cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: Sebastien Ceuterickx <Sebastien.Ceuterickx AT cern.ch>, "cat-users AT geant.net" <cat-users AT geant.net>
- Cc: Adam Wojciech Sosnowski <adam.sosnowski AT cern.ch>
- Subject: Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication
- Date: Wed, 29 Jan 2014 16:16:16 +0100
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
I am not sure I understand. You would want the username to be set to anonymous AT cern.ch for all users?

I am not sure how RADIUS servers log things now, but it used to be that they logged by User-Name, and to make sure that the User-Name fits the user cert, there was an option to compare the User-Name with one of the cert attributes. If you did not do that, then one user could claim to be another one or you would get all your authentications logged under just one user. Specifying anonymous AT cern.ch does not provide any additional user privacy, of course, as the user cert is sent unencrypted.

What we do at my university is to provide our staff with pseudoanonymous certificates which only carry an assigned number as an ID, and no private data. The CN of the certificate is xxxx AT certyfikaty.umk.pl where xxxx is this number. Windows will extract this CN by itself and use it as User-Name, therefore our users do not even need to know this number (well at least for Windows). We think that this approach is quite tidy and safe for users, plus gives the extra security that the critical credentials like passwords cannot be compromised.

I need to check if it is possible to tell Windows what the alternative user-name should be, but I rather doubt that it can be done easily.

Tomasz

On 2014-01-29 16:01, Sebastien Ceuterickx wrote:
Dear Tomasz,
Thank you very much for your reply. It works better. However, the alternative login name is still not set to “anonymous AT cern.ch”. Is there a possibility to prevent the user to do it manually?
Cheers,
Sebastien

--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
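
The check described in the message above (comparing the RADIUS User-Name with a certificate attribute), as an added example that is not part of the original thread or of any RADIUS server's code. The record format, the `example.org` realms, the function names and the case-insensitive realm comparison are all assumptions made for illustration.

```python
# Constructed sample: (User-Name sent by the supplicant, CN of the client
# certificate presented in EAP-TLS). Hypothetical values, not real log data.
SAMPLE_AUTHS = [
    ("1001@certs.example.org", "1001@certs.example.org"),
    ("1002@certs.example.org", "1003@certs.example.org"),  # claims another ID
    ("anonymous@example.org", "1004@certs.example.org"),
    ("anonymous@example.org", "1005@certs.example.org"),
    ("1006@CERTS.example.org", "1006@certs.example.org"),  # realm case differs
]


def normalize(identity):
    """Lower-case the realm only (assumption: realms are case-insensitive)."""
    user, sep, realm = identity.rpartition("@")
    return f"{user}@{realm.lower()}" if sep else identity


def check_auth(user_name, cert_cn):
    """Accept only when the claimed User-Name equals the certificate CN."""
    return "accept" if normalize(user_name) == normalize(cert_cn) else "reject"


def audit(records):
    """Return (mismatches, shared): records the check would reject, and
    User-Names under which more than one certificate would be logged if
    the check were not enforced."""
    mismatches = [(u, cn) for u, cn in records if check_auth(u, cn) == "reject"]
    certs_by_name = {}
    for u, cn in records:
        certs_by_name.setdefault(normalize(u), set()).add(normalize(cn))
    shared = {u: sorted(c) for u, c in certs_by_name.items() if len(c) > 1}
    return mismatches, shared


if __name__ == "__main__":
    mismatches, shared = audit(SAMPLE_AUTHS)
    for user_name, cert_cn in mismatches:
        print(f"reject: User-Name={user_name} cert CN={cert_cn}")
    for user_name, cns in shared.items():
        print(f"{user_name} would cover {len(cns)} certificates: {cns}")
```

With the check enforced, a fixed anonymous User-Name is rejected along with the impersonation attempt; without it, both anonymous records are logged under a single name.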