
cat-users - Re: [[cat-users]] [WARNING: ATTACHMENT(S) MAY CONTAIN MALWARE]Re: [DFN#2024011710000984] Eduroam certificate renewal

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Rocha Almeida, Jose /DZNE" <Jose.Almeida AT dzne.de>
  • To: DFN eduroam <eduroam AT dfn.de>
  • Cc: "Uysal, Cueneyt /DZNE" <Cueneyt.Uysal AT dzne.de>, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de>, "Hakimi, Hasibullah /DZNE" <Hasibullah.Hakimi AT dzne.de>, "Baracchi, Laura /DZNE" <Laura.Baracchi AT dzne.de>, Martin Stanislav <ms AT uakom.sk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "Afandiyev, Fazil /DZNE" <Fazil.Afandiyev AT dzne.de>, "Alam, Nahid /DZNE" <Nahid.Alam AT DZNE.DE>
  • Subject: Re: [[cat-users]] [WARNING: ATTACHMENT(S) MAY CONTAIN MALWARE]Re: [DFN#2024011710000984] Eduroam certificate renewal
  • Date: Wed, 31 Jan 2024 13:40:59 +0000

Dear DFN colleagues,

Can you please provide me with a one-time token, so I can test the access
to the Eduroam Admin portal myself?


Best regards,

Jose Almeida
IT Core & Central Systems

Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
Venusberg-Campus 1/99
53127 Bonn
Mail: jose.almeida AT dzne.de
Tel: 0228 43302 672
Web: www.dzne.de


*********************************
Executive Board: Prof. Pierluigi Nicotera, MD PhD (Chairman of the Executive
Board and Scientific Director)
and Dr. Sabine Helling-Moegen, LL.M. (Administrative Director).
The DZNE is registered in the Register of Associations of the Bonn District Court (VR 9021).




On 22.01.24, 17:31, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de> wrote:


Dear Team,


We are waiting for your update.


Best regards,


Md Ali Emrose Khan
Network & Cyber Security Engineer


Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
Venusberg-Campus 1/99
53127 Bonn
Mail: Emrose.Khan AT dzne.de
Web: www.dzne.de






-----Original Message-----
From: Khan, Emrose /DZNE
Sent: Thursday, January 18, 2024 12:33 PM
To: 'DFN eduroam' <eduroam AT dfn.de>; Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
Cc: Uysal, Cueneyt /DZNE <Cueneyt.Uysal AT dzne.de>; Hakimi, Hasibullah /DZNE <Hasibullah.Hakimi AT dzne.de>; Rocha Almeida, Jose /DZNE <Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>; Martin Stanislav <ms AT uakom.sk>; cat-users AT lists.geant.org
Subject: RE: [WARNING: ATTACHMENT(S) MAY CONTAIN MALWARE]Re: [DFN#2024011710000984] [[cat-users]] Eduroam certificate renewal


Dear DFN Team,


We are currently experiencing difficulties accessing the eduroam CAT admin
portal and are unable to log in.


Could you please assist us by providing a one-time token that would enable us
to access the admin profile promptly? Your prompt attention to this matter is
highly appreciated, and we look forward to resolving this issue swiftly.


Thank you for your cooperation.


Best regards,


Md Ali Emrose Khan
Network & Cyber Security Engineer


Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
Venusberg-Campus 1/99
53127 Bonn
Mail: Emrose.Khan AT dzne.de
Web: www.dzne.de






-----Original Message-----
From: DFN eduroam <eduroam AT dfn.de>
Sent: Wednesday, January 17, 2024 1:15 PM
To: Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
Cc: Uysal, Cueneyt /DZNE <Cueneyt.Uysal AT dzne.de>; Khan, Emrose /DZNE <Emrose.Khan AT dzne.de>; Hakimi, Hasibullah /DZNE <Hasibullah.Hakimi AT dzne.de>; Rocha Almeida, Jose /DZNE <Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>; Martin Stanislav <ms AT uakom.sk>; cat-users AT lists.geant.org
Subject: [WARNING: ATTACHMENT(S) MAY CONTAIN MALWARE]Re: [DFN#2024011710000984] [[cat-users]] Eduroam certificate renewal


Dear Alam Nahid /DZNE!


Please send an S/MIME-signed e-mail to eduroam AT dfn.de.
Please use a user certificate from the TCS PKI (GÉANT, Sectigo) in order
to sign your e-mail.


You will then receive an encrypted e-mail containing the registration token
for admin access to eduroam CAT.


Best regards,
Ralf Paffrath


17.01.2024 11:05 - Alam Nahid /DZNE wrote:


> Dear Support Team,
>
> We have lost admin access to the eduroam CAT portal DFN [1]. Can you please
> let us know how can we get back admin access to the eduroam CAT admin portal?
>
> Is it the correct link to login eduroam CAT admin portal for DZNE?
> https://idp.dzne.de/idp/profile/SAML2/Redirect/SSO?execution=e1s2
>
> By going through the below link eduroam CAT admin guide we can find the
> below step to replace new certificate.
>
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators
>
> Replacing the RADIUS server root CA certificate:
>
> When your RADIUS server's root CA certificate is about to expire and you
> need to replace it with a new one, the new CA certificate needs to be
> communicated to all your users' devices. The procedure to achieve this is
> as follows:
>
> 1. Create a new “migration” eduroam profile in eduroam CAT, containing both
> the current and new root CA certificates. All previous eduroam CAT profiles
> should be deleted to avoid them being used. (Caveat: this new profile will
> not work as intended for Android < 7.1 devices).
>
> 2. Require all new and existing end-users to download the “migration”
> profile. Their devices, except for Android < 7.1, will then be capable of
> trusting both the current and the new CA, and will accept server
> certificates from either CA.
>
> 3. Once you are confident that all end-user devices have the “migration”
> profile installed, apply the new server certificate on the Radius server(s).
> Ideally, the host name in the certificate CN/subjectAltNames should be
> identical to the old server certificate. (Caveat: Android < 7.1 devices
> configured with the old root CA will now no longer be able to authenticate,
> they will need to install a new profile containing just the new root CA).
>
> 4. Create a new “permanent” eduroam profile in eduroam CAT, containing only
> the new root CA certificate. Delete the “migration” eduroam profile.
>
> 5. Require all existing Android < 7.1 users, and all new users, to download
> the new profile.
>
>
> Thanking you,
>
> Khandakar Nahid Alam
> Network & Cyber Security Engineer
>
> Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
> Venusberg-Campus 1/99
> 53127 Bonn
> Mail: nahid.alam AT dzne.de
> Web: www.dzne.de
>
>
>
>
> -----Original Message-----
> From: Martin Stanislav <ms AT uakom.sk>
> Sent: Wednesday, January 17, 2024 10:26 AM
> To: Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
> Cc: cat-users AT lists.geant.org; Uysal, Cueneyt /DZNE <Cueneyt.Uysal AT dzne.de>; Khan, Emrose /DZNE <Emrose.Khan AT dzne.de>; Hakimi, Hasibullah /DZNE <Hasibullah.Hakimi AT dzne.de>; eduroam AT dfn.de; Rocha Almeida, Jose /DZNE <Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>
> Subject: Re: [[cat-users]] Eduroam certificate renewal
>
> CAUTION: This email originated from outside of DZNE. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> ATTENTION: This is an external e-mail, please be careful when clicking
> links or opening attachments.
>
>
> Dear Alam,
>
> Your org. needs to adjust its profile(s) on eduroam CAT portal [1] in case
> it's about to change the root CA used to issue a replacement EAP server
> certificate.
> Ideally add the new root CA to the published configuration profiles long
> enough before introducing the changes in the AAA infrastructure on your
> RADIUS server (a fair share of client devices accept multiple root CA in
> their supplicant setup nowadays).
> This way the end users get a chance to setup their devices in a way that
> reflects coming changes in the infrastructure.
>
> Should you have lost admin access to the eduroam CAT portal, DFN [1] is
> your most likely point of contact to resume the access.
>
> Kind regards,
> Martin
>
> [1] A guide to eduroam CAT for IdP administrators
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators
>
> [2] https://www2.dfn.de/dienstbeschreibungro
>
> On Tue, Jan 16, 2024 at 05:13:59PM +0000, "Alam, Nahid /DZNE" wrote:
> > Dear Eduroam Support Team,
> >
> > Recently we renewed our ISE certificate and after that our eduroam users
> > are facing connectivity issues using eduroam CAT Application, we
> > discovered that the authentication process is being rejected from our
> > ISE. ISE log is showing Certificate issue TLS error as below.
> >
> > [cid:image005.png AT 01DA48A7.B39A67B0]
> >
> > Possible Resolution Ensure that the ISE server certificate is trusted by
> > the client, by configuring the supplicant with the CA certificate that
> > signed the ISE server certificate. It is strongly recommended to not
> > disable the server certificate validation on the client!
> >
> > Possible Root cause While trying to negotiate a TLS handshake with the
> > client, ISE received an unexpected TLS alert message. This might be due
> > to the supplicant not trusting the ISE server certificate for some
> > reason. ISE treated the unexpected message as a sign that the client
> > rejected the tunnel establishment.
> >
> > Note that user can connect eduroam service directly using their username
> > and credential without eduroam CAT application. Upon inspecting the
> > eduroam CAT application profile, it has come to our attention that a
> > specific/old root certificate has been hardcoded for end users, and
> > unfortunately, this certificate has expired. We need to edit this profile
> > and set the correct updated certificate then end user will able to
> > connect eduroam service using eduroam CAT application. However, the
> > process of editing the application profile is currently unknown to us,
> > and we are seeking your assistance in guiding us through the necessary
> > steps. Your expertise and support in resolving this matter would be
> > greatly appreciated.
> >
> >
> > End User eduroam CAT application profile settings which is hardcoded with
> > old certificate is given below.
> >
> > [cid:image001.jpg AT 01DA4880.995EEDC0]
> >
> >
> >
> > Thanking you,
> >
> > Khandakar Nahid Alam
> > Network & Cyber Security Engineer
> >
> > Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
> > Venusberg-Campus 1/99
> > 53127 Bonn
> > Mail: nahid.alam AT dzne.de
> > Web: www.dzne.de
> >
>
>
>
>
>




Kind regards,
Ralf Paffrath


--
eduroam Technical Support
E-Mail: eduroam AT dfn.de | Phone: +49 30884299-9120 |
Fax: +49 30884299-370
__________________________________________________________________________________


DFN - Deutsches Forschungsnetz | German National Research and Education
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de/


Executive Board: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian
Zens
Management: Dr. Christian Grimm | Jochem Pattloch
Register of Associations, Charlottenburg District Court 7729 B | VAT ID DE 136623822


Attachment: smime.p7s
Description: S/MIME cryptographic signature
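
Added example, not part of the original thread or of eduroam CAT: the five-step root CA replacement quoted above depends on which root CAs each profile trusts versus which CA issued the RADIUS server certificate. The script below builds throwaway CAs with the OpenSSL CLI (assumed installed; `old-ca`, `new-ca` and `radius.example.org` are constructed names) and checks every profile bundle against the old and the new server certificate. It checks the chain only, not the server name.

```shell
#!/bin/sh
# Added example. All certificates are constructed test material created in a
# temporary directory; nothing here comes from a real eduroam deployment.

make_ca() {      # make_ca NAME -> NAME.key, NAME.pem (self-signed root CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_server() {  # make_server CA NAME -> NAME.pem, issued by CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# Succeeds when SERVER_CERT chains to a root CA in the profile's CA bundle.
trusts_server() {  # trusts_server BUNDLE SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints "profile/server=result" for every combination, space separated.
rollover_matrix() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    make_ca old-ca && make_ca new-ca || exit 1
    make_server old-ca old-server && make_server new-ca new-server || exit 1
    cp old-ca.pem old-profile.pem               # profile before the rollover
    cat old-ca.pem new-ca.pem > migration.pem   # step 1: both root CAs
    cp new-ca.pem permanent.pem                 # step 4: new root CA only
    out=
    for profile in old-profile migration permanent; do
        for server in old-server new-server; do
            if trusts_server "$profile.pem" "$server.pem"
            then r=ok; else r=reject; fi
            out="$out$profile/$server=$r "
        done
    done
    cd / && rm -rf "$dir"
    echo "${out% }"
)

rollover_matrix | tr ' ' '\n'
```

Only the migration bundle accepts both server certificates, which is why step 3 (switching the server certificate) has to wait until clients carry it, and why the permanent profile is published only after the switch.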



