
cat-users - Re: [[cat-users]] additional ssid with TKIP

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>, Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] additional ssid with TKIP
  • Date: Wed, 30 Dec 2015 15:33:58 +0100

Hi Zenon,
do I understand the log correctly? Did you define "eduroam" as the
additional TKIP SSID?
It looks like you did. Well, indeed CAT does not cope with this. TKIP on
eduroam is "illegal" and we should probably have some configuration test
blocking this setting in CAT. Indeed due to this "illegality" and the
fact that previously CAT was installing the "eduroam (TKIP)" profile, we
are now silently removing this profile if found on the machine.
Therefore your diagnosis was correct, CAT was removing the profile and
then tried to add credentials and was failing on this. It simply did not
realise that the additional SSID was in fact eduroam. To make things
worse, for TKIP profiles we also install the AES profile, so what we
were actually doing in this case was:
1. install "eduroam" (as the default network)
2. install "eduroam" as the additional AES network
3. install "eduroam (TKIP)" as the additional TKIP network
4. remove "eduroam (TKIP)" as the "illegal" network

Plus remove every located profile before installing a new one, plus
install credentials for every profile installed.
This does create this mess that you see in the logs. If for TKIP you set
up any other SSID then things will go smoothly.

Yours
Tomasz



On 2015-12-28 at 18:43, Zenon Mousmoulas wrote:
> Hi Stefan,
>
>
> On 2015-12-21 08:20, Stefan Winter wrote:
>>> there is an IdP-wide option in CAT to configure an additional ssid with
>>> TKIP. Does this still do anything, since the removal of (automatically
>>> included) TKIP profiles in CAT 1.1? Looking at non-binary profiles
>>> produced, I can't see a difference after enabling this option. And a
>>> Windows 10 user reported a problem[1] with an installer with this
>>> option
>>> enabled.
>>
>> The change was merely about the "eduroam" SSID itself; it previously
>> came with a TKIP profile included; but not any more.
>>
>> An additional SSID can still manually be configured with TKIP support.
>>
>> If you looked at the non-binary Apple OS X / iOS profiles: for them,
>> there is indeed no change, as the configuration profiles on that
>> platform do not make a distinction - everything is just "WPA", and
>> includes WPA+WPA2 and TKIP+AES.
>
> OK
>
>> So: we are not aware of any issues in that regard. If there was a
>> problem on a Windows installation, a bit more detail would be needed.
>
> I managed to get access to the user's computer and get a closer look
> at the problem after all.
>
> The error as displayed can be seen in the attachment (sorry, no screen
> grab). The message in Greek corresponds to this string from devices.pot:
>
> #: devices/ms/Files/common.inc:1014
> msgid "Credentials installation problem"
> msgstr "Πρόβλημα κατά την εγκατάσταση των διαπιστευτηρίων"
>
> I then ran the installer with debug:
>
> eduroam-W10-GRNET_S.A.-_SHA2_GRNET-HQ_eduroam_IdP.exe -DEBUG=4
>
> This is the log output:
>
> | Platfrom:64
> | WindowsVer:8
> | Checking for wireless interfaces
> | Exec: C:\Users\PDTSAN\AppData\Local\Temp\wlan_test.exe
> | wlan_test.exe returned 0
> | Wireless check OK
> | testing for EAP: 88
> | EAP test returned:
> | Symantec test returned:
> | Entering WiredConfirm with wireless_result=0; wired=0
> | locating certificate SHA=0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
> Level=root
> | Testing machine store root
> | Execute: certutil -store root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
> | certutil returned -2146893807
> | Testing machine store authroot
> | Execute: certutil -store authroot
> 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
> | certutil returned 0
> | Found AUTHROOT
> | Checking for profile eduroam (TKIP)
> | Exec: netsh wlan show profiles eduroam (TKIP)
> | netsh returned 1
> | profile eduroam (TKIP) not found
> | Checking for profile eduroam
> | Exec: netsh wlan show profiles eduroam
> | netsh returned 1
> | profile eduroam not found
> | Execute: netsh wlan add profile
> C:\Users\PDTSAN\AppData\Local\Temp\wlan_prof-0.xml
> | netsh returned 0
> | Profile eduroam (TKIP) created
> | Execute: netsh wlan add profile
> C:\Users\PDTSAN\AppData\Local\Temp\wlan_prof-1.xml
> | netsh returned 0
> | Profile eduroam created
> | Additional Deletes
> | Checking for profile eduroam (TKIP)
> | Exec: netsh wlan show profiles eduroam (TKIP)
> | netsh returned 0
> | found profile eduroam (TKIP)
> | deleting profile "eduroam (TKIP)"
> | Execute: netsh wlan delete profile "eduroam (TKIP)"
> | Installing wireless credentials
> | installing credentials for profile eduroam (TKIP)
> | Execute: C:\Users\PDTSAN\AppData\Local\Temp\setEAPCred.exe
> "zmousm AT admin.grnet.gr"
> "base_64_password_not_recorded" "eduroam (TKIP)"
> | setEAPCred.exe returned 4
> | installing credentials for profile eduroam
> | Execute: C:\Users\PDTSAN\AppData\Local\Temp\setEAPCred.exe
> "zmousm AT admin.grnet.gr"
> "base_64_password_not_recorded" "eduroam"
> | setEAPCred.exe returned 0
> | writing C:\Users\PDTSAN\Downloads\inst_cat.cmd
>
> It looks like the installer adds and subsequently removes an "eduroam
> (TKIP)" profile. It calls setEAPCred.exe to set credentials for
> "eduroam (TKIP)" but it fails. I suppose it can't do that for a
> profile that has just been deleted.
>
> So the question is: Is this on purpose, so we can't configure an
> eduroam SSID with TKIP, or is this just a conflict with the installer
> trying to get rid of an automatically included eduroam/TKIP profile
> that might have been installed in the past?
>
> Merry Christmas,
> Z.

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
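
The ordering problem discussed in this thread, replayed as an added example (not part of the original messages and not CAT's own code): a small Python audit that walks an installer debug log and flags any credential install attempted for a profile that an earlier step had already deleted. The log excerpt is constructed in the format of the quoted log, and the function name `audit` is an assumption of this example.

```python
import re

# Constructed excerpt in the format of the installer debug log quoted above.
SAMPLE_LOG = r"""
| Execute: netsh wlan add profile C:\Temp\wlan_prof-0.xml
| netsh returned 0
| Profile eduroam (TKIP) created
| Profile eduroam created
| Additional Deletes
| deleting profile "eduroam (TKIP)"
| Execute: netsh wlan delete profile "eduroam (TKIP)"
| Installing wireless credentials
| installing credentials for profile eduroam (TKIP)
| setEAPCred.exe returned 4
| installing credentials for profile eduroam
| setEAPCred.exe returned 0
"""

CREATED = re.compile(r"Profile (.+) created$")
DELETED = re.compile(r'deleting profile "(.+)"$')
CRED = re.compile(r"installing credentials for profile (.+)$")
RESULT = re.compile(r"setEAPCred\.exe returned (-?\d+)$")


def audit(log):
    """Return (profile, exit_code, reason) for each suspect credential install."""
    present = set()   # profiles that exist at this point in the log
    pending = None    # profile whose setEAPCred result we are waiting for
    findings = []
    for raw in log.splitlines():
        # Tolerate the "| " log prefix and "> " mail quoting.
        line = raw.lstrip("|> ").strip()
        if m := CREATED.search(line):
            present.add(m.group(1))
        elif m := DELETED.search(line):
            present.discard(m.group(1))
        elif m := CRED.search(line):
            pending = m.group(1)
        elif (m := RESULT.search(line)) and pending is not None:
            code = int(m.group(1))
            if pending not in present:
                findings.append((pending, code, "profile deleted before credential install"))
            elif code != 0:
                findings.append((pending, code, "credential install failed"))
            pending = None
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
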



