
cat-users - Re: [[cat-users]] possible CAT 2.1.3 issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: ALBRIZIO DANIELE <albrizio AT units.it>, "bpp AT mbg.au.dk" <bpp AT mbg.au.dk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] possible CAT 2.1.3 issue
  • Date: Thu, 30 Jan 2025 12:20:07 +0100

Hi,


The realm (or domain) comes in two flavours. First it serves for traffic routing to the proper radius server, but secondly it is typically also part of the actual username of the user. While the routing part is case insensitive, the username need not be. If the particular authentication back-end requires the domain part of the username to be upper-case then it may cause a problem. In principle it could also happen that while the routing will work correctly and reach the proper radius server, this server might not like the realm if the case does not match (this could be a local configuration issue).


Therefore it could be true that for particular institutions the domain must be upper-case, but this is up to the user to put it in such an identifier while setting up eduroam.

 

If the radius server is happy to receive the outer name in the form anonymous AT UMK.PL and the inner name as twoln AT UMK.PL then there is an easy way to force users into putting in correct data. In the CAT admin interface you need to set the realm value to be upper case and then you should set the checkboxes "Enforce realm suffix in username" and "Enforce exact realm in username" as well if this is appropriate for your institution. This second checkbox is supposed to cause the CAT configuration script to add the suffix into the input field and make sure that it will stay this way. Unfortunately, this prompting functionality in the Linux script got removed in recent updates. In the case when zenity forms are used it is not possible to fix, but for other interfaces we can probably do better.


Tomasz


On 30.01.2025 at 10:02, ALBRIZIO DANIELE (via cat-users Mailing List) wrote:
Sorry, can't understand the issue.

I suppose you are talking about user realm (that in eduroam is in some part and way mapped to the institution official domain but has a slightly different meaning).

Domain names are born case insensitive (RFC 1035 and RFC 4343).

Case casting if needed should be handled on the radius or authentication back end side in my opinion.

I'm confident you are aware of the "force realm" option of CAT installers that can be used to "fix" the realm representation as long as you don't have too many realms to address.

Am I missing something?

On Thu, 2025-01-30 at 07:42 +0000, Bjørn Panyella Pedersen wrote:

The pymol script should ensure to set the DOMAIN for the username with capital letters, even if the user does not use capital letters. cf. https://askubuntu.com/questions/1529231/cant-connect-to-eduroam-with-ubuntu-24-04
best -Bjørn

-- 


Daniele Albrizio
Ufficio Reti e Telefonia | Networks and Telephony Office
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319
Ufficio Reti e Telefonia | Networks and Telephony Office
Tel. | Ph. +39 040 558 3331
-- 
Tomasz Wolniewicz
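
The realm handling discussed in this thread, as an added example that is not code from the CAT installer or from any of the posters: the typed realm is compared case-insensitively, as routing does, but the identity handed to the back-end always carries the realm in the case the administrator configured. The function names are hypothetical, and the meaning given to `exact` (only the configured realm versus sub-realms allowed) is an assumption about the two enforcement checkboxes; the archive's "AT" is written as "@".

```python
# Added example; function names are hypothetical, not from the CAT installer.

class RealmError(ValueError):
    """The entered username cannot be accepted for this profile."""


def normalise_identity(user_input, realm, exact=True):
    """Return the inner identity with the realm in the profile's own case.

    realm: realm exactly as the administrator configured it, e.g. "UMK.PL".
    exact: True accepts only user@realm; False also accepts sub-realms such
           as user@dept.realm (assumed meaning, see lead-in).
    The local part before '@' is never changed.
    """
    local, sep, typed = user_input.strip().partition("@")
    if not local:
        raise RealmError("empty user name")
    if "@" in typed:
        raise RealmError("more than one '@' in the user name")
    if not typed:
        # Nothing typed after the user name: append the configured realm.
        return f"{local}@{realm}"
    # Realm routing is case insensitive, so compare without regard to case,
    # but always emit the configured spelling for the back-end.
    if typed.lower() == realm.lower():
        return f"{local}@{realm}"
    head, tail = typed[:-len(realm)], typed[-len(realm):]
    if (not exact and tail.lower() == realm.lower()
            and len(head) > 1 and head.endswith(".")):
        # Sub-realm: keep the typed label(s), fix the case of the suffix.
        return f"{local}@{head}{realm}"
    raise RealmError(f"realm '{typed}' does not match '{realm}'")


def outer_identity(realm, local="anonymous"):
    """Outer (routing) identity in the same case as the inner one."""
    return f"{local}@{realm}"


if __name__ == "__main__":
    # Constructed sample inputs for a profile whose realm is set to UMK.PL.
    for typed in ("twoln@umk.pl", "twoln", "twoln@Umk.Pl", "twoln@example.org"):
        try:
            print(typed, "->", normalise_identity(typed, "UMK.PL"))
        except RealmError as err:
            print(typed, "-> rejected:", err)
    print("outer:", outer_identity("UMK.PL"))
```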
