[RADIATOR] we're sending empty realms to eduroam tlrs servers

Dubravko Penezic dpenezic at srce.hr
Mon Jul 26 09:47:02 UTC 2021


Hi all,

Many things were said before, and I would like to add a few other things.

* Until now, no wpa supplicant software solution has been able to show
the user the Reply-Message after a Reject (that would help us a lot if it were
possible, because we (eduroam) have some other issues we would like to solve).

* RADIATOR is a highly configurable software application, so you may do
many things beyond the standard configuration (I personally use that feature
a lot).

* I test the username of the RADIUS request at the start of every single request and
have a decision tree for what to do if some format of username appears
(based on type of request, AP IP, etc.).

* We suggest at the national level that all institutions in the academic and
educational field use only eduroam; with 802.1q you may add additional
network privileges (we don't suggest using that); instead we suggest
using a VPN for additional privileges, because that will work on any network.

Hope that helps.

Regards,
Dubravko Penezic


On 7/26/21 11:29 AM, Jethro R Binks wrote:
> On Fri, 23 Jul 2021, Ullfig, Roberto Alfredo wrote:
> 
>> "move closer" is just the message the wifi client is printing out - a 
>> very user-unfriendly message for forgetting to enter your domain. The 
>> problem is that our regular WiFi requires just a netid (no domain) and 
>> Eduroam requires the domain and it's a common configuration mixup for 
>> our users. I think a good solution going forward would be to support the 
>> domain in regular Wifi (while also supporting just the netid for current 
>> configurations) and then advertise that in our documentation.
> 
> Or -- and this is commonplace in Europe but there seems to be a lot of 
> intransigence US-side -- don't have a separate "regular WiFi" network - 
> just use Eduroam for routine end user use.  Then eduroam automatically 
> just works for everyone when they are travelling, since it's the same 
> network they used back home.
> 
> Jethro.
> 
> 
> 
>>
>> ---
>> Roberto Ullfig - rullfig at uic.edu
>> Systems Administrator
>> Enterprise Applications & Services | Technology Solutions
>> University of Illinois - Chicago
>> ________________________________
>> From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
>> Sent: Friday, July 23, 2021 10:41 AM
>> To: radiator at lists.open.com.au <radiator at lists.open.com.au>
>> Subject: Re: [RADIATOR] we're sending empty realms to eduroam tlrs servers
>>
>> On 23.7.2021 18.03, Ullfig, Roberto Alfredo wrote:
>>> Can we specify the error message to return to the user with:
>>>
>>> RejectReason you must specify your domain...
>>>
>>> or must that be done on the wireless controller?
>>
>> I think the wireless controller would need to take Reply-Message
>> attribute contents from Access-Reject and somehow send it to the
>> wireless client.
>>
>> I'm not completely sure, but I don't think it's possible. The EAP
>> messaging that goes over the wireless hop isn't capable of doing it, I'd say.
>>
>> One option might be to create a Handler for realmless users that
>> authenticates them and then drops them to a VLAN which is a walled
>> garden. There they would always be redirected to a web page with
>> information about what they should do to get full access. It might be a
>> bit heavy solution though.
>>
>>> Currently when a user fails to enter their domain the error message they
>>> get says to "move closer".
>>
>> Is that something you generate locally or does it come from somewhere
>> else, such as, eduroam?
>>
>> Thanks,
>> Heikki
>>
>>> ---
>>> Roberto Ullfig - rullfig at uic.edu
>>> Systems Administrator
>>> Enterprise Applications & Services | Technology Solutions
>>> University of Illinois - Chicago
>>> ------------------------------------------------------------------------
>>> *From:* radiator <radiator-bounces at lists.open.com.au> on behalf of
>>> Heikki Vatiainen <hvn at open.com.au>
>>> *Sent:* Wednesday, July 14, 2021 12:05 PM
>>> *To:* radiator at lists.open.com.au <radiator at lists.open.com.au>
>>> *Subject:* Re: [RADIATOR] we're sending empty realms to eduroam tlrs
>>> servers
>>>
>>>
>>> On 13.7.2021 22.38, Ullfig, Roberto Alfredo wrote:
>>>> So I noticed a doc here for handling empty realms:
>>>>
>>>> https://wiki.geant.org/pages/viewpage.action?pageId=121346324
>>>
>>>>
>>>> Are the Handlers executed in order from top to bottom?
>>>
>>> Yes. The handler order, Handler check items, '...' in <Handler ...>, and
>>> Handler - Realm relationship is discussed in more detail here:
>>>
>>> https://files.radiatorsoftware.com/radiator/ref/Handler.html
>>>
>>> Thanks,
>>> Heikki
>>>
>>> --
>>> Heikki Vatiainen <hvn at open.com.au>
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
>>> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
>>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at lists.open.com.au
>>> https://lists.open.com.au/mailman/listinfo/radiator
>>>
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
>> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
>> _______________________________________________
>> radiator mailing list
>> radiator at lists.open.com.au
>> https://lists.open.com.au/mailman/listinfo/radiator
>>
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
> 
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
> 
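The thread makes two practical points: Handlers are tried top to bottom and the first match wins, and realmless usernames (no '@', or nothing after it) should be caught before anything proxies them towards the eduroam top-level servers, either by rejecting them or, as Heikki suggests, by accepting them into a walled-garden VLAN. The block below is an added example that models that decision tree in Python so the ordering can be tested against sample usernames. It is not Radiator configuration or code from the list; LOCAL_REALMS, WALLED_GARDEN_VLAN, the help-text string and the "realm must look like a DNS name" rule are assumptions made for the example.

```python
"""Added example: a first-match decision tree for RADIUS User-Name values.

Illustrative Python, not Radiator configuration. It models the handler
ordering discussed on the list (top to bottom, first match wins) and the two
suggestions made there: inspect the username before any handler does real
work, and park realmless users in a walled-garden VLAN instead of forwarding
them to the eduroam proxies.
"""
import re
from dataclasses import dataclass, field

LOCAL_REALMS = {"example.edu"}  # assumed: realms this institution authenticates itself
WALLED_GARDEN_VLAN = "900"      # assumed: VLAN that only reaches the "add your domain" page

# RFC 7542 NAI shapes: username, "@" realm, or username "@" realm.
_NAI_RE = re.compile(r"^(?P<user>[^@]*)@(?P<realm>[^@]*)$")
# Assumed rule for a realm worth proxying: DNS-style labels with at least one dot.
_REALM_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$"
)


@dataclass(frozen=True)
class Decision:
    action: str                                 # "local", "proxy", "walled_garden" or "reject"
    realm: str = ""
    reply: dict = field(default_factory=dict)   # RADIUS reply attributes to add
    reason: str = ""


def _walled_garden(reason: str) -> Decision:
    # Accept the session but steer it into a VLAN that only reaches the help page.
    # Reply-Message is added for the logs; as the thread notes, the supplicant
    # usually cannot display it to the user.
    return Decision(
        action="walled_garden",
        reply={
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": WALLED_GARDEN_VLAN,
            "Reply-Message": "Please configure your username as user@realm",
        },
        reason=reason,
    )


def classify(user_name: str) -> Decision:
    """Walk the checks in order; the first one that matches decides."""
    name = user_name.strip()
    # 1. Anything that cannot be an NAI is rejected before any proxying happens.
    if (not name or name.count("@") > 1
            or any(c.isspace() or ord(c) < 0x20 for c in name)):
        return Decision(action="reject", reason="malformed User-Name")
    # 2. No '@' at all: a local user who forgot the domain.
    if "@" not in name:
        return _walled_garden("no realm in User-Name")
    realm = _NAI_RE.match(name).group("realm").lower()
    # 3. 'user@' with nothing after it: same mistake, same treatment. This is
    #    the empty realm that must never reach the eduroam top-level servers.
    if not realm:
        return _walled_garden("empty realm after '@'")
    # 4. Our own realm: authenticate locally.
    if realm in LOCAL_REALMS:
        return Decision(action="local", realm=realm)
    # 5. A realm that is not a DNS-style name is rejected rather than proxied.
    if not _REALM_RE.match(realm):
        return Decision(action="reject", realm=realm, reason="realm is not a DNS name")
    # 6. A foreign, well-formed realm: hand it to the federation proxy.
    return Decision(action="proxy", realm=realm)


def route(user_names):
    """Classify a batch of usernames, e.g. a column pulled from a RADIUS log."""
    return [(u, classify(u).action) for u in user_names]


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real log.
    samples = ["jsmith", "jsmith@", "anonymous@example.edu",
               "anonymous@uni.example.org", "x@localhost", "a@b@c"]
    for user, action in route(samples):
        print(f"{user:28} -> {action}")
```

The order of the checks is the point: if the local-realm and catch-all proxy rules came first, "jsmith@" would be forwarded upstream with an empty realm, which is exactly the behaviour the thread subject complains about. In Radiator the same effect comes from placing the realmless Handler above the Realm-specific and default Handlers, since they are evaluated top to bottom.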


