cat-users - Re: [[cat-users]] Android Connectivity using CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] Android Connectivity using CAT


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jeremy Plumley <jmplumley AT gtcc.edu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Android Connectivity using CAT
  • Date: Mon, 26 Feb 2018 08:29:25 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

okay, at this point the best thing to do is look at your certificates:
can you send me the roots and the server cert off-list?

I'm also a bit puzzled by what you mean by "leaving the one that I
most often see in the chain". The chain-building in PKIX is
deterministic; your server cert takes exactly one path to the one root.

We've added the multi-root feature only as a means of supporting CA
rollover so you can pre-load a future CA into devices in advance of a
change.

If you have a setup where two auth servers have two different certs from
two different CAs needing two different roots then that would be a
likely cause of trouble, at least on Android.

Greetings,

Stefan Winter

Am 23.02.2018 um 18:29 schrieb Jeremy Plumley:
> Thank you for all your assistance. I did have two root CAs listed so I
> removed one, leaving the one that I most often see in the chain. I went to
> the Check Realm feature and my live login test came back successful. When I
> look at more details I can see my server certificate details as well with
> no errors if I'm looking at it correctly.
>
> However I'm still having issues with the Androids I'm testing with. I
> removed the eduroam profile and even cleared the install certificates on
> the devices. After using the eduroam CAT Play Store tool and installing my
> school's profile I get the authentication problem :-(
>
> Jeremy Plumley
> ITS Network Administrator
> Ext 50024
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Friday, February 23, 2018 2:26 AM
> To: cat-users AT lists.geant.org; Jeremy Plumley <jmplumley AT gtcc.edu>
> Subject: Re: [[cat-users]] Android Connectivity using CAT
>
> Hi,
>
> okay, next up in the list of things Android doesn't like: does your CAT
> profile have more than one root CA listed? Up until the most recent
> versions of Android, only one root CA could be installed. So if there is
> more than one to choose from, you might have gotten the unlucky pick.
>
> The realm check feature is available from the IdP overview page: once you
> have a profile which is fully configured, the button "Check realm
> reachability" becomes clickable. It is directly below the "Installer
> Fine-Tuning ..." button inside the profile box.
>
> Note that you have to enter the actual realm in the profile properties
> - the realm is not strictly necessary to enable installer generation, but
> it is needed if we are supposed to run checks against the realm, obviously.
>
> Greetings,
>
> Stefan Winter
>
> Am 22.02.2018 um 19:22 schrieb Jeremy Plumley:
>> Yes, I have uploaded the root CA and the intermediate CA on our CAT
>> profile. I'm in the process now of seeing if I can combine the server and
>> intermediate together before applying it to my radius. How do I use the
>> realm check feature to see if that is my issue?
>>
>> Jeremy Plumley
>> ITS Network Administrator
>> Ext 50024
>>
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: Thursday, February 22, 2018 4:28 AM
>> To: Jeremy Plumley <jmplumley AT gtcc.edu>; cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] Android Connectivity using CAT
>>
>> Hello,
>>
>> Android has an ample selection of shortcomings to choose from :-)
>>
>> Do you by any chance have a setup with an intermediate CA in addition to
>> the root CA?
>>
>> And you have uploaded that intermediate CA into the CAT profile?
>>
>> That's great and makes all the operating systems you listed above work.
>>
>> Except for Android: it is not possible to install the intermediate CA
>> together with the root there.
>>
>> For Android, you have to make sure that your RADIUS server sends the
>> intermediate CA together with the server cert during the EAP conversation;
>> otherwise Android cannot create the chain up to the root CA.
>>
>> There should be a warning in the realm check feature about intermediate
>> CAs only being in configuration, but not in the EAP conversation if that
>> is the cause of the problem. Do you see that warning?
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>> E-Mail correspondence to and from this address may be subject to the
>> North Carolina Public Records Law and shall be disclosed to third
>> parties when required by the statutes (G.S. 132-1.) To unsubscribe,
>> send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
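As an added illustration of the chain-building point discussed in the thread (example code written for this page, not from the CAT project or from the thread): the script builds a throwaway root, intermediate and RADIUS server certificate with openssl, then runs the check that a client trusting only the root performs, first with the server cert alone and then with the intermediate supplied alongside it. All names (Demo Root CA, radius.example.org) and the temporary directory are constructed for the demo.

```shell
# Added example (not from the thread): root -> intermediate -> server chain built with
# openssl; the server cert is then verified the way a client that trusts only the root
# does, once without and once with the intermediate presented alongside it.
# All names (Demo Root CA, radius.example.org, ...) are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal config: CA extensions for root/intermediate, end-entity extensions for the server.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.org
EOF

# Self-signed root.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -days 3650 -subj "/CN=Demo Root CA" 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -days 1825 -out inter.pem 2>/dev/null
# RADIUS server cert, signed by the intermediate (the cert sent during EAP).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout server.key -out server.csr -subj "/CN=radius.example.org" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_server -days 825 -out server.pem 2>/dev/null

# chain_reaches_root LEAF [EXTRA]: exit 0 if LEAF chains to root.pem using only the
# certificates in EXTRA (what the server presented), as a client trusting just the root would.
chain_reaches_root() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}

# Without the intermediate the chain cannot be built; with it, verification succeeds.
if chain_reaches_root server.pem; then SERVER_ONLY=ok; else SERVER_ONLY=fail; fi
if chain_reaches_root server.pem inter.pem; then WITH_INTER=ok; else WITH_INTER=fail; fi
echo "server cert alone:          $SERVER_ONLY"
echo "server cert + intermediate: $WITH_INTER"
```

Run the same `openssl verify -untrusted` check against the certificates a RADIUS server actually presents during the EAP handshake to see whether the intermediate is being sent, which is the condition Android needs.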