
cat-users - Re: [[cat-users]] Windows profile - add realm to inner username

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>
  • To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows profile - add realm to inner username
  • Date: Tue, 16 Jan 2018 10:07:03 +0100
  • Organization: Inria DSI

Hi Stefan,

On 16/01/2018 at 08:36, Stefan Winter wrote:
>> This seems to be a limitation of Windows system which does not support
>> the character @ in the outer identity (at least under the network
>> connection GUI).
> This is indeed intentional; the guys at Microsoft thought it's a good
> idea not to allow typing a realm for the outer ID.

By the way, they make it mandatory for a PEAP connection but they let it free for a TTLS connection. This is weird.


> It's not a bug in the sense that the @ character is broken in that input
> field - it's a feature: Microsoft really does not want a realm to be
> typed. If your actual username contains a realm, it will be extracted
> from the inner username and appended as a realm to outer. If your inner
> username does not contain a realm, the input from the outer ID field is
> used as-is.

Yes that's fine.


      
>> Is there any way to fix it by concatenating the realm provided by CAT and
>> the inner username during the installation process ?
> No. The spec does not allow explicit configuration of realms for outer
> IDs; trying to smuggle it in is blocked.


OK, I understand that we cannot work around this rule forced by Microsoft.

But there could be a trick under CAT to deal with it, you could just concatenate the realm provided by CAT admin and the inner username during the installation process ?

This could avoid asking users to respect the format username@realm, because I guess that a lot won't do so (and will open a support case to ask why their eduroam connection does not work ;-)).

At least, a specific disclaimer could be printed before asking for credentials in the assistant ?


Thank you very much for your answers.


Regards,

-- 
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50
