"double" realm problem
mr typo
euroregistrar at gmail.com
Wed Oct 7 15:03:30 CEST 2009
hey,
yes we are talking about eduroam and after reading your post, it seems like
it is best to deny such users.
thanks a lot
-euroreg
On Wed, Oct 7, 2009 at 2:44 PM, Stefan Winter <stefan.winter at restena.lu> wrote:
> Hi,
>
> > problem is, that we are a university, so they are "our" people.
> > thousands of students and teachers. if we deny those users, our
> > helpdesk will get more work.
> > is there a way to remove the double entries or do i have to block those?
>
> Any chance we are talking about eduroam? In this case: doing something
> locally to make it work for these users even with misconfigured devices
> is *not* going to do any good, and you will have helpdesk trouble as
> soon as your users roam.
>
> The rationale being straightforward: you "fix" your local realm
> stripping, misconfigured clients are happy on your campus. Then they go
> to other hotspots without your magic fixes, and roaming will break. At
> some point they come back and whine, and you have to negotiate with the
> remote side logs to figure their weird settings prevented them from
> roaming. Then you still have to re-config the devices.
>
> Not to mention that it damages the eduroam brand, since these people
> will believe "roaming doesn't work".
>
> Contrary to that, changing one setting once on those few (I guess - not
> everyone on your campus uses Nokia cell phones, do they?) misconfigured
> clients will fix the issue permanently and globally. I'm shepherding
> about 10000 end-users myself on an eduroam IdP setup, and a HOWTO for
> Symbian which highlights neuralgic parts seems to work for me (at least
> I don't drown in user requests, and still have time to read and write
> freeradius-users :-) ).
>
> Greetings,
>
> Stefan Winter
>
> >
> > -euroreg
> >
> > On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> >
> > Hi,
> >
> > > we do have one realm configured domainname.com which works perfectly. every
> > > user who wants to authenticate with a different realm is proxied to an
> > > outside radius server. the setup works fine.
> > >
> > > we do have some mobile devices who send something like:
> > > username at company.com@wlan.mnc003.mc
> > > username at company.com@Verisign...
> >
> > as Stefan says - this looks suspiciously like Nokia Symbian clients.
> > if the client hasn't been configured correctly it will send the CN
> > of the certificate as the realm details...and other things - so you get
> > that double realm issue... which might get to you via external proxy..
> > or might not.
> >
> > reject if you see more than one @ - or, if these are your people,
> > find them and fix their client. (in case of Nokia, it's: ensure that the
> > realm is specified rather than left to default setting.)
> >
> > alan
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
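
An added example, not part of the thread or of FreeRADIUS: one way to act on the "find them and fix their client" advice is to scan the auth log for User-Names with more than one @ and list the affected identity, the appended realm and the device MAC. The log line shape, the `/<...>` suffix handling, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed auth log line shape: "... [User-Name] (from client NAS port N cli MAC)".
AUTH_RE = re.compile(
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port \d+"
    r"(?: cli (?P<mac>[^)\s]+))?\)"
)

def split_user_name(user_name):
    """Return (identity, appended_realms).

    'a@b' -> ('a@b', []); 'a@b@c' -> ('a@b', ['c']).
    """
    parts = user_name.split("@")
    if len(parts) <= 2:
        return user_name, []
    return "@".join(parts[:2]), parts[2:]

def double_realm_report(log_lines):
    """Map each affected identity to the (appended realm, device MAC) pairs seen."""
    report = defaultdict(set)
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        # Assumption: the server appends "/<...>" annotations inside the brackets.
        user = m.group("user").split("/<", 1)[0]
        identity, extra = split_user_name(user)
        if extra:  # more than one @: the misconfigured-client case from the thread
            report[identity].add(("@".join(extra), m.group("mac") or "unknown"))
    return {identity: sorted(pairs) for identity, pairs in report.items()}

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    "Wed Oct  7 14:01:02 2009 : Auth: Login OK: [alice@domainname.com/<via Auth-Type = EAP>] (from client ap1 port 0 cli 00-11-22-33-44-01)",
    "Wed Oct  7 14:02:10 2009 : Auth: Login incorrect: [username@company.com@wlan.mnc003.mc/<via Auth-Type = EAP>] (from client ap1 port 0 cli 00-11-22-33-44-02)",
    "Wed Oct  7 14:03:45 2009 : Auth: Login incorrect: [username@company.com@EXAMPLE-CA/<via Auth-Type = EAP>] (from client ap2 port 0 cli 00-11-22-33-44-02)",
    "Wed Oct  7 14:05:00 2009 : Auth: Login incorrect: [bob] (from client ap2 port 0 cli 00-11-22-33-44-03)",
]

if __name__ == "__main__":
    for identity, pairs in double_realm_report(SAMPLE_LOG).items():
        for realm, mac in pairs:
            print(f"{identity}: appended realm {realm!r} from device {mac}")
```
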