cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: "Downton, Sam" <samuel.downton AT metoffice.gov.uk>
- To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] TLS Failures from Android
- Date: Mon, 14 Jan 2019 13:36:36 +0000
- Accept-language: en-GB, en-US
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=metoffice.onmicrosoft.com
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=samuel.downton AT metoffice.gov.uk;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Hi Stefan,
Our Radius Server does send the whole chain during the EAP exchange, and I
can use the root cert installed by CAT to verify the servers identity when
manually entering the configuration, the problem seems to be specific to the
combination of settings applied by CAT.
> I was trying to reach out to your RADIUS server to see if it does send the
> chain but it looks like your server is not reachable internationally at
> all. Directly from our Luxembourg primary NRO server using eapol_test, I
> get: EAPOL test timed out. This is not an issue of wrong usernames, it's
> basic connectivity on the RADIUS level. You may have more issues than just
> certificate ones here.
As mentioned by Alan, our firewall will only allow a direct RADIUS connection
from the UK proxies. I have rasied a call with JISC asking why we are seeing
errors in their portal while running the connectivity tests from the CAT
website.
Thanks for the info about ChromeOS. This will be something to consider when
we next renew our certificate.
Kind regards,
Sam.
Sam Downton IT Practitioner – Network Services
Met Office Fitzroy Road Exeter EX1 3PB UK
Tel: +44(0)330 135 2306 Fax 0870 9005050
E-Mail: samuel.downton AT metoffice.gov.uk Website: http://www.metoffice.gov.uk
-----Original Message-----
From: Stefan Winter <stefan.winter AT restena.lu>
Sent: 14 January 2019 09:38
To: Downton, Sam <samuel.downton AT metoffice.gov.uk>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] TLS Failures from Android
Hello Sam!
Thanks for the server certificate. I have taken a look.
The trusted CA as per your CAT profile is:
Subject: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Certification Authority
The actual server cert is issued by:
C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN =
COMODO RSA Extended Validation Secure Server CA
=> an intermediate certificate linking "COMODO RSA Extended Validation Secure
Server CA" to "COMODO RSA Certification Authority" is required.
You have not uploaded that intermediate to CAT. This is okay, but then either
the devices need to have that intermediate in their cert stores "by chance",
or your RADIUS server needs to supply it during the EAP exchange.
Since this a commercial, well-known CA, I'm guessing that most operating
systems have it in their store, so the chain building would just work.
Possibly, Android is a little different and doesn't have or use the
intermediate CA information during the EAP exchange. Unfortunately, uploading
it to CAT won't help here, because Android is also the only operating system
where we cannot install an intermediary; only roots.
So the only option for a complete chain across all operating systems is by
making sure that the RADIUS server sends not only his own server certificate,
but also the intermediate CA certificate of "COMODO RSA Extended Validation
Secure Server CA".
I was trying to reach out to your RADIUS server to see if it does send the
chain but it looks like your server is not reachable internationally at all.
Directly from our Luxembourg primary NRO server using eapol_test, I get:
EAPOL test timed out. This is not an issue of wrong usernames, it's basic
connectivity on the RADIUS level. You may have more issues than just
certificate ones here.
As a side note: you are using a certificate from an Extended Validation CA.
We have received repeated reports that ChromeOS REJECTS EV certificates for
Wi-Fi server identification purposes. If you care about ChromeOS, you may
need to switch to a non-EV certificate, naturally with a different validation
chain. At the very least, this should be subject to testing.
Greetings,
Stefan Winter
Am 14.01.19 um 09:03 schrieb Stefan Winter:
> Hello,
>
>> The opposite is true unfortunately! The clients we are experiencing the
>> issue on are Google Pixel 2 phones running Android 9. They have no issue
>> connecting to our eduroam implementation when configured manually, so it
>> would appear to be a configuration issue rather than a lack of
>> compatibility with the infrastructure.
>
> That's quite interesting. Can you confirm that version /before/ 9 work
> with the CAT profiles?
>
> When you write "manual configuration" then that probably means just
> username and password, without cert validation?
>
> If it fails with cert validation, but not without, then maybe it's a
> property of the cert that upsets the newest Android.
>
> Unfortunately, your IdP server seems to run on a Windows NPS or other
> RADIUS server configuration that rejects incoming requests if the
> outer ID does not match a known user - so I can't actually get to see
> the server cert for manual inspection.
>
> You could either edit your profile properties to add the "Use special
> Outer Identity for realm checks" and fill in a valid username - that
> way the CAT tests could get through to the actual EAP exchange; or
> just send me the server cert off-list so I can take a look.
>
> Greetings,
>
> Stefan Winter
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
- [[cat-users]] TLS Failures from Android, Downton, Sam, 01/11/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
- RE: [[cat-users]] TLS Failures from Android, Downton, Sam, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Alan Buxey, 01/14/2019
- RE: [[cat-users]] TLS Failures from Android, Downton, Sam, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
- RE: [[cat-users]] TLS Failures from Android, Downton, Sam, 01/14/2019
- Re: [[cat-users]] TLS Failures from Android, Stefan Winter, 01/14/2019
Archive powered by MHonArc 2.6.19.