
cat-users - Re: [[cat-users]] CAT domain enforcement Re: CAT app password verification

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] CAT domain enforcement Re: CAT app password verification
  • Date: Tue, 12 Sep 2017 08:54:25 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Good morning all,

a few factoids around this question...

1) eduroam requires an @realm construct for routing purposes;
not necessarily for the actual username. To facilitate that, the CAT
admin interface allows setting up the routing (outer) identity completely
pre-filled with the privacy-preserving "anonymous" local username bit.
If not using that, then indeed the actual username is used, and in that
same case, yes, *then* the user is required to enter the user ID with
the realm suffix.

2) The place to formally request features is by filing an issue on
GitHub. https://github.com/GEANT/CAT/issues

3) This particular feature was already requested and we've implemented
the admin side of it already: https://github.com/GEANT/CAT/issues/11
It's intended to be a feature of the next feature release. I'm
updating the issue with a screenshot and item 4) below.

4) Our ability to deliver this on the actual installer varies by OS; on
some OSes we have more control over user-interactivity, on some we have
less. Windows and Linux are not a problem, Android probably can be made
to work, anything Apple is not possible.

Your best option really is to set up a fixed anonymous outer identity -
it enhances privacy *and* ameliorates request routing instantly. If you
then also re-configure your RADIUS server to not insist on the @realm
portion for the /inner/ (actual) user identity, then users can actually
enter "just" their local ID and things continue to work.

If that is something you don't want, then waiting for the next version
and configuring that you want the realm part either prefilled/hinted or
actually enforced is the thing to do.

Greetings,

Stefan Winter

Am 11.09.2017 um 22:37 schrieb Hunter Fuller:
> Philippe, 
>
> Maybe I am being naïve, but couldn't CAT just reject any username that
> didn't have an @ in it? It's just for eduroam, and you always have to
> use an @ to connect to eduroam, right?
>
> On Mon, Sep 11, 2017 at 1:26 PM Scott Bertilson <ssb AT umn.edu> wrote:
>
> I've found many users are confused by the dialog for entering the
> "user" part of the credentials because it is usually something like
> "userid" which doesn't clearly imply that a realm is also required.
>
> Maybe a good option for this would be for the CAT to append the
> realm automatically if none was supplied or always.  Isn't it going
> to be fixed per institution?  (Pretty new at using the CAT, so maybe
> naive question.)
>
> On Mon, Sep 11, 2017 at 1:03 PM, Michael Davis <davis AT udel.edu> wrote:
>
> Is there a way to formally make enhancement requests to the CAT
> App Dev ?
>
> We just completed our first move-in of 30K users on eduroam with CAT,
> and the Help Desk had over 2,000 tickets having to either:
>
> 1) Remind everyone to retry and use @domain.edu on their Username, Why
>    can't CAT enforce that if configured?
>
> 2) Remind everyone to retry and carefully re-enter their password.
>
> The whole week would have been a non-issue if CAT would have been able
> to enforce the domain and verified passwords...
>
>
> On 8/15/17 9:50 AM, Ayres G.J. wrote:
>
> Hello,
>
> The Android CAT app, like the other OS installers, follows the same
> methodology the native OS uses.
> Android only asks a user to enter a password once natively, so the app
> does the same.
> Same with Windows and Apple if you use the native interface, I believe.
>
> Maybe an option to allow a user to see the password they type would be
> more suitable?
> Android has this feature in its native Wi-Fi setup interface.
>
> Gareth Ayres
>
> -----Original Message-----
> From: Michael Davis [mailto:davis AT udel.edu]
> Sent: 15 August 2017 14:23
> To: cat-users AT lists.geant.org
> Subject: [[cat-users]] CAT app password verification
>
> My apologies if this has been discussed before.  We're bracing for a
> primary campus SSID switch to eduroam/CAT this Fall, and noticing a lot
> of preliminary users are mis-typing their password into the CAT App.
> Is there a reason that CAT doesn't ask for a re-type verification of
> the password like most password entry systems?
>
>
> --
>  Mike Davis
>  Systems Programmer V
>  NSS - University of Delaware  - 302.831.8756
>  Newark, DE  19716         Email davis AT udel.edu
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
>
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org
>
> <mailto:sympa AT lists.geant.org>?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
>
> --
>
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
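
The outer/inner identity handling discussed in the message above, as an added example that is not part of the original mail and is not CAT's own code. The `Profile` fields, the policy names "none", "hint" and "enforce", and the realm `example.edu` are hypothetical; the logic goes slightly beyond the mail by also rejecting malformed names.

```python
from dataclasses import dataclass
from typing import Tuple

class IdentityError(ValueError):
    """The entered username cannot be used with this profile."""

@dataclass(frozen=True)
class Profile:
    realm: str                      # institution realm, e.g. "example.edu" (constructed)
    anonymous_outer: bool           # fixed "anonymous@realm" outer identity configured?
    inner_needs_realm: bool = True  # does the RADIUS server insist on @realm inside the tunnel?
    realm_policy: str = "none"      # "none" | "hint" | "enforce" (hypothetical names)

def is_routable(outer: str) -> bool:
    """eduroam routes on the realm, so the outer identity needs a non-empty @realm."""
    _, at, realm = outer.rpartition("@")
    return bool(at and realm)

def build_identities(entered: str, p: Profile) -> Tuple[str, str]:
    """Return (outer_identity, inner_identity) for the supplicant configuration."""
    user = entered.strip()
    local, at, realm = user.rpartition("@")
    if not at:                      # no "@" typed at all
        local, realm = user, ""
    if not local or "@" in local or (at and not realm):
        raise IdentityError("malformed username: %r" % entered)
    # The typed name needs the realm if it doubles as the routing identity,
    # or if the RADIUS server demands it for the inner identity.
    realm_required = (not p.anonymous_outer) or p.inner_needs_realm
    if realm:
        if p.realm_policy == "enforce" and realm.lower() != p.realm.lower():
            raise IdentityError("realm must be @%s" % p.realm)
        inner = user
    elif not realm_required:
        inner = local                       # bare local ID is enough
    elif p.realm_policy == "hint":
        inner = "%s@%s" % (local, p.realm)  # append the configured realm
    elif p.realm_policy == "enforce":
        raise IdentityError("username must end in @%s" % p.realm)
    else:
        inner = local                       # passed through; outer may be unroutable
    outer = "anonymous@%s" % p.realm if p.anonymous_outer else inner
    return outer, inner
```

With no anonymous outer identity and no realm policy, a bare `userid` becomes the outer identity and `is_routable` returns False for it, which is the help-desk case reported in the thread.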



