cat-users - [[cat-users]] Checking for Name (CN) of Authentication Server

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] Checking for Name (CN) of Authentication Server
  • Date: Mon, 24 Feb 2020 16:44:07 +0000
  • Accept-language: en-GB, en-US

Good $timezone,

Today I realised I had been a derp and set up a new eduroam service with an EAP Server Name along the lines of “CN=Organisation X eduroam Server”. All my testing was going fine up until I started using a real mobile device to try to use it configured via CAT… it just failed… iOS logged it as:

[eapttls_plugin.c:968] eapttls_verify_server(): server certificate not trusted status 1001 -9807

… even though rad_eap_test with, apparently, all the same pre-requisites on validation was fine.

Much gnashing of teeth later, I remembered someone had mentioned that some clients need the CN to be in FQDN format (and, possibly, for it to be actually valid). While I have nothing to cite for this, could a sanity check be added to the CAT admin sections to ensure that the “Name (CN) of Authentication Server” appears to be in the right format?

Thanks,
-- 
Matthew Slowe
Technical Specialist - Trust & Identity

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
 
Jisc Trust and Identity Services
UK Access Management Federation - Assent - Certificate Service and Domain Registry
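
A sketch of the kind of format check requested in the message above, added here as an example; it is not part of the original post and not CAT's own code. The helper name `server_name_problems` and the sample names are assumptions, and the check is purely syntactic (it does not test whether the name resolves).

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def server_name_problems(name: str) -> list:
    """Return reasons why `name` does not look like an FQDN (empty list = looks fine).

    Hypothetical helper for illustration; syntax only, no DNS lookup.
    """
    problems = []
    candidate = name.strip()
    if not candidate:
        return ["name is empty"]
    if "=" in candidate:
        problems.append("looks like a distinguished name (e.g. 'CN=...'), not a hostname")
    if re.search(r"\s", candidate):
        problems.append("contains whitespace")
    try:
        ipaddress.ip_address(candidate)
        return problems + ["is an IP address, not a hostname"]
    except ValueError:
        pass  # not an IP literal, carry on with hostname checks
    if len(candidate) > 253:
        problems.append("longer than 253 characters")
    labels = candidate.split(".")
    if len(labels) < 2:
        problems.append("has no dot, so it is not fully qualified")
    bad = [label for label in labels if not LABEL_RE.fullmatch(label)]
    if bad:
        problems.append("invalid label(s): " + ", ".join(repr(b) for b in bad))
    elif labels[-1].isdigit():
        problems.append("top-level label is all digits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the first mirrors the style of name quoted in the message.
    for sample in ["CN=Organisation X eduroam Server", "radius.example.org",
                   "radius", "192.0.2.10", "*.example.org"]:
        issues = server_name_problems(sample)
        print(f"{sample!r}: {'OK' if not issues else '; '.join(issues)}")
```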









