cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Jose Manuel Pérez <jmperez AT i2basque.eus>
- To: Stefan Winter <stefan.winter AT restena.lu>
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Problem connecting to eduroam
- Date: Thu, 13 Jun 2019 11:57:20 +0200
> El 13 jun 2019, a las 9:03, Stefan Winter <stefan.winter AT restena.lu>
> escribió:
>
> Hello,
Hello,
>
> the settings in the institution's eduroam CAT admin area are incorrect.
>
> I see a list of four CAs in CAT:
>
> (root)
>
> Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
> = AddTrust External CA Root
> Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
> = AddTrust External CA Root
>
> (intermediates)
> Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
> = AddTrust External CA Root
> Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
>
> Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
> Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN =
> TERENA SSL CA 2
>
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Assured ID Root CA
> Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN =
> TERENA SSL CA 3
>
> The first three are not relevant for the server certificate; they come
> from a previous version of the Trusted Certificate Service which has
> been discontinued many years ago.
>
> The fourth is a relevant *intermediate* CA for your server certificate,
> but its root is not included ("DigiCert Assured ID Root CA").
>
> You need to find that root CA and include it in your CAT institution
> settings.
>
> While you are at it, you can then also delete the three other obsolete CAs.
>
> With these settings, MacOS only works if you get the prompt to override
> a mismatching trust chain and to explicitly accept the incoming
> certificate. While that works, it is not secure at all; your users would
> probably click through the very same prompt if a certificate from a
> rogue attacker were presented. You should fix the CAT settings ASAP and
> properly configure the devices with the new settings.
Thank you very much for your answer. I’ve deleted three first entries and
added Root CA, now tested and working in Linux as well, we’ll try it in
Windows.
>
> Greetings,
>
> Stefan Winter
>
> Am 04.06.19 um 14:42 schrieb Jose Manuel Pérez:
>> Hi people at Gean,
>>
>> We have some problems connecting to eduroam from Windows and Linux boxes
>> (not from MacOS). Downloaded last CAT installer but could not get
>> authentication, we get some TLS certificate problem:
>>
>> Jun 4 13:38:16 mint wpa_supplicant[831]: TLS: Certificate verification
>> failed, error 2 (unable to get issuer certificate) depth 1 for
>> '/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1
>> subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
>> err='unable to get issuer certificate'
>> Jun 4 13:38:16 mint wpa_supplicant[831]: SSL: SSL3 alert: write (local
>> SSL3 detected an error):fatal:unknown CA
>> Jun 4 13:38:16 mint wpa_supplicant[831]: OpenSSL: openssl_handshake -
>> SSL_connect error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed
>>
>> What could be the problem? Radius servers have certificates up to date.
>>
>> Here log output for a connection attempt:
>>
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6400] device
>> (wlp3s0): Activation: starting connection 'eduroam'
>> (1cc36963-612e-48b7-9f96-de830bca67c0)
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6402] audit:
>> op="connection-activate" uuid="1cc36963-612e-48b7-9f96-de830bca67c0"
>> name="eduroam" pid=1496 uid=1000 result="success"
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6405] device
>> (wlp3s0): state change: disconnected -> prepare (reason 'none',
>> sys-iface-state: 'managed')
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6411] device
>> (wlp3s0): state change: prepare -> config (reason 'none', sys-iface-state:
>> 'managed')
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6414] device
>> (wlp3s0): Activation: (wifi) access point 'eduroam' has security, but
>> secrets are required.
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6414] device
>> (wlp3s0): state change: config -> need-auth (reason 'none',
>> sys-iface-state: 'managed')
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6454] device
>> (wlp3s0): state change: need-auth -> prepare (reason 'none',
>> sys-iface-state: 'managed')
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6456] device
>> (wlp3s0): state change: prepare -> config (reason 'none', sys-iface-state:
>> 'managed')
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6458] device
>> (wlp3s0): Activation: (wifi) connection 'eduroam' has security, and
>> secrets exist. No new secrets needed.
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6458]
>> Config: added 'ssid' value 'eduroam'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'scan_ssid' value '1'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'bgscan' value 'simple:30:-65:300'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'key_mgmt' value 'WPA-EAP'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'proto' value 'RSN'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'pairwise' value 'CCMP'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'group' value 'CCMP TKIP'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'password' value '<hidden>'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'eap' value 'TTLS'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6459]
>> Config: added 'fragment_size' value '1266'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460]
>> Config: added 'phase2' value 'auth=PAP'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460]
>> Config: added 'ca_cert' value '/home/jmperez/.cat_installer/ca.pem'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460]
>> Config: added 'altsubject_match' value
>> 'DNS:radius1.i2basque.es;DNS:radius3.i2basque.es'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460]
>> Config: added 'identity' value 'jmperez AT i2basque.es'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460]
>> Config: added 'anonymous_identity' value 'anonymous AT i2basque.es'
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6460]
>> Config: added 'proactive_key_caching' value '1'
>> Jun 4 13:38:16 mint kernel: [ 300.753553] wlp3s0: authenticate with
>> 24:f2:7f:f7:16:90
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: SME: Trying to
>> authenticate with 24:f2:7f:f7:16:90 (SSID='eduroam' freq=5260 MHz)
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6594] device
>> (wlp3s0): supplicant interface state: inactive -> authenticating
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: Trying to associate with
>> 24:f2:7f:f7:16:90 (SSID='eduroam' freq=5260 MHz)
>> Jun 4 13:38:16 mint kernel: [ 300.763722] wlp3s0: send auth to
>> 24:f2:7f:f7:16:90 (try 1/3)
>> Jun 4 13:38:16 mint kernel: [ 300.765410] wlp3s0: authenticated
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: Associated with
>> 24:f2:7f:f7:16:90
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
>> Jun 4 13:38:16 mint kernel: [ 300.767180] wlp3s0: associate with
>> 24:f2:7f:f7:16:90 (try 1/3)
>> Jun 4 13:38:16 mint kernel: [ 300.768718] wlp3s0: RX AssocResp from
>> 24:f2:7f:f7:16:90 (capab=0x411 status=0 aid=4)
>> Jun 4 13:38:16 mint kernel: [ 300.768820] wlp3s0: associated
>> Jun 4 13:38:16 mint NetworkManager[857]: <info> [1559648296.6661] device
>> (wlp3s0): supplicant interface state: authenticating -> associated
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-EAP-STARTED
>> EAP authentication started
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-EAP-METHOD
>> EAP vendor 0 method 21 (TTLS) selected
>> Jun 4 13:38:16 mint wpa_supplicant[831]: TLS: Certificate verification
>> failed, error 2 (unable to get issuer certificate) depth 1 for
>> '/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
>> Jun 4 13:38:16 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1
>> subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3'
>> err='unable to get issuer certificate'
>> Jun 4 13:38:16 mint wpa_supplicant[831]: SSL: SSL3 alert: write (local
>> SSL3 detected an error):fatal:unknown CA
>> Jun 4 13:38:16 mint wpa_supplicant[831]: OpenSSL: openssl_handshake -
>> SSL_connect error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed
>> Jun 4 13:38:17 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-EAP-FAILURE
>> EAP authentication failed
>> Jun 4 13:38:19 mint wpa_supplicant[831]: wlp3s0: Authentication with
>> 24:f2:7f:f7:16:90 timed out.
>> Jun 4 13:38:19 mint kernel: [ 303.933755] wlp3s0: deauthenticating from
>> 24:f2:7f:f7:16:90 by local choice (Reason: 3=DEAUTH_LEAVING)
>> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-DISCONNECTED
>> bssid=24:f2:7f:f7:16:90 reason=3 locally_generated=1
>> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1
>> duration=10 reason=AUTH_FAILED
>> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0:
>> CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2
>> duration=26 reason=CONN_FAILED
>> Jun 4 13:38:20 mint wpa_supplicant[831]: wlp3s0: CTRL-EVENT-REGDOM-CHANGE
>> init=CORE type=WORLD
>> Jun 4 13:38:20 mint NetworkManager[857]: <warn> [1559648300.2405]
>> sup-iface[0x55e3e816ca40,wlp3s0]: connection disconnected (reason -3)
>> Jun 4 13:38:20 mint NetworkManager[857]: <info> [1559648300.2453] device
>> (wlp3s0): supplicant interface state: associated -> disconnected
>> Jun 4 13:38:20 mint NetworkManager[857]: <info> [1559648300.3454] device
>> (wlp3s0): supplicant interface state: disconnected -> scanning
>> Jun 4 13:38:42 mint NetworkManager[857]: <warn> [1559648322.2079] device
>> (wlp3s0): Activation: (wifi) association took too long
>> Jun 4 13:38:42 mint NetworkManager[857]: <info> [1559648322.2080] device
>> (wlp3s0): state change: config -> need-auth (reason 'none',
>> sys-iface-state: 'managed')
>> Jun 4 13:38:42 mint NetworkManager[857]: <warn> [1559648322.2103] device
>> (wlp3s0): Activation: (wifi) asking for new secrets
>> Jun 4 13:38:42 mint dbus-daemon[792]: [system] Activating via systemd:
>> service name='org.freedesktop.hostname1'
>> unit='dbus-org.freedesktop.hostname1.service' requested by ':1.63'
>> (uid=1000 pid=1543 comm="nm-applet " label="unconfined")
>> Jun 4 13:38:42 mint systemd[1]: Starting Hostname Service...
>> Jun 4 13:38:42 mint dbus-daemon[792]: [system] Successfully activated
>> service 'org.freedesktop.hostname1'
>> Jun 4 13:38:42 mint systemd[1]: Started Hostname Service.
>> Jun 4 13:38:47 mint NetworkManager[857]: <info> [1559648327.1416] device
>> (wlp3s0): supplicant interface state: scanning -> inactive
>> Jun 4 13:40:42 mint NetworkManager[857]: <warn> [1559648442.2154] device
>> (wlp3s0): No agents were available for this request.
>> Jun 4 13:40:42 mint NetworkManager[857]: <info> [1559648442.2154] device
>> (wlp3s0): state change: need-auth -> failed (reason 'no-secrets',
>> sys-iface-state: 'managed')
>> Jun 4 13:40:42 mint NetworkManager[857]: <warn> [1559648442.2161] device
>> (wlp3s0): Activation: failed for connection 'eduroam'
>> Jun 4 13:40:42 mint NetworkManager[857]: <info> [1559648442.2167] device
>> (wlp3s0): state change: failed -> disconnected (reason 'none',
>> sys-iface-state: 'managed')
>> Jun 4 13:40:42 mint kernel: [ 446.321394] IPv6: ADDRCONF(NETDEV_UP):
>> wlp3s0: link is not ready
>>
>>
>> Best regards.
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> <0xC0DE6A358A39DC66.asc>
Regards.
--
# Jose Manuel Pérez :: +34 648 156 387 #
# i2basque :: red y sistemas/sarea eta sistemak #
- [[cat-users]] Problem connecting to eduroam, Jose Manuel Pérez, 06/04/2019
- Re: [[cat-users]] Problem connecting to eduroam, Stefan Winter, 06/13/2019
- Re: [[cat-users]] Problem connecting to eduroam, Jose Manuel Pérez, 06/13/2019
- Re: [[cat-users]] Problem connecting to eduroam, Stefan Winter, 06/13/2019
Archive powered by MHonArc 2.6.19.