On 26 Mar 2018, at 22:16, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
What we were originally doing wa using eap-ttls. In windows we could set the outer UserName to be @york.ac.uk and the inner UserName to be itsyork/<userid> ... problem was that it worked for wired 802.1x but not wifi dot1x. We're nowtrying a Securew2 driver to get round the issue wih the windows built in eap-ttls setup.
What our desktop people have done is do a machine auth using eap-ttls with outer username=@york.ac.uk. This does get as far as our ORPS systems from a remote eduroam site and the only thing wrong is at the mschap level which I guess is due to my use of stripped user name.
Why not use EAP-TLS ? because although I have a cloudpath one stop server for cert management its not a windows PKI so they're waiting until one is available. They are planning on using TLS when that PKI is available.
Alex, At Loughborough for BYOD users we issue certs from cloudpath. However, for managed windows machines we get the AD to issue a cert with machine-name@realm. Then we have added the AD CA certs to the trusted CA list on the RADIUS server. The certificate management on the managed devices is handled by the AD. Regards Scott