
cat-users - Re: [[cat-users]] Android CAT Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Blair T. Sawler" <blair.sawler AT unb.ca>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Android CAT Issues
  • Date: Mon, 28 Jan 2019 10:21:26 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> The analysts found a disparity between the internal and external radius
> servers. The profile has been updated, but we’re still having the same
> issues with Android not connecting. Any suggestions would be very helpful.

That looks a lot better now, indeed.

With this change in effect, can you now run the "Check Realm
Reachability" again and see if it has any warnings or advice regarding
intermediate CAs?

Greetings,

Stefan Winter

>
> Thanks
>
> -Blair
>
>  
>
> ------------------------------------------------------------------------
>
> *From:* Blair T. Sawler
> *Sent:* Friday, January 18, 2019 2:21:28 PM
> *To:* Stefan Winter; cat-users AT lists.geant.org
> *Subject:* RE: [[cat-users]] Android CAT Issues
>
>  
>
> Hi
>
> Thanks for the replies, I've passed it on to the network and systems
> teams, I'll let you know.
>
> -Blair
>
> -----Original Message-----
> From: Stefan Winter <stefan.winter AT restena.lu>
> Sent: January 18, 2019 10:39 AM
> To: Blair T. Sawler <blair.sawler AT unb.ca>; cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] Android CAT Issues
>
> Hello,
>
> my bad for giving you a canned answer without getting to the bottom of
> things first, sorry.
>
> The issue is a different one.
>
> In CAT, you configured the following two CAs:
>
> 1) root CA
>
> Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
>
> 2) intermediate CA (irrelevant for Android installers, but anyway)
>
> Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
>
> However, looking at your actual EAP conversation, I see that the RADIUS
> server is sending the following server cert and intermediate:
>
> Server:
>
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
> Subject: wireless.unb.ca
>
> Intermediate:
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
>
> As you can see, the server cert's chain is NOT ending in the root CA you
> configured in CAT (... Global Root *CA* vs. Global Root *G2*).
>
> It is not surprising and actually intentional that Android refuses to
> authenticate against this (unknown, and from its POV possibly rogue) server.
>
> To be honest, the bigger question which startles me somewhat is: why is
> this NOT an issue in all the other operating systems?
>
> Would you happen to be aware of any special CA cross-signing going on in
> those CAs, which fixes this for operating systems knowing about the
> cross-signed variants?
>
> Greetings,
>
> Stefan Winter
>
> Am 18.01.19 um 14:12 schrieb Stefan Winter:
>> Hello,
>>
>>> We’ve migrated our Wi-Fi at the University of New Brunswick (Canada)
>>> to eduroam only. We’re trying to streamline connectivity for our
>>> faculty/staff and students and have been promoting the eduroam CAT.
>>> We’re having issues with the app on Android.
>>>
>>> If you set it up on the device, it just continually tries to connect.
>>> Once you stop, and then go in to the wireless settings on the device,
>>> you can connect, if you do not validate the certificate.
>>>
>>> It works for all other operating systems. Has anyone else had this
>>> issue, and if so, were you able to resolve it?
>>>
>>> We are using PEAP with Phase2:MSCHAPv2.
>>>
>>> I’m asking on behalf of my team, so if you get too technical, I’ll
>>> pass on the question 😊
>>
>> Your server certificate is issued by an intermediate CA, which in turn
>> ends in a root CA.
>>
>> For Android, it is only possible to load root CAs onto the device, not
>> intermediates.
>>
>> The intermediate is however /required/ for certificate validation to work.
>>
>> The only way to make this happen is by making sure the RADIUS server
>> sends that intermediate certificate during the EAP exchange. If it is
>> *only* sending the server certificate, the behaviour you describe occurs.
>>
>> If that's the issue, then you should have a corresponding warning in
>> the admin area of CAT when running the realm reachability tests. Is
>> that so?
>>
>> Greetings,
>>
>> Stefan Winter
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
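The chain check Stefan walks through above, as an added example that is not part of the thread or of the CAT code base: it follows issuer-to-subject links through the certificates a RADIUS server presents during EAP and reports whether they end in a root that CAT has configured, distinguishing "only the server cert was sent" from "the chain ends in a different root". The Cert class, the function names and the hostname-only server subject are this example's own assumptions; the distinguished names are the ones quoted in the thread.

```python
# Added example, not code from the thread or from CAT: a chain diagnostic that
# reproduces the two failure modes discussed above using only subject/issuer DNs.
# The DNs come from the thread; the function names and inputs are constructed here.
from dataclasses import dataclass

def norm(dn: str) -> str:
    """Normalise a DN so 'DigiCert Inc,OU = x' and 'DigiCert Inc, OU = x' compare equal."""
    return ", ".join(part.strip() for part in dn.split(","))

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def build_chain(server: Cert, presented: list[Cert]) -> list[Cert]:
    """Follow issuer -> subject links through the certs the RADIUS server sent in EAP."""
    by_subject = {norm(c.subject): c for c in presented}
    chain, seen = [server], {norm(server.subject)}
    while norm(chain[-1].issuer) != norm(chain[-1].subject):  # stop at a self-signed cert
        nxt = by_subject.get(norm(chain[-1].issuer))
        if nxt is None or norm(nxt.subject) in seen:          # link not sent, or a loop
            break
        seen.add(norm(nxt.subject))
        chain.append(nxt)
    return chain

def diagnose(server: Cert, presented: list[Cert], cat_roots: list[str]) -> tuple[str, str]:
    """Return (status, detail) for how the presented chain meets CAT's configured roots."""
    roots = {norm(r) for r in cat_roots}
    chain = build_chain(server, presented)
    anchor = norm(chain[-1].issuer)  # the root the chain expects the client to trust already
    if anchor in roots:
        return "OK", f"chain ends in configured root '{anchor}'"
    if len(chain) == 1:
        # Only the server cert arrived. Android can install root CAs but not
        # intermediates, so it has no way to bridge server cert and root itself.
        return "INCOMPLETE_CHAIN", f"issuer '{anchor}' was neither sent nor configured as a root"
    return "ROOT_MISMATCH", f"chain ends in '{anchor}' but CAT is configured with {sorted(roots)}"

# Constructed from the DNs quoted in the thread (server subject given there as the hostname only).
DIGICERT = "C = US, O = DigiCert Inc, OU = www.digicert.com, "
SERVER = Cert(subject="CN = wireless.unb.ca", issuer=DIGICERT + "CN = RapidSSL RSA CA 2018")
INTERMEDIATE_2018 = Cert(subject=DIGICERT + "CN = RapidSSL RSA CA 2018",
                         issuer=DIGICERT + "CN = DigiCert Global Root CA")
CAT_ROOTS = [DIGICERT + "CN = DigiCert Global Root G2"]

if __name__ == "__main__":
    print(diagnose(SERVER, [INTERMEDIATE_2018], CAT_ROOTS))  # the mismatch found in the thread
    print(diagnose(SERVER, [], CAT_ROOTS))                    # the first reply's hypothesis
```

Adding the root the chain actually ends in (DigiCert Global Root CA) to the configured roots turns the first case into "OK", which is the same outcome the "Check Realm Reachability" test is being asked to confirm.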
