
cat-users - Re: [[cat-users]] Windows profile - add realm to inner username

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows profile - add realm to inner username
  • Date: Tue, 16 Jan 2018 12:00:13 +0100

Hi,
   I would like to step back a little bit.
In general the two settings of CAT, the realm and the string for the
anonymous identity, are there for just one purpose: serving the
anonymous identity. In principle the user's input should have nothing to do
with these settings, therefore if the OS handles things correctly and
the admin enters these two CAT settings then the user should not be able
to touch them.

If you use TTLS then on the native supplicant we use on Windows 8 and
8.1 the whole outer identity will be pushed into the configuration. If
Windows needs to prompt the user for credentials then this should be
only the inner credentials and this should not touch the outer part that
we set ourselves.

PEAP really is this special example. If you read the MS spec you will
see that they did not leave space for separate implementation of the
full outer identity and this is how they have implemented this in the
system. Other implementations of PEAP (say wpa_supplicant) seem to
overuse the spec and actually allow a username+realm as the outer
identity, but this really is beside the point.

To summarise, if you really want to have different realms you must stay
away from PEAP and you must also realise that the "naive" manual
configuration will simply not work for your users (which might be
actually considered a good thing).

Tomasz

On 16.01.2018 at 10:32, Stefan Winter wrote:
> Hello,
>
>> But there could be a trick under CAT to deal with it, you could just
>> concatenate the realm provided by CAT admin and the inner username
>> during the installation process ?
>>
>> This could avoid to ask for users to respect the format username@realm
>> because I guess that a lot won't do (and will open support case to ask
>> why their eduroam connection does not work ;-)).
>>
>> At least, a specific disclaimer could be printed before asking for
>> credentials in the assistant ?
> The problem here is that we do not know whether you as an admin *want*
> the users to provide the suffix or do *not* want that.
>
> FYI, a vast majority of IdPs instructs their users with sth like "use
> your email address as username" - which means users are expected to know
> and type their realm.
>
> There are however also IdPs - and I assume you are among them - who have
> instructions like "use your local userid 'foobar123' as the login name".
> Those rely on outer identities with realm for request routing, and keep
> the users away from the @suffix construct altogether.
>
> You should be aware that this is a rather fragile construct. Some
> operating systems - like Windows/PEAP as we are just now talking about -
> do not make a clean separation between outer and inner ID. There are
> (still) some supplicants which do not support any differentiation of IDs
> at all, and always copy inner to outer - which is then bound to fail.
>
> In the case of Windows, there is a significant caveat:
>
> I'm sure our own installer can be made to construct an inner ID with
> realm based on user input without realm and the extra knowledge what the
> configured realm is. We'd still need to know if we are supposed to do that
> extra mangling for the IdP in question or not - and either tell users to
> type in something with a realm ending or not. So this means extra
> options to configure admin-side.
>
> But if the user ever has to re-enter the credentials then this will be
> via Windows' built-in pop-up asking for a username; and that one does no
> clever post-processing of the extra CAT knowledge. Users will be left
> confused and will have realm-less settings, leaving them with a DoS.
>
> I.e. you are up for usability trouble either way.
>
> Frankly, I think you are better off with choosing TTLS. This will
> install our own GEANTlink supplicant, and that handles outer ID with
> realms explicitly (like it IMHO should).
>
> Either that, or consistently instructing your users to always use
> username@realm as a User ID for eduroam. That way, even people with
> manual configuration at least get service.
>
> Greetings,
>
> Stefan Winter
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Information & Communication Technology Centre
Nicolaus Copernicus University,
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
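As an added illustration, not code from this thread or from CAT or GEANTlink, the following Python model works through the identity-handling cases the two messages above describe: which combinations of EAP method, supplicant behaviour and user input yield an outer identity that the RADIUS proxy hierarchy can route to the home IdP, and why the installer-side "append the realm" idea breaks once Windows re-prompts for credentials. The supplicant labels, the `mangle_inner` and `reprompted` options and the realm `example.edu` are constructed assumptions for the illustration.

```python
"""
Constructed model of how an eduroam supplicant ends up with an outer
(anonymous, RADIUS-routing) identity and an inner (authenticated) identity
from the two CAT settings (realm, anonymous-identity string) plus whatever
the user types. Supplicant labels and option names are assumptions for
illustration, not CAT's or GEANTlink's actual code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CatProfile:
    realm: str        # realm the admin configured in CAT, e.g. "example.edu" (constructed)
    anon_id: str      # CAT's anonymous-identity string, e.g. "anonymous"
    eap_method: str   # "TTLS" or "PEAP"


@dataclass(frozen=True)
class Identities:
    outer: str        # what the RADIUS proxies see and route on
    inner: str        # what the home IdP authenticates inside the TLS tunnel


def realm_of(identity: str) -> Optional[str]:
    """Return the text after the last '@', or None when no realm is present."""
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1]


def derive_identities(profile: CatProfile, user_input: str, supplicant: str,
                      mangle_inner: bool = False, reprompted: bool = False) -> Identities:
    """
    Assumed supplicant behaviours (simplified from the thread):
      "geantlink"      TTLS; outer identity comes from the profile, independent of input
      "windows-native" PEAP on Windows; no separate outer identity, so outer == inner
      "naive-manual"   hand-configured profile with no CAT knowledge; outer == inner

    mangle_inner models an installer appending the realm when the user omits it;
    reprompted models Windows' own credential pop-up, which bypasses that mangling.
    """
    inner = user_input.strip()
    if mangle_inner and not reprompted and realm_of(inner) is None:
        inner = f"{inner}@{profile.realm}"

    if supplicant == "geantlink":
        if profile.eap_method != "TTLS":
            raise ValueError("geantlink model assumes TTLS")
        outer = f"{profile.anon_id}@{profile.realm}"
    elif supplicant in ("windows-native", "naive-manual"):
        outer = inner
    else:
        raise ValueError(f"unknown supplicant model: {supplicant}")
    return Identities(outer=outer, inner=inner)


def is_routable(ids: Identities, home_realm: str) -> bool:
    """Proxies forward on the outer identity's realm; without it the request never reaches the IdP."""
    return realm_of(ids.outer) == home_realm


def evaluate(profile: CatProfile, user_input: str, supplicant: str, **opts) -> Tuple[Identities, bool]:
    """Derive both identities and report whether the request is routable to the home realm."""
    ids = derive_identities(profile, user_input, supplicant, **opts)
    return ids, is_routable(ids, profile.realm)


def scenario_table() -> List[Tuple[str, str, bool]]:
    """Run the scenarios from the thread and return (label, outer identity, routable)."""
    ttls = CatProfile("example.edu", "anonymous", "TTLS")
    peap = CatProfile("example.edu", "anonymous", "PEAP")
    cases = [
        ("TTLS/GEANTlink, user types local id", ttls, "foobar123", "geantlink", {}),
        ("PEAP/Windows, user types local id", peap, "foobar123", "windows-native", {}),
        ("PEAP/Windows, user types id@realm", peap, "foobar123@example.edu", "windows-native", {}),
        ("PEAP/Windows, installer appends realm", peap, "foobar123", "windows-native",
         {"mangle_inner": True}),
        ("PEAP/Windows, same but Windows re-prompts", peap, "foobar123", "windows-native",
         {"mangle_inner": True, "reprompted": True}),
        ("Manual config, user types local id", peap, "foobar123", "naive-manual", {}),
    ]
    rows = []
    for label, prof, typed, supp, opts in cases:
        ids, ok = evaluate(prof, typed, supp, **opts)
        rows.append((label, ids.outer, ok))
    return rows


if __name__ == "__main__":
    for label, outer, ok in scenario_table():
        print(f"{'OK  ' if ok else 'FAIL'} {label:45s} outer={outer}")
```

Running the script prints one line per scenario; the two failing rows are exactly the ones the thread warns about: a realm-less inner identity copied into the outer identity (native PEAP or a naive manual profile), and the installer-side mangling being lost when Windows re-prompts.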


Attachment: smime.p7s
Description: S/MIME cryptographic signature
