
cat-users - Re: [[cat-users]] Problem connecting to eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jose Manuel Pérez <jmperez AT i2basque.eus>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Problem connecting to eduroam
  • Date: Thu, 13 Jun 2019 09:03:29 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

the settings in the institution's eduroam CAT admin area are incorrect.

I see a list of four CAs in CAT:

(root)

Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root

(intermediates)
Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority

Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN =
TERENA SSL CA 2

Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Assured ID Root CA
Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN =
TERENA SSL CA 3

The first three are not relevant for the server certificate; they come
from a previous version of the Trusted Certificate Service which was
discontinued many years ago.

The fourth is a relevant *intermediate* CA for your server certificate,
but its root is not included ("DigiCert Assured ID Root CA").

You need to find that root CA and include it in your CAT institution
settings.

While you are at it, you can then also delete the three other obsolete CAs.

With these settings, MacOS only works if you get the prompt to override
a mismatching trust chain and to explicitly accept the incoming
certificate. While that works, it is not secure at all; your users would
probably click through the very same prompt if a certificate from a
rogue attacker were presented. You should fix the CAT settings ASAP and
properly configure the devices with the new settings.

Greetings,

Stefan Winter

On 04.06.19 at 14:42, Jose Manuel Pérez wrote:
> Hi people at GÉANT,
>
> We have some problems connecting to eduroam from Windows and Linux boxes
> (not from MacOS). We downloaded the latest CAT installer but could not
> authenticate; we get some TLS certificate problem:
>
> Jun 4 13:38:16 mint wpa_supplicant[831]: TLS: Certificate verification
> failed, error 2 (unable to get issuer certificate) depth 1 for
> '/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1
> subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
> err='unable to get issuer certificate'
> Jun 4 13:38:16 mint wpa_supplicant[831]: SSL: SSL3 alert: write (local
> SSL3 detected an error):fatal:unknown CA
> Jun 4 13:38:16 mint wpa_supplicant[831]: OpenSSL: openssl_handshake -
> SSL_connect error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
>
> What could be the problem? Radius servers have certificates up to date.
>
> Here is the log output for a connection attempt:
>
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6400] device
> (wlp3s0): Activation: starting connection 'eduroam'
> (1cc36963-612e-48b7-9f96-de830bca67c0)
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6402] audit:
> op="connection-activate" uuid="1cc36963-612e-48b7-9f96-de830bca67c0"
> name="eduroam" pid=1496 uid=1000 result="success"
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6405] device
> (wlp3s0): state change: disconnected -> prepare (reason 'none',
> sys-iface-state: 'managed')
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6411] device
> (wlp3s0): state change: prepare -> config (reason 'none', sys-iface-state:
> 'managed')
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6414] device
> (wlp3s0): Activation: (wifi) access point 'eduroam' has security, but
> secrets are required.
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6414] device
> (wlp3s0): state change: config -> need-auth (reason 'none',
> sys-iface-state: 'managed')
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6454] device
> (wlp3s0): state change: need-auth -> prepare (reason 'none',
> sys-iface-state: 'managed')
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6456] device
> (wlp3s0): state change: prepare -> config (reason 'none', sys-iface-state:
> 'managed')
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6458] device
> (wlp3s0): Activation: (wifi) connection 'eduroam' has security, and secrets
> exist. No new secrets needed.
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6458] Config:
> added 'ssid' value 'eduroam'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'scan_ssid' value '1'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'bgscan' value 'simple:30:-65:300'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'key_mgmt' value 'WPA-EAP'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'proto' value 'RSN'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'pairwise' value 'CCMP'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'group' value 'CCMP TKIP'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'password' value '<hidden>'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'eap' value 'TTLS'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459] Config:
> added 'fragment_size' value '1266'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460] Config:
> added 'phase2' value 'auth=PAP'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460] Config:
> added 'ca_cert' value '/home/jmperez/.cat_installer/ca.pem'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460] Config:
> added 'altsubject_match' value
> 'DNS:radius1.i2basque.es;DNS:radius3.i2basque.es'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460] Config:
> added 'identity' value 'jmperez AT i2basque.es'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460] Config:
> added 'anonymous_identity' value 'anonymous AT i2basque.es'
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460] Config:
> added 'proactive_key_caching' value '1'
> Jun 4 13:38:16 mint kernel: [ 300.753553] wlp3s0: authenticate with
> 24:f2:7f:f7:16:90
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: SME: Trying to
> authenticate with 24:f2:7f:f7:16:90 (SSID='eduroam' freq=5260 MHz)
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6594] device
> (wlp3s0): supplicant interface state: inactive -> authenticating
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: Trying to associate with
> 24:f2:7f:f7:16:90 (SSID='eduroam' freq=5260 MHz)
> Jun 4 13:38:16 mint kernel: [ 300.763722] wlp3s0: send auth to
> 24:f2:7f:f7:16:90 (try 1/3)
> Jun 4 13:38:16 mint kernel: [ 300.765410] wlp3s0: authenticated
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: Associated with
> 24:f2:7f:f7:16:90
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> Jun 4 13:38:16 mint kernel: [ 300.767180] wlp3s0: associate with
> 24:f2:7f:f7:16:90 (try 1/3)
> Jun 4 13:38:16 mint kernel: [ 300.768718] wlp3s0: RX AssocResp from
> 24:f2:7f:f7:16:90 (capab=0x411 status=0 aid=4)
> Jun 4 13:38:16 mint kernel: [ 300.768820] wlp3s0: associated
> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6661] device
> (wlp3s0): supplicant interface state: authenticating -> associated
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-EAP-STARTED
> EAP authentication started
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP
> vendor 0 method 21 (TTLS) selected
> Jun 4 13:38:16 mint wpa_supplicant[831]: TLS: Certificate verification
> failed, error 2 (unable to get issuer certificate) depth 1 for
> '/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1
> subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
> err='unable to get issuer certificate'
> Jun 4 13:38:16 mint wpa_supplicant[831]: SSL: SSL3 alert: write (local
> SSL3 detected an error):fatal:unknown CA
> Jun 4 13:38:16 mint wpa_supplicant[831]: OpenSSL: openssl_handshake -
> SSL_connect error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> Jun 4 13:38:17 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-EAP-FAILURE
> EAP authentication failed
> Jun 4 13:38:19 mint wpa_supplicant[831]: wlp3s0: Authentication with
> 24:f2:7f:f7:16:90 timed out.
> Jun 4 13:38:19 mint kernel: [ 303.933755] wlp3s0: deauthenticating from
> 24:f2:7f:f7:16:90 by local choice (Reason: 3=DEAUTH_LEAVING)
> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-DISCONNECTED
> bssid=24:f2:7f:f7:16:90 reason=3 locally_generated=1
> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1
> duration=10 reason=AUTH_FAILED
> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0:
> CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2
> duration=26 reason=CONN_FAILED
> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-REGDOM-CHANGE
> init=CORE type=WORLD
> Jun 4 13:38:20 mint NetworkManager[857]: <warn> [1559648300.2405]
> sup-iface[0x55e3e816ca40,wlp3s0]: connection disconnected (reason -3)
> Jun 4 13:38:20 mint NetworkManager[857]: <info> [1559648300.2453] device
> (wlp3s0): supplicant interface state: associated -> disconnected
> Jun 4 13:38:20 mint NetworkManager[857]: <info> [1559648300.3454] device
> (wlp3s0): supplicant interface state: disconnected -> scanning
> Jun 4 13:38:42 mint NetworkManager[857]: <warn> [1559648322.2079] device
> (wlp3s0): Activation: (wifi) association took too long
> Jun 4 13:38:42 mint NetworkManager[857]: <info> [1559648322.2080] device
> (wlp3s0): state change: config -> need-auth (reason 'none',
> sys-iface-state: 'managed')
> Jun 4 13:38:42 mint NetworkManager[857]: <warn> [1559648322.2103] device
> (wlp3s0): Activation: (wifi) asking for new secrets
> Jun 4 13:38:42 mint dbus-daemon[792]: [system] Activating via systemd:
> service name='org.freedesktop.hostname1'
> unit='dbus-org.freedesktop.hostname1.service' requested by ':1.63'
> (uid=1000 pid=1543 comm="nm-applet " label="unconfined")
> Jun 4 13:38:42 mint systemd[1]: Starting Hostname Service...
> Jun 4 13:38:42 mint dbus-daemon[792]: [system] Successfully activated
> service 'org.freedesktop.hostname1'
> Jun 4 13:38:42 mint systemd[1]: Started Hostname Service.
> Jun 4 13:38:47 mint NetworkManager[857]: <info> [1559648327.1416] device
> (wlp3s0): supplicant interface state: scanning -> inactive
> Jun 4 13:40:42 mint NetworkManager[857]: <warn> [1559648442.2154] device
> (wlp3s0): No agents were available for this request.
> Jun 4 13:40:42 mint NetworkManager[857]: <info> [1559648442.2154] device
> (wlp3s0): state change: need-auth -> failed (reason 'no-secrets',
> sys-iface-state: 'managed')
> Jun 4 13:40:42 mint NetworkManager[857]: <warn> [1559648442.2161] device
> (wlp3s0): Activation: failed for connection 'eduroam'
> Jun 4 13:40:42 mint NetworkManager[857]: <info> [1559648442.2167] device
> (wlp3s0): state change: failed -> disconnected (reason 'none',
> sys-iface-state: 'managed')
> Jun 4 13:40:42 mint kernel: [ 446.321394] IPv6: ADDRCONF(NETDEV_UP):
> wlp3s0: link is not ready
>
>
> Best regards.
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
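
The chain analysis from the reply above, as an added example (not part of the original message or of CAT): it links the four issuer/subject pairs listed in the reply by name, starting from the depth-1 subject in the wpa_supplicant log. Matching is by distinguished name only and no signatures are verified; the names `norm`, `cn` and `audit` are made up for this illustration.

```python
import re

# Issuer/subject DNs exactly as listed in the reply (wrapped lines joined).
ADDTRUST = ("C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, "
            "CN = AddTrust External CA Root")
USERTRUST = ("C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST "
             "Network, CN = USERTrust RSA Certification Authority")
TERENA2 = "C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 2"
TERENA3 = "C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3"
DIGICERT = "C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA"
CAT_CAS = [(ADDTRUST, ADDTRUST), (ADDTRUST, USERTRUST),
           (USERTRUST, TERENA2), (DIGICERT, TERENA3)]   # (issuer, subject)
# Depth-1 subject from the CTRL-EVENT-EAP-TLS-CERT-ERROR line in the log.
LOG_SUBJECT = "/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3"

def norm(dn):
    """Reduce 'C = NL, CN = x' and '/C=NL/CN=x' renderings to one tuple form."""
    parts = re.split(r"/|,\s*(?=[A-Za-z]+\s*=)", dn.strip())
    return tuple(tuple(s.strip() for s in p.split("=", 1)) for p in parts if p.strip())

def cn(dn):
    """Common name of a normalised DN, for readable output."""
    return dict(dn)["CN"]

def audit(bundle, server_issuer):
    """Follow issuer names upwards from the server certificate's issuer.

    Returns (path, missing, unused): bundle subjects on the path, the issuer
    DN that is absent from the bundle (None if a self-signed root is reached),
    and bundle subjects that play no part in validating this server.
    """
    by_subject = {norm(s): norm(i) for i, s in bundle}
    path, cur = [], norm(server_issuer)
    while cur in by_subject and cur not in path:   # second test guards loops
        path.append(cur)
        if by_subject[cur] == cur:                 # self-signed: trust anchor
            return path, None, [s for s in by_subject if s not in path]
        cur = by_subject[cur]
    missing = cur if cur not in by_subject else None
    return path, missing, [s for s in by_subject if s not in path]

if __name__ == "__main__":
    path, missing, unused = audit(CAT_CAS, LOG_SUBJECT)
    print("path:   ", [cn(d) for d in path])
    print("missing:", cn(missing) if missing else None)
    print("unused: ", [cn(d) for d in unused])
```

The same check can be run against a real `ca.pem` by feeding it the issuer/subject lines printed by `openssl x509 -noout -issuer -subject` for each certificate in the file.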



