Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] eduroam CAT (win7) failed interaction with AV (SEP)?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] eduroam CAT (win7) failed interaction with AV (SEP)?


Chronological Thread 
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: "Wood, Peter (ISS)" <p.wood AT lancaster.ac.uk>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] eduroam CAT (win7) failed interaction with AV (SEP)?
  • Date: Fri, 26 Apr 2013 21:00:48 +0200
  • List-archive: <http://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,
   we have diagnosed the problem just a few days ago with the help form French collogues.
This is what I have found out. If I start a Windows cmd window from the installer then nets wlan add profile run form this window fails, while the same thing run from a cmd window started normally from the Windows menu works just fine.

  I have already modified the installer so that
1. it never tries to install user credential after the profile install has failed
2. it checks for the Symanted EAPmethod (unassigned number 88) asnd if the profile installation fails and Symanted is found a hint about this is displayed to the user.

This is going to be in CAT 1.0.3 for sure, but this is just error handling, not a way around. My idea for a fix is to dump a batch file containing all profile install commands and tell the user to run it manually. Not very pretty but hopefully effective, still this require testing first.

There is some stuff about related problems on the net and it appears this is 64-bit specific, therefore would look more liker a bug the a feature :).

Peter, could you test running the installer in admin mode and see if this makes any difference? This one I did not test.
Tomasz



I have also codded

W dniu 26.04.2013 16:23, Wood, Peter (ISS) pisze:

Good Afternoon,

 

We've been looking at using eduroam CAT here at Lancaster, on the whole it looks really promising.

 

We're coming across a problem relating to our AV solution. The machine is Win 7 (x64 Fully Patched) and the AV is Symantec End Point Protection 12.1.2 (x64), but I suspect this will apply to any Win 7+ machine running our AV.

 

When we run the CAT executable we proceed through the screens until the actual installation phrase, at which point we get a pop up message of "Profile installation error for eduroam (TKIP).", if you accept you then get another for "Credentials installation problem", then "Profile installation error for eduroam." and finally "Credentials installation problem".

 

Digging through the Event Viewer we find an entry which related to the same time of installation of the profiles:

Skipping: Eap method DLL path validation failed. Error: typeId=25, authorId=0, vendorId=0, vendorType=0

 

After a fair amount of digging we find that it appears that SEP has replaced the pointers to rastls.dll with one to its own SysRasMan64.dll. It does this for all of the EAP types. PEAP-MSCHAPv2 (I think) is at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25

 

Removing SEP 12.1 “solves” the problem, CAT works. However we can't mandate users remove AV, run CAT, then reinstall AV. It's not really practical, and how many of them are likely to reinstall AV.

 

What gets more interesting is that executing "netsh wlan add profile wlan_prof-[01].xml" on the profiles in the temporary directory works and the profiles are successfully installed, so SEP hasn't completely stuffed the provisioning system.

 

I'm working with our AV team to remove SNAC (which we are not using) from the AV installation (if possible), but I'm wondering if we could explain the difference why the profile installation works with netsh, but not (presumably) the WlanSetProfile API.

 

Has anyone already come across this and can shed some light? I remember playing with SU1X a long time ago and having the same problem, I'm guessing it's the same issue.

 

Kind regards,

 

Peter.

--

Peter Wood

Network Security Specialist

Information Systems Services

Lancaster University

 

Email: p.wood AT lancaster.ac.uk

 


-- 
Tomasz Wolniewicz    
  twoln AT umk.pl     http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication
                                      Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750  fax: +48-56-622-1850 tel kom.: +48-693-032-576



Archive powered by MHonArc 2.6.19.

Top of Page