"double" realm problem

mr typo euroregistrar at gmail.com
Wed Oct 7 15:03:30 CEST 2009


hey,
yes we are talking about eduroam and after reading your post, it seems like
it is best to deny such users.

thanks a lot

-euroreg

On Wed, Oct 7, 2009 at 2:44 PM, Stefan Winter <stefan.winter at restena.lu> wrote:

> Hi,
>
> > problem is, that we are a university, so they are "our" people.
> > thousands of students and teachers. if we deny those users, our
> > helpdesk will get more work.
> > is there a way to remove the double entries or do i have to block those?
>
> Any chance we are talking about eduroam? In this case: doing something
> locally to make it work for these users even with misconfigured devices
> is *not* going to do any good, and you will have helpdesk trouble as
> soon as your users roam.
>
> The rationale being straightforward: you "fix" your local realm
> stripping, misconfigured clients are happy on your campus. Then they go
> to other hotspots without your magic fixes, and roaming will break. At
> some point they come back and whine, and you have to negotiate with the
> remote side logs to figure their weird settings prevented them from
> roaming. Then you still have to re-config the devices.
>
> Not to mention that it damages the eduroam brand, since these people
> will believe "roaming doesn't work".
>
> Contrary to that, changing one setting once on those few (I guess - not
> everyone on your campus uses Nokia cell phones, do they?) misconfigured
> clients will fix the issue permanently and globally. I'm shepherding
> about 10000 end-users myself on an eduroam IdP setup, and a HOWTO for
> Symbian which highlights neuralgic parts seems to work for me (at least
> I don't drown in user requests, and still have time to read and write
> freeradius-users :-) ).
>
> Greetings,
>
> Stefan Winter
>
> >
> > -euroreg
> >
> > On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> >
> >     Hi,
> >
> >     > we do have one realm configured domainname.com which works perfectly. every
> >     > user who wants to authenticate with a different realm is proxied to an
> >     > outside radius server. the setup works fine.
> >     >
> >     > we do have some mobile devices who send something like:
> >     > username at company.com@wlan.mnc003.mc
> >     > username at company.com@Verisign...
> >
> >     as Stefan says - this looks suspiciously like Nokia Symbian clients.
> >     if the client hasn't been configured correctly it will send the CN
> >     of the certificate as the realm details...and other things - so you get
> >     that double realm issue... which might get to you via external proxy..
> >     or might not.
> >
> >     reject if you see more than one @ - or, if these are your people,
> >     find them and fix their client. (in case of Nokia, it's to ensure that the
> >     realm is specified rather than left to default setting.)
> >
> >     alan
> >     -
> >     List info/subscribe/unsubscribe? See
> >     http://www.freeradius.org/list/users.html
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
>
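
The rule discussed in this thread (handle the local realm, proxy other realms, reject any User-Name with more than one @ instead of stripping it), as an added Python example that is not part of the original messages and is not FreeRADIUS configuration. The function names and sample User-Name values are constructed, and the handling of names without a realm is an assumption.

```python
"""Triage User-Name values the way the thread recommends (added example)."""

LOCAL_REALM = "domainname.com"  # local realm as named in the thread

# Constructed sample values; the last two mimic the double-realm pattern.
SAMPLE = [
    "alice@domainname.com",
    "bob@other.example",
    "dave",
    "carol@domainname.com@wlan.mnc003.mc",
    "carol@domainname.com@Verisign",
]


def classify(user_name, local_realm=LOCAL_REALM):
    """Return (decision, detail) for one User-Name value."""
    user, *realms = user_name.split("@")
    if len(realms) > 1:
        # More than one '@': reject rather than strip, so the client gets
        # fixed once instead of failing later at another hotspot.
        return "reject", f"{user}@{realms[0]}"
    if not realms or not realms[0]:
        # Assumption: the thread does not say how realm-less names are handled.
        return "no-realm", user
    realm = realms[0].lower()
    return ("local" if realm == local_realm.lower() else "proxy"), realm


def helpdesk_report(user_names):
    """Map each probable identity to its count of rejected requests."""
    report = {}
    for name in user_names:
        decision, detail = classify(name)
        if decision == "reject":
            report[detail] = report.get(detail, 0) + 1
    return report


if __name__ == "__main__":
    for name in SAMPLE:
        print(name, "->", classify(name))
    print(helpdesk_report(SAMPLE))
```

The report gives the helpdesk the first user@realm pair of each rejected request, which is the account whose device needs its realm setting corrected.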