cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

RE: [[cat-users]] Eduroam certificate renewal

From: "Alam, Nahid /DZNE" <Nahid.Alam AT DZNE.DE>
To: Christina Klam <cklam AT ias.edu>
Cc: cat-users <cat-users AT lists.geant.org>, "Uysal, Cueneyt /DZNE" <Cueneyt.Uysal AT dzne.de>, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de>, "Hakimi, Hasibullah /DZNE" <Hasibullah.Hakimi AT dzne.de>, "eduroam AT dfn.de" <eduroam AT dfn.de>, "Rocha Almeida, Jose /DZNE" <Jose.Almeida AT dzne.de>, "Baracchi, Laura /DZNE" <Laura.Baracchi AT dzne.de>
Subject: RE: [[cat-users]] Eduroam certificate renewal
Date: Thu, 18 Jan 2024 08:17:35 +0000
Accept-language: en-US, de-DE
Ironport-data: A9a23:Fus8lajXkBMcMNlw53olp3b0X161mxAKZh0ujC45NGQN5FlGYwSz9 tYtKTDba6jfYmLyZYM2P70CxjpV6pOAy95jQVFkpXszRChD8ZXIWYrBcUmoZS3JccCcERpu5 pwSNdWbfJg/QHXW/RnzO+bqpiRx2fyCGrSjULCaUswdqW+IbQ944f40s7Bp39E26TTAPz6wh T+bT60zUnek3jd7PzpMsOSBsBwHUJ/a5m5HtAQyNawW4FbSx3BLUZhHfKi9dCCnH9kFQeDqF 7yfnOnm92/Q80l9Utr4ye2rfhNRHuSLNAaD1CUIBfL/i3CuysBSPoMTbZLwPm8L1mvS9zwI9 OhwiXDZpWbFVIXNne0SXkEATmdmO6IuFNTvLXHvvZGdwRLNfXewnqQwVxFpbYMVp7ksCz0Up aRFdDpSNEqP3r7vybjgGrQ125kuJ8K7MolA6ng6nGDXXKd6HvgvL0mrCfpwhV/c0egXQqaBP 5FxhUNTUSn8j3SjWrt9IJM7leil3iGuNT9Apzp5zoJr6TKJkF0vgLaxYNfeIYCEFZ1YxB/B/ j6YoTygDhgTb42SkGGL+yOn2uGTwi6gBo5JGLPpqaU2jQWfmWYdVEEbPbfXTZlVr2bnMz4IA xBJp3dGQdEOyXGWovnBszyQ8Hfe7kJHA4BdTrcwsFDVk6DZvgvECjRZEjMeMIZ37MYfSG1x3 DdlvT9I6R+DElGxYSjAnltBhWrqYUD5FUdbOWleC1FtD+DL+OkblgjIQstoDJm7h9j0HSCY6 z2RpUDSvZ1K5SIw//v9pQ2vbw6E/MCTElZsv1WPBwpJ0ysgDGKbT93wgbTkxasYRGqpZgHpl GQJncGY8NcPAfml/MBaaLxQdF0Bz6/t3Az02TaDLbF4n9ie0yLLkbRr3d1LDBwB3vDo2dPeS BS7VQt5vPe/NZYxBEN9S9rZ588ClcAMGTl5Pxx9gxUnjpVZLWe6EC9SiUG4wlLmk2MtioMEa c3KLpqHLG0UOY4+5W/jLwsd+edDKiEWz2WWW4++ygTiiePYaGyTRPEJKzNibMhgtOXc5lyPo 5AFb5LiJxZ3CYUSZgHx+I4SIRYjKXE+LZzkrcEReuPrzg9OQTxxUKGJmOpJl4pNkoBzhsP0o U+HZU5D9UPgq3n4CyWMUyU2AF/oddMlxZ4hBgQnPlKh3lAiaJ3p4asCH7M8dKVi6fdu1+VcS /geZ97GDflGTCiB/C4SBbHwoJF4cx2urQ6AOWypbVACk4VIHlSPopm9JFuprnFXZsaqifYDT 3Sb/luzafI+q85KVa46tNrHI4uNgEUg
Ironport-hdrordr: A9a23:U0xG3aziLvfio6jrcOFOKrPwAL1zdoMgy1knxilNoERuA6ilf8 DHppgmPGzP+VEssRAb6Ku90ca7IU80maQe3WBVB8bGYOCEghrTEGgB1/qA/9SIIUSXndK1l5 0QEZSWY+eeMbEOt6fHCX6DferIruPrzEniv5a5854kd3ASV0hP1XYANjqm

Hi Christina Klam,

Thanks for your information, actually users are facing this issue only from uderoam CAT application, using their mobile phone as well as computers windows/mac/android. However you can share your workaround with us, it may help us for future if any case raise relevant this issue.

Thanking you,

Khandakar Nahid Alam

Network & Cyber Security Engineer

Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)

Venusberg-Campus 1/99
53127 Bonn

Mail: nahid.alam AT dzne.de

Web: www.dzne.de

signature_122933437

*********************************

Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und Wissenschaftlicher Vorstand)

und Dr. Sabine Helling-Moegen, LL.M. (Administrativer Vorstand).

Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR 9021).

From: Christina Klam <cklam AT ias.edu>
Sent: Wednesday, January 17, 2024 5:20 PM
To: Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
Cc: cat-users <cat-users AT lists.geant.org>; Uysal, Cueneyt /DZNE <Cueneyt.Uysal AT dzne.de>; Khan, Emrose /DZNE <Emrose.Khan AT dzne.de>; Hakimi, Hasibullah /DZNE <Hasibullah.Hakimi AT dzne.de>; eduroam AT dfn.de; Rocha Almeida, Jose /DZNE <Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>
Subject: Re: [[cat-users]] Eduroam certificate renewal

CAUTION: This email originated from outside of DZNE. Do not click links or open attachments unless you recognize the sender and know the content is safe.
ACHTUNG: Dies ist eine externe E-Mail, bitte seien Sie vorsichtig beim Anklicken von Links oder Öffnen von Anhängen

Alam,

Is this with Windows or all devices? We had something similar happen when we replaced the certificate in August. If this is just Windows, I will send you our workaround.

Christina Klam
Network Engineer
Institute for Advanced Study
1 Einstein Dr
Princeton, NJ 08540
(m) +1 609-751-7899
(o) +1 609-734-8154
cklam AT ias.edu

From: "Alam, Nahid /DZNE" <cat-users AT lists.geant.org>
To: "cat-users" <cat-users AT lists.geant.org>
Cc: "Uysal, Cueneyt /DZNE" <Cueneyt.Uysal AT dzne.de>, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de>, "Hakimi, Hasibullah /DZNE" <Hasibullah.Hakimi AT dzne.de>, eduroam AT dfn.de, "Rocha Almeida, Jose /DZNE" <Jose.Almeida AT dzne.de>, "Baracchi, Laura /DZNE" <Laura.Baracchi AT dzne.de>
Sent: Tuesday, January 16, 2024 12:13:59 PM
Subject: RE: [[cat-users]] Eduroam certificate renewal

Dear Eduroam Support Team,

Recently we renewed our ISE certificate and after that our eduroams user are facing connectivity issue using eduroam CAT Application, we discovered that the authentication process is being rejected from our ISE. ISE log is showing Certificate issue TSL error as below.

Possible Resolution Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Possible Root cause While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

Note that user can connect eduroam service directly using their username and credential without eduroam CAT application. Upon inspecting the eduroam CAT application profile, it has come to our attention that a specific/old root certificate has been hardcoded for end users, and unfortunately, this certificate has expired. We need to edit this profile and set the correct updated certificate then end user will able to connect eduroam service using eduroam CAT application. However, the process of editing the application profile is currently unknown to us, and we are seeking your assistance in guiding us through the necessary steps. Your expertise and support in resolving this matter would be greatly appreciated.

End User eduroam CAT application profile settings which is hardcoded with old certificate is given below.