
cat-users - Re: [[cat-users]] CAT fixes for Windows

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] CAT fixes for Windows


  • From: Matthew Slowe <matthew.slowe AT jisc.ac.uk>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] CAT fixes for Windows
  • Date: Thu, 19 Jan 2023 16:05:53 +0000
  • Organization: Jisc

Tomasz and Chris,

Ah, and the "what do assumptions make?" adage comes back to bite...!

Thanks for correcting me... pain and suffering to follow.

Cheers,
Matthew

On 19/01/2023 14:59, Tomasz Wolniewicz (via cat-users Mailing List) wrote:
OK,

  I should read carefully before replying.

What you describe is indeed an expected behaviour. When you read the PEAP spec, it turns out that they only allow assigning the user part in the AnonymousUserName and this is how Microsoft are implementing this. They just take the realm from the entered user identifier, replacing the user part with the string set in AnonymousUserName. Everyone else obviously considers this to be silly and they are implementing PEAP allowing to set the full name, but in fact they are violating the original spec.

If your org wants the behaviour they expect, they should switch to TTLS. Here Microsoft allows you to enter the full anonymous user.

Tomasz


On 19.01.2023 at 15:19, Matthew Slowe (via cat-users Mailing List) wrote:
On 19/09/2022 11:06, Tomasz Wolniewicz (via cat-users Mailing List) wrote:
1. For PEAP - there was a problem manifesting itself for organisations which have defined the empty username part of the outer name. This was causing an installation error.

Hi Tomasz,

I have a member organisation that's using the "Enable Anonymous Outer Identity" setting (set to an empty string, so we expect " AT example.edu" as an outer identity).

During install users enter an internal only UPN into the username box (e.g. user AT example.local) to be used in the Inner credential exchange. This works fine on macOS, iOS and Android.

They're reporting a problem on Windows (specifically Windows 10 but may not be limited to that) where it's setting the "Enable Identity Privacy" setting in the PEAP settings but the outer username is being sent as:

    @example.local

It appears to be getting it _half_ right... anonymous yes, but wrong outer realm!

Not sure if this is related to your fixes in September, but it's suspiciously close!

Any ideas?

Thanks,


--
Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
Principal technical consultant and infrastructure specialist, Jisc
Team: 01235 822185
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
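
The outer-identity derivation Tomasz describes, modelled as an added example that is not part of the original thread and is not CAT or Windows code. The function names, mode labels and sample values are hypothetical, and the handling of a username typed without a realm is an assumption.

```python
# Added example: models the outer-identity behaviour described in this thread.
# All names here are hypothetical; this is not CAT or Windows code.

def split_identity(identity):
    """Split 'user@realm' at the last '@'; realm is None if there is no '@'."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, None)


def outer_identity(mode, typed_username, anon_user, anon_realm):
    """Outer identity sent in the unencrypted EAP-Response/Identity.

    mode 'user-part-only': only the user part is configurable and the realm is
        copied from what the user typed (Windows PEAP, per the thread).
    mode 'full-identity': the whole anonymous identity is configurable
        (Windows TTLS and other PEAP supplicants, per the thread).
    """
    if mode == "full-identity":
        return f"{anon_user}@{anon_realm}"
    if mode == "user-part-only":
        _, typed_realm = split_identity(typed_username)
        # Assumption: with no realm typed there is nothing to copy.
        return anon_user if typed_realm is None else f"{anon_user}@{typed_realm}"
    raise ValueError(f"unknown mode: {mode}")


def realm_mismatch(mode, typed_username, anon_user, anon_realm):
    """True when the outer realm differs from the one the profile intends."""
    sent = outer_identity(mode, typed_username, anon_user, anon_realm)
    _, sent_realm = split_identity(sent)
    # Realms are compared case-insensitively, like DNS names.
    return (sent_realm or "").lower() != anon_realm.lower()


if __name__ == "__main__":
    # Constructed inputs matching the report: empty anonymous user part,
    # intended outer realm example.edu, inner UPN user@example.local.
    for mode in ("user-part-only", "full-identity"):
        sent = outer_identity(mode, "user@example.local", "", "example.edu")
        flag = realm_mismatch(mode, "user@example.local", "", "example.edu")
        print(f"{mode:15} outer={sent!r} mismatch={flag}")
```

A mismatch means the outer realm, which RADIUS proxies route on, is the internal UPN suffix rather than the realm the profile intended.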



