An open discussion list for topics related to the geteduroam service

[Muhammad Farhan SJAUGI <farhan AT sifulan.my>]

Hi,

Just an update for everyone's benefit who comes across this email in the future. So, I managed to solve the first "problem".

After deeply looked at the source code, so basically there are two ways the admin can pass the realm name:

1. Http hostname/domain name: The code will look at the http hostname/domain name and do a cross check with the realm_vhost table to find out the realm. However, despite there's a function/method/API to add this mapping, it seems not implemented yet as a command like the command to add a new realm. Hence, I had to add it manually in the database.

2. Http GET parameter: By adding ?realm=<realm name> or &realm=<realm name> when requesting for a profile (e.g. https://get.eduroam.my/profiles/new/?realm=<realm name>). 

Each has pros and cons, depending on the setup that you are looking for; like the 1st option looks more "seamless" as you don't have to provide the realm. However, in a multitenant setup, you need to set up multiple web server virtual hosting for each realm. The 2nd option is simpler for the administrator, but they have to remind the user to mention the realm name in the url. (CMIIW).

Hope this helps.

Regards

--
Ts. Muhammad Farhan SJAUGI, S.Kom. M.Sc.

SIFULAN Malaysian Access Federation
Email: farhan AT sifulan.my
Homepage: https://sifulan.my
  

On Mon, 22 Nov 2021 at 15:35, Muhammad Farhan SJAUGI <farhan AT sifulan.my> wrote:

Hi,

OK, I managed to solve the problem no 2. Apparently, the ServerID attributes inside the profile didn't match with the actual server hostname as a "radius." string was added.

So, I have to edit the servername by hand in the database (or any better way?) to make it correct. After this change, I able to login by using the credential generated by using letswifi ca.

However, any idea how can I solve the first problem?

Regards

--
Ts. Muhammad Farhan SJAUGI, S.Kom. M.Sc.

SIFULAN Malaysian Access Federation
Email: farhan AT sifulan.my
Homepage: https://sifulan.my
  

On Sun, 21 Nov 2021 at 17:11, Muhammad Farhan SJAUGI <farhan AT sifulan.my> wrote:

Hi,

We are setting up a letswifi ca portal for our federation members. So far everything went well as we are able to register a new realm and get the profile (however we need to add ?realm=<realm name> manually to download the profile).

However, when we tested the account, we got the following error message at the Freeradius 3 (FR3) despite we had added the realm's letwifi ca cert in the ca trusted list:

(33) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(33) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(33) eap_tls: ERROR: System call (I/O) error (-1)
(33) eap_tls: ERROR: TLS receive handshake failed during operation
(33) eap_tls: ERROR: [eaptls process] = fail
(33) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

My questions are:

1. Is there any way to let the user download the profile without having to manually add ?realm=<realm name> in the url browser?

2. Any idea what the problem is with our FR3 EAP-TLS configuration? FYI, our FR3 uses letsencrypt cert.

Regards

--
Ts. Muhammad Farhan SJAUGI, S.Kom. M.Sc.

SIFULAN Malaysian Access Federation
Email: farhan AT sifulan.my
Homepage: https://sifulan.my