
cat-users - Re: [[cat-users]] Certificate Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Lewis Couldwell <LCouldwell AT kirkleescollege.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: Chris mathers <CMathers AT kirkleescollege.ac.uk>, Sam Lim <SLim AT KirkleesCollege.ac.uk>
  • Subject: Re: [[cat-users]] Certificate Issues
  • Date: Thu, 12 Oct 2017 14:03:06 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

> We are currently in the process of configuring the CAT Tool for our
> institution. We have configured the profile using PEAP-MSCHAPv2 and
> added the root & Intermediate Certificates for our Radius Server.
> However, when the profile is installed on the mobile device the Wifi
> will still not connect without manually setting the CA Certificate to
> (Unspecified), see before and after screenshot. Is there any way for the
> tool to set the certificate to (unspecified)? Or is there a way we can
> get our existing certificate to work with this tool?

It is not possible to set it to "Unspecified". This makes the connection
attempt insecure and open to MITM attacks. It is the exact purpose of
the CAT tools to close that loophole.

Your certificate settings look almost good, but not quite:

- when connecting to your server via the realm check tool, I end up at a
server "radius1.kirkleescollege.ac.uk" which is what you configured as
the expected hostname - good
- when connecting another time, this time from command-line eapol_test,
I end up at a server "radius2.kirkleescollege.ac.uk" which is not the
expected server name - the connection fails at the server validation stage

Probably, the connection failures you see are simply because the server
names don't match. Of course, turning off the server-side validation
with "CA unspecified" makes the apparent issue go away because no server
name is being checked any more.

However, the root cause of the problem is that either the config should
be enriched to contain *all* authorised server names, or all RADIUS
servers should get the same EAP server certificate; there is not usually
a reason for two distinct names "radius1" and "radius2"; EAP does not
require any synchronicity with the actual hostname of the RADIUS server.

For best compatibility with exotic devices, choosing the latter option
(one cert for all RADIUS servers) is the best current practice.

Greetings,

Stefan Winter

>
> Here is the profile configuration for our institution.
>
> Regards
>
> Lewis Couldwell
> Network Engineer
> Kirklees College


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
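As an added illustration (not code from the list post or from the CAT project), the following simplified model of the supplicant's server-name check reproduces the scenarios in the reply above: the profile that names only radius1 fails when radius2 answers, "CA unspecified" hides the failure by skipping validation entirely, and either listing every authorised name or issuing one shared certificate makes the check pass. The CA name, the hostnames used as test data and the issuer-by-name comparison are assumptions standing in for real chain validation.

```python
# Added example, not from the post or the CAT project: a simplified model of
# the EAP server-name check a supplicant applies to the RADIUS certificate.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Certificate fields relevant to name checking (constructed sample data)."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)
    issuer: str = "Kirklees Root CA (placeholder)"


def check_server(cert: ServerCert, expected_names: list[str],
                 trusted_cas: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one EAP server certificate.

    An empty trusted_cas models the "CA certificate: (Unspecified)" setting:
    nothing is validated, so any server is accepted (the MITM exposure the
    reply warns about). Issuer matching by name is an assumed simplification
    of real chain validation.
    """
    if not trusted_cas:
        return True, "no CA configured: server not validated (insecure)"
    if cert.issuer not in trusted_cas:
        return False, f"issuer {cert.issuer!r} is not a configured trust anchor"
    presented = {cert.subject_cn.lower(), *(n.lower() for n in cert.san_dns)}
    matched = presented & {n.lower() for n in expected_names}
    if not matched:
        return False, f"none of {sorted(presented)} in {sorted(expected_names)}"
    return True, f"server name {sorted(matched)[0]} matched"


# Constructed sample data modelled on the thread (hostnames assumed).
CA = ["Kirklees Root CA (placeholder)"]
RADIUS1 = ServerCert("radius1.kirkleescollege.ac.uk")
RADIUS2 = ServerCert("radius2.kirkleescollege.ac.uk")
SHARED = ServerCert("radius.kirkleescollege.ac.uk",
                    san_dns=["radius1.kirkleescollege.ac.uk",
                             "radius2.kirkleescollege.ac.uk"])
PROFILE_ORIGINAL = ["radius1.kirkleescollege.ac.uk"]
PROFILE_ALL_NAMES = ["radius1.kirkleescollege.ac.uk",
                     "radius2.kirkleescollege.ac.uk"]


def demo() -> dict[str, bool]:
    """Accept/reject outcome of each scenario discussed in the reply."""
    return {
        "radius1, original profile": check_server(RADIUS1, PROFILE_ORIGINAL, CA)[0],
        "radius2, original profile": check_server(RADIUS2, PROFILE_ORIGINAL, CA)[0],
        "radius2, CA unspecified": check_server(RADIUS2, PROFILE_ORIGINAL, [])[0],
        "radius2, all names listed": check_server(RADIUS2, PROFILE_ALL_NAMES, CA)[0],
        "shared cert, original profile": check_server(SHARED, PROFILE_ORIGINAL, CA)[0],
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

Note that the "CA unspecified" row is accepted only because no check ran at all, which is exactly why that setting must not be used as a fix.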
