cat-users - Re: [[cat-users]] CAT fixes for Windows

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Daniele Albrizio <albrizio AT units.it>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] CAT fixes for Windows
  • Date: Fri, 20 Jan 2023 15:15:28 +0100


On 19/01/23 16:08, Chris Phillips (via cat-users Mailing List) wrote:

It’s been our experience that on Windows the inner id realm is used on the outer-id.

And as Tomasz just sent, expected behaviour.

 

@Matthew Slowe: one technique we do suggest sites explore is to add another suffix in AD that is not ‘.local’, but more accurately portrays the full domain.

Multiple Realms can be had and means an additional UPN.

If the namespace has collisions (i.e. students in this tree, staff in another) then consolidation to one common UPN is extremely hard such that TTLS is easier ..

This collision scenario has been solved by our institutions asking the NRO to register different (sub)domains for our institution.

They are units.it and ds.units.it

This might not be correct for the policy of all the NRO, so just ask.

Internally we map one domain to an openldap, the other to an AD backend.

Still, all domains must exist on the internet, you cannot just use .local1 and .local2

The definitive solution is to correctly manage digital identities and have only one backend type (also easing implementation of MFA, SIEM, etc...).

Hope this helps.

Chris.

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Tomasz Wolniewicz <cat-users AT lists.geant.org>
Date: Thursday, January 19, 2023 at 9:24 AM
To: cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] CAT fixes for Windows


Indeed this does look close. Will look into it.

Tomasz


On 19.01.2023 at 15:19, Matthew Slowe (via cat-users Mailing List) wrote:
> On 19/09/2022 11:06, Tomasz Wolniewicz (via cat-users Mailing List)
> wrote:
>> 1. For PEAP - there was a problem manifesting itself for
>> organisations which have defined the empty username part of the outer
>> name. This was causing an installation error.
>
> Hi Tomasz,
>
> I have a member organisation that's using the "Enable Anonymous Outer
> Identity" setting (set to an empty string, so we expect "@example.edu"
> as an outer identity).
>
> During install users enter an internal only UPN into the username box
> (eg. user AT example.local) to be used in the Inner credential exchange.
> This works fine on macOS, iOS and Android.
>
> They're reporting a problem on Windows (specifically Windows 10 but
> may not be limited to that) where it's setting the "Enable Identity
> Privacy" setting in the PEAP settings but the outer username is being
> sent as:
>
>     @example.local
>
> It appears to be getting it _half_ right... anonymous yes, but wrong
> outer realm!
>
> Not sure if this is related to your fixes in September, but it's
> suspiciously close!
>
> Any ideas?
>
> Thanks,

--
Tomasz Wolniewicz
           twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uniwersyteckie Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika         Nicolaus Copernicus University,
pl. Rapackiego 1, Torun                pl. Rapackiego 1, Torun, Poland
             tel: +48-56-611-2750; tel kom.: +48-693-032-576


-- 
-------------------------------------------
Daniele Albrizio
Università degli Studi di Trieste | University of Trieste
Ufficio Reti e Telefonia | Networks and Telephony Office
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319
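
The realm mismatch discussed in this thread (an outer identity of "@example.local" where "@example.edu" was expected) can be spotted on the RADIUS side by comparing the realm of each outer identity with the realms the institution has registered. The following is an added example, not code from the thread or from CAT; the log line format, the function names, the "students.example.edu" realm and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the realms registered for the institution. example.edu is the
# expected outer realm from the thread; students.example.edu is hypothetical.
REGISTERED_REALMS = {"example.edu", "students.example.edu"}

# Constructed log format; adapt the pattern to your RADIUS server's logs.
USER_NAME_RE = re.compile(r'User-Name="([^"]*)"')

def classify_outer_identity(user_name, registered=REGISTERED_REALMS):
    """Classify an outer identity (RADIUS User-Name) by its realm."""
    local, sep, realm = user_name.rpartition("@")
    if not sep:
        return "no-realm"              # nothing to route on
    realm = realm.lower().rstrip(".")
    if realm not in registered:
        # e.g. "@example.local": the inner UPN suffix was used as outer realm
        return "unregistered-realm"
    # Empty local part is the setting described in the thread; "anonymous"
    # is treated as equivalent here (assumption).
    return "anonymous-ok" if local in ("", "anonymous") else "named-ok"

def scan(lines, registered=REGISTERED_REALMS):
    """Return (Counter of verdicts, sorted list of unregistered realms seen)."""
    counts, bad_realms = Counter(), set()
    for line in lines:
        match = USER_NAME_RE.search(line)
        if not match:
            continue                   # not a request line with a User-Name
        name = match.group(1)
        verdict = classify_outer_identity(name, registered)
        counts[verdict] += 1
        if verdict == "unregistered-realm":
            bad_realms.add(name.rpartition("@")[2].lower().rstrip("."))
    return counts, sorted(bad_realms)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '2023-01-19T15:01:02 Access-Request User-Name="@example.edu" NAS="ap-1"',
    '2023-01-19T15:01:09 Access-Request User-Name="@example.local" NAS="ap-1"',
    '2023-01-19T15:02:11 Access-Request User-Name="anonymous@students.example.edu" NAS="ap-2"',
    '2023-01-19T15:02:40 Access-Request User-Name="jdoe" NAS="ap-2"',
    '2023-01-19T15:03:05 Access-Request User-Name="@EXAMPLE.LOCAL" NAS="ap-3"',
    '2023-01-19T15:03:30 Accounting-Request Acct-Status-Type=Start NAS="ap-3"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```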
