cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Jeremy Plumley <jmplumley AT gtcc.edu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Android Connectivity using CAT
- Date: Mon, 26 Feb 2018 08:29:25 +0100
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
okay, at this point the best thing to do is look at your certificates:
can you send me the roots and the server cert off-list?
I'm also a bit puzzled with what you mean with "leaving the one that I
most often see in the chain". The chain-building in PKIX is
deterministic; your server cert takes exactly one path to the one root.
We've added the multi-root feature only as a means of supporting CA
rollover so you can pre-load a future CA into devices in advance of a
change.
If you have a setup where two auth servers have two different certs from
two different CAs needing two different roots then that would be a
likely cause of trouble, at least on Android.
Greetings,
Stefan Winter
Am 23.02.2018 um 18:29 schrieb Jeremy Plumley:
> Thank you for all your assistance. I did have two root CA's listed so I
> removed one, leaving the one that I most often see in the chain. I went to
> the Check Realm feature and my live login test come back successful. When I
> look at more details I can see my server certificate details as well with
> no errors if I'm looking at it correctly.
>
> However I'm still having issues with the Androids I'm testing with. I
> removed the eduroam profile and even cleared the install certificates on
> the devices. After using the eduroam CAT play store tool and install my
> schools profile I get the authentication problem :-(
>
> Jeremy Plumley
> ITS Network Administrator
> Ext 50024
>
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
> Sent: Friday, February 23, 2018 2:26 AM
> To:
> cat-users AT lists.geant.org;
> Jeremy Plumley
> <jmplumley AT gtcc.edu>
> Subject: Re: [[cat-users]] Android Connectivity using CAT
>
> Hi,
>
> okay, next up in the list of things Android doesn't like: does your CAT
> profile have more than one root CA listed? Up until the most recent
> versions of Android, only one root CA could be installed. So if there is
> more than one to choose from, you might have gotten the unlucky pick.
>
> The realm check feature is available from the IdP overview page: once you
> have a profile which is fully configured, the button "Check realm
> reachability" becomes clickable. It is directly below the "Installer
> Fine-Tuning ..." button inside the profile box.
>
> Note that you have to entered the actual realm in the profile properties
> - the realm is not strictly necessary to enable installer generation, but
> it is needed if we are supposed to run checks against the realm, obviously.
>
> Greetings,
>
> Stefan Winter
>
> Am 22.02.2018 um 19:22 schrieb Jeremy Plumley:
>> Yes, I have uploaded the root CA and the intermediate CA on our CAT
>> profile. I'm in the process now of seeing if I can combine the server and
>> intermediate together before applying it to my radius. How do I use the
>> realm check feature to see if that is my issue?
>>
>> Jeremy Plumley
>> ITS Network Administrator
>> Ext 50024
>>
>>
>> -----Original Message-----
>> From: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>> Sent: Thursday, February 22, 2018 4:28 AM
>> To: Jeremy Plumley
>> <jmplumley AT gtcc.edu>;
>>
>> cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] Android Connectivity using CAT
>>
>> Hello,
>>
>> Android has an ample selection of shortcomings to choose from :-)
>>
>> Do you by any chance have a setup with an intermediate CA in addition to
>> the root CA?
>>
>> And you have uploaded that intermediate CA into the CAT profile?
>>
>> That's great and makes all the operating systems you listed above work.
>>
>> Except for Android: it is not possible to install the intermediate CA
>> together with the root there.
>>
>> For Android, you have to make sure that your RADIUS server sends the
>> intermediate CA together with the server cert during the EAP conversation;
>> otherwise Android cannot create the chain up to the root CA.
>>
>> There should be a warning in the realm check feature about intermediate
>> CAs only being in configuration, but not in the EAP conversation if that
>> is the cause of the problem. Do you see that warning?
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>> E-Mail correspondence to and from this address may be subject to the
>> North Carolina Public Records Law and shall be disclosed to third
>> parties when required by the statutes (G.S. 132-1.) To unsubscribe,
>> send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> E-Mail correspondence to and from this address may be subject to the North
> Carolina Public Records Law and shall be disclosed to third parties when
> required by the statutes (G.S. 132-1.)
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
- [[cat-users]] Android Connectivity using CAT, jmplumley, 02/21/2018
- Re: [[cat-users]] Android Connectivity using CAT, Stefan Winter, 02/22/2018
- RE: [[cat-users]] Android Connectivity using CAT, Jeremy Plumley, 02/22/2018
- RE: [[cat-users]] Android Connectivity using CAT, Jeremy Plumley, 02/22/2018
- Re: [[cat-users]] Android Connectivity using CAT, Stefan Winter, 02/23/2018
- RE: [[cat-users]] Android Connectivity using CAT, Jeremy Plumley, 02/23/2018
- Re: [[cat-users]] Android Connectivity using CAT, Stefan Winter, 02/26/2018
- RE: [[cat-users]] Android Connectivity using CAT, Jeremy Plumley, 02/23/2018
- RE: [[cat-users]] Android Connectivity using CAT, Jeremy Plumley, 02/22/2018
- Re: [[cat-users]] Android Connectivity using CAT, Stefan Winter, 02/22/2018
Archive powered by MHonArc 2.6.19.