11 Feb
2019
11 Feb
'19
5:56 a.m.
We use eap-tls on eduroam .... works just fine, Either set cert CN to include your realm or set anonymous identity =@realm Rgds A On Mon, 11 Feb 2019 at 09:14, Jim Potter <j.potter@bathspa.ac.uk> wrote: > Ok, certificates is an avenue I hadn't considered... I wasn't aware that > this was an option with eduroam (I'd just assumed we had to use PEAP). Have > you set something like this with eduroam in the past, or do you know if any > other universities have had this working? > > So by setting the realm in the certificates, will the eduroam radius > servers forward the request correctly? I think I need to read up on this. > > thanks for the lead! > > Jim > > On Sat, 9 Feb 2019 at 14:23, Alan Buxey <alan.buxey@gmail.com> wrote: > > > Will, as you've said, it will work locally, you can ensure that with your > > own policies. It's just that it won't work at other remote eduroam sites > > (much like when users are allowed locally to login with just username > > without realm 'for convenience') > > > > Using certificates , that have correct realm info, is the only way to > avoid > > users needing to know right format of username and password etc. That can > > be done by group policy or via user self driven certificate onboarding > > process > > > > alan > > > > On Sat, 9 Feb 2019, 09:05 Jim Potter <j.potter@bathspa.ac.uk wrote: > > > > > Hi Matthew, > > > > > > Thanks for the advice on this. Yes, I think the real problem here is > the > > > eduroam username format (uid@domain.com) not being compatible with the > > one > > > that windows generates (WINSDOMAIN\uid). I figure that even though this > > > isn't directly freeradius related, this forum is probably still the > best > > > place to ask PEAP related questions. > > > > > > I think part of our problem here is we're trying to use eduroam for > > > something it wasn't designed for. If it doesn't fit, hopefully I can > > > convince networks to set up something else suitable instead. One thing > I > > > have noted in the eduroam T's and C's - connections must be traceable, > > > generally this is interpretted as user authentication, though machine > > > authentication is also acceptable as long as we record logins. > > > > > > I'll let you know how I get on with all this. > > > > > > cheers > > > > > > Jim > > > > > > On Fri, 8 Feb 2019 at 16:47, Matthew Newton <mcn@freeradius.org> > wrote: > > > > > > > On Fri, 2019-02-08 at 16:36 +0000, Jim Potter wrote: > > > > > What I would like to achieve is authentication to happen > > > > > invisibly where possible - our laptops would perform machine > > > > > authentication, users would log in and would re-authenticate to > > > > > wireless invisibly (currently each user needs to set up the > wireless > > > > > connection on each device the use - this is really bad from a user > > > > > experience point of view, especially for students using laptops > from > > > > > a bank). Has anyone else had any success doing anything like this? > > > > > > > > So you probably need to set up EAP-TLS to authenticate using a > > > > certificate, rather than logging in with a username/password. > > > > > > > > Convenient if they're domain-joined, as the certificate handling is > all > > > > done for you. > > > > > > > > > Computer authentication comes in the form > > > > > host/mypc.bathspa.ac.uk and users in the format DOMAIN\myusername, > > > > > not myusername@bathspa.ac.uk as required by eduroam. > > > > > > > > You need to push group policy onto the Windows laptops to force them > to > > > > do this. It's certainly possible from what I remember, but you're > > > > right, there's nothing you can do on FreeRADIUS to force this, it's a > > > > Windows issue. > > > > > > > > > I've updated the policy files on FreeRadius to authenticate the > above > > > > > formats successfully, but if staff are to be able to use their > > > > > devices on remote eduroam sites, they need either their username ( > at > > > > > least their anonymous ID/identity privacy name) to be sent in the > > > > > format someone@bathspa.ac.uk > > > > > > > > Exactly. Otherwise eduroam has nothing to go on when proxying the > > > > authentication. > > > > > > > > Also remember eduroam rules being you need to know who everyone is. > > > > That generally means that you either use usernames and passwords (and > > > > not a username per machine), or you use certificates and assign the > > > > laptop for one person to use only. It pretty much rules out shared > > > > laptops (unless they are used only on your own network, in which case > > > > of course domain based login is fine as it will also stop them from > > > > roaming.) > > > > > > > > -- > > > > Matthew > > > > > > > > > > > > - > > > > List info/subscribe/unsubscribe? See > > > > http://www.freeradius.org/list/users.html > > > > > > > > > > > > -- > > > thanks, > > > > > > Jim Potter > > > User Platform Engineer > > > IT Services > > > Bath Spa University > > > > > > T: 01225 876220 > > > Visit www.bathspa.ac.uk > > > Join us on: Facebook <http://www.facebook.com/bath.spa.university>| > > > Twitter > > > <https://twitter.com/#!/BathSpaUni>| YouTube > > > <http://www.youtube.com/BathSpaUniversity>| LinkedIn > > > <http://www.linkedin.com/company/bath-spa-university> > > > Newton Park, Bath, BA2 9BN > > > > > > Think before you print > > > > > > Disclaimer > > > If you have received this message in error, please notify us and remove > > it > > > from your system. Any views or opinions expressed in personal emails > are > > > solely those of the author and do not necessarily represent those of > Bath > > > Spa University. Neither Bath Spa University nor the sender accepts any > > > responsibility for viruses and it is your responsibility to scan this > > email > > > and any attachments for viruses. > > > - > > > List info/subscribe/unsubscribe? See > > > http://www.freeradius.org/list/users.html > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > > -- > thanks, > > Jim Potter > User Platform Engineer > IT Services > Bath Spa University > > T: 01225 876220 > Visit www.bathspa.ac.uk > Join us on: Facebook <http://www.facebook.com/bath.spa.university>| > Twitter > <https://twitter.com/#!/BathSpaUni>| YouTube > <http://www.youtube.com/BathSpaUniversity>| LinkedIn > <http://www.linkedin.com/company/bath-spa-university> > Newton Park, Bath, BA2 9BN > > Think before you print > > Disclaimer > If you have received this message in error, please notify us and remove it > from your system. Any views or opinions expressed in personal emails are > solely those of the author and do not necessarily represent those of Bath > Spa University. Neither Bath Spa University nor the sender accepts any > responsibility for viruses and it is your responsibility to scan this email > and any attachments for viruses. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html