cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Martin Pauly <pauly AT hrz.uni-marburg.de>
- To: cat-users AT lists.geant.org
- Cc: Johannes Schuh <schuh AT hrz.uni-marburg.de>, Carsten Ruckelshausen <carsten.ruckelshausen AT hrz.uni-marburg.de>
- Subject: [[cat-users]] Windows installer issues with outer id
- Date: Mon, 13 Aug 2018 15:11:56 +0200
Hi,
I'm having trouble with the Windows installers when it comes to configuring
a special outer identity for PEAP (I want it to be
"eduroam AT staff.uni-marburg.de").
AFAIU, MS calls this feature "Identity Privacy":
https://blogs.technet.microsoft.com/wsnetdoc/2010/01/19/peap-identity-privacy-support-in-windows-7-and-windows-server-2008-r2/
First the good news: Windows 10 with WiFi does work. On the server side I get
Tue Aug 7 18:07:30 2018 : Auth: (39944008) Login OK: [eduroam AT staff.uni-marburg.de] (from client wlc3 port 13 cli 4c:34:88:e0:aa:42)
Mon Aug 6 10:42:52 2018 : Auth: (36014268) Login OK: [pauly1 AT staff.uni-marburg.de] (from client wlc3 port 13 cli 4c:34:88:e0:aa:42)
which is exactly as it's supposed to be.
All other cases (wired connection, Win 7, Win 8) fail.
Most varieties will not show up at all in the FreeRADIUS line log (not tried
FR debug yet). With Windows 8 + WiFi, I get:
Mon Aug 13 11:33:09 2018 : Auth: (49960342) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [eduroam] (from client wlc3 port 13 cli 00:26:c6:1d:1e:92)
Mon Aug 13 11:43:49 2018 : Auth: (49993692) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [eduroam] (from client wlc3 port 13 cli 00:26:c6:1d:1e:92)
The TLS failure is not surprising, but rather a consequence of the outer
identity lacking a realm (we also need the realm for internal RADIUS forwarding).
The background to this is: In July 2019, all German eduroam participants will
face a PKI/root cert change.
We, like many other German institutions, aim at a soft migration by means of a
processing fork inside the RADIUS server:
Those who use "eduroam AT staff.uni-marburg.de" as their outer id are presented
with the new cert, everyone else keeps getting the old one. For the time
remaining, we distribute as many new configurations as possible. This already
works well with Android, MacOS, iOS and Linux (only tried manual config so far).
Two more questions:
1. Could the Windows installer kindly display a version number on startup?
2. The source code is at
https://github.com/GEANT/CAT/tree/master/devices/ms
right?
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
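
Added example, not part of the original message and not code from CAT or FreeRADIUS: a Python check over auth log lines in the format quoted above, reporting per client MAC which certificate branch the logged identity would select and which clients sent an identity without a realm. The log lines and MAC addresses are constructed, the function names are hypothetical, and the outer identity is the one from the post with "@" restored from the archive's " AT ".

```python
import re
from collections import defaultdict

# Assumption: the anonymous outer identity named in the post, with "@" restored
# from the archive's " AT " obfuscation.
MIGRATION_OUTER_ID = "eduroam@staff.uni-marburg.de"

# Constructed sample lines modelled on the log format quoted in the post;
# request ids and MAC addresses are made up (documentation MAC range).
SAMPLE_LOG = """\
Tue Aug  7 18:07:30 2018 : Auth: (1001) Login OK: [eduroam@staff.uni-marburg.de] (from client wlc3 port 13 cli 00:00:5e:00:53:01)
Mon Aug 13 11:33:09 2018 : Auth: (1002) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [eduroam] (from client wlc3 port 13 cli 00:00:5e:00:53:02)
Mon Aug 13 11:50:12 2018 : Auth: (1003) Login OK: [user1@staff.uni-marburg.de] (from client wlc3 port 13 cli 00:00:5e:00:53:03)
Mon Aug 13 11:51:40 2018 : Auth: (1004) Login OK: [eduroam AT staff.uni-marburg.de] (from client wlc3 port 13 cli 00:00:5e:00:53:01)
"""

AUTH_RE = re.compile(
    r"Auth: \((?P<req>\d+)\) (?P<result>Login OK|Login incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<identity>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>[0-9a-fA-F:]+)\)"
)

def classify(identity):
    """Map a logged identity to the certificate branch it would select."""
    identity = identity.replace(" AT ", "@").strip().lower()
    if "@" not in identity or identity.endswith("@"):
        return "no-realm"   # nothing to route on; the failing Windows 8 case
    if identity == MIGRATION_OUTER_ID:
        return "new-cert"   # profile already uses the migration outer id
    return "old-cert"       # everyone else keeps getting the old certificate

def summarize(log_text):
    """Return {mac: set of branches seen} for every Auth line in log_text."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            seen[m["mac"].lower()].add(classify(m["identity"]))
    return dict(seen)

def needs_attention(log_text):
    """Sorted MACs that sent an identity without a realm."""
    return sorted(mac for mac, b in summarize(log_text).items() if "no-realm" in b)

if __name__ == "__main__":
    for mac, branches in sorted(summarize(SAMPLE_LOG).items()):
        print(mac, sorted(branches))
    print("realm-less outer identity:", needs_attention(SAMPLE_LOG))
```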