
cat-users - Re: [[cat-users]] Windows profile - add realm to inner username

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows profile - add realm to inner username
  • Date: Tue, 16 Jan 2018 10:32:07 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

> But there could be a trick under CAT to deal with it: you could just
> concatenate the realm provided by the CAT admin and the inner username
> during the installation process?
>
> This could avoid having to ask users to respect the format username@realm,
> because I guess that a lot won't (and will open support cases to ask
> why their eduroam connection does not work ;-)).
>
> At least, a specific disclaimer could be printed before asking for
> credentials in the assistant?

The problem here is that we do not know whether you as an admin *want*
the users to provide the suffix or do *not* want that.

FYI, a vast majority of IdPs instruct their users with something like "use
your email address as username" - which means users are expected to know
and type their realm.

There are however also IdPs - and I assume you are among them - who have
instructions like "use your local userid "foobar123" as the login name".
Those rely on outer identities with realm for request routing, and keep
the users away from the @suffix construct altogether.

You should be aware that this is a rather fragile construct. Some
operating systems - like Windows/PEAP as we are just now talking about -
do not make a clean separation between outer and inner ID. There are
(still) some supplicants which do not support any differentiation of IDs
at all, and always copy inner to outer - which is then bound to fail.

In the case of Windows, there is a significant caveat:

I'm sure our own installer can be made to construct an inner ID with
realm based on user input without realm and the extra knowledge of what the
configured realm is. We'd still need to know if we are supposed to do that
extra mangling for the IdP in question or not - and either tell users to
type in something with a realm ending or not. So this means extra
options to configure admin-side.

But if the user ever has to re-enter the credentials then this will be
via Windows' built-in pop-up asking for a username; and that one does no
clever post-processing of the extra CAT knowledge. Users will be left
confused and will have realm-less settings, leaving them with a DoS.

I.e. you are in for usability trouble either way.

Frankly, I think you are better off with choosing TTLS. This will
install our own GEANTlink supplicant, and that handles outer ID with
realms explicitly (like it IMHO should).

Either that, or consistently instructing your users to always use
username@realm as a User ID for eduroam. That way, even people with
manual configuration at least get service.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
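The identity handling discussed in this thread, as an added example that is not part of the original mail and not CAT or GEANTlink code: it models the two admin policies Stefan describes ("use your email address" versus "use your local userid" with the configured realm appended by the installer), refuses to double-suffix or silently accept a foreign realm, builds an anonymous outer identity that carries the realm for request routing, and shows why a supplicant that copies the inner ID verbatim to the outer ID produces an unroutable request. The realm `example.org`, the user names, the `anonymous` outer label and all function names are constructed for the example.

```python
"""Added example (not CAT project code): building EAP outer/inner identities
from user input plus the realm the IdP admin configured in CAT, and checking
that the resulting outer identity is routable by a RADIUS proxy.
All realms and user names below are constructed samples."""
import re
from typing import Callable, Tuple

# Assumption: an eduroam realm is a DNS-style name (labels of 1..63 chars,
# no leading/trailing hyphen, at least one dot).  Used to validate both the
# admin-configured realm and any realm a user typed.
_REALM_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def has_routable_realm(identity: str) -> bool:
    """True if the identity ends in '@<realm>' that a proxy can route on."""
    _, sep, realm = identity.rpartition("@")
    return bool(sep) and _REALM_RE.fullmatch(realm) is not None


def build_identities(user_input: str, configured_realm: str, users_type_realm: bool,
                     anonymous_label: str = "anonymous") -> Tuple[str, str]:
    """Return (outer_identity, inner_identity) for one user of one IdP.

    users_type_realm=True  -> "use your email address" IdP: input must be user@realm.
    users_type_realm=False -> "use your local userid" IdP: the configured realm is
                              appended (the extra mangling the mail describes).
    Input that already carries the configured realm (any letter case) is accepted
    under either policy; a different realm raises instead of being double-suffixed.
    """
    if not _REALM_RE.fullmatch(configured_realm):
        raise ValueError(f"configured realm is not a valid realm: {configured_realm!r}")
    text = user_input.strip()
    local, sep, typed_realm = text.rpartition("@")
    if sep:
        if typed_realm.lower() != configured_realm.lower():
            raise ValueError(f"realm mismatch: typed {typed_realm!r}, expected {configured_realm!r}")
    else:
        if users_type_realm:
            raise ValueError("username must be given as user@realm")
        local = text
    if not local:
        raise ValueError("empty local part")
    inner = f"{local}@{configured_realm}"
    # Outer identity: no real user name, but the realm so the request can be proxied.
    outer = f"{anonymous_label}@{configured_realm}"
    return outer, inner


def naive_supplicant_outer(inner_id: str) -> str:
    """Model of the supplicant the mail warns about: it copies the inner ID
    verbatim to the outer ID, so a realm-less inner ID yields a realm-less outer ID."""
    return inner_id


def rejects(fn: Callable[..., object], *args: object) -> bool:
    """Helper for the checks below: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for policy, typed in ((False, "foobar123"), (True, "foobar123@example.org")):
        outer, inner = build_identities(typed, "example.org", policy)
        print(f"input={typed!r:28} outer={outer:24} inner={inner}")
    # The failure mode: a local userid on a supplicant without inner/outer separation.
    broken = naive_supplicant_outer("foobar123")
    print(f"naive supplicant outer={broken!r} routable={has_routable_realm(broken)}")
```

The mismatch check is the part worth keeping even if the rest is adapted: appending the configured realm to input that already ends in a different realm would produce `user@other.org@example.org`, which is neither the user's intended identity nor something the home IdP will accept, so failing early with a clear message is preferable to the silent DoS the mail describes.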



