What we were originally doing wa using eap-ttls. In windows we could set the outer UserName to be @york.ac.uk and the inner UserName to be itsyork/<userid> ... problem was that it worked for wired 802.1x but not wifi dot1x. We're nowtrying a Securew2 driver to get round the issue wih the windows built in eap-ttls setup. What our desktop people have done is do a machine auth using eap-ttls with outer username=@york.ac.uk. This does get as far as our ORPS systems from a remote eduroam site and the only thing wrong is at the mschap level which I guess is due to my use of stripped user name. Why not use EAP-TLS ? because although I have a cloudpath one stop server for cert management its not a windows PKI so they're waiting until one is available. They are planning on using TLS when that PKI is available. Rgds A On 26 March 2018 at 21:04, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 26, 2018, at 3:52 PM, Graham Clinch <g.clinch@lancaster.ac.uk> wrote:
Have you found a Windows knob to append an NAI-style realm to the the advertised username of 'host/computer.ad.domain'?
Windows has essentially zero configuration for this.
TBH, I wouldn't recommend authenticating machines to Eduroam. It's *much* better to authenticate people.
Plus, you can specify an NAI like "user@domain" for people. You can't really do that for hosts.
I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?)
It's possible. But, the ore unusual your configuration, the less likely it is to work everywhere.
We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'.
Don't re-write User-Names in a proxy. It will break EAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html