Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] additional ssid with TKIP

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] additional ssid with TKIP


Chronological Thread 
  • From: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] additional ssid with TKIP
  • Date: Mon, 28 Dec 2015 19:43:53 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT noc.grnet.gr

Hi Stefan,


On 2015-12-21 08:20, Stefan Winter wrote:
there is an IdP-wide option in CAT to configure an additional ssid with
TKIP. Does this still do anything, since the removal of (automatically
included) TKIP profiles in CAT 1.1? Looking at non-binary profiles
produced, I can't see a difference after enabling this option. And a
Windows 10 user reported a problem[1] with an installer with this option
enabled.

The change was merely about the "eduroam" SSID itself; it previously
came with a TKIP profile included; but not any more.

An additional SSID can still manually be configured with TKIP support.

If you looked at the non-binary Apple OS X / iOS profiles: for them,
there is indeed no change, as the configuration profiles on that
platform do not make a distinction - everything is just "WPA", and
includes WPA+WPA2 and TKIP+AES.

OK

So: we are not aware of any issues in that regard. If there was a
problem on a Windows installation, a bit more detail would be needed.

I managed to get access to the user's computer and get a closer look at the problem after all.

The error as displayed can be seen in the attachment (sorry, no screen grab). The message in Greek corresponds to this string from devices.pot:

#: devices/ms/Files/common.inc:1014
msgid "Credentials installation problem"
msgstr "Πρόβλημα κατά την εγκατάσταση των διαπιστευτηρίων"

I then ran the installer with debug:

eduroam-W10-GRNET_S.A.-_SHA2_GRNET-HQ_eduroam_IdP.exe -DEBUG=4

This is the log output:

| Platfrom:64
| WindowsVer:8
| Checking for wireless interfaces
| Exec: C:\Users\PDTSAN\AppData\Local\Temp\wlan_test.exe
| wlan_test.exe returned 0
| Wireless check OK
| testing for EAP: 88
| EAP test returned:
| Symantec test returned:
| Entering WiredConfirm with wireless_result=0; wired=0
| locating certificate SHA=0563b8630d62d75abbc8ab1e4bdfb5a899b24d43 Level=root
| Testing machine store root
| Execute: certutil -store root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
| certutil returned -2146893807
| Testing machine store authroot
| Execute: certutil -store authroot 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
| certutil returned 0
| Found AUTHROOT
| Checking for profile eduroam (TKIP)
| Exec: netsh wlan show profiles eduroam (TKIP)
| netsh returned 1
| profile eduroam (TKIP) not found
| Checking for profile eduroam
| Exec: netsh wlan show profiles eduroam
| netsh returned 1
| profile eduroam not found
| Execute: netsh wlan add profile C:\Users\PDTSAN\AppData\Local\Temp\wlan_prof-0.xml
| netsh returned 0
| Profile eduroam (TKIP) created
| Execute: netsh wlan add profile C:\Users\PDTSAN\AppData\Local\Temp\wlan_prof-1.xml
| netsh returned 0
| Profile eduroam created
| Additional Deletes
| Checking for profile eduroam (TKIP)
| Exec: netsh wlan show profiles eduroam (TKIP)
| netsh returned 0
| found profile eduroam (TKIP)
| deleting profile "eduroam (TKIP)"
| Execute: netsh wlan delete profile "eduroam (TKIP)"
| Installing wireless credentials
| installing credentials for profile eduroam (TKIP)
| Execute: C:\Users\PDTSAN\AppData\Local\Temp\setEAPCred.exe "zmousm AT admin.grnet.gr" "base_64_password_not_recorded" "eduroam (TKIP)"
| setEAPCred.exe returned 4
| installing credentials for profile eduroam
| Execute: C:\Users\PDTSAN\AppData\Local\Temp\setEAPCred.exe "zmousm AT admin.grnet.gr" "base_64_password_not_recorded" "eduroam"
| setEAPCred.exe returned 0
| writing C:\Users\PDTSAN\Downloads\inst_cat.cmd

It looks like the installer adds and subsequently removes an "eduroam (TKIP)" profile. It calls setEAPCred.exe to set credentials for "eduroam (TKIP)" but it fails. I suppose it can't do that for a profile that has just been deleted.

So the question is: Is this on purpose, so we can't configure an eduroam SSID with TKIP, or is this just a conflict with the installer trying to get rid of an automatically included eduroam/TKIP profile that might have been installed in the past?

Merry Christmas,
Z.

Attachment: IMG_2318.jpg
Description: JPEG image




Archive powered by MHonArc 2.6.19.

Top of Page