
cat-users - Re: [[cat-users]] CAT fixes for Windows

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Chris Phillips <Chris.Phillips AT canarie.ca>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] CAT fixes for Windows
  • Date: Thu, 19 Jan 2023 15:08:19 +0000

It’s been our experience that on Windows the inner ID realm is used on the outer ID.

And as Tomasz just sent, expected behaviour.

@Matthew Slowe: one technique we do suggest sites explore is to add another suffix in AD that is not ‘.local’, but more accurately portrays the full domain.

Multiple realms can be had, and that means an additional UPN.

If the namespace has collisions (i.e. students in this tree, staff in another) then consolidation to one common UPN is extremely hard, such that TTLS is easier.

Hope this helps.

Chris.


From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Tomasz Wolniewicz <cat-users AT lists.geant.org>
Date: Thursday, January 19, 2023 at 9:24 AM
To: cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] CAT fixes for Windows




Indeed this does look close. Will look into it.

Tomasz


On 19.01.2023 at 15:19, Matthew Slowe (via cat-users Mailing List) wrote:
> On 19/09/2022 11:06, Tomasz Wolniewicz (via cat-users Mailing List)
> wrote:
>> 1. For PEAP - there was a problem manifesting itself for
>> organisations which have defined the empty username part of the outer
>> name. This was causing an installation error.
>
> Hi Tomasz,
>
> I have a member organisation that's using the "Enable Anonymous Outer
> Identity" setting (set to an empty string, so we expect "@example.edu"
> as an outer identity).
>
> During install users enter an internal only UPN into the username box
> (e.g. user@example.local) to be used in the Inner credential exchange.
> This works fine on macOS, iOS and Android.
>
> They're reporting a problem on Windows (specifically Windows 10 but
> may not be limited to that) where it's setting the "Enable Identity
> Privacy" setting in the PEAP settings but the outer username is being
> sent as:
>
>     @example.local
>
> It appears to be getting it _half_ right... anonymous yes, but wrong
> outer realm!
>
> Not sure if this is related to your fixes in September, but it's
> suspiciously close!
>
> Any ideas?
>
> Thanks,

--
Tomasz Wolniewicz
           twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uniwersyteckie Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika         Nicolaus Copernicus University,
pl. Rapackiego 1, Torun                pl. Rapackiego 1, Torun, Poland
             tel: +48-56-611-2750; tel kom.: +48-693-032-576
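
The behaviour discussed in this thread, as an added example that is not part of the original messages or of CAT: a Python check that takes usernames as users would type them, predicts the outer identity Windows sends with identity privacy enabled, and flags those whose realm differs from the profile's. The function names and the sample list are constructed; the Windows behaviour modelled is the one reported above (realm taken from the typed username).

```python
# Added example, not CAT code. Assumption taken from the thread: with identity
# privacy enabled, Windows PEAP replaces only the part before "@" and keeps the
# realm of the username the user typed.

def split_identity(identity):
    """Return (local_part, realm); realm is '' when there is no '@'."""
    local, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, ""
    return local, realm.lower()

def windows_outer_identity(typed_username, anonymous_local=""):
    """Outer identity for a typed username; None if it has no realm,
    because the thread does not describe that case."""
    _, realm = split_identity(typed_username)
    if not realm:
        return None
    return f"{anonymous_local}@{realm}"

def audit_usernames(typed_usernames, expected_realm, anonymous_local=""):
    """Return (username, outer_identity, reason) for every username whose
    outer identity would not carry the realm configured in the profile."""
    expected = expected_realm.lower()
    findings = []
    for name in typed_usernames:
        outer = windows_outer_identity(name, anonymous_local)
        if outer is None:
            findings.append((name, None, "no realm typed"))
        elif split_identity(outer)[1] != expected:
            findings.append((name, outer, "realm differs from profile"))
    return findings

# Constructed sample input using the placeholder domains from the thread.
SAMPLE = ["user@example.local", "staff1@example.edu", "User2@EXAMPLE.EDU", "bare"]

if __name__ == "__main__":
    for name, outer, reason in audit_usernames(SAMPLE, "example.edu"):
        print(f"{name!r} -> outer {outer!r}: {reason}")
```

Run against an export of the UPNs users actually enter, this lists the accounts that would need the additional non-‘.local’ UPN suffix suggested above, or a move to TTLS.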
