[RADIATOR] we're sending empty realms to eduroam tlrs servers

Ullfig, Roberto Alfredo rullfig at uic.edu
Fri Jul 23 15:54:08 UTC 2021


"move closer" is just the message the wifi client is printing out - a very user-unfriendly message for forgetting to enter your domain. The problem is that our regular WiFi requires just a netid (no domain) and Eduroam requires the domain and it's a common configuration mixup for our users. I think a good solution going forward would be to support the domain in regular WiFi (while also supporting just the netid for current configurations) and then advertise that in our documentation.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Friday, July 23, 2021 10:41 AM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] we're sending empty realms to eduroam tlrs servers

On 23.7.2021 18.03, Ullfig, Roberto Alfredo wrote:
> Can we specify the error message to return to the user with:
>
> RejectReason you must specify your domain...
>
> or must that be done on the wireless controller?

I think the wireless controller would need to take Reply-Message
attribute contents from Access-Reject and somehow send it to the
wireless client.

I'm not completely sure, but I don't think it's possible. The EAP
messaging that goes over the wireless hop isn't capable of doing it, I'd say.

One option might be to create a Handler for realmless users that
authenticates them and then drops them to a VLAN which is a walled
garden. There they would always be redirected to a web page with
information about what they should do to get full access. It might be a
bit of a heavy solution though.

> Currently when a user fails to enter their domain the error message they
> get says to "move closer".

Is that something you generate locally or does it come from somewhere
else, such as, eduroam?

Thanks,
Heikki

> ------------------------------------------------------------------------
> *From:* radiator <radiator-bounces at lists.open.com.au> on behalf of
> Heikki Vatiainen <hvn at open.com.au>
> *Sent:* Wednesday, July 14, 2021 12:05 PM
> *To:* radiator at lists.open.com.au <radiator at lists.open.com.au>
> *Subject:* Re: [RADIATOR] we're sending empty realms to eduroam tlrs
> servers
>
>
> On 13.7.2021 22.38, Ullfig, Roberto Alfredo wrote:
>> So I noticed a doc here for handling empty realms:
>>
>> https://wiki.geant.org/pages/viewpage.action?pageId=121346324
>
>>
>> Are the Handlers executed in order from top to bottom?
>
> Yes. The handler order, Handler check items, '...' in <Handler ...>, and
> Handler - Realm relationship is discussed in more detail here:
>
> https://files.radiatorsoftware.com/radiator/ref/Handler.html
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

--
Heikki Vatiainen <hvn at open.com.au>
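
Added example, not part of the original thread and not Radiator configuration: a small Python model of the top-to-bottom, first-match Handler selection discussed above, showing how a realmless User-Name falls through to a catch-all proxy rule and how a realmless rule placed first keeps it on site. The action names, the patterns, the sample identities and the choice to take the realm after the last "@" are assumptions.

```python
import re

# Constructed model of ordered, first-match Handler selection; the names and
# the realm patterns are assumptions, not Radiator configuration syntax.
PROXY = "proxy-to-eduroam"
LOCAL = "local-auth"
GARDEN = "walled-garden-vlan"

# Before: home realm, then a catch-all that proxies everything else upstream.
BEFORE = [(r"^uic\.edu$", LOCAL), (r"", PROXY)]
# After: a realmless rule placed first, so it wins before the catch-all.
AFTER = [(r"^$", GARDEN)] + BEFORE


def realm_of(user_name):
    """Text after the last '@' (assumption); empty when there is none."""
    _, sep, realm = user_name.rpartition("@")
    return realm.strip().lower() if sep else ""


def route(user_name, handlers):
    """Return the action of the first handler whose pattern matches the realm."""
    realm = realm_of(user_name)
    for pattern, action in handlers:
        if re.search(pattern, realm):
            return action
    return "reject"


def leaked_upstream(identities, handlers):
    """Identities with an empty realm that would still be proxied upstream."""
    return [u for u in identities
            if realm_of(u) == "" and route(u, handlers) == PROXY]


# Constructed sample identities: bare netid, trailing '@', home and visitor realms.
SAMPLES = ["jdoe", "jdoe@", "jdoe@uic.edu", "JDOE@UIC.EDU", "guest@example.org"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:22} before={route(name, BEFORE):18} after={route(name, AFTER)}")
    print("leaked before:", leaked_upstream(SAMPLES, BEFORE))
    print("leaked after: ", leaked_upstream(SAMPLES, AFTER))
```

Running the same sample identities through a candidate rule order before deploying it gives a quick check that nothing without a realm reaches the upstream proxy.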
