl
>  
> <mailto:r.visser AT fontys.nl>+31618390398
> 
> *Info: Vrijdag 1 september niet aanwezig*
> 
>  
> 
>  
> 
> *Van:*Visser,Ramon R.D.
> *Verzonden:* donderdag 31 augustus 2017 16:11
> *Aan:* Stefan Winter 
> <stefan.winter AT restena.lu>;
>  
> cat-users AT lists.geant.org
> *Onderwerp:* RE: [[cat-users]] ChromeOS eduroam CAT config
> 
>  
> 
> Hi Stefan,
> 
>  
> 
> in the attachment the requested certs.
> 
>  
> 
> I have to find an ChromeBook to give you the exact details.
> 
>  
> 
>  
> 
>  
> 
> Ramon Visser . Virtueel Security Cluster Coördinator, Dienst IT . 
> Fontys Hogescholen
> 
> Het Eeuwsel 2, 5612 AS . Gebouw S1, kamer /flex . Postbus 347, 5600 AH 
> Eindhoven
> 
> r.visser AT fontys.nl<mailto:r.visser AT fontys.nl>+31618390398
> 
>  
> 
>  
> 
> -----Oorspronkelijk bericht-----
> Van: Stefan Winter 
> [mailto:stefan.winter AT restena.lu]
> Verzonden: donderdag 31 augustus 2017 15:51
> Aan: Visser,Ramon R.D. 
> <r.visser AT fontys.nl
>  
> <mailto:r.visser AT fontys.nl>>;
>  
> cat-users AT lists.geant.org
>  
> <mailto:cat-users AT lists.geant.org>
> Onderwerp: Re: [[cat-users]] ChromeOS eduroam CAT config
> 
>  
> 
> Hello,
> 
>  
> 
>> We have an question about de configuration file for ChromeOS
> 
>> devices.>> In the IdP we configured the EAP details for this 
>> profile:>
> 
>> Although after downloading and importing the .ONC (see attachment)
> 
>> into an ChromeOS device the CA fields are empty and not containing 
>> the
> 
>> specific information about the publisher of our radius wifi.fontys.nl
> 
>> certificate:
> 
>> 
> 
>> Is this correct?
> 
>  
> 
> No, it's not: after installing the ONC file and clicking on the 
> network for the first time, you should see a pre-filled form which 
> only misses username/password settings.
> 
>  
> 
> It looks like the ONC file was either not imported correctly (you can 
> verify by looking at the list of "Preferred Networks" - eduroam should 
> be in that list once you installed the ONC file), or for some reason 
> ChromeOS thinks that the network you are connecting to does not match 
> the one configured (e.g. we install eduroam as WPA2 network - if the 
> network is a, shudder, WEP network, it is too different to be 
> considered a config match).
> 
>  
> 
> So, can you please find out if eduroam is in the list of preferred 
> networks after installation?
> 
>  
> 
> Also, independently of the issue at hand, are you sure that this CA is 
> really the one that has issued your server certificate? I believe the 
> "Assured ID Root CA" issues client certificates for email signing 
> (S/MIME), but no server certificates. If you want to, you can send me 
> the server cert off-list (NOT the key of course). I tried to grab it 
> via EAP from the @fontys.nl eduroam server, but it seems to be an MS 
> IAS which rejects me before it even sends a certificate.
> 
>  
> 
> Greetings,
> 
>  
> 
> Stefan Winter
> 
>  
> 
> --
> 
> Stefan WINTER
> 
> Ingenieur de Recherche
> 
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale 
> et de la Recherche 2, avenue de l'Université
> 
> L-4365 Esch-sur-Alzette
> 
>  
> 
> Tel: +352 424409 1
> 
> Fax: +352 422473
> 
>  
> 
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the 
> recipient's key is known to me
> 
>  
> 
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> 
> ========================================================== Op deze 
> e-mail zijn de volgende voorwaarden van toepassing:
> http://www.fontys.nl/disclaimer The above disclaimer applies to this 
> e-mail message.
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's 
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: RESTENA chromeOS.jpg
Description: RESTENA chromeOS.jpg

Attachment: DigiCert Assured ID Root CA.cer
Description: DigiCert Assured ID Root CA.cer