
cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [cat-users] this is not a problem but a request...


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Philippe Hanset <phanset AT anyroam.net>
  • Subject: Re: [cat-users] this is not a problem but a request...
  • Date: Sat, 2 Nov 2013 09:50:59 +0100
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

I was about to write the same as Stefan, but then decided not to :). The reason being that while all that Stefan says is true, in practice it probably is not used. For instance, I do not see how to make this happen in Windows PEAP. When the user enters the user-name, and the anonymous identity is set, then the outer name becomes the preset user part plus the realm of the inner identity. Of course when you use TTLS you are essentially free to use completely separate names. I do not know, perhaps there are sites not using Windows PEAP at all and using names like Stefan describes. However, at this stage, on Windows, we are not able to set the inner user-name part in TTLS, so for now we could not implement this request anyway.

Tomasz


-----
Tomasz Wolniewicz

On 2 Nov 2013 at 09:15 Stefan Winter <stefan.winter AT restena.lu> wrote:

Hello,

One of the schools that uses CAT in our US federation asked me if it would be possible
for CAT to automatically fill the REALM (or at least check for its absence and warn the user) when users enter their credentials.
It doesn't have to automatically add the REALM but it could at least check for the existence of a structure of the form
*@*

We were thinking about this during the design phase of the tool. The issue with this is the inner identity does NOT have to contain any realm portion at all. The realm is only required in the outer identity to route the request to the IdP. There are no required naming conventions for the inner identity.

I guess that probably many IdPs conflate these two independent names and do use the same realm in inner. But for those who don't (e.g. using a Windows DOMAIN\user or "joe%accounting" or just "johndoe" without any qualifier), it would be a rather undue interference from the tool's side to throw a "Hey, are you sure you didn't forget an @ there?" in the user's face when the situation simply doesn't warrant it.

We could try to make this configurable somewhat, but since there's no required convention on the format, this could be a bit messy... at best, I could imagine a config item "Prefill username with" and then those with a DOMAIN could do "MYDOMAIN\" and others with a strange suffix construct would do "%accounting". It would still be up to the user to have the intelligence to put his username after vs. before what's prefilled - placing the cursor at a specific point in the UI is really rather hard, I would think.

BTW... will you add the LOGOUT button on the admin interface?

As Tomasz noted, already implemented for the upcoming 1.1.  :-)

Greetings,

Stefan Winter


Thanks,

A bientôt,

Philippe

 
Philippe Hanset
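The thread turns on the split between the EAP outer identity (which must carry a realm so the RADIUS infrastructure can route the request to the IdP) and the inner identity (which follows whatever convention the IdP uses). The following is an added example, not CAT code and not anything from the list members: it models the naive "*@*" check that was requested, shows it flagging the DOMAIN\user, "joe%accounting" and "johndoe" forms Stefan mentions, derives the outer identity from the IdP profile rather than from the inner name, and includes a simplified model of the Windows PEAP behaviour Tomasz describes. The profile field names (realm, anonymous_user, username_prefill, require_inner_realm) are hypothetical and are not CAT configuration keys.

```python
"""Inner vs. outer EAP identity handling (added example, not CAT's code).

Profile field names below are hypothetical; they are not CAT configuration keys.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IdpProfile:
    realm: str                          # realm the outer identity must carry for routing
    anonymous_user: str = "anonymous"   # user part of the outer identity
    username_prefill: str = ""          # hypothetical "Prefill username with" item
    require_inner_realm: bool = False   # only True where the IdP really uses user@realm inside


def inner_has_realm(inner_identity: str) -> bool:
    """The requested '*@*' check: True iff the name looks like user@realm."""
    return re.fullmatch(r"[^@]+@[^@]+", inner_identity) is not None


def naive_false_warnings(inner_identities: List[str]) -> List[str]:
    """Names an unconditional '*@*' check would warn about, even though they
    are perfectly valid inner identities for IdPs that use such conventions."""
    return [name for name in inner_identities if not inner_has_realm(name)]


def outer_identity(profile: IdpProfile, inner_identity: str) -> str:
    """Outer identity used for routing: anonymous user plus the IdP's configured realm.
    The realm comes from the profile, not from the inner identity, so inner names
    without an '@' still route correctly (the TTLS case in the thread)."""
    return f"{profile.anonymous_user}@{profile.realm}"


def prefilled_username(profile: IdpProfile) -> str:
    """What the username field would show before the user types (constructed)."""
    return profile.username_prefill


def check_inner_identity(profile: IdpProfile, inner_identity: str) -> Optional[str]:
    """Warn only where the IdP has declared that inner identities carry a realm;
    otherwise stay silent, because no convention is required for the inner name."""
    if profile.require_inner_realm and not inner_has_realm(inner_identity):
        return f"Username should look like user@{profile.realm}"
    return None


def windows_peap_outer_identity(anonymous_user: str, inner_identity: str) -> Optional[str]:
    """Simplified model of the behaviour Tomasz describes for Windows PEAP:
    the outer name becomes the preset user part plus the realm taken from the
    inner identity. If the inner identity has no realm there is nothing to
    derive, so None is returned (the tool cannot set it independently)."""
    if not inner_has_realm(inner_identity):
        return None
    realm = inner_identity.rsplit("@", 1)[1]
    return f"{anonymous_user}@{realm}"


if __name__ == "__main__":
    # Constructed sample names taken from the forms mentioned in the thread.
    samples = ["MYDOMAIN\\jdoe", "joe%accounting", "johndoe", "jdoe@example.edu"]
    profile = IdpProfile(realm="example.edu", username_prefill="MYDOMAIN\\")
    print("naive check would wrongly warn on:", naive_false_warnings(samples))
    for name in samples:
        print(name, "->", outer_identity(profile, name),
              "| PEAP-derived:", windows_peap_outer_identity("anonymous", name))
```

The point the code makes is the one Stefan raises: routing only ever depends on the outer realm, which the tool already knows from the IdP profile, so an `@` check on the inner name is wrong for every IdP whose convention is not user@realm, and should be off unless the IdP explicitly opts in.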






