cat-users - RE: [[cat-users]] Trooble using Eduroam Installer, help needed

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Sverrir Davíðsson <sverrir AT thekking.is>
  • To: Stefan Winter <stefan.winter AT restena.lu>, eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Trooble using Eduroam Installer, help needed
  • Date: Mon, 30 Nov 2015 12:35:29 +0000
  • Accept-language: is-IS, en-US

Hi Stefan
Sorry, I must have pressed send too quickly :)

Here are the logs, see attachments

Best regards
Sverrir Davíðsson

-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: Monday, 30 November 2015 11:48
To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>
Subject: Re: Trooble using Eduroam Installer, help needed

Hello,

> Hi my name is Sverrir,
> I have been setting up a IdP for the Iceland Academy of the Arts.

thanks for contacting the list and not me directly.

> Radius Authentication works, but we are unable to use the Installer.
>
> I'm having trouble getting the Installer (EXE) setup to work against
> our SSID.
>
> We are able to connect directly to "eduroam" SSID without the use of
> the Installer, user gets authenticated and connected no problem.

"Connected" is easy. Getting connected *securely*, i.e. with all security
checks client-side enabled, is harder.

The installers set all the security parameters. Only once those checks are
actually enabled, subtle misconfigurations on the server side will have
consequences.

> But when we try to use the Installer, there is something off with the
> creation of the wifi Profile, users will not get connected and my
> RADIUS complains about user mismatch.
>
> I see that the User Security ID is NULL when using the Installer.

I have no idea what the "User Security ID" is supposed to be?

> I have tested this on both windows 10 and 8,1.
>
> I see at the top of the page that CAT was recently upgraded to
> version 1.1.1, could that be the root of my problems?

No. We should really remove the MOTD. This version has been up for over a
month now.

> I'll attach some more info regarding our Wifi troubles.
>
>
>
> Radius: Windows Server 2012R2
>
> Microsoft: Protected EAP (PEAP)
>
> Secure Password (EAP-MSCHAP v2)
>
> Cert: Public SSL from GoDaddy
>
> AP: Cisco

This setup is as standard as can be and as such is probably not the source of
any problem.

> Logs from Radius and Client when Connecting to eduroam
>
> Connecting directly to eduroam (Without Installer), See attachment :
> Eduroam-NonInstaller.txt
>
> Connecting to eduroam (With Installer), See attachment :
> Eduroam-Installer.txt

If you'd attach the log files, we could actually look at them ;-)

Greetings,

Stefan Winter

>
>
>
>
>
> Best Regards
>
> Sverrir Davíðsson
>
>
>
> ----------------------------------------------------------------------
> -- Skilmálar / Disclaimer <https://www.thekking.is/is/skilmalar>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

----------------------------RADIUS LOG------------------------------------------------------------
Network Policy Server granted full access to a user because the host met the
defined health policy.

User:
Security ID: LHI\the-sverrir
Account Name: the-sverrir AT lhi.is
Account Domain: LHI
Fully Qualified Account Name: LHI\the-sverrir

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 80-e0-1d-b5-7f-70:eduroam
Calling Station Identifier: 10-0b-a9-a1-17-fc

NAS:
NAS IPv4 Address: 130.208.220.60
NAS IPv6 Address: -
NAS Identifier: Cisco_85:a1:04
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1

RADIUS Client:
Client Friendly Name: WiFi Authentication
Client IP Address: 130.208.220.60

Authentication Details:
Connection Request Policy Name: Eduroam LHI
Network Policy Name: NAP 802.1X (Wireless) Eduroam LHI
Authentication Provider: Windows
Authentication Server: LHI-DC01.lhi.is
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 35363534383162312F31303A30623A61393A61313A31373A66632F333136313137

Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -

----------------------------RADIUS LOG ENDS------------------------------------------------------------

----------------------------Client WiFi Configuration------------------------------------------------------------

Profile eduroam on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : eduroam
Control options :
Connection mode : Connect automatically
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled

Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "eduroam"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present

Security settings
-----------------
Authentication : WPA2-Enterprise
Cipher : CCMP
Security key : Absent
802.1X : Enabled
EAP type : Microsoft: Protected EAP (PEAP)
802.1X auth credential : Machine or user credential
Cache user information : Yes

Cost settings
-------------
Cost : Unrestricted
Congested : No
Approaching Data Limit : No
Over Data Limit : No
Roaming : No
Cost Source : Default


----------------------------Client WiFi Configuration ENDS------------------------------------------------------------

----------------------------RADIUS LOG------------------------------------------------------------
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: the-sverrir AT lhi.is
Account Domain: LHI
Fully Qualified Account Name: LHI\the-sverrir

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 80-e0-1d-b5-7f-70:eduroam
Calling Station Identifier: 10-0b-a9-a1-17-fc

NAS:
NAS IPv4 Address: 130.208.220.60
NAS IPv6 Address: -
NAS Identifier: Cisco_85:a1:04
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1

RADIUS Client:
Client Friendly Name: WiFi Authentication
Client IP Address: 130.208.220.60

Authentication Details:
Connection Request Policy Name: Eduroam LHI
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: LHI-DC01.lhi.is
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: 35363534376363352F31303A30623A61393A61313A31373A66632F333135393237
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


----------------------------RADIUS LOG ENDS------------------------------------------------------------

----------------------------Client WiFi Configuration------------------------------------------------------------
C:\WINDOWS\system32>netsh wlan show profile name ="eduroam" key=clear

Profile eduroam on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : eduroam
Control options :
Connection mode : Connect automatically
Network broadcast : Connect even if this network is not broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled

Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "eduroam"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present

Security settings
-----------------
Authentication : WPA2-Enterprise
Cipher : CCMP
Security key : Absent
802.1X : Enabled
EAP type : Microsoft: Protected EAP (PEAP)
802.1X auth credential : User credential
Credentials configured : No
Cache user information : Yes

Cost settings
-------------
Cost : Unrestricted
Congested : No
Approaching Data Limit : No
Over Data Limit : No
Roaming : No
Cost Source : Default

----------------------------Client WiFi Configuration ENDS------------------------------------------------------------
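
Added example, not part of the original message or of the CAT project: a short Python script that parses the two Network Policy Server events above into section/field pairs and lists the fields that differ between the granted and the denied attempt. The two excerpts are abridged from the logs above; the function names are hypothetical.

```python
# Added example: diff two NPS (RADIUS) event texts field by field.
# The excerpts below are abridged from the two events in this message.
GRANTED = """\
User:
Security ID: LHI\\the-sverrir
Fully Qualified Account Name: LHI\\the-sverrir
Client Machine:
Security ID: NULL SID
Authentication Details:
Network Policy Name: NAP 802.1X (Wireless) Eduroam LHI
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
"""
DENIED = """\
User:
Security ID: NULL SID
Fully Qualified Account Name: LHI\\the-sverrir
Client Machine:
Security ID: NULL SID
Authentication Details:
Network Policy Name: -
EAP Type: -
Reason Code: 16
"""

def parse_event(text):
    """Return {(section, field): value}; a line ending in ':' opens a section."""
    fields, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[(section, key.strip())] = value.strip()
    return fields

def diff_events(a, b):
    """Return {(section, field): (value_a, value_b)} for fields that differ."""
    fa, fb = parse_event(a), parse_event(b)
    return {k: (fa.get(k), fb.get(k))
            for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}

if __name__ == "__main__":
    for (section, field), (ok, bad) in diff_events(GRANTED, DENIED).items():
        print(f"{section} / {field}: granted={ok!r} denied={bad!r}")
```

Keeping the section name in the key matters here because "Security ID" appears under both "User" and "Client Machine", and only the former changes between the two events.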


