cat-users - RE: [[cat-users]] Android Connectivity using CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


RE: [[cat-users]] Android Connectivity using CAT


  • From: Jeremy Plumley <jmplumley AT gtcc.edu>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Android Connectivity using CAT
  • Date: Fri, 23 Feb 2018 17:29:42 +0000

Thank you for all your assistance. I did have two root CAs listed, so I
removed one, leaving the one that I most often see in the chain. I went to
the Check Realm feature and my live login test came back successful. When I
look at more details I can see my server certificate details as well, with no
errors if I'm looking at it correctly.

However, I'm still having issues with the Androids I'm testing with. I removed
the eduroam profile and even cleared the installed certificates on the devices.
After using the eduroam CAT Play Store tool and installing my school's profile, I
get the authentication problem :-(

Jeremy Plumley
ITS Network Administrator
Ext 50024

-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: Friday, February 23, 2018 2:26 AM
To: cat-users AT lists.geant.org; Jeremy Plumley <jmplumley AT gtcc.edu>
Subject: Re: [[cat-users]] Android Connectivity using CAT

Hi,

okay, next up in the list of things Android doesn't like: does your CAT
profile have more than one root CA listed? Up until the most recent versions
of Android, only one root CA could be installed. So if there is more than one
to choose from, you might have gotten the unlucky pick.

The realm check feature is available from the IdP overview page: once you
have a profile which is fully configured, the button "Check realm
reachability" becomes clickable. It is directly below the "Installer
Fine-Tuning ..." button inside the profile box.

Note that you have to have entered the actual realm in the profile properties
- the realm is not strictly necessary to enable installer generation, but it
is needed if we are supposed to run checks against the realm, obviously.

Greetings,

Stefan Winter

On 22.02.2018 at 19:22, Jeremy Plumley wrote:
> Yes, I have uploaded the root CA and the intermediate CA on our CAT
> profile. I'm in the process now of seeing if I can combine the server and
> intermediate together before applying it to my radius. How do I use the
> realm check feature to see if that is my issue?
>
> Jeremy Plumley
> ITS Network Administrator
> Ext 50024
>
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Thursday, February 22, 2018 4:28 AM
> To: Jeremy Plumley <jmplumley AT gtcc.edu>; cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] Android Connectivity using CAT
>
> Hello,
>
> Android has an ample selection of shortcomings to choose from :-)
>
> Do you by any chance have a setup with an intermediate CA in addition to
> the root CA?
>
> And you have uploaded that intermediate CA into the CAT profile?
>
> That's great and makes all the operating systems you listed above work.
>
> Except for Android: it is not possible to install the intermediate CA
> together with the root there.
>
> For Android, you have to make sure that your RADIUS server sends the
> intermediate CA together with the server cert during the EAP conversation;
> otherwise Android cannot create the chain up to the root CA.
>
> There should be a warning in the realm check feature about intermediate CAs
> only being in configuration, but not in the EAP conversation if that is the
> cause of the problem. Do you see that warning?
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
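
The condition Stefan describes (the client holds only the root CA, so the RADIUS server has to send the intermediate alongside its server certificate) can be reproduced offline with the OpenSSL command line. This is an added example, not part of the thread: the function names, file names and the throwaway PKI are constructed, and it assumes OpenSSL 1.1.0 or later, where `openssl verify` exits non-zero on failure.

```shell
#!/bin/sh
# Added example: every name, file and certificate here is constructed test data.
set -eu

# Build a throwaway PKI in directory $1: root.pem -> inter.pem -> server.pem
build_demo_pki() {
    (
        cd "$1"
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > leaf.ext
        for n in root inter server; do
            openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
                -keyout "$n.key" -out "$n.csr" 2>/dev/null
        done
        openssl x509 -req -in root.csr -signkey root.key \
            -extfile ca.ext -days 2 -out root.pem 2>/dev/null
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
        openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -extfile leaf.ext -days 2 -out server.pem 2>/dev/null
    )
}

# $1 = the single root CA installed on the client
# $2 = PEM bundle the RADIUS server presents during EAP (server cert first)
# Succeeds only if the server cert chains to the root using nothing but
# certificates contained in the bundle itself, as a client holding only the
# root would have to do.
chain_ok_with_root_only() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_demo_pki "$demo"
# Case 1: intermediate exists only in the profile, the server sends the leaf alone
cp "$demo/server.pem" "$demo/sent_leaf_only.pem"
# Case 2: the server sends leaf + intermediate in the EAP conversation
cat "$demo/server.pem" "$demo/inter.pem" > "$demo/sent_with_inter.pem"

for bundle in sent_leaf_only.pem sent_with_inter.pem; do
    if chain_ok_with_root_only "$demo/root.pem" "$demo/$bundle"; then
        echo "$bundle: chain builds from the root alone"
    else
        echo "$bundle: chain is incomplete without the intermediate"
    fi
done
```

To check a real deployment, pass the root CA from the CAT profile as the first argument and the exact PEM file the RADIUS server is configured to present as the second.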


