Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Windows profile - add realm to inner username

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Windows profile - add realm to inner username


Chronological Thread 
  • From: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>
  • To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows profile - add realm to inner username
  • Date: Tue, 16 Jan 2018 11:01:19 +0100
  • Organization: Inria DSI

Le 16/01/2018 à 10:32, Stefan Winter a écrit :
Hello,

But there could be a trick under CAT to deal with it, you could just
concatenate the realm provided by CAT admin and the inner username
during the installation process ?

This could avoid to ask for users to respect the format username@realm
because I guess that a lot won't do (and will open support case to ask
why their eduroam connection does not work ;-)).

At least, a specific disclaimer could be printed before asking for
credentials in the assistant ?
The problem here is that we do not know whether you as an admin *want*
the users to provide the suffix or do *not* want that.

FYI, a vast majority of IdPs instructs their users with sth like "use
your email address as username" - which means users are expected to know
and type their realm.

There are however also IdPs - and I assume you are among them - who have
instructions like "use your local userid "foobar123" as the login name.
Those rely on outer identities with realm for request routing, and keep
the users away from the @suffix construct altogether.

You should be aware that this is a rather fragile construct. Some
operating systems - like Windows/PEAP as we are just now talking about -
do not make a clean separation between outer and inner ID. There are
(still) some supplicants which do not support any differentiation of IDs
at all, and always copy inner to outer - which is then bound to fail.

In the case of Windows, there is a significant caveat:

I'm sure our own installer can be made to construct an inner ID with
realm based on user input without realm and the extra knowledge what the
configured realm is. We'd still need to know if we are supposed to that
extra mangling for the IdP in question or not - and either tell users to
type in something with a realm ending or not. So this means extra
options to configure admin-side.

But if the user ever has to re-enter the credentials then this will be
via Windows' built-in pop-up asking for a username; and that one does no
clever post-processing of the extra CAT knowledge. Users will be left
confused and will have realm-less settings, leaving them with a DoS.

I.e. you are up for usability trouble either way.

Frankly, I think you are better off with choosing TTLS. This will
install our own GEANTlink supplicant, and that handles outer ID with
realms explicitly (like it IMHO should).

Either that, or consistently instructing your users to always use
username@realm as a User ID for eduroam. That way, even people with
manual configuration at least get service.

Greetings,

Stefan Winter

OK Stefan

We'll consider moving to TTLS for Windows devices if needed.

Thanks you very mucho for this feedback

Have a nice day

--
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50


Attachment: smime.p7s
Description: Signature cryptographique S/MIME




Archive powered by MHonArc 2.6.19.

Top of Page