Eduroam and setting identity privacy in Windows

Sat Feb 9 10:05:23 CET 2019

Hi Matthew,

Thanks for the advice on this. Yes, I think the real problem here is the
eduroam username format (uid at domain.com) not being compatible with the one
that windows generates (WINSDOMAIN\uid). I figure that even though this
isn't directly freeradius related, this forum is probably still the best
place to ask PEAP related questions.

I think part of our problem here is we're trying to use eduroam for
something it wasn't designed for. If it doesn't fit, hopefully I can
convince networks to set up something else suitable instead. One thing I
have noted in the eduroam T's and C's - connections must be traceable,
generally this is interpretted as user authentication, though machine
authentication is also acceptable as long as we record logins.

I'll let you know how I get on with all this.

cheers

Jim

On Fri, 8 Feb 2019 at 16:47, Matthew Newton <mcn at freeradius.org> wrote:

> On Fri, 2019-02-08 at 16:36 +0000, Jim Potter wrote:
> > What I would like to achieve is authentication to happen
> > invisibly where possible - our laptops would perform machine
> > authentication, users would log in and would re-authenticate to
> > wireless invisibly (currently each user needs to set up the wireless
> > connection on each device the use - this is really bad from a user
> > experience point of view, especially for students using laptops from
> > a bank). Has anyone else had any success doing anything like this?
>
> So you probably need to set up EAP-TLS to authenticate using a
> certificate, rather than logging in with a username/password.
>
> Convenient if they're domain-joined, as the certificate handling is all
> done for you.
>
> > Computer authentication comes in the form
> > host/mypc.bathspa.ac.uk and users in the format DOMAIN\myusername,
> > not myusername at bathspa.ac.uk as required by eduroam.
>
> You need to push group policy onto the Windows laptops to force them to
> do this. It's certainly possible from what I remember, but you're
> right, there's nothing you can do on FreeRADIUS to force this, it's a
> Windows issue.
>
> > I've updated the policy files on FreeRadius to authenticate the above
> > formats successfully, but if staff are to be able to use their
> > devices on remote eduroam sites, they need either their username ( at
> > least their anonymous ID/identity privacy name) to be sent in the
> > format someone at bathspa.ac.uk
>
> Exactly. Otherwise eduroam has nothing to go on when proxying the
> authentication.
>
> Also remember eduroam rules being you need to know who everyone is.
> That generally means that you either use usernames and passwords (and
> not a username per machine), or you use certificates and assign the
> laptop for one person to use only. It pretty much rules out shared
> laptops (unless they are used only on your own network, in which case
> of course domain based login is fine as it will also stop them from
> roaming.)
>
> --
> Matthew
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-- 
thanks,

Jim Potter
User Platform Engineer
IT Services
Bath Spa University

T: 01225 876220
Visit www.bathspa.ac.uk
Join us on: Facebook <http://www.facebook.com/bath.spa.university>| Twitter
<https://twitter.com/#!/BathSpaUni>| YouTube
<http://www.youtube.com/BathSpaUniversity>| LinkedIn
<http://www.linkedin.com/company/bath-spa-university>
Newton Park, Bath, BA2 9BN

Think before you print

Disclaimer
If you have received this message in error, please notify us and remove it
from your system. Any views or opinions expressed in personal emails are
solely those of the author and do not necessarily represent those of Bath
Spa University. Neither Bath Spa University nor the sender accepts any
responsibility for viruses and it is your responsibility to scan this email
and any attachments for viruses.