hey, yes we are talking about eduroam and after reading your post, it seems like it is best to deny such users.
thanks a lot
-euroreg

On Wed, Oct 7, 2009 at 2:44 PM, Stefan Winter <stefan.win...@restena.lu> wrote:

> Hi,
>
> > problem is, that we are a university, so they are "our" people.
> > thousands of students and teachers. if we deny those users, our
> > helpdesk will get more work.
> > is there a way to remove the double entries or do i have to block those?
>
> Any chance we are talking about eduroam? In this case: doing something
> locally to make it work for these users even with misconfigured devices
> is *not* going to do any good, and you will have helpdesk trouble as
> soon as your users roam.
>
> The rationale being straightforward: you "fix" your local realm
> stripping, misconfigured clients are happy on your campus. Then they go
> to other hotspots without your magic fixes, and roaming will break. At
> some point they come back and whine, and you have to negotiate with the
> remote side logs to figure their weird settings prevented them from
> roaming. Then you still have to re-config the devices.
>
> Not to mention that it damages the eduroam brand, since these people
> will believe "roaming doesn't work".
>
> Contrary to that, changing one setting once on those few (I guess - not
> everyone on your campus uses Nokia cell phones, do they?) misconfigured
> clients will fix the issue permanently and globally. I'm shepherding
> about 10000 end-users myself on an eduroam IdP setup, and a HOWTO for
> Symbian which highlights neuralgic parts seems to work for me (at least
> I don't drown in user requests, and still have time to read and write
> freeradius-users :-) ).
>
> Greetings,
>
> Stefan Winter
>
> > -euroreg
> >
> > On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> >
> > Hi,
> >
> > > we do have one realm configured domainname.com which works perfectly. every
> > > user who wants to authenticate with a different realm is proxied to an
> > > outside radius server. the setup works fine.
> > >
> > > we do have some mobile devices who send something like:
> > > usern...@company.com@wlan.mnc003.mc
> > > usern...@company.com@Verisign...
> >
> > as Stefan says - this looks suspiciously like Nokia Symbian clients.
> > if the client hasn't been configured correctly it will send the CN
> > of the certificate as the realm details...and other things - so you get
> > that double realm issue... which might get to you via external proxy..
> > or might not.
> >
> > reject if you see more than one @ - or, if these are your people,
> > find them and fix their client. (in case of Nokia, it's ensure that the
> > realm is specified rather than left to default setting.)
> >
> > alan
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
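
The rule discussed in the thread (reject any User-Name with more than one "@", and find the local users who send such names so their clients can be fixed), sketched as an added Python example that is not part of the original messages and not FreeRADIUS code. The function names, the sample names and the handling of names without a realm are assumptions; `domainname.com` is the local realm as named in the thread.

```python
from collections import Counter, defaultdict

LOCAL_REALM = "domainname.com"  # local realm as named in the thread


def classify(user_name, local_realm=LOCAL_REALM):
    """Return (decision, intended_identity, trailing_text) for one User-Name."""
    parts = user_name.split("@")
    if len(parts) == 1:
        # No realm at all: handling is local policy, not covered in the thread.
        return ("no-realm", user_name, None)
    if "" in parts[:2]:
        # Empty user or realm part, e.g. "@realm" or "user@".
        return ("reject", None, None)
    intended = parts[0] + "@" + parts[1]
    if len(parts) > 2:
        # More than one "@": the rule from the thread is to reject.
        return ("reject", intended, "@".join(parts[2:]))
    where = "local" if parts[1].lower() == local_realm else "proxy"
    return (where, intended, None)


def helpdesk_report(user_names, local_realm=LOCAL_REALM):
    """Count double-realm rejects per intended identity, local realm only."""
    hits = defaultdict(Counter)
    for name in user_names:
        decision, intended, trailing = classify(name, local_realm)
        if decision != "reject" or intended is None:
            continue
        if intended.lower().endswith("@" + local_realm):
            hits[intended][trailing] += 1
    return {who: dict(seen) for who, seen in sorted(hits.items())}


# Constructed sample values, not taken from any real log.
SAMPLE = [
    "alice@domainname.com",
    "bob@partner.example",
    "carol@domainname.com@wlan.mnc003.example",
    "carol@domainname.com@wlan.mnc003.example",
    "dave@domainname.com@ExampleCA",
    "frank@partner.example@ExampleCA",
    "erin",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{classify(name)[0]:9} {name}")
    for who, seen in helpdesk_report(SAMPLE).items():
        print("fix client config for", who, seen)
```

The report lists only identities whose first realm is the local one, since a visitor's home institution is the party that can fix that visitor's client.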