cat-users - RE: [[cat-users]] Android Connectivity using CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jeremy Plumley <jmplumley AT gtcc.edu>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Android Connectivity using CAT
  • Date: Thu, 1 Mar 2018 19:33:26 +0000

Just wanted to give an update on my setup and that I think I got it all
resolved. I think my root cause was that GoDaddy just does not work well with
Microsoft NPS on a 2008 R2 server. I switched to Comodo and Androids started to
work instantly. I did run into an issue that I had to have two roots
installed for all my devices to work. Windows systems wanted the Comodo RSA
Certificate Authority root to work and Android wanted the AddTrust External CA
root. The only way I could get it to work was to load the AddTrust certificate
first into eduroam CAT, then the Comodo RSA Certificate Authority. The
intermediate Comodo RSA didn't work on Windows systems, so I had to download
the root one from the Comodo repository.

Jeremy Plumley
ITS Network Administrator
Ext 50024

-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: Monday, February 26, 2018 2:29 AM
To: Jeremy Plumley <jmplumley AT gtcc.edu>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Android Connectivity using CAT

Hi,

okay, at this point the best thing to do is look at your certificates:
can you send me the roots and the server cert off-list?

I'm also a bit puzzled with what you mean with "leaving the one that I most
often see in the chain". The chain-building in PKIX is deterministic; your
server cert takes exactly one path to the one root.

We've added the multi-root feature only as a means of supporting CA rollover
so you can pre-load a future CA into devices in advance of a change.

If you have a setup where two auth servers have two different certs from two
different CAs needing two different roots then that would be a likely cause
of trouble, at least on Android.

Greetings,

Stefan Winter

Am 23.02.2018 um 18:29 schrieb Jeremy Plumley:
> Thank you for all your assistance. I did have two root CAs listed, so I
> removed one, leaving the one that I most often see in the chain. I went to
> the Check Realm feature and my live login test came back successful. When I
> look at more details I can see my server certificate details as well, with
> no errors if I'm looking at it correctly.
>
> However, I'm still having issues with the Androids I'm testing with. I
> removed the eduroam profile and even cleared the installed certificates
> on the devices. After using the eduroam CAT Play Store tool and
> installing my school's profile I get the authentication problem :-(
>
> Jeremy Plumley
> ITS Network Administrator
> Ext 50024
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Friday, February 23, 2018 2:26 AM
> To: cat-users AT lists.geant.org; Jeremy Plumley <jmplumley AT gtcc.edu>
> Subject: Re: [[cat-users]] Android Connectivity using CAT
>
> Hi,
>
> okay, next up in the list of things Android doesn't like: does your CAT
> profile have more than one root CA listed? Up until the most recent
> versions of Android, only one root CA could be installed. So if there is
> more than one to choose from, you might have gotten the unlucky pick.
>
> The realm check feature is available from the IdP overview page: once you
> have a profile which is fully configured, the button "Check realm
> reachability" becomes clickable. It is directly below the "Installer
> Fine-Tuning ..." button inside the profile box.
>
> Note that you have to enter the actual realm in the profile properties;
> the realm is not strictly necessary to enable installer generation, but
> it is needed if we are supposed to run checks against the realm, obviously.
>
> Greetings,
>
> Stefan Winter
>
> Am 22.02.2018 um 19:22 schrieb Jeremy Plumley:
>> Yes, I have uploaded the root CA and the intermediate CA on our CAT
>> profile. I'm in the process now of seeing if I can combine the server and
>> intermediate together before applying it to my radius. How do I use the
>> realm check feature to see if that is my issue?
>>
>> Jeremy Plumley
>> ITS Network Administrator
>> Ext 50024
>>
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: Thursday, February 22, 2018 4:28 AM
>> To: Jeremy Plumley <jmplumley AT gtcc.edu>; cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] Android Connectivity using CAT
>>
>> Hello,
>>
>> Android has an ample selection of shortcomings to choose from :-)
>>
>> Do you by any chance have a setup with an intermediate CA in addition to
>> the root CA?
>>
>> And you have uploaded that intermediate CA into the CAT profile?
>>
>> That's great and makes all the operating systems you listed above work.
>>
>> Except for Android: it is not possible to install the intermediate CA
>> together with the root there.
>>
>> For Android, you have to make sure that your RADIUS server sends the
>> intermediate CA together with the server cert during the EAP conversation;
>> otherwise Android cannot create the chain up to the root CA.
>>
>> There should be a warning in the realm check feature about intermediate
>> CAs only being in configuration, but not in the EAP conversation if that
>> is the cause of the problem. Do you see that warning?
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
E-Mail correspondence to and from this address may be subject to the North
Carolina Public Records Law and shall be disclosed to third parties when
required by the statutes (G.S. 132-1.)
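As an added illustration of the chain-building problem discussed above (not code from the list, the CAT project or any RADIUS server), the following simplified PKIX path walk models two situations from the thread: an Android supplicant that only has a root installed and therefore depends on the RADIUS server sending the intermediate CA during EAP, and a CA that exists both as a self-signed root and as a cross-certificate issued by an older root, so that clients with different trust stores terminate the chain at different roots. Certificate names are constructed labels; there is no key material and no signature verification.

```python
# Added example: a simplified issuer-link walk, not a full PKIX validator.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def build_path(leaf, sent_chain, trusted_roots):
    """Walk issuer links from the leaf using only what the supplicant has: the
    certificates sent during the EAP conversation plus its own trust store.
    Returns the subjects on the path ending at a trust anchor, or None when the
    chain cannot be completed (e.g. a missing intermediate or cross-cert)."""
    by_subject = {}
    for c in sent_chain:
        by_subject.setdefault(c.subject, []).append(c)
    path, seen, cur = [leaf.subject], {leaf.subject}, leaf
    while True:
        anchor = next((r for r in trusted_roots if r.subject == cur.issuer), None)
        if anchor is not None:          # issuer is directly trusted: done
            return path + [anchor.subject]
        nxt = [c for c in by_subject.get(cur.issuer, []) if c.subject not in seen]
        if not nxt:                     # nothing sent for this issuer: dead end
            return None
        cur = nxt[0]
        seen.add(cur.subject)
        path.append(cur.subject)

# Constructed chain: server cert <- issuing CA <- Comodo RSA CA. The Comodo RSA CA
# is present both as a self-signed root and as a cross-cert issued by AddTrust.
SERVER  = Cert("radius.example.edu (constructed)", "Issuing CA (constructed)")
ISSUING = Cert("Issuing CA (constructed)", "Comodo RSA Certificate Authority")
CROSS   = Cert("Comodo RSA Certificate Authority", "AddTrust External CA Root")
COMODO_ROOT   = Cert("Comodo RSA Certificate Authority", "Comodo RSA Certificate Authority")
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root")

def scenarios():
    """Outcomes for the situations described in the thread."""
    return {
        # Client has only a root installed; RADIUS sends the server cert alone
        "android_server_only": build_path(SERVER, [SERVER], [ADDTRUST_ROOT]),
        # RADIUS sends the whole chain incl. cross-cert; client trusts AddTrust
        "android_full_chain": build_path(SERVER, [SERVER, ISSUING, CROSS], [ADDTRUST_ROOT]),
        # Client trusts the Comodo root directly: path stops early, cross-cert unused
        "windows_comodo_root": build_path(SERVER, [SERVER, ISSUING, CROSS], [COMODO_ROOT]),
        # Client trusts AddTrust only but the server omits the cross-cert: no path
        "addtrust_without_cross": build_path(SERVER, [SERVER, ISSUING], [ADDTRUST_ROOT]),
    }
```

The two `None` outcomes are the cases a realm check should flag: intermediates present in the CAT profile but absent from what the RADIUS server actually sends.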


  • RE: [[cat-users]] Android Connectivity using CAT, Jeremy Plumley, 03/01/2018

Archive powered by MHonArc 2.6.19.

Top of Page