[RADIATOR] we're sending empty realms to eduroam tlrs servers

Jethro R Binks jethro.binks at strath.ac.uk
Mon Jul 26 09:29:56 UTC 2021


On Fri, 23 Jul 2021, Ullfig, Roberto Alfredo wrote:

> "move closer" is just the message the wifi client is printing out - a 
> very user-unfriendly message for forgetting to enter your domain. The 
> problem is that our regular WiFi requires just a netid (no domain) and 
> Eduroam requires the domain and it's a common configuration mixup for 
> our users. I think a good solution going forward would be to support the 
> domain in regular Wifi (while also supporting just the netid for current 
> configurations) and then advertise that in our documentation.

Or -- and this is commonplace in Europe but there seems to be a lot of 
intransigence US-side -- don't have a separate "regular WiFi" network - 
just use Eduroam for routine end user use.  Then eduroam automatically 
just works for everyone when they are travelling, since it's the same 
network they used back home.

Jethro.



> 
> ---
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
> ________________________________
> From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
> Sent: Friday, July 23, 2021 10:41 AM
> To: radiator at lists.open.com.au <radiator at lists.open.com.au>
> Subject: Re: [RADIATOR] we're sending empty realms to eduroam tlrs servers
> 
> On 23.7.2021 18.03, Ullfig, Roberto Alfredo wrote:
> > Can we specify the error message to return to the user with:
> >
> > RejectReason you must specify your domain...
> >
> > or must that be done on the wireless controller?
> 
> I think the wireless controller would need to take Reply-Message
> attribute contents from Access-Reject and somehow send it to the
> wireless client.
> 
> I'm not completely sure, but I don't think it's possible. The EAP
> messaging that goes over the wireless hop isn't capable to do it, I'd say.
> 
> One option might be to create a Handler for realmless users that
> authenticates them and then drops them to a VLAN which is a walled
> garden. There they would always be redirected to a web page with
> information about what they should do to get full access. It might be a
> bit heave solution though.
> 
> > Currently when a user fails to enter their domain the error message they
> > get says to "move closer".
> 
> Is that something you generate locally or does it come from somewhere
> else, such as, eduroam?
> 
> Thanks,
> Heikki
> 
> > ---
> > Roberto Ullfig - rullfig at uic.edu
> > Systems Administrator
> > Enterprise Applications & Services | Technology Solutions
> > University of Illinois - Chicago
> > ------------------------------------------------------------------------
> > *From:* radiator <radiator-bounces at lists.open.com.au> on behalf of
> > Heikki Vatiainen <hvn at open.com.au>
> > *Sent:* Wednesday, July 14, 2021 12:05 PM
> > *To:* radiator at lists.open.com.au <radiator at lists.open.com.au>
> > *Subject:* Re: [RADIATOR] we're sending empty realms to eduroam tlrs
> > servers
> >
> >
> > On 13.7.2021 22.38, Ullfig, Roberto Alfredo wrote:
> >> So I noticed a doc here for handling empty realms:
> >>
> >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.geant.org%2Fpages%2Fviewpage.action%3FpageId%3D121346324&data=04%7C01%7Crullfig%40uic.edu%7C729062472404475be16308d946e9cede%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637618792275449703%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=RNp0yd6TCOW%2Fbrz6V2Gai1Z8UEMiYi0RZTN82HXjNdc%3D&reserved=0
> > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.geant.org%2Fpages%2Fviewpage.action%3FpageId%3D121346324&data=04%7C01%7Crullfig%40uic.edu%7C729062472404475be16308d946e9cede%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637618792275449703%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=RNp0yd6TCOW%2Fbrz6V2Gai1Z8UEMiYi0RZTN82HXjNdc%3D&reserved=0>
> >
> >>
> >> Are the Handlers executed in order from top to bottom?
> >
> > Yes. The handler order, Handler check items, '...' in <Handler ...>, and
> > Handler - Realm relationship is discussed in more detail here:
> >
> > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffiles.radiatorsoftware.com%2Fradiator%2Fref%2FHandler.html&data=04%7C01%7Crullfig%40uic.edu%7C729062472404475be16308d946e9cede%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637618792275449703%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7PeV5r7PeUvK4gsVkv90LQyC9JtQmAKyNBbfpXw9JSQ%3D&reserved=0
> > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffiles.radiatorsoftware.com%2Fradiator%2Fref%2FHandler.html&data=04%7C01%7Crullfig%40uic.edu%7C729062472404475be16308d946e9cede%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637618792275449703%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7PeV5r7PeUvK4gsVkv90LQyC9JtQmAKyNBbfpXw9JSQ%3D&reserved=0>
> >
> > Thanks,
> > Heikki
> >
> > --
> > Heikki Vatiainen <hvn at open.com.au>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> > EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
> > _______________________________________________
> > radiator mailing list
> > radiator at lists.open.com.au
> > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&data=04%7C01%7Crullfig%40uic.edu%7C729062472404475be16308d946e9cede%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637618792275449703%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dp4a19ZL9cZ4h2L23R%2BOKSu4AGR6QPf%2FudEomA6Vok8%3D&reserved=0
> > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&data=04%7C01%7Crullfig%40uic.edu%7C729062472404475be16308d946e9cede%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637618792275449703%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dp4a19ZL9cZ4h2L23R%2BOKSu4AGR6QPf%2FudEomA6Vok8%3D&reserved=0>
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at lists.open.com.au
> > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&data=04%7C01%7Crullfig%40uic.edu%7C8131db3bc1fa4b65f06c08d94df08e78%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637626517841023119%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=84yoWdoCNRqG11z3xpzesjgTgHCRruX8dDnvO1ybEWw%3D&reserved=0
> >
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&data=04%7C01%7Crullfig%40uic.edu%7C8131db3bc1fa4b65f06c08d94df08e78%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637626517841023119%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=84yoWdoCNRqG11z3xpzesjgTgHCRruX8dDnvO1ybEWw%3D&reserved=0
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.


More information about the radiator mailing list