cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: "Stevens, Andy" <andy.stevens AT wur.nl>, Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "darren.wheatcroft" <darren.wheatcroft AT NOTTINGHAM.AC.UK>
- Subject: Re: [[cat-users]] Fwd: Windows 10 & CAT - TLS Session reuse error
- Date: Thu, 23 Dec 2021 11:15:39 +0100
I am not sure if I correctly interpret your question.
Any EAP client needs to *know* the root to be able to decide that the server cert not only has the correct name but also that it originates from the trusted source. If the root is already in the Windows trust store then the only use that the installer makes of it is pointing to its fingerprint as *the root*.
The intermediate certificates normally should not be needed. It
should be up to the RADIUS server to send out all intermediates
together with the server certificate. The client is then able to
verify the whole path (using the root that it has locally). If the
server does not send the chain then the client needs to have the
intermediates for verification.
Cheers
Tomasz Wolniewicz
Interesting, can somebody refer to information why Windows 10 clients need the root installed, alongside the intermediate to make a proper connection?
--
Kind regards,
Andy Stevens
Network / WiFi Infrastructure Engineer
CWNA 160383 | ECSE
MDT - Network Services
Present (Mon to Thu)
Wageningen University & Research
Actio / Gebouw 116
Akkermaalsbos 12 / 6708 WB Wageningen
Postbus 59 / 6700 AB Wageningen
T +31 (0) 3174 88653
E andy.stevens AT wur.nl
From: <cat-users-request AT lists.geant.org> on behalf of Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
Reply to: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
Date: Wednesday, 22 December 2021 at 16:42
To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "darren.wheatcroft" <darren.wheatcroft AT NOTTINGHAM.AC.UK>
Subject: Re: [[cat-users]] Fwd: Windows 10 & CAT - TLS Session reuse error
Yes, I suspect that is exactly it.
Uploading the Comodo AAA certificate should probably resolve the problem if the GEANT cert is shipped along with the server certificate.
Regards
Stefan Paetow
Federated Roaming Technical Specialist
t: +44 (0)1235 822 125
e-mail/teams: stefan.paetow AT jisc.ac.uk
gpg: 0x3FCE5142
Until 24/12/2021, I am only in the office Tuesdays to Thursdays.
From: <cat-users-request AT lists.geant.org> on behalf of Stefan Winter <stefan.winter AT restena.lu>
Reply to: Stefan Winter <stefan.winter AT restena.lu>
Date: Tuesday, 21 December 2021 at 12:53
To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "darren.wheatcroft" <darren.wheatcroft AT NOTTINGHAM.AC.UK>
Subject: Re: [[cat-users]] Fwd: Windows 10 & CAT - TLS Session reuse error
Hello,
could you let us know the old and new roots? If the new root is by any chance AAA Services, I think I have a rough idea...
Stefan Winter
On 21.12.21 at 13:51, Stefan Winter wrote:
Hi,
forwarding on behalf of Darren Wheatcroft, as the mail was sent to the -request address.
Stefan Winter
-------- Forwarded Message --------
Subject: Windows 10 & CAT - TLS Session reuse error
Date: Mon, 20 Dec 2021 11:57:58 +0000
From: Darren Wheatcroft <Darren.Wheatcroft AT nottingham.ac.uk>
To: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
Hi,
We have recently updated our certificates and the CAT tool has been updated accordingly with the cert chain.
Since doing this, no Windows 10 device will connect to eduroam - we get 'Unable to connect to this network' on the client, and 'TLS Session Reuse' on the Clearpass server.
MacOS, iOS and Android all connect OK. It isn't our build of Windows 10 as it happens on personal machines as well.
Essentially the only thing that changed in the CAT tool this year was the certificate chain.
Manually forgetting, then connecting will work every time.
Does anyone know of any client side logs we could dig into to see what is going on? This year's cert update has been a bit challenging!
Kind regards
Darren
--
Darren Wheatcroft
Digital and Technology Services
University of Nottingham
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln
Uniwersyteckie Centrum Informatyczne / Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun / pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750; tel kom.: +48-693-032-576
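The path validation described in the top message of this thread, reproduced with the `openssl` command line as an added example that is not part of the original thread. It assumes a constructed three-level lab PKI (all certificate and file names are made up) and uses `openssl verify` as a stand-in for the EAP client's chain check.

```shell
#!/bin/sh
# Added example: constructed lab PKI (root -> intermediate -> server); all names are made up.
set -eu

build_pki() {   # $1 = working directory that receives keys and certificates
    d=$1
    cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # Self-signed root: what the client profile pins as *the root*.
    openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Lab Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Lab Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/lab.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
    # RADIUS server certificate, signed by the intermediate.
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.org" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/lab.cnf" -extensions leaf_ext -out "$d/srv.pem" 2>/dev/null
}

# $1 = certificates the client holds locally, $2 = server certificate,
# $3 = optional intermediates the server sends during the handshake (untrusted input).
verify_as_client() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

report() { if "$@"; then echo accepted; else echo rejected; fi; }
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_pki "$work"
cat "$work/root.pem" "$work/int.pem" > "$work/local.pem"
echo "root only, server sends chain:   $(report verify_as_client "$work/root.pem" "$work/srv.pem" "$work/int.pem")"
echo "root only, server sends no chain: $(report verify_as_client "$work/root.pem" "$work/srv.pem")"
echo "root+intermediate held locally:  $(report verify_as_client "$work/local.pem" "$work/srv.pem")"
```

Only the middle case is rejected: with just the root installed and no chain from the server, the client cannot build a path to the server certificate.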