Opened 3 years ago

Closed 3 years ago

Last modified 5 weeks ago

#871 closed defect (fixed)

eduroam via TLS does not work

Reported by: claudio.allocchio@…
Owned by: chelliot@…
Priority: tbd
Milestone: ietf-091
Component: wireless
Keywords: eduroam
Cc: llynch@…
My Current Location: Coral II
My MAC Address: 90:27:e4:ea:5c:7b
My OS: OSX 10.6.8

Description

I've an eduroam account which uses TLS authentication, Common Name

Claudio Allocchio@…

it seems the AUTH process does not even start, as I do not see the AUTH request to go out at all.

OS: OSX 10.6.8
MAC: 90:27:e4:ea:5c:7b

I may try, if needed for debugging, do the AUTH with TTLS...

thanks

Change history (16)

comment:1 Changed 3 years ago by llynch@…

Cc: llynch@… added
Component: incoming → wireless
Owner: changed from claudio.allocchio@… to nkukich@…
Status: new → assigned
Type: request → defect

comment:2 Changed 3 years ago by chelliot@…

Owner: changed from nkukich@… to chelliot@…

We have not tested and do not currently support eduroam using client certificates. If this configuration works at other eduroam sites, please come by the NOC and we'll look at adding support for TLS here.

Chris.

comment:3 Changed 3 years ago by Claudio.Allocchio@…

yes, it works (it's my standard eduroam auth method).

I'll come to the NOC thus you can debug. I've got it also on Android 4.4.2

see you later

------------------------------------------------------------------------------
Claudio Allocchio             G   A   R   R          Claudio.Allocchio@garr.it
                         Senior Technical Officer
tel: +39 040 3758523      Italian Academic and       G=Claudio; S=Allocchio;
fax: +39 040 3758565        Research Network         P=garr; A=garr; C=it;

            PGP Key: http://www.cert.garr.it/PGP/keys.php3#ca

comment:4 Changed 3 years ago by Claudio.Allocchio@…

BTW, where is the NOC room?


comment:5 Changed 3 years ago by chelliot@…

Claudio,

We'd like to continue debugging this problem with you. We do indeed have a problem with the space in your username, which we should be able to easily fix. We don't know if there is a separate issue with TLS or not.

Thanks!
Chris.

comment:8 Changed 3 years ago by Claudio.Allocchio@…

well that is NOT a "username", it is the "Common Name" attribute in the 
X.509 certificate 'Claudio Allocchio' with the eduroam realm added 
'garr.it'

:-)

It is likely that you do not configure radiator (or some of the APs) correctly 
to handle 'blanks' (which are always present in CN attribute), thus 
instead of reading "Claudio Allocchio@garr.it" you just read "Claudio" and 
hence you do not have the realm... thus you cannot route the AUTH request 
correctly.

https://wiki.terena.org/display/H2eduroam/'How+to....'+(deploy,+promote+and+support)+eduroam

You might miss some "backslash" quoting in some config files... We had 
once this issue in one of the national federations... and I'm trying to 
recall the fix, but... I cannot find the email related to it...


comment:9 Changed 3 years ago by Claudio.Allocchio@…

yes... confirmed. You cannot read the "blank" correctly.

If I send out a CN without the "blank" it gets correctly routed out until 
my radius server, which then just rejects because of course that CN does 
not match the certificate's internal one.

Thus it is not a real TLS issue, but a radiator config issue because of 
the blank...

still looking into my emails to find the fix...


comment:10 Changed 3 years ago by Claudio.Allocchio@…

OK, I dug out where the error may be:

check the

UsernameCharset

and

RewriteUsername

directives, to verify that they correctly allow a blank to be transmitted 
:-)

I hope this helps!

all the best,

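The routing failure described in the last three comments (a User-Name whose CN part contains a blank being cut down to "Claudio" before the realm is read, so the request can never be proxied to the home server), shown as an added example that is not part of the ticket and not Radiator's own code. The directive names UsernameCharset and RewriteUsername are the only part taken from the ticket; the character-set values, the `truncate_at_disallowed` model of the symptom, the sample User-Name values and the home-server table are assumptions made for illustration.

```python
import re

# Constructed sample User-Name values as a supplicant would send them in the
# outer identity of an 802.1X/EAP-TLS exchange. The first one is the CN from
# this ticket with the eduroam realm appended; the others are for contrast.
SAMPLE_USERNAMES = [
    "Claudio Allocchio@garr.it",  # CN with a blank, plus realm
    "claudio@garr.it",
    "anonymous@example.org",
    "noRealmAtAll",
]

# Two character classes in the spirit of a UsernameCharset whitelist.
# The exact values are an assumption; the point is only whether ' ' is in it.
CHARSET_NO_SPACE = r"A-Za-z0-9._@\-"
CHARSET_WITH_SPACE = r"A-Za-z0-9._@\- "

# Assumed routing table: realm -> home RADIUS server. Unknown realms go to
# the national federation proxy, as in a typical eduroam hierarchy.
HOME_SERVERS = {
    "garr.it": "radius.garr.it",
    "example.org": "radius.example.org",
}
DEFAULT_UPSTREAM = "national-proxy"


def username_is_valid(username: str, charset: str) -> bool:
    """True if every character of the User-Name is in the allowed class."""
    return re.fullmatch(rf"[{charset}]+", username) is not None


def truncate_at_disallowed(username: str, charset: str) -> str:
    """Model of the symptom reported in the ticket: the name is read only up
    to the first character outside the allowed class, so a blank in the CN
    silently drops everything after it, including the '@realm'."""
    return re.match(rf"[{charset}]*", username).group(0)


def split_nai(username: str):
    """Split a Network Access Identifier (user@realm) on the LAST '@'.

    Splitting on the last '@' rather than on whitespace keeps a CN such as
    'Claudio Allocchio' intact. Returns (username, None) when no realm is
    present, which a proxy should treat as unroutable.
    """
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, None
    return user, realm


def route_request(username: str, charset: str):
    """Decide where an Access-Request would be proxied.

    Returns (realm, server); (None, None) means no realm could be derived,
    which is the 'AUTH request never goes out' behaviour from the report.
    """
    seen_by_proxy = truncate_at_disallowed(username, charset)
    _user, realm = split_nai(seen_by_proxy)
    if realm is None:
        return None, None
    return realm, HOME_SERVERS.get(realm, DEFAULT_UPSTREAM)


def demo():
    """Show the same User-Names under the restrictive and the corrected class."""
    for charset, label in ((CHARSET_NO_SPACE, "no blank"), (CHARSET_WITH_SPACE, "blank allowed")):
        print(f"--- UsernameCharset: {label} ---")
        for name in SAMPLE_USERNAMES:
            valid = username_is_valid(name, charset)
            realm, server = route_request(name, charset)
            print(f"{name!r:32} valid={valid!s:5} realm={realm!s:12} -> {server}")


if __name__ == "__main__":
    demo()
```

The check a practitioner wants before touching RewriteUsername is the first one: if `username_is_valid` fails on the full CN, no rewrite rule downstream will ever see the realm, and the fix belongs in the character class, not in the rewrite.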

comment:11 Changed 3 years ago by Claudio.Allocchio@…

OK, you got it right now :-)

fixed.

you can close the ticket, and I hope this was something useful for next 
time's IETFs :-)

all the best!


comment:12 Changed 3 years ago by jim@…

Claudio,

I'm glad things are working for you! I'm not seeing any notes in this ticket that indicate who's working with you from the NOC side. Was there someone you worked with to make the Radiator changes?

Thanks!

  • Jim

comment:13 Changed 3 years ago by Claudio.Allocchio@…

>     I'm glad things are working for you! I'm not seeing any notes in this
> ticket that indicate who's working with you from the NOC side. Was there
> someone you worked with to make the Radiator changes?

I guess chelliot@pobox.com did that after my note about where to look into 
the Radiator configuration :-)


comment:14 Changed 3 years ago by jim@…

Resolution: fixed
Status: assigned → closed

Claudio,

Great. Thanks very much for working with us on this ... I'm always glad to improve our configurations!

Resolving!

  • Jim

comment:15 Changed 3 years ago by bzeeb+ietf@…

I had remotely from the other side of one and a half oceans and then failed to follow up on the ticket; sorry about that.
And thanks for the detailed report :-)

comment:16 Changed 5 weeks ago by Rick Alfvin

Milestone: ietf-91 → ietf-091

Milestone renamed
