Hi Alex,
We now want to enable our managed laptops to connect to eduroam at a remote site using machine authentication using EAP-TTLS.
I've got part of the way in that I can see an inbound request from host/<fqdn of laptop> and a failure
Have you found a Windows knob to append an NAI-style realm to the the advertised username of 'host/computer.ad.domain'? I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?) We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'. Our configuration has diverged substantially from the stock freeradius configuration, but here's a hopefully useful snippet: -=- server peap-inner { authorize { filter_username filter_inner_identity suffix if (!ok) { update request { &Module-Failure-Message += 'Inner realm not local' } reject } # Only lancs.local computer accounts can authenticate without a realm if (&Realm == "NULL") { if (&User-Name =~ /^host\/(.+)\.lancs\.local$/) { update request { &Stripped-User-Name := "%{1}$" } } else { update request { &Module-Failure-Message += 'Only lancs.local computer account authentication is available without an NAI realm' } reject } [...] -=- Graham