The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi,
 Stefan's answer is not entirely correct, so some comments in-line
W dniu 2013-04-26 13:33, Stefan Winter pisze:
> Hello,
>
> please allow me to cc the 
> cat-users AT geant.net
>  mailing list; answers such
> as this one are of benefit for the entire community.
>
> > I am writing to you regarding the eduroam CAT, which we highly
> > appreciate and would like our users to benefit from.
> >
> > After following the eduroam CAT guide for institution administrators,
> >   
> > https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administratorsI
> > encounter difficulties while testing the  generated installers. For
> > example, On Mac OS X (Mountain) Lion an eduroam profile is created but
> > it is impossible to join eduroam network. On Windows 7, I have noticed
> > that the installer is trying to use TKIP encryption. On our campus
> > (University of Lausanne Switzerland) we recently changed the eduroam
> > WLAN configuration from WPA mixed to WPA2-Enterprise (AES).
> eduroam CAT always produces one installer for the SSID eduroam which is
> configured for both WPA/TKIP and WPA2/AES. If your network is running
> WPA2/AES, then this is of course supported.
>
> On your Windows 7, you may have noticed that the profile is called
> "eduroam (with TKIP)" (not "exclusively" TKIP) - when the computer
> chooses this profile this does NOT mean it is trying to connect via
> TKIP. If the network eduroam is shown in your networks list as being
> compatible with this profile, then the Operating System makes the "right
> choice" by itself.
"edurom (TKIP)" is *exclusively* TKIP. This is just how Windows profiles 
work.
eduroam (without TKIP) is given a preference, therefore this is the one 
which should be used first. If we could configure AES+TKIP in a single 
profile then we would have done so.

If the machine is connecting as eduroam (TKIP) then it *is* connecting 
via TKIP, contrary to what Stefan has written.

I am not entirely sure (and I have no means of testing this at the 
moment) what will be shown to the user inside an exclusively AES network.
Perhaps eduroam (TKIP) will be displayed but if you try connecting using 
this profile you should get a message that the network settings are wrong.

Normally connection happens automatically therefore the user should 
never see such problems. In a TKIP - only network, the "eduroam" profile 
which is AES-only should be tried first and when this fails, "eduroam 
(TKIP)" would be tried next. In a network which supports AES, the 
"eduroam" profile should be given priority. If this fails, for instance 
due to a password problem or a connection problem, TKIP will be tried 
and probably should fail as well, as the same credentials will be used.

If the user actively clicks connect on a given profile this could change 
the priorities. This is why on the installer screen we tell the user  to 
use non TKIP whenever possible, but I realise people probably do not 
read this.

 Stefan has explained why we still insist on installing the TKIP 
profile for Windows users - this way we make Windows behave the same way 
as Apple or Android devices, where both AES abd TKIP are always supported.

Tomasz

> The reason for still including WPA/TKIP is that your users may roam to
> other hotspots which may not have made the transition. When TKIP is
> configured, eduroam will continue to work for your users at these
> hotspots; otherwise, they would have to reconfigure their computer.
>
> > I suspect that the issue is due to the TKIP encryption type. Is there a
> > way to choose between TKIP and AES, while configuring eduroam CAT in
> > order to obtain the installers?
> >
> > I must be doing something wrong in the configuration procedure.
> The choice to configure the "eduroam" for both TKIP and AES is done
> automatically and is not configurable. If you have an additional SSID
> which you deploy only in your university, then you have full control
> whether or not you want to include the legacy TKIP support by selecting
> either the option "Additional SSID" or "Additional SSID (with TKIP)"
> where the former one obviously means AES-only.
>
> On your connectivity issue, I contemplate from what you write that
> neither Mac OS nor Windows function at all. That is very unusual; we
> have many IdPs for which all installers work exactly as advertised.
>
> Are you sure your RADIUS infrastructure is working correctly?
> Did you run the realm reachability checks, and do they show an error?
> Can you connect to the eduroam network if connecting with manual
> configuration instead of CAT installers?
>
> If the answers to the above are Yes, Ran it with no problems, and Yes,
> then I suggest you let me take a look at your CAT institution. You can
> grant me access by inviting my e-mail address as a co-admin for the
> institution with the "Add/Remove Administrators" button.
>
> Greetings,
>
> Stefan Winter

--
Tomasz Wolniewicz
          
twoln AT umk.pl
        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576