
cat-users - RE: [[cat-users]] cat.eduroam.org TLS iOS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


RE: [[cat-users]] cat.eduroam.org TLS iOS


  • From: Pierluigi Checchi <pierluigi.checchi AT polimi.it>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] cat.eduroam.org TLS iOS
  • Date: Thu, 31 Jan 2019 08:38:02 +0000
  • Accept-language: it-IT, en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=polimi365.onmicrosoft.com
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=pierluigi.checchi AT polimi.it;

Hi Stefan,
I am asked for the certificate to use for eduroam and can successfully connect
(using a .mobileconfig profile for OSX and a certificate installed from our
website). The main things to note are:

- I am on the latest iOS
- Your certificate is just another profile on iOS
- Once you associate the cert with an SSID (i.e. eduroam or our local EAP-TLS
prolimi-protected SSID) you cannot "forget" that SSID and you just have to
remove the profile
- You end up having two profiles on iOS: one is the certificate, one is the
profile containing SSIDs etc.

I am sending screenshots of the entire procedure in a separate private email
to you.

Thank you,
PC

---
Pierluigi CHECCHI
Politecnico di Milano
Area Servizi ICT - Servizio Gestione Rete dati-fonia
Piazza Leonardo da Vinci, 32 - 20133 Milano - Italy
Tel: +39 02 2399 2356
Mobile: +39 3473532996
pierluigi.checchi AT polimi.it





-----Original Message-----
From: Stefan Winter <stefan.winter AT restena.lu>
Sent: Thursday, January 31, 2019 8:31 AM
To: Pierluigi Checchi <pierluigi.checchi AT polimi.it>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] cat.eduroam.org TLS iOS

Hello,

> we created a cat profile containing only EAP-TLS as an authentication
> method.
>
> The “installer” (a .mobileconfig Apple profile) seems to be
> unavailable to download for iOS devices.
>
> That’s strange because the same profile, available to download from
> cat, for Apple OSX, if installed on iOS is 100% compatible with iOS
> and useful to autoconfigure iOS iPads or iPhones.
>
> Can you make it available also for iOS users or am I missing something?

This was done intentionally at the time.

iOS can download a TLS profile and install it just fine.

However, the profiles naturally do not contain an actual client certificate.

Earlier versions of iOS we tested were unable to associate an
already-installed TLS client certificate (i.e. imported as a stand-alone
.p12 file) with the newly installed Wi-Fi profile. This rendered the entire
installation process pointless.

What you write above seems to imply that things have changed? Did you
actually *use* the Wi-Fi profile with a pre-installed client certificate and
did that work? What does the initial connection dialog look like, if any? Are
you asked about the client certificate, or will it just pick the (one and
only) client cert it finds in the device?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


