The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi David,

   I think you may have a problem with your configuration. From what I could test both reams - onboard.byu.edu and byu.edu are correctly routed to your RADIUS server. The server name CN is onboard.byu.edu but this is just a name and is not used for routing in any way.

  You ask your users to enter netid AT byu.edu as their  identifier and you have set the realm value to be onboard.byu.edu. Finally you only support one EAP type - PEAP-MSCHAPv2. In addition to that you have unset the anonymous identity support.

   These settings mean that the realm value is not used in any way, the outer identity is set the same as the inner, therefore users actually expose their real identity to all eduroam sites. The realm setting would be used if you had the anonymous outer identity set.

   If you set the realm value to byu.edu and set realm checks (or even realm prefill) then you will be sure that your users will be forced to input a correct form of the identifier to Windows and Linux installers (with Apple we cannot do much as the identifier is entered into the local system prompt and we cannot control that).

   I would also suggest that you enable the anonymous outer identity.

As far as I can tell, the current checks of CAT can be applied to your situation, just fix the config.

Tomasz

W dniu 23.10.2018 o 17:27, David Andrus pisze:

Is it possible to make the realm check configurable? Rather than just on/off let us determine what the check should be. The realm check for our institution requires “@onboard.byu.edu” (which is the URL for our RADIUS server) however we only actually require “@byu.edu” to make life a little easier for our users and the way we’re currently set up @onboard.byu.edu won’t work from on-campus. I’d like to enable the realm check and/or have the prefill option checked, but as currently implemented it won’t work for us.

 

--

David Andrus

Network Product Manager

Brigham Young University

O: (801)422-0969

C: (385)312-7414

 

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> On Behalf Of Stefan Winter
Sent: Tuesday, October 23, 2018 9:08 AM
To: Alberto Martínez <alberto_martinez AT deusto.es>
Cc: twoln AT umk.pl; cat-users AT lists.geant.org; paolo.cecchini AT uniurb.it
Subject: Re: [[cat-users]] CAT installer broken on TTLS PAP

 

Hello,

I appreciate that you are favoring reality instead of correctness, but if that check gets removed every other institution will receive more support calls from people who don't input the expected NAI domain on the installer.

Can this be a configuration item checked on by default, instead? "inner User-Name domain must match outer (anonymous) identifier's domain"

That is already configurable. You can require the user-entered ID to end in a specific realm (and that is then the same realm as the outer; we only ask for one realm and use it both for outer /and/ for this optional check).

If you unset this "check" checkbox (pun not intended) then the argument is that we shouldn't be performing /any/ checks. Right now we do run those basic checks the IdP didn't ask for; that's the (much smaller) problem space at hand here.

Greetings,

Stefan

 

Regards,

Alberto

 

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

 

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576