
cat-users - RE: [[cat-users]] Eduroam certificate renewal

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Alam, Nahid /DZNE" <Nahid.Alam AT DZNE.DE>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: "Uysal, Cueneyt /DZNE" <Cueneyt.Uysal AT dzne.de>, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de>, "Hakimi, Hasibullah /DZNE" <Hasibullah.Hakimi AT dzne.de>, "eduroam AT dfn.de" <eduroam AT dfn.de>, "Rocha Almeida, Jose /DZNE" <Jose.Almeida AT dzne.de>, "Baracchi, Laura /DZNE" <Laura.Baracchi AT dzne.de>
  • Subject: RE: [[cat-users]] Eduroam certificate renewal
  • Date: Tue, 16 Jan 2024 17:13:59 +0000
  • Accept-language: en-US, de-DE

Dear Eduroam Support Team,

 

Recently we renewed our ISE certificate, and since then our eduroam users have been facing connectivity issues when using the eduroam CAT application. We discovered that the authentication process is being rejected by our ISE. The ISE log shows a certificate-related TLS error, as below.

 

 

Possible Resolution Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Possible Root cause While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

 

Note that users can connect to the eduroam service directly using their username and credentials without the eduroam CAT application. Upon inspecting the eduroam CAT application profile, it has come to our attention that a specific/old root certificate has been hardcoded for end users, and unfortunately, this certificate has expired. We need to edit this profile and set the correct updated certificate; then end users will be able to connect to the eduroam service using the eduroam CAT application. However, the process of editing the application profile is currently unknown to us, and we are seeking your assistance in guiding us through the necessary steps. Your expertise and support in resolving this matter would be greatly appreciated.

 

 

The end-user eduroam CAT application profile settings, which are hardcoded with the old certificate, are given below.

 

 

 

 

Thanking you,

 

Khandakar Nahid Alam

Network & Cyber Security Engineer

 

Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)

Venusberg-Campus 1/99 
53127 Bonn 

Mail: nahid.alam AT dzne.de

Web: www.dzne.de 

 


*********************************

Executive Board: Prof. Pierluigi Nicotera, MD PhD (Chairman of the Executive Board and Scientific Director)

and Dr. Sabine Helling-Moegen, LL.M. (Administrative Director).

The DZNE is registered in the register of associations of the Bonn District Court (VR 9021).
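
The trust check behind the ISE message quoted above, as an added example that is not part of the original post and is not eduroam CAT or Cisco ISE code: it tests whether a CA pinned in a supplicant profile is still within its validity period and whether a re-issued RADIUS server certificate chains to it. It assumes the `openssl` CLI is installed; the file names, subject names and the lab PKI built by `build_fixture` are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the re-issued RADIUS server certificate still chain to
# the CA pinned in the supplicant profile? All names below are constructed.

# check_pinned_ca CA_PEM SERVER_PEM [WINDOW_SECONDS]
# Prints one of: ca-expiry | untrusted | ok
check_pinned_ca() {
  local ca="$1" srv="$2" window="${3:-0}"
  # -checkend N exits non-zero when the certificate expires within N seconds
  # (N=0 means it has already expired).
  if ! openssl x509 -in "$ca" -noout -checkend "$window" >/dev/null 2>&1; then
    echo "ca-expiry"; return 0
  fi
  # Validate the server certificate with the pinned CA as the supplied trust
  # anchor; -no-CApath keeps the system trust directory out of the check.
  if openssl verify -no-CApath -CAfile "$ca" "$srv" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "untrusted"
  fi
}

# build_fixture DIR: constructed lab PKI (not taken from the original post):
# old-root (the CA pinned in the profile), new-root, and a server certificate
# issued by new-root, mimicking a renewal under a different CA.
build_fixture() {
  ( cd "$1" || exit 1
    for ca in old-root new-root; do
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$ca" \
        -keyout "$ca.key" -out "$ca.pem"
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
      -keyout srv.key -out srv.csr
    openssl x509 -req -in srv.csr -CA new-root.pem -CAkey new-root.key \
      -CAcreateserial -days 30 -out srv.pem
  ) >/dev/null 2>&1
}

# Stand-alone run: compare the old pinned root with the new issuing root.
dir=$(mktemp -d) && build_fixture "$dir"
echo "old pinned root: $(check_pinned_ca "$dir/old-root.pem" "$dir/srv.pem")"
echo "new root:        $(check_pinned_ca "$dir/new-root.pem" "$dir/srv.pem")"
rm -rf "$dir"
```

A result of `untrusted` or `ca-expiry` for the CA in the profile corresponds to the client side of the handshake failure ISE reports; passing a window such as 30 days as the third argument flags a pinned CA before it expires.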



