
cat-users - RE: [[cat-users]] CAT installer broken on TTLS PAP

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: David Andrus <david_andrus AT byu.edu>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] CAT installer broken on TTLS PAP
  • Date: Tue, 23 Oct 2018 15:27:30 +0000
  • Accept-language: en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=byu.edu

Is it possible to make the realm check configurable? Rather than just on/off, let us determine what the check should be. The realm check for our institution requires “@onboard.byu.edu” (which is the URL for our RADIUS server); however, we only actually require “@byu.edu” to make life a little easier for our users, and the way we’re currently set up, @onboard.byu.edu won’t work from on-campus. I’d like to enable the realm check and/or have the prefill option checked, but as currently implemented it won’t work for us.

 

--

David Andrus

Network Product Manager

Brigham Young University

O: (801)422-0969

C: (385)312-7414

 

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> On Behalf Of Stefan Winter
Sent: Tuesday, October 23, 2018 9:08 AM
To: Alberto Martínez <alberto_martinez AT deusto.es>
Cc: twoln AT umk.pl; cat-users AT lists.geant.org; paolo.cecchini AT uniurb.it
Subject: Re: [[cat-users]] CAT installer broken on TTLS PAP

 

Hello,


I appreciate that you are favoring reality instead of correctness, but if that check gets removed every other institution will receive more support calls from people who don't input the expected NAI domain on the installer.

Can this be a configuration item checked on by default, instead? "inner User-Name domain must match outer (anonymous) identifier's domain"


That is already configurable. You can require the user-entered ID to end in a specific realm (and that is then the same realm as the outer; we only ask for one realm and use it both for outer /and/ for this optional check).

If you unset this "check" checkbox (pun not intended) then the argument is that we shouldn't be performing /any/ checks. Right now we do run those basic checks the IdP didn't ask for; that's the (much smaller) problem space at hand here.

Greetings,

Stefan


 

Regards,

Alberto
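
Added example, not part of the thread and not CAT code: a sketch of the configurable realm check requested above, where the realm a user-entered ID must end in can differ from the realm used for the outer (anonymous) identity. `RealmPolicy`, its fields and the `anonymous` local part are hypothetical, and the user names are constructed; only the two realms come from the thread.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class RealmPolicy:  # hypothetical structure, not a CAT profile object
    outer_realm: str                              # realm of the anonymous outer identity
    check_enabled: bool = True                    # the "check" checkbox from the thread
    accepted_inner_realms: Tuple[str, ...] = ()   # empty: fall back to outer_realm
    allow_subrealms: bool = False                 # also accept user@sub.<realm>
    anonymous_local: str = "anonymous"            # assumed outer local part

def split_nai(user_id: str) -> Tuple[str, str]:
    """Split user@realm; realms are compared case-insensitively."""
    local, sep, realm = user_id.strip().rpartition("@")
    if not sep or not local or not realm or "@" in local:
        raise ValueError("expected exactly one '@' with text on both sides")
    return local, realm.lower().rstrip(".")

def realm_matches(realm: str, accepted: str, allow_subrealms: bool) -> bool:
    # Compare whole DNS labels. A bare endswith("byu.edu") would also
    # accept "notbyu.edu", which belongs to a different realm entirely.
    accepted = accepted.lower()
    return realm == accepted or (allow_subrealms and realm.endswith("." + accepted))

def evaluate(user_id: str, policy: RealmPolicy) -> Tuple[bool, str, str]:
    """Return (accepted, outer_identity, reason) for a user-entered ID."""
    outer = f"{policy.anonymous_local}@{policy.outer_realm}"
    if not policy.check_enabled:
        # Checkbox unset: perform no checks at all on the entered ID.
        return True, outer, "realm check disabled"
    try:
        _, realm = split_nai(user_id)
    except ValueError as exc:
        return False, outer, str(exc)
    accepted = policy.accepted_inner_realms or (policy.outer_realm,)
    for candidate in accepted:
        if realm_matches(realm, candidate, policy.allow_subrealms):
            return True, outer, f"realm matches {candidate}"
    return False, outer, f"realm '{realm}' is not one of {list(accepted)}"

# One realm for both outer identity and check, as the thread describes today.
SINGLE_REALM = RealmPolicy(outer_realm="onboard.byu.edu")
# The requested variant: outer realm unchanged, check against a separate realm.
SEPARATE_CHECK = RealmPolicy(outer_realm="onboard.byu.edu",
                             accepted_inner_realms=("byu.edu",))

if __name__ == "__main__":
    for uid in ("student@byu.edu", "student@notbyu.edu", "student"):
        print(uid, evaluate(uid, SINGLE_REALM), evaluate(uid, SEPARATE_CHECK))
```

The outer identity stays on the realm that routes to the RADIUS server, while the entered ID is validated against the realm users actually type.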