Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool


Chronological Thread 
  • From: "Schwartz, Roger J" <rschwart AT uthsc.edu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool
  • Date: Mon, 9 Sep 2019 18:50:04 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uthsc.edu; dmarc=pass action=none header.from=uthsc.edu; dkim=pass header.d=uthsc.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CuJ/U5l++iizYPLQg4YtwBIb5jKFM6WXl0AhD/evQLo=; b=Zd2EhVwyAlcK1VhBvaL52+vAgyS+Ucts0rdHB+tT67NM25s4cmZAuvAMB/kbTiC9uCEKupqaR8Sc4rOkvj5LEFvA56hPLEBmuHBh6nIkfAreekgfRADlwweE6VZ/qq9T8FpHYGKMSH6IatAKhQZFDAGDeQTjpk4qD2Dvg278/AEQIw1eqvLB9Nx3oC75Gs9ziq7Qkb1nVJoNI+xpc7Bd8wYcEjx7wVHidx/GAI/Qr4kYfn9b2k2qmu7jqydBxFwQ8WQhy413Kj5jf/yxbH+sQeS+yxu26kpu1Kv0NNV6me0ZfgwOdNG8+g2SSI4HnltvioCYOM20Q51js5A/7EsXsg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PceyhyeSNAX3wEbBK0QTpvA/tPM4KGfkNperBC6ro3UmXoR4Z82JwSXj65G0rk12h9PP5Cmi9QnRAZDoDI/pIPSGXFRX0277z/X8HkZYiYdZVUf6TJYhRv+2aMwRG5dojMlVOF+h6nEnNAjMZNirlt7SmhbSS1Fuub3+yFXCQOCEPMHiL0c3jd6a+8sqAmFPl5cLZlZejEoWOahhJtjDk4JhOXsOuJ1g7cxQ+y1pqwGTJ8RTIbm/3LAtplHHOSqMbev7Q0EBuJEZ31k6sle7tsK9SuuAXIWlubsIpDiTHYM7zp6GyEOLSMSDN40ohNs7NpMwLTP75YFtUcJDQy0eew==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=rschwart AT uthsc.edu;

I get this during the test

eduroamTL dk
Connected to eduroam.uthsc.edu.
elapsed time: 3381 ms.

Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some configuration errors were observed; the list is below.

  The certificate chain includes the root CA certificate. This does not serve any useful purpose but inflates the packet exchange, possibly leading to more round-trips and thus slower authentication.
  At least one certificate is outside its validity period (not yet valid, or already expired)!
  The EAP server name does not match any of the configured names in your profile!
 
Subject:
CN=eduroam.uthsc.edu,OU=ITS Network Services,O=University of Tennessee,street=800 Andy Holt Tower,L=Knoxville,ST=TN,postalCode=37996-1711,C=US
Issuer:
This cert is no longer in use and I have uploaded the new certs with a new tool.

 eduroamTL nl
Connected to ise-admin1.netsrv.uthsc.edu.
elapsed time: 15096 ms.

Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below.

  The certificate chain includes the root CA certificate. This does not serve any useful purpose but inflates the packet exchange, possibly leading to more round-trips and thus slower authentication.
  The certificate contained a CN or subjectAltName:DNS which contains a wildcard ('*'). This can be problematic on some supplicants. If the certificate also contains names which are wildcardless, and you only use those for your supplicant configuration, then you can safely ignore this notice.
This is the correct information.

The live login fails, we are having some latency issues with our internet pipe.


Roger Schwartz
Senior Wireless Network Technician

The University of Tennessee Health Science Center
Network Services
Alexander Building Room 724
877 Madison Ave
MEMPHIS, TN 38103

rschwart AT uthsc.edu
t: 901.448.2236


From: Tomasz Wolniewicz <twoln AT umk.pl>
Sent: Monday, September 9, 2019 1:39 PM
To: Schwartz, Roger J <rschwart AT uthsc.edu>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: [Ext] Re: [[cat-users]] Cisco WLC failing auth with cat tool
 

This really looks like a certificate mismatch problem. If you are an admin of your CAT IdP you could run the RADIUS tests from the admin interface and see what it tells you.

Tomasz





W dniu 09.09.2019 o 19:30, Schwartz, Roger J pisze:
I have created a new cat tool for our school as we are moving to Cisco ISE radius servers to authenticate. I am able to connect manually to eduroam, but using the cat tool I keep failing authentication. I have been using the cat tool to connect to our free-radius with no issues. Has anyone seen this or something like it?

Thanks
Roger  


Roger Schwartz
Senior Wireless Network Technician

The University of Tennessee Health Science Center
Network Services
Alexander Building Room 724
877 Madison Ave
MEMPHIS, TN 38103

rschwart AT uthsc.edu
t: 901.448.2236

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576



Archive powered by MHonArc 2.6.19.

Top of Page