cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

RE: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled

From: "Johnson, Christopher" <cbjohns AT ilstu.edu>
To: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: RE: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled
Date: Thu, 10 Jan 2019 20:55:54 +0000
Accept-language: en-US
Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=ilstu.edu
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=cbjohns AT ilstu.edu;
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

Hi Tomasz,

Thanks for the response and feedback. You’re correct at is indeed a pretty limited use-case – as you mentioned most managed machines are auto-provisioned via group-policy and such through other means. Sometimes we see this type of behavior when a student brings their work laptop from an internship or business school that’s heavily locked down or a teacher taking classes may bring their work laptop as well – since that createalluserprofile limitation can be a global setting.

What’s funny is this is also a problem with the legacy CloudPath XpressConnect Wizard as well that I spent time troubleshooting a few months ago. But only today did I find a potential enhancement via the “user=current switch”. That’s part of how I caught on to it so quickly as I spent a good amount of time troubleshooting the other onboarding product.

I definitely understand a lot of testing should be done before making this change if consideration is made for it.

Thanks for your time and consideration!

Christopher Johnson

Wireless Network Engineer

AT Infrastructure Operations & Networking (ION)

Illinois State University

(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

From: Tomasz Wolniewicz <twoln AT umk.pl>
Sent: Thursday, January 10, 2019 2:35 PM
To: Johnson, Christopher <cbjohns AT ilstu.edu>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled

Hi,

What you suggest makes a lot of sense. eduroam credentials are personal therefore should be restricted to the current user. Besides the installed root CA will be limited to the the current user anyway, so the profile should not work for others. It would seem that adding user=current to netsh should be safe for everyone, but surely we should run quite a bit of testing before making this change.

On the other hand, we imagined that in a managed Windows environment the network provisioning would be done centrally anyway, this is probably why we never got this request before.

Tomasz Wolniewicz

W dniu 10.01.2019 o 20:10, Johnson, Christopher pisze:

Good Afternoon,

We’re just starting to make use of the eduroamCAT utility and ran into an issue. Wasn’t sure if this was right place to report problem/request?

I wanted to inquire if additional logic could be built into the CAT utility to create the eduroam profile as a “User” profile instead of “All User Profiles”? This is to help end-users in Windows 10 that have managed machines where the “createalluserprofile” flag is globally set to disabled via group policy (default in GPO apparently after consulting with GPO admin). When the utility is ran with this flag set to disabled, the profile installation will fail when “netsh wlan add profile **** xml” is ran.

Looking at the switches/format the “netsh wlan add profile commands”, if “user=current” was added – this would get around the issue.

Netsh wlan show createalluserprofile – shows current state of this flag.

Administrator Privileges - netsh wlan set profile createalluserprofile enabled=yes/no – can be used to reproduce this problem on a home/personal machine.

Screen shot with example below: createalluserprofile is set to “disabled”. By attempting to perform a “netsh wlan add profile wlan_prof-0.xml” – errors out due to “You do not have the permission to add profile “eduroam” for all users”. If I append “user=current” to the netsh command – the profile is installed successfully.

Output of inst_cat.cmd when eduroamCAT is ran:

Christopher Johnson

Wireless Network Engineer

AT Infrastructure Operations & Networking (ION)

Illinois State University

(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

--

Tomasz Wolniewicz

          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre

Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,

pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland

tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

[[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled, Johnson, Christopher, 01/10/2019
- Re: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled, Tomasz Wolniewicz, 01/10/2019
  - RE: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled, Johnson, Christopher, 01/10/2019
    - Re: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled, Johnson, Christopher, 01/11/2019
      - Re: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled, Tomasz Wolniewicz, 01/11/2019