cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: Stefan Winter <stefan.winter AT restena.lu>
- Cc: cat-users AT geant.net
- Subject: Re: [cat-users] eduroam CAT - installers issue
- Date: Fri, 26 Apr 2013 14:07:03 +0200
- List-archive: <http://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hi,
Stefan's answer is not entirely correct, so some comments in-line
On 2013-04-26 13:33, Stefan Winter wrote:
Hello,
please allow me to cc the cat-users AT geant.net mailing list; answers such
as this one are of benefit for the entire community.
I am writing to you regarding the eduroam CAT, which we highly
appreciate and would like our users to benefit from.
After following the eduroam CAT guide for institution administrators,
https://confluence.terena.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators
I encounter difficulties while testing the generated installers. For
example, on Mac OS X (Mountain) Lion an eduroam profile is created but
it is impossible to join eduroam network. On Windows 7, I have noticed
that the installer is trying to use TKIP encryption. On our campus
(University of Lausanne Switzerland) we recently changed the eduroam
WLAN configuration from WPA mixed to WPA2-Enterprise (AES).
eduroam CAT always produces one installer for the SSID eduroam which is
configured for both WPA/TKIP and WPA2/AES. If your network is running
WPA2/AES, then this is of course supported.
On your Windows 7, you may have noticed that the profile is called
"eduroam (with TKIP)" (not "exclusively" TKIP) - when the computer
chooses this profile this does NOT mean it is trying to connect via
TKIP. If the network eduroam is shown in your networks list as being
compatible with this profile, then the Operating System makes the "right
choice" by itself.
"eduroam (TKIP)" is *exclusively* TKIP. This is just how Windows profiles work.
eduroam (without TKIP) is given a preference, therefore this is the one which should be used first. If we could configure AES+TKIP in a single profile then we would have done so.
If the machine is connecting as eduroam (TKIP) then it *is* connecting via TKIP, contrary to what Stefan has written.
I am not entirely sure (and I have no means of testing this at the moment) what will be shown to the user inside an exclusively AES network.
Perhaps eduroam (TKIP) will be displayed but if you try connecting using this profile you should get a message that the network settings are wrong.
Normally connection happens automatically therefore the user should never see such problems. In a TKIP-only network, the "eduroam" profile which is AES-only should be tried first and when this fails, "eduroam (TKIP)" would be tried next. In a network which supports AES, the "eduroam" profile should be given priority. If this fails, for instance due to a password problem or a connection problem, TKIP will be tried and probably should fail as well, as the same credentials will be used.
If the user actively clicks connect on a given profile this could change the priorities. This is why on the installer screen we tell the user to use non-TKIP whenever possible, but I realise people probably do not read this.
Stefan has explained why we still insist on installing the TKIP profile for Windows users - this way we make Windows behave the same way as Apple or Android devices, where both AES and TKIP are always supported.
Tomasz
The reason for still including WPA/TKIP is that your users may roam to
other hotspots which may not have made the transition. When TKIP is
configured, eduroam will continue to work for your users at these
hotspots; otherwise, they would have to reconfigure their computer.
I suspect that the issue is due to the TKIP encryption type. Is there a
way to choose between TKIP and AES, while configuring eduroam CAT in
order to obtain the installers?
I must be doing something wrong in the configuration procedure.
The choice to configure the "eduroam" for both TKIP and AES is done
automatically and is not configurable. If you have an additional SSID
which you deploy only in your university, then you have full control
whether or not you want to include the legacy TKIP support by selecting
either the option "Additional SSID" or "Additional SSID (with TKIP)"
where the former one obviously means AES-only.
On your connectivity issue, I contemplate from what you write that
neither Mac OS nor Windows function at all. That is very unusual; we
have many IdPs for which all installers work exactly as advertised.
Are you sure your RADIUS infrastructure is working correctly?
Did you run the realm reachability checks, and do they show an error?
Can you connect to the eduroam network if connecting with manual
configuration instead of CAT installers?
If the answers to the above are Yes, Ran it with no problems, and Yes,
then I suggest you let me take a look at your CAT institution. You can
grant me access by inviting my e-mail address as a co-admin for the
institution with the "Add/Remove Administrators" button.
Greetings,
Stefan Winter
--
Tomasz Wolniewicz
twoln AT umk.pl
http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
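The thread above turns on each Windows WLAN profile carrying exactly one cipher, so the installer creates an AES-only "eduroam" profile plus a separate "eduroam (TKIP)" one, and their order decides which is tried first. The following is an added example, not part of the original messages and not eduroam CAT code: a Python audit over profile XML in the Windows WLANProfile v1 schema, listed in preference order. The sample profiles are constructed and trimmed to the fields read, and the function names and finding labels are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profile, trimmed to the elements the audit reads.
TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Two profiles for the same SSID, in preference order (AES first).
SAMPLE = [
    TEMPLATE.format(name="eduroam", ssid="eduroam", auth="WPA2", enc="AES"),
    TEMPLATE.format(name="eduroam (TKIP)", ssid="eduroam", auth="WPA", enc="TKIP"),
]

def parse_profile(xml_text):
    """Extract profile name, SSID and the single auth/cipher pair."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/w:authEncryption/"
    return {
        "name": root.findtext("w:name", namespaces=NS),
        "ssid": root.findtext("w:SSIDConfig/w:SSID/w:name", namespaces=NS),
        "authentication": root.findtext(sec + "w:authentication", namespaces=NS),
        "encryption": root.findtext(sec + "w:encryption", namespaces=NS),
    }

def audit(profiles_in_order):
    """Flag TKIP profiles, and TKIP ranked ahead of AES for the same SSID."""
    by_ssid = {}
    for xml_text in profiles_in_order:
        p = parse_profile(xml_text)
        by_ssid.setdefault(p["ssid"], []).append(p)
    findings = []
    for ssid, entries in by_ssid.items():
        ciphers = [p["encryption"] for p in entries]
        for p in entries:
            if p["encryption"] == "TKIP":
                findings.append((ssid, p["name"], "tkip-profile-installed"))
        if {"TKIP", "AES"} <= set(ciphers) and ciphers.index("TKIP") < ciphers.index("AES"):
            tkip = entries[ciphers.index("TKIP")]
            findings.append((ssid, tkip["name"], "tkip-preferred-over-aes"))
    return findings
```
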