On Fri, 2019-02-08 at 16:36 +0000, Jim Potter wrote:
What I would like to achieve is authentication to happen invisibly where possible - our laptops would perform machine authentication, users would log in and would re-authenticate to wireless invisibly (currently each user needs to set up the wireless connection on each device the use - this is really bad from a user experience point of view, especially for students using laptops from a bank). Has anyone else had any success doing anything like this?
So you probably need to set up EAP-TLS to authenticate using a certificate, rather than logging in with a username/password. Convenient if they're domain-joined, as the certificate handling is all done for you.
Computer authentication comes in the form host/mypc.bathspa.ac.uk and users in the format DOMAIN\myusername, not myusername@bathspa.ac.uk as required by eduroam.
You need to push group policy onto the Windows laptops to force them to do this. It's certainly possible from what I remember, but you're right, there's nothing you can do on FreeRADIUS to force this, it's a Windows issue.
I've updated the policy files on FreeRadius to authenticate the above formats successfully, but if staff are to be able to use their devices on remote eduroam sites, they need either their username ( at least their anonymous ID/identity privacy name) to be sent in the format someone@bathspa.ac.uk
Exactly. Otherwise eduroam has nothing to go on when proxying the authentication. Also remember eduroam rules being you need to know who everyone is. That generally means that you either use usernames and passwords (and not a username per machine), or you use certificates and assign the laptop for one person to use only. It pretty much rules out shared laptops (unless they are used only on your own network, in which case of course domain based login is fine as it will also stop them from roaming.) -- Matthew