cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: IAM David Bantz <dabantz AT alaska.edu>
- To: cat-users AT lists.geant.org
- Subject: [[cat-users]] update on consistent Win10 connection failures
- Date: Tue, 6 Nov 2018 17:55:07 -0900
We've now tried CAT installer on 3 different physical Windows 10 devices, and we've done a number of experiments in attempting to isolate source of failures.
As previously reported, CAT installed profile generates the message "cannot connect to the network"; a Windows "event logger" provides slightly more information: 778 error code, text "there was a problem with the server certificate" and refers us to our "network technician". Error 778 has myriad possible causes. The Cisco ISE logs reflect client rejection of the server's certificate and dropped connection.
In all cases, the client is able to join the wireless network by the expedient of deleting the profile and entering credentials when prompted.
We tried the following experiments: removing the AddTrust certificates from the trusted cert store, then reinstalling the CAT profile; removing the certificates CAT installs and manually adding the root CA directly; and manually adding the entire cert chain; adding the intermediate certs to the CAT installer. In all cases results were identical.
I thought belatedly to Re-read The Fine Manual at https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
which does provide some recommended "non-standard" server certificate properties, specifically including SubjectAltName (or "SAN") in addition to CN, and certificate extension "TLS Web Server Authentication" - neither of which our current server certificate has.
So my working hypothesis is now that we need to get a new server cert with those "non-standard" properties added.
Sanity check solicited!
David Bantz
U Alaska
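
A quick way to test a server certificate for the two properties named in the message above (SubjectAltName and the "TLS Web Server Authentication" extension), as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed; the function names and the host name `radius.example.edu` are hypothetical placeholders, and the test certificates are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a server
# certificate lacks subjectAltName or the serverAuth extended key usage.

# Prints the missing properties; returns 0 if none, 1 if any, 2 on read error.
check_eap_server_cert() {
    cert_text=$(openssl x509 -in "$1" -noout -text) || return 2
    missing=""
    printf '%s\n' "$cert_text" | grep -q 'X509v3 Subject Alternative Name' ||
        missing="$missing subjectAltName"
    printf '%s\n' "$cert_text" | grep -q 'TLS Web Server Authentication' ||
        missing="$missing serverAuth-EKU"
    echo "${missing# }"
    [ -z "$missing" ]
}

# Builds a constructed self-signed test certificate for the placeholder name
# radius.example.edu. $1 = output PEM, $2 = "bare" (CN only) or "full".
make_sample_cert() {
    cfg=$(mktemp) && key=$(mktemp) || return 2
    cat >"$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.edu
[bare]
basicConstraints = CA:FALSE
[full]
basicConstraints = CA:FALSE
subjectAltName = DNS:radius.example.edu
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -extensions "$2" -keyout "$key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$key"
    return "$rc"
}

# With a PEM file argument, check that file; exit status follows the check.
if [ "$#" -gt 0 ]; then
    check_eap_server_cert "$1"
fi
```

Run it with the path to the RADIUS server's PEM certificate as the only argument; empty output means both properties are present.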