cat-users - RE: [[cat-users]] Question in regards anonymous identity

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


RE: [[cat-users]] Question in regards anonymous identity


  • From: Oberli Patrick <patrick.oberli AT hsr.ch>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "db AT alaska.edu" <db AT alaska.edu>, list <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Question in regards anonymous identity
  • Date: Thu, 4 Jul 2019 11:09:48 +0000
  • Accept-language: en-US, de-CH
  • Authentication-results: mx2.hsr.ch; none

That is absolutely correct, but I don't see any reason why they should be able to use the free service anonymously.

 

Thanks for explaining what that checkbox actually does, that should solve my issue. I have to check it the next time if it works as expected on Android.

 

Kind regards

Patrick

 

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> On Behalf Of Stefan Winter
Sent: Thursday, July 4, 2019 11:47 AM
To: Oberli Patrick <patrick.oberli AT hsr.ch>; db AT alaska.edu; list <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Question in regards anonymous identity

 

Hello,

> Yes exactly, the outer identity.
>
> I prefer to see who is trying to associate, as this will make
> troubleshooting on the RADIUS proxies way easier.

Your users' true identifiers will then be exposed on EVERY hotspot
world-wide, every single time they use the network. That same
information is also in clear-text in the RADIUS datagram and can be
sniffed by anyone on the path.

At the same time any roaming guests you have will still be anonymous (if
their admin chose so), so you only get that insight for your own users.

I.e. you gain a very small amount of debugging capability, at the
expense of ruining your users' privacy every single time they use an
eduroam hotspot.

It is of course your decision whether that's a reasonable trade-off. For
me, it wouldn't be.

If you want to do this, simply DISable the checkbox "Enable Anonymous
Outer Identity". The installers will then set outer=inner.

Greetings,

Stefan Winter

>
>  
>
> Thanks
>
> Patrick
>
>  
>
> *From:*IAM David Bantz <dabantz AT alaska.edu>
> *Sent:* Wednesday, July 3, 2019 9:12 PM
> *To:* Oberli Patrick <patrick.oberli AT hsr.ch>; list
> <cat-users AT lists.geant.org>
> *Subject:* Re: [[cat-users]] Question in regards anonymous identity
>
>  
>
> By "anonymous identity field" do you mean the "outer identity" that is
> used to route requests to the appropriate identity provider?
> "anonymous AT hr.sh" would achieve that without
> revealing the individuals' usernames. Why do you like to expose your
> users' identities instead?
> Just curious, or perhaps confused.
>
>  
>
> David Bantz
>
> U Alaska
>
>  
>
> On Wed, Jul 3, 2019 at 12:16 AM Oberli Patrick <patrick.oberli AT hsr.ch> wrote:

>
>     Hello together
>
>      
>
>     In regards to anonymous identities, I like to enforce them in my
>     school to be the same as the username@suffix. Is there some way to
>     achieve this with the new (and partly undocumented) options in the
>     CAT profile editor?
>
>     I recently had an issue with the Android installer, where the
>     anonymous identity field was left empty on the mobile phone, which
>     will not work with my radius configuration.
>
>      
>
>     Thanks and kind regards,
>
>      
>
>     IT-Infrastructure
>
>     Netzwerk- und Multimediateam
>
>     Patrick Oberli
>
>      
>
>     HSR Hochschule für Technik Rapperswil
>
>     Oberseestrasse 10
>
>     Postfach 1475
>
>     8640 Rapperswil
>
>     Tel: +41 55 222 4958
>
>     Email: poberli AT hsr.ch
>
>     URL: http://www.hsr.ch
>
>      
>

 

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
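
Added example, not part of the original thread: a small Python audit helper that parses the User-Name attribute out of a RADIUS Access-Request and classifies the outer identity, showing that the value is readable without the shared secret. The realm `example.org`, the user `alice`, the function names and the list of accepted anonymous local parts are assumptions made for illustration; the packets are constructed samples.

```python
import struct

USER_NAME = 1       # RFC 2865 attribute type; carries the EAP outer identity
ACCESS_REQUEST = 1  # RFC 2865 packet code

def build_access_request(identity, ident=1):
    """Constructed sample: Access-Request with only a User-Name attribute."""
    value = identity.encode("utf-8")
    attr = bytes([USER_NAME, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + bytes(16) + attr  # all-zero authenticator is a placeholder

def parse_attributes(packet):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def outer_identity(packet):
    """User-Name is not encrypted, so no shared secret is needed to read it."""
    for atype, value in parse_attributes(packet):
        if atype == USER_NAME:
            return value.decode("utf-8", errors="replace")
    return None

def classify(identity, anonymous_locals=("", "anonymous")):
    """Return 'missing', 'no-realm', 'anonymous' or 'exposed'."""
    if not identity:
        return "missing"
    local, sep, realm = identity.rpartition("@")
    if not sep or not realm:
        return "no-realm"
    return "anonymous" if local.lower() in anonymous_locals else "exposed"

if __name__ == "__main__":
    for ident in ("anonymous@example.org", "alice@example.org", ""):  # constructed
        pkt = build_access_request(ident)
        print(repr(ident), "->", classify(outer_identity(pkt)))
```

The "missing" result corresponds to the empty anonymous identity field reported for the Android installer, and "exposed" to the outer=inner configuration discussed above.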

 



