Using machine auth from a remote eduroam site

Alan Buxey alan.buxey at
Mon Mar 26 19:42:49 CEST 2018


just a quick point that whilst host/ works locally, these are not
legitimate for global eduroam usage - they dont have correct realm
syntax for proxying around the
world so the auth will work at home but not away - unless you specify
a 2nd profile (eg in GPO) offering a 'user auth' (e.g. PEAP) method.
of course, since its
via GPO you can already have the profile pretty much populated
(correct CA, RADIUS server being checked etc) - just ask for user/pass
in correct format - ie user

i've authed users and machines against AD without worrying about the
branch - they should be findable with a global auth - however, the
username is NOT going to be in
Stripped-User-Name - as there is no matching realm you have and
therefore that is not you need to use the usual  'if
this exists use this else use this' syntax eg
%{%{Stripped-User-Name}:%{User-Name}} - theres also the nt_domain_hack
in mschap to check/set -   you need to run in debug mode for an
EAP-TLS client to check what is coming in and key off the
relevant part.

in previous role, we were moving away to EAP-TLS for these sorts of
things - quicker auths, less hit on AD, no need to use AD for authZ
etc.  less moving parts to go wrong :)


More information about the Freeradius-Users mailing list