Using machine auth from a remote eduroam site
Alan Buxey
alan.buxey at gmail.com
Mon Mar 26 19:42:49 CEST 2018
hi,
just a quick point that whilst host/ works locally, these are not
legitimate for global eduroam usage - they dont have correct realm
syntax for proxying around the
world so the auth will work at home but not away - unless you specify
a 2nd profile (eg in GPO) offering a 'user auth' (e.g. PEAP) method.
of course, since its
via GPO you can already have the profile pretty much populated
(correct CA, RADIUS server being checked etc) - just ask for user/pass
in correct format - ie user
education.
i've authed users and machines against AD without worrying about the
branch - they should be findable with a global auth - however, the
username is NOT going to be in
Stripped-User-Name - as there is no matching realm you have and
therefore that is not populated...so you need to use the usual 'if
this exists use this else use this' syntax eg
%{%{Stripped-User-Name}:%{User-Name}} - theres also the nt_domain_hack
in mschap to check/set - you need to run in debug mode for an
EAP-TLS client to check what is coming in and key off the
relevant part.
in previous role, we were moving away to EAP-TLS for these sorts of
things - quicker auths, less hit on AD, no need to use AD for authZ
etc. less moving parts to go wrong :)
alan
More information about the Freeradius-Users
mailing list