The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

OK, so this explains a lot.

However let me point out that if your users find your University on the production CAT they may want to download the eduroam installers which will just fail for them. I suggest that while you are just experimenting, you  delete the production-read flag from your profile, and do the experiments via the admin interface download installers. Doing that will hide your University from standard users and save the frustration.

Tomasz

W dniu 30.10.2018 o 20:47, IAM David Bantz pisze:

Thank you for your response Tomaz.

Our University of Alaska CAT installers are for a new eduroam deployment with completely new infrastructure - not existing eduroam deployment.

The new Cisco ISEs do use InCommon certificates with the AddTrust root CA at the top of the chain.
We're testing on a temporary eduroam-test SSID, which is included as secondary SSID in the CAT installers.

As a result, the CAT installers are not expected to provide a working configuration for our existing eduroam deployment
(which uses private CA and EAP-TLS) but only the new eduroam-test SSID. (We have not previously used CAT; there

are no CAT installers for our currently-deployed eduroam - that current infrastructure uses on aging home-brew tools and private CA certificates 

for both server and user authentication, which is why we are excited to move to CAT).

Sorry, I should have made that clear in my post. 

And yes, iOS, MacOS and Android devices (at least the very few we've tested) do connect (and automatically re-connect) to our eduroam-test SSID, using EAP-PEAP MSCHAPv2 and the Cisco ISE with AddTrust as the root CA as configured by their respective CAT installers.

On Tue, Oct 30, 2018 at 11:31 AM Tomasz Wolniewicz <twoln AT umk.pl> wrote:

Hi David,

  as far as I can tell, your server certificate has been issued by CN=University of Alaska eduroam CA Root but your profile ships the AddTrust External CA Root so these two do not match. It is therefore great that Windows does not connect but it would be really surprising if Apple devices and Android do.

  I will contact you off-list and perhaps we could do some more testing.

Tomasz

W dniu 30.10.2018 o 19:14, IAM David Bantz pisze:

CAT installers indicate successful installation, but attempts to connect to wireless generate "Can't connect to network". Logs on the Cisco ISE indicate the supplicant declined to connect to authentication service; ISE discussion lists suggest supplicant not trusting the root CA may be the cause; the root CA is, however, listed as trusted in the certificate store on the Windows client. *Manual* configuration (just entering username AT alaska.edu and password) *does* connect.

CAT installers for Android, iOS and MacOS do not trigger anything similar; clients successfully join network.

I would appreciate suggestions of where to look / what to check next.

David Bantz

UAlaska

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576