The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Downton, Sam" <samuel.downton AT metoffice.gov.uk>]

Hi Stefan,

Our Radius Server does send the whole chain during the EAP exchange, and I 
can use the root cert installed by CAT to verify the servers identity when 
manually entering the configuration, the problem seems to be specific to the 
combination of settings applied by CAT.

> I was trying to reach out to your RADIUS server to see if it does send the 
> chain but it looks like your server is not reachable internationally at 
> all. Directly from our Luxembourg primary NRO server using eapol_test, I 
> get: EAPOL test timed out. This is not an issue of wrong usernames, it's 
> basic connectivity on the RADIUS level. You may have more issues than just 
> certificate ones here.

As mentioned by Alan, our firewall will only allow a direct RADIUS connection 
from the UK proxies. I have rasied a call with JISC asking why we are seeing 
errors in their portal while running the connectivity tests from the CAT 
website.

Thanks for the info about ChromeOS. This will be something to consider when 
we next renew our certificate.

Kind regards,
Sam.

Sam Downton  IT Practitioner – Network Services
Met Office   Fitzroy Road   Exeter   EX1 3PB   UK 
Tel: +44(0)330 135 2306 Fax 0870 9005050
E-Mail: samuel.downton AT metoffice.gov.uk  Website: http://www.metoffice.gov.uk

-----Original Message-----
From: Stefan Winter <stefan.winter AT restena.lu> 
Sent: 14 January 2019 09:38
To: Downton, Sam <samuel.downton AT metoffice.gov.uk>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] TLS Failures from Android

Hello Sam!

Thanks for the server certificate. I have taken a look.

The trusted CA as per your CAT profile is:

Subject: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, 
CN = COMODO RSA Certification Authority

The actual server cert is issued by:

C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Extended Validation Secure Server CA

=> an intermediate certificate linking "COMODO RSA Extended Validation Secure 
Server CA" to "COMODO RSA Certification Authority" is required.

You have not uploaded that intermediate to CAT. This is okay, but then either 
the devices need to have that intermediate in their cert stores "by chance", 
or your RADIUS server needs to supply it during the EAP exchange.

Since this a commercial, well-known CA, I'm guessing that most operating 
systems have it in their store, so the chain building would just work.

Possibly, Android is a little different and doesn't have or use the 
intermediate CA information during the EAP exchange. Unfortunately, uploading 
it to CAT won't help here, because Android is also the only operating system 
where we cannot install an intermediary; only roots.

So the only option for a complete chain across all operating systems is by 
making sure that the RADIUS server sends not only his own server certificate, 
but also the intermediate CA certificate of "COMODO RSA Extended Validation 
Secure Server CA".

I was trying to reach out to your RADIUS server to see if it does send the 
chain but it looks like your server is not reachable internationally at all. 
Directly from our Luxembourg primary NRO server using eapol_test, I get: 
EAPOL test timed out. This is not an issue of wrong usernames, it's basic 
connectivity on the RADIUS level. You may have more issues than just 
certificate ones here.

As a side note: you are using a certificate from an Extended Validation CA. 
We have received repeated reports that ChromeOS REJECTS EV certificates for 
Wi-Fi server identification purposes. If you care about ChromeOS, you may 
need to switch to a non-EV certificate, naturally with a different validation 
chain. At the very least, this should be subject to testing.

Greetings,

Stefan Winter

Am 14.01.19 um 09:03 schrieb Stefan Winter:
> Hello,
> 
>> The opposite is true unfortunately! The clients we are experiencing the 
>> issue on are Google Pixel 2 phones running Android 9. They have no issue 
>> connecting to our eduroam implementation when configured manually, so it 
>> would appear to be a configuration issue rather than a lack of 
>> compatibility with the infrastructure.
> 
> That's quite interesting. Can you confirm that version /before/ 9 work 
> with the CAT profiles?
> 
> When you write "manual configuration" then that probably means just 
> username and password, without cert validation?
> 
> If it fails with cert validation, but not without, then maybe it's a 
> property of the cert that upsets the newest Android.
> 
> Unfortunately, your IdP server seems to run on a Windows NPS or other 
> RADIUS server configuration that rejects incoming requests if the 
> outer ID does not match a known user - so I can't actually get to see 
> the server cert for manual inspection.
> 
> You could either edit your profile properties to add the "Use special 
> Outer Identity for realm checks" and fill in a valid username - that 
> way the CAT tests could get through to the actual EAP exchange; or 
> just send me the server cert off-list so I can take a look.
> 
> Greetings,
> 
> Stefan Winter
> 


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's 
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66