cat-users - Re: [[cat-users]] Question in regards anonymous identity

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Alan Buxey <alan.buxey AT gmail.com>
  • To: Oberli Patrick <patrick.oberli AT hsr.ch>
  • Cc: Stefan Winter <stefan.winter AT restena.lu>, "db AT alaska.edu" <db AT alaska.edu>, list <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Question in regards anonymous identity
  • Date: Thu, 4 Jul 2019 20:32:56 +0100

hi,

who would be using the free service anonymously? visitors? they have
the right to privacy (hello GDPR and how useful eduroam+anonymous is)
- the home organisation knows exactly who that person is if there is
some issue (abuse/etc)

your own users? well, they are your own users! - so you have, in your
RADIUS server, the exact identity (the innerID) of who operates that
wireless client
so there is no need to abuse their configuration - it's up to you how
that is logged and revealed in your management systems

alan


On Thu, 4 Jul 2019 at 12:10, Oberli Patrick <patrick.oberli AT hsr.ch> wrote:
>
> That is absolutely correct, but I don't see any reason why they should be
> able to use the free service anonymously.
>
>
>
> Thanks for explaining what that checkbox actually does, that should solve
> my issue. I have to check it the next time if it works as expected on
> Android.
>
>
>
> Kind regards
>
> Patrick
>
>
>
> From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
> On Behalf Of Stefan Winter
> Sent: Thursday, July 4, 2019 11:47 AM
> To: Oberli Patrick <patrick.oberli AT hsr.ch>; db AT alaska.edu; list
> <cat-users AT lists.geant.org>
> Subject: Re: [[cat-users]] Question in regards anonymous identity
>
>
>
> Hello,
>
> > Yes exactly, the outer identity.
> >
> > I prefer to see who is trying to associate, as this will make
> > troubleshooting on the RADIUS proxies way easier.
>
> Your users' true identifiers will then be exposed on EVERY hotspot
> world-wide, every single time they use the network. That same
> information is also in clear-text in the RADIUS datagram and can be
> sniffed by anyone on the path.
>
> At the same time any roaming guests you have will still be anonymous (if
> their admin chose so), so you only get that insight for your own users.
>
> I.e. you gain a very small amount of debugging capability, at the
> expense of ruining your user's privacy every single time they use an
> eduroam hotspot.
>
> It is of course your decision whether that's a reasonable trade-off. For
> me, it wouldn't be.
>
> If you want to do this, simply DISable the checkbox "Enable Anonymous
> Outer Identity". The installers will then set outer=inner.
>
> Greetings,
>
> Stefan Winter
>
> >
> >
> >
> > Thanks
> >
> > Patrick
> >
> >
> >
> > *From:*IAM David Bantz <dabantz AT alaska.edu>
> > *Sent:* Wednesday, July 3, 2019 9:12 PM
> > *To:* Oberli Patrick <patrick.oberli AT hsr.ch>; list
> > <cat-users AT lists.geant.org>
> > *Subject:* Re: [[cat-users]] Question in regards anonymous identity
> >
> >
> >
> > By "anonymous identity field" do you mean the "outer identity" that is
> > used to route requests to the appropriate identity provider?
> > "anonymous AT hr.sh" would achieve that without
> > revealing the individuals' usernames. Why do you like to expose your
> > users' identities instead?
> > Just curious, or perhaps confused.
> >
> >
> >
> > David Bantz
> >
> > U Alaska
> >
> >
> >
> > On Wed, Jul 3, 2019 at 12:16 AM Oberli Patrick <patrick.oberli AT hsr.ch> wrote:
> >
> > Hello together
> >
> >
> >
> > In regards to anonymous identities, I like to enforce them in my
> > school to be the same as the username@suffix. Is there some way to
> > achieve this with the new (and partly undocumented) options in the
> > CAT profile editor?
> >
> > I recently had an issue with the Android installer, where the
> > anonymous identity field was left empty on the mobile phone, which
> > will not work with my radius configuration.
> >
> >
> >
> > Thanks and kind regards,
> >
> >
> >
> > IT-Infrastructure
> >
> > Netzwerk- und Multimediateam
> >
> > Patrick Oberli
> >
> >
> >
> > HSR Hochschule für Technik Rapperswil
> >
> > Oberseestrasse 10
> >
> > Postfach 1475
> >
> > 8640 Rapperswil
> >
> > Tel: +41 55 222 4958
> >
> > Email: poberli AT hsr.ch
> >
> > URL: http://www.hsr.ch
> >
> >
> >
>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>
>
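
An added example (not part of the thread, and not CAT or eduroam project code): a minimal parser that reads the User-Name attribute, which carries the outer identity, from a RADIUS Access-Request and classifies it, so an administrator can check what their own installers put on the wire, including the empty case reported for Android. The packets are constructed sample data, and treating an empty or `anonymous` local part as anonymised is an assumption.

```python
import struct

ACCESS_REQUEST = 1                    # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1                    # User-Name attribute: the outer identity, sent unencrypted
ANON_LOCAL_PARTS = ("", "anonymous")  # assumption: local parts that count as anonymised
SAMPLES = [b"alice@example.org", b"anonymous@example.org", b"@example.org", b""]  # constructed

def build_access_request(user_name: bytes, ident: int = 1) -> bytes:
    """Build a minimal sample Access-Request (test data only, not a working client)."""
    attrs = bytes([4, 6, 192, 0, 2, 1])                          # NAS-IP-Address 192.0.2.1
    attrs += bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), bytes(16)) + attrs

def outer_identity(packet: bytes):
    """Return the User-Name value from a RADIUS packet, or None if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    pos = 20
    while pos + 2 <= length:                                     # walk type/length/value attributes
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ATTR_USER_NAME:
            return packet[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    return None

def classify(user_name):
    """Label an outer identity: empty, no-realm, anonymous, or exposed."""
    if not user_name:
        return "empty"                                           # nothing to route on
    local, sep, realm = user_name.rpartition("@")
    if not sep or not realm:
        return "no-realm"                                        # cannot be routed to a home IdP
    return "anonymous" if local.lower() in ANON_LOCAL_PARTS else "exposed"

def audit(names=SAMPLES):
    """Round-trip each sample name through a packet and classify what is visible on the wire."""
    return [(n.decode(), classify(outer_identity(build_access_request(n)))) for n in names]

if __name__ == "__main__":
    for name, verdict in audit():
        print(f"{name!r:28} {verdict}")
```
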


