The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi Christopher,

   this indeed looks like a lowest impact approach even if, in the end it will probably prove unnecessary, as the current user should probably be used every time. Still unexpected things pop up, and I found out that our method of populating user credentials does not seem to work when the wireless profile is not global. As a result we could end up in a situation whee we ask the user for credentials, install the non-global profile and then the user would get prompted for credentials.

This is not very clean, so we need to take a closer look, but we are working on it.

Tomasz

W dniu 11.01.2019 o 02:04, Johnson, Christopher pisze:

Hi Tomasz,

I forgot to mention in my previous response - in regards to "logic being built in" was also intended more of a suggestion/request for a "if else" type of situation - where the educatCAT could check if "createallusergroup" is enabled.

- If enabled, run the netsh command as normal

- If the check fails, then attempt the "user=current" switch.

Thanks again! Looking forward to seeing how eduroam goes. We went live yesterday with the initial broadcasting. 😊

Christopher Johnson

---

From: Johnson, Christopher
Sent: Thursday, January 10, 2019 2:55:54 PM
To: Tomasz Wolniewicz; cat-users AT lists.geant.org
Subject: RE: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled

 

Hi Tomasz,

 

Thanks for the response and feedback. You’re correct at is indeed a pretty limited use-case – as you mentioned most managed machines are auto-provisioned via group-policy and such through other means. Sometimes we see this type of behavior when a student brings their work laptop from an internship or business school that’s heavily locked down or a teacher taking classes may bring their work laptop as well – since that createalluserprofile limitation can be a global setting.

 

What’s funny is this is also a problem with the legacy CloudPath XpressConnect Wizard as well that I spent time troubleshooting a few months ago. But only today did I find a potential enhancement via the “user=current switch”. That’s part of how I caught on to it so quickly as I spent a good amount of time troubleshooting the other onboarding product.

 

I definitely understand a lot of testing should be done before making this change if consideration is made for it.

 

Thanks for your time and consideration!

 

Christopher Johnson

Wireless Network Engineer

AT Infrastructure Operations & Networking (ION)

Illinois State University

(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

From: Tomasz Wolniewicz <twoln AT umk.pl>
Sent: Thursday, January 10, 2019 2:35 PM
To: Johnson, Christopher <cbjohns AT ilstu.edu>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Windows 10 - eduroamCAT utility fails due to "createalluserprofile" flag set to disabled

 

Hi,

  What you suggest makes a lot of sense. eduroam credentials are personal therefore should be restricted to the current user. Besides the installed root CA will be limited to the the current user anyway, so the profile should not work for others. It would seem that adding user=current to netsh should be safe for everyone, but surely we should run quite a bit of testing before making this change.

On the other hand, we imagined that in a managed Windows environment the network provisioning would be done centrally anyway, this is probably why we never got this request before.

Tomasz Wolniewicz

W dniu 10.01.2019 o 20:10, Johnson, Christopher pisze:

Good Afternoon,

 

We’re just starting to make use of the eduroamCAT utility and ran into an issue. Wasn’t sure if this was right place to report problem/request?

 

I wanted to inquire if additional logic could be built into the CAT utility to create the eduroam profile as a “User” profile instead of “All User Profiles”? This is to help end-users in Windows 10 that have managed machines where the “createalluserprofile” flag is globally set to disabled via group policy (default in GPO apparently after consulting with GPO admin). When the utility is ran with this flag set to disabled, the profile installation will fail when “netsh wlan add profile **** xml” is ran.

 

Looking at the switches/format the “netsh wlan add profile commands”, if “user=current” was added – this would get around the issue.

 

1. Netsh wlan show createalluserprofile – shows current state of this flag.

 

2. Administrator Privileges - netsh wlan set profile createalluserprofile enabled=yes/no – can be used to reproduce this problem on a home/personal machine.

 

3. Screen shot with example below: createalluserprofile is set to “disabled”. By attempting to perform a “netsh wlan add profile wlan_prof-0.xml” – errors out due to “You do not have the permission to add profile “eduroam” for all users”. If I append “user=current” to the netsh command – the profile is installed successfully.

 

 

Output of inst_cat.cmd when eduroamCAT is ran:

 

 

Christopher Johnson

Wireless Network Engineer

AT Infrastructure Operations & Networking (ION)

Illinois State University

(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

 

 

 

 

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

-- 

Tomasz Wolniewicz    

          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre

Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,

pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland

tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750                            tel kom.: +48-693-032-576

Attachment: smime.p7s
Description: Kryptograficzna sygnatura S/MIME