cat-users - Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool


  • From: Hunter Fuller <hf0002 AT uah.edu>
  • To: "Schwartz, Roger J" <rschwart AT uthsc.edu>
  • Cc: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool
  • Date: Mon, 9 Sep 2019 14:04:15 -0500

Roger,

I feel like we're gonna need the detailed logs for this auth from ISE at some point. Since the testing tool is at least getting the cert, it means the eduroam infrastructure is routing it to the server correctly. So at this point I would want to look at why ISE is rejecting the authentication.

Does this tool work OK? https://www.eduroam.us/test/realm

--
Hunter Fuller
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Mon, Sep 9, 2019 at 1:53 PM Schwartz, Roger J <rschwart AT uthsc.edu> wrote:
Philippe,

I have a root and two intermediates installed in the cat tool.

Roger


Roger Schwartz
Senior Wireless Network Technician

The University of Tennessee Health Science Center
Network Services
Alexander Building Room 724
877 Madison Ave
MEMPHIS, TN 38103

rschwart AT uthsc.edu
t: 901.448.2236


From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Schwartz, Roger J <rschwart AT uthsc.edu>
Sent: Monday, September 9, 2019 1:50 PM
To: Tomasz Wolniewicz <twoln AT umk.pl>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] [Ext] Re: Cisco WLC failing auth with cat tool
 
I get this during the test

eduroamTL dk
Connected to eduroam.uthsc.edu.
elapsed time: 3381 ms.

Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some configuration errors were observed; the list is below.

  The certificate chain includes the root CA certificate. This does not serve any useful purpose but inflates the packet exchange, possibly leading to more round-trips and thus slower authentication.
  At least one certificate is outside its validity period (not yet valid, or already expired)!
  The EAP server name does not match any of the configured names in your profile!
 
Subject:
CN=eduroam.uthsc.edu,OU=ITS Network Services,O=University of Tennessee,street=800 Andy Holt Tower,L=Knoxville,ST=TN,postalCode=37996-1711,C=US
Issuer:
This cert is no longer in use and I have uploaded the new certs with a new tool.

eduroamTL nl
Connected to ise-admin1.netsrv.uthsc.edu.
elapsed time: 15096 ms.

Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below.

  The certificate chain includes the root CA certificate. This does not serve any useful purpose but inflates the packet exchange, possibly leading to more round-trips and thus slower authentication.
  The certificate contained a CN or subjectAltName:DNS which contains a wildcard ('*'). This can be problematic on some supplicants. If the certificate also contains names which are wildcardless, and you only use those for your supplicant configuration, then you can safely ignore this notice.
This is the correct information.

The live login fails, we are having some latency issues with our internet pipe.


Roger Schwartz
Senior Wireless Network Technician

The University of Tennessee Health Science Center
Network Services
Alexander Building Room 724
877 Madison Ave
MEMPHIS, TN 38103

rschwart AT uthsc.edu
t: 901.448.2236


From: Tomasz Wolniewicz <twoln AT umk.pl>
Sent: Monday, September 9, 2019 1:39 PM
To: Schwartz, Roger J <rschwart AT uthsc.edu>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: [Ext] Re: [[cat-users]] Cisco WLC failing auth with cat tool
 

This really looks like a certificate mismatch problem. If you are an admin of your CAT IdP you could run the RADIUS tests from the admin interface and see what it tells you.

Tomasz





On 09.09.2019 at 19:30, Schwartz, Roger J wrote:
I have created a new cat tool for our school as we are moving to Cisco ISE radius servers to authenticate. I am able to connect manually to eduroam, but using the cat tool I keep failing authentication. I have been using the cat tool to connect to our free-radius with no issues. Has anyone seen this or something like it?

Thanks
Roger  


Roger Schwartz
Senior Wireless Network Technician

The University of Tennessee Health Science Center
Network Services
Alexander Building Room 724
877 Madison Ave
MEMPHIS, TN 38103

rschwart AT uthsc.edu
t: 901.448.2236

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
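The CAT RADIUS test quoted in this thread reports three certificate findings on the server side: a root CA certificate included in the chain, a certificate outside its validity period, and an EAP server name that matches none of the configured names, plus a notice about wildcard names. The script below is an added example, not part of the thread and not the eduroam CAT project's own code; it re-implements those checks in plain Python over certificate fields already extracted from a chain (for instance with `openssl x509 -noout -subject -issuer -dates -ext subjectAltName`). The `CertInfo` type, the `check_chain` function and all certificate values (`example.edu` hosts, dates) are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class CertInfo:
    """Fields of one X.509 certificate in the chain the RADIUS server sends (constructed type)."""
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: List[str] = field(default_factory=list)

    def is_self_signed(self) -> bool:
        # A root CA is self-issued: subject and issuer carry the same name.
        return self.subject_cn == self.issuer_cn

    def names(self) -> List[str]:
        # Names a supplicant may compare against its configured server name.
        return [self.subject_cn] + list(self.san_dns)


def name_matches(configured: str, cert_name: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    configured = configured.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return configured == cert_name
    suffix = cert_name[1:]                       # e.g. ".example.edu"
    if not configured.endswith(suffix):
        return False
    prefix = configured[: -len(suffix)]          # the label the '*' stands for
    return bool(prefix) and "." not in prefix    # exactly one non-empty label


def check_chain(chain: List[CertInfo], configured_names: List[str], now: datetime) -> List[str]:
    """Return the findings for a chain; chain[0] is the EAP server certificate."""
    findings = []
    server = chain[0]

    # Finding 1: the root CA is in the chain (adds round-trips, serves no purpose).
    if any(c.is_self_signed() for c in chain):
        findings.append("chain includes root CA certificate")

    # Finding 2: any certificate not yet valid or already expired.
    for c in chain:
        if now < c.not_before or now > c.not_after:
            findings.append(f"certificate outside validity period: {c.subject_cn}")

    # Finding 3: no configured server name matches the server certificate.
    if not any(name_matches(n, cn) for n in configured_names for cn in server.names()):
        findings.append("EAP server name does not match any configured name")

    # Notice: wildcard names; safe to ignore only if every configured name is
    # also covered by a wildcard-free name in the certificate.
    wildcard_names = [n for n in server.names() if n.startswith("*.")]
    plain_names = [n for n in server.names() if not n.startswith("*.")]
    if wildcard_names:
        covered = all(any(name_matches(n, p) for p in plain_names) for n in configured_names)
        if not covered:
            findings.append("server name relies on a wildcard name")
    return findings


NOW = datetime(2019, 9, 9, tzinfo=timezone.utc)   # constructed reference time

# Constructed chain: expired server cert, intermediate, and the root itself.
STALE_CHAIN = [
    CertInfo("eduroam.example.edu", "Example Issuing CA",
             datetime(2017, 1, 1, tzinfo=timezone.utc), datetime(2019, 1, 1, tzinfo=timezone.utc),
             san_dns=["eduroam.example.edu"]),
    CertInfo("Example Issuing CA", "Example Root CA",
             datetime(2015, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc)),
    CertInfo("Example Root CA", "Example Root CA",
             datetime(2010, 1, 1, tzinfo=timezone.utc), datetime(2030, 1, 1, tzinfo=timezone.utc)),
]

# Constructed chain: valid wildcard server cert with one wildcard-free SAN, no root.
WILDCARD_CHAIN = [
    CertInfo("*.netsrv.example.edu", "Example Issuing CA",
             datetime(2019, 1, 1, tzinfo=timezone.utc), datetime(2021, 1, 1, tzinfo=timezone.utc),
             san_dns=["*.netsrv.example.edu", "ise-admin1.netsrv.example.edu"]),
    CertInfo("Example Issuing CA", "Example Root CA",
             datetime(2015, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc)),
]


def run_examples():
    """Run the three constructed scenarios and return their findings by label."""
    return {
        "stale": check_chain(STALE_CHAIN, ["ise-admin1.netsrv.example.edu"], NOW),
        "wildcard_ok": check_chain(WILDCARD_CHAIN, ["ise-admin1.netsrv.example.edu"], NOW),
        "wildcard_only": check_chain(WILDCARD_CHAIN, ["ise-admin2.netsrv.example.edu"], NOW),
    }


if __name__ == "__main__":
    for label, findings in run_examples().items():
        print(label, findings or ["no findings"])
```

The first scenario reproduces all three findings of the `dk` test in the thread (root in chain, expired certificate, name mismatch); the second shows the wildcard notice being suppressed because the profile only uses the wildcard-free SAN; the third shows it firing when the configured name is covered only by the wildcard.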


