cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: Martin Pauly <pauly AT hrz.uni-marburg.de>, cat-users AT lists.geant.org
- Cc: Johannes Schuh <schuh AT hrz.uni-marburg.de>, Carsten Ruckelshausen <carsten.ruckelshausen AT hrz.uni-marburg.de>
- Subject: Re: [[cat-users]] Windows installer issues with outer id
- Date: Mon, 13 Aug 2018 16:14:27 +0200
- Openpgp: preference=signencrypt
Hi Martin,
what you are describing sounds really strange. The MS PEAP
implementation only allows for setting the user part of the username,
the realm part is taken from the username supplied by the user. My guess
would be that while configuring Windows 10 the whole username
pauly1 AT staff.uni-marburg.de was entered, but in other cases only the
user part. If we really had such a big bug in CAT we would have heard
about that a long time before.
Are you using the installers provided by the DFN CAT installation or are
you testing the new version 2.0 that is available from GitHub?
I will add the version number of the installer to be visible to the
user. Now you can only see it if you abort the installation.
Tomasz
On 13.08.2018 at 15:11, Martin Pauly wrote:
> Hi,
>
> I'm having trouble with the Windows installers when it comes to configuring
> a special outer identity for PEAP (I want it to be "eduroam AT staff.uni-marburg.de").
> AFAIU, MS calls this feature "Identity Privacy":
> https://blogs.technet.microsoft.com/wsnetdoc/2010/01/19/peap-identity-privacy-support-in-windows-7-and-windows-server-2008-r2/
>
>
> First the good news: Windows 10 with WiFi does work. On the server side I get
> Tue Aug 7 18:07:30 2018 : Auth: (39944008) Login OK: [eduroam AT staff.uni-marburg.de] (from client wlc3 port 13 cli 4c:34:88:e0:aa:42)
> Mon Aug 6 10:42:52 2018 : Auth: (36014268) Login OK: [pauly1 AT staff.uni-marburg.de] (from client wlc3 port 13 cli 4c:34:88:e0:aa:42)
> which is exactly as it's supposed to be.
>
> All other cases (wired connection, Win 7, Win 8) fail.
> Most varieties will not show up at all in the Freeradius line log (not
> tried FR debug yet). With Windows8 + WIFI, I get:
> Mon Aug 13 11:33:09 2018 : Auth: (49960342) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [eduroam] (from client wlc3 port 13 cli 00:26:c6:1d:1e:92)
> Mon Aug 13 11:43:49 2018 : Auth: (49993692) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [eduroam] (from client wlc3 port 13 cli 00:26:c6:1d:1e:92)
>
> The TLS failure is not surprising, but rather a consequence of the
> outer identity lacking a realm
> (we also need the realm for internal RADIUS forwarding).
>
> The background to this is: In July 2019, all German eduroam
> participants will face a PKI/root cert change.
> We, like many other German institutions, aim at a soft migration by
> means of a processing fork inside the RADIUS server:
> Those who use "eduroam AT staff.uni-marburg.de" as their outer id are
> presented with the new cert, everyone else keeps getting the old one.
> For the time remaining, we distribute as many new configurations as
> possible. This already works well with Android, MacOS, iOS and Linux
> (only tried manual config so far).
>
> Two more questions:
> 1. Could the Windows installer kindly display a version number on startup?
> 2. The source code is at https://github.com/GEANT/CAT/tree/master/devices/ms right?
>
> Cheers, Martin
>
--
Tomasz Wolniewicz
twoln AT umk.pl
http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
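
Added example, not part of the original messages and not CAT or FreeRADIUS code: a small Python check that reads auth lines in the radius.log format quoted above and reports which branch of the certificate fork each outer identity would select, plus the client MACs that sent an outer identity without a realm. The outer identity `eduroam@example.org`, the NAS name and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the outer identity that selects the new-certificate branch.
NEW_CERT_OUTER_ID = "eduroam@example.org"

# radius.log auth line, in the format quoted in the thread above.
AUTH_RE = re.compile(
    r"Auth: \(\d+\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<ident>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:.-]+)\)"
)

def classify(line, new_id=NEW_CERT_OUTER_ID):
    """Return a record for one auth line, or None if the line is not one."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    _, sep, realm = rec["ident"].rpartition("@")
    if not sep or not realm:
        rec["branch"] = "no-realm"   # nothing to route or fork on
    elif rec["ident"].lower() == new_id.lower():
        rec["branch"] = "new-cert"
    else:
        rec["branch"] = "old-cert"
    return rec

def summarise(lines):
    """Count (branch, result) pairs and collect MACs that sent no realm."""
    counts, realmless = Counter(), set()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        counts[(rec["branch"], rec["result"])] += 1
        if rec["branch"] == "no-realm":
            realmless.add(rec["mac"].lower())
    return counts, sorted(realmless)

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    "Wed Jan  3 10:00:00 2018 : Auth: (1001) Login OK: [eduroam@example.org] (from client nas1 port 13 cli 02:00:00:00:00:01)",
    "Wed Jan  3 10:05:00 2018 : Auth: (1002) Login OK: [alice@example.org] (from client nas1 port 13 cli 02:00:00:00:00:01)",
    "Wed Jan  3 10:09:00 2018 : Auth: (1003) Login incorrect (eap_peap: TLS Alert read:fatal:access denied): [eduroam] (from client nas1 port 13 cli 02:00:00:00:00:02)",
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```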