The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Jérôme BERTHIER <Jerome.Berthier AT inria.fr>]

Le 16/01/2018 à 10:32, Stefan Winter a écrit :
> Hello,
>
> > But there could be a trick under CAT to deal with it, you could just
> > concatenate the realm provided by CAT admin and the inner username
> > during the installation process ?
> >
> > This could avoid to ask for users to respect the format username@realm
> > because I guess that a lot won't do (and will open support case to ask
> > why their eduroam connection does not work ;-)).
> >
> > At least, a specific disclaimer could be printed before asking for
> > credentials in the assistant ?
> The problem here is that we do not know whether you as an admin *want*
> the users to provide the suffix or do *not* want that.
>
> FYI, a vast majority of IdPs instructs their users with sth like "use
> your email address as username" - which means users are expected to know
> and type their realm.
>
> There are however also IdPs - and I assume you are among them - who have
> instructions like "use your local userid "foobar123" as the login name.
> Those rely on outer identities with realm for request routing, and keep
> the users away from the @suffix construct altogether.
>
> You should be aware that this is a rather fragile construct. Some
> operating systems - like Windows/PEAP as we are just now talking about -
> do not make a clean separation between outer and inner ID. There are
> (still) some supplicants which do not support any differentiation of IDs
> at all, and always copy inner to outer - which is then bound to fail.
>
> In the case of Windows, there is a significant caveat:
>
> I'm sure our own installer can be made to construct an inner ID with
> realm based on user input without realm and the extra knowledge what the
> configured realm is. We'd still need to know if we are supposed to that
> extra mangling for the IdP in question or not - and either tell users to
> type in something with a realm ending or not. So this means extra
> options to configure admin-side.
>
> But if the user ever has to re-enter the credentials then this will be
> via Windows' built-in pop-up asking for a username; and that one does no
> clever post-processing of the extra CAT knowledge. Users will be left
> confused and will have realm-less settings, leaving them with a DoS.
>
> I.e. you are up for usability trouble either way.
>
> Frankly, I think you are better off with choosing TTLS. This will
> install our own GEANTlink supplicant, and that handles outer ID with
> realms explicitly (like it IMHO should).
>
> Either that, or consistently instructing your users to always use
> username@realm as a User ID for eduroam. That way, even people with
> manual configuration at least get service.
>
> Greetings,
>
> Stefan Winter
OK Stefan

We'll consider moving to TTLS for Windows devices if needed.

Thanks you very mucho for this feedback

Have a nice day

--
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50

Attachment: smime.p7s
Description: Signature cryptographique S/MIME