Skip to Content.
Sympa Menu

cat-users - [cat-users] eduroam CAT (win7) failed interaction with AV (SEP)?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

[cat-users] eduroam CAT (win7) failed interaction with AV (SEP)?


Chronological Thread 
  • From: "Wood, Peter (ISS)" <p.wood AT lancaster.ac.uk>
  • To: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: [cat-users] eduroam CAT (win7) failed interaction with AV (SEP)?
  • Date: Fri, 26 Apr 2013 14:23:02 +0000
  • Accept-language: en-GB, en-US
  • List-archive: <http://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Good Afternoon,

 

We've been looking at using eduroam CAT here at Lancaster, on the whole it looks really promising.

 

We're coming across a problem relating to our AV solution. The machine is Win 7 (x64 Fully Patched) and the AV is Symantec End Point Protection 12.1.2 (x64), but I suspect this will apply to any Win 7+ machine running our AV.

 

When we run the CAT executable we proceed through the screens until the actual installation phrase, at which point we get a pop up message of "Profile installation error for eduroam (TKIP).", if you accept you then get another for "Credentials installation problem", then "Profile installation error for eduroam." and finally "Credentials installation problem".

 

Digging through the Event Viewer we find an entry which related to the same time of installation of the profiles:

Skipping: Eap method DLL path validation failed. Error: typeId=25, authorId=0, vendorId=0, vendorType=0

 

After a fair amount of digging we find that it appears that SEP has replaced the pointers to rastls.dll with one to its own SysRasMan64.dll. It does this for all of the EAP types. PEAP-MSCHAPv2 (I think) is at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25

 

Removing SEP 12.1 “solves” the problem, CAT works. However we can't mandate users remove AV, run CAT, then reinstall AV. It's not really practical, and how many of them are likely to reinstall AV.

 

What gets more interesting is that executing "netsh wlan add profile wlan_prof-[01].xml" on the profiles in the temporary directory works and the profiles are successfully installed, so SEP hasn't completely stuffed the provisioning system.

 

I'm working with our AV team to remove SNAC (which we are not using) from the AV installation (if possible), but I'm wondering if we could explain the difference why the profile installation works with netsh, but not (presumably) the WlanSetProfile API.

 

Has anyone already come across this and can shed some light? I remember playing with SU1X a long time ago and having the same problem, I'm guessing it's the same issue.

 

Kind regards,

 

Peter.

--

Peter Wood

Network Security Specialist

Information Systems Services

Lancaster University

 

Email: p.wood AT lancaster.ac.uk

 




Archive powered by MHonArc 2.6.19.

Top of Page