Using machine auth from a remote eduroam site
Graham Clinch
g.clinch at lancaster.ac.uk
Mon Mar 26 21:52:34 CEST 2018
Hi Alex,
> We now want to enable our managed laptops to connect to eduroam at a
> remote site using machine authentication using EAP-TTLS.
>
> I've got part of the way in that I can see an inbound request from
> host/<fqdn of laptop> and a failure
Have you found a Windows knob to append an NAI-style realm to the
advertised username of 'host/computer.ad.domain'? I'd be very
interested to know more if you had! If not I guess you'll be looking to
the remote site to proxy around the side of the eduroam national
proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?)
We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication,
with only a single mschap instance - it feels to me like you could be
missing rewriting the computer's 'username' to 'computername$'.
Our configuration has diverged substantially from the stock freeradius
configuration, but here's a hopefully useful snippet:
-=-
server peap-inner {
    authorize {
        filter_username
        filter_inner_identity
        suffix
        if (!ok) {
            update request {
                &Module-Failure-Message += 'Inner realm not local'
            }
            reject
        }

        # Only lancs.local computer accounts can authenticate without a realm
        if (&Realm == "NULL") {
            if (&User-Name =~ /^host\/(.+)\.lancs\.local$/) {
                update request {
                    &Stripped-User-Name := "%{1}$"
                }
            } else {
                update request {
                    &Module-Failure-Message += 'Only lancs.local computer account authentication is available without an NAI realm'
                }
                reject
            }
        }
        [...]
-=-
Graham
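The inner-identity policy in the snippet above, re-expressed as a small Python model so the rewrite rules can be exercised against sample identities offline. This is an added example, not Graham's configuration or FreeRADIUS code: the local realm set (example.ac.uk) is constructed, and the `suffix` module is reduced to "split on the last '@', Realm is the string NULL when there is none" rather than its real return-code behaviour. The anchored regex is the same as in the snippet; the test cases show why the `$` anchor matters, since an unanchored pattern would also accept a host name that merely starts with something under lancs.local.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Realms this server treats as local (constructed value for the example).
LOCAL_REALMS = {"example.ac.uk"}

# Same pattern as the unlang snippet.  Both anchors are load-bearing:
# without '$', 'host/pc.lancs.local.attacker.example' would also match.
HOST_ACCOUNT_RE = re.compile(r"^host/(.+)\.lancs\.local$")


@dataclass
class Decision:
    action: str                               # "ok" or "reject"
    stripped_user_name: Optional[str] = None  # what MSCHAP would authenticate
    failure_message: Optional[str] = None     # Module-Failure-Message text


def split_nai(user_name: str) -> Tuple[str, str]:
    """Simplified stand-in for rlm_realm in 'suffix' mode: split on the
    last '@'.  With no '@' the Realm is the literal string "NULL", which is
    what the snippet compares against."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    return user_name, "NULL"


def inner_identity_policy(user_name: str) -> Decision:
    """Model of the peap-inner authorize policy from the snippet."""
    user, realm = split_nai(user_name)

    # Realm present: only local realms may authenticate on this inner server.
    if realm != "NULL":
        if realm.lower() not in LOCAL_REALMS:
            return Decision("reject", failure_message="Inner realm not local")
        return Decision("ok", stripped_user_name=user)

    # No realm: only a lancs.local computer account is allowed, rewritten
    # from host/<computer>.lancs.local to the AD account form <computer>$.
    m = HOST_ACCOUNT_RE.match(user_name)
    if m:
        return Decision("ok", stripped_user_name=f"{m.group(1)}$")
    return Decision(
        "reject",
        failure_message=("Only lancs.local computer account authentication "
                         "is available without an NAI realm"),
    )


if __name__ == "__main__":
    for ident in ("host/laptop01.lancs.local",
                  "host/laptop01.lancs.local.attacker.example",
                  "alice@example.ac.uk",
                  "alice@other.example",
                  "alice"):
        print(f"{ident!r:50} -> {inner_identity_policy(ident)}")
```

Running the block prints one decision per sample identity; the host-account case yields `laptop01$`, which is the form the text says MSCHAP needs to see for a computer account.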