Using machine auth from a remote eduroam site

Graham Clinch g.clinch at
Mon Mar 26 21:52:34 CEST 2018

Hi Alex,

> We now want to enable our managed laptops to connect to eduroam at a
> remote site using machine authentication using EAP-TTLS.
> I've got part of the way in that I can see an inbound request from
> host/<fqdn of laptop> and a failure

Have you found a Windows knob to append an NAI-style realm to the 
advertised username of 'host/'?  I'd be very 
interested to know more if you had!  If not I guess you'll be looking to 
the remote site to proxy around the side of the eduroam national 
proxies?  (I have a feeling that is frowned upon by the eduroam tech-specs?)

We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, 
with only a single mschap instance - it feels to me like you could be 
missing rewriting the computer's 'username' to 'computername$'.

Our configuration has diverged substantially from the stock freeradius 
configuration, but here's a hopefully useful snippet:

server peap-inner {
     authorize {

         # Fail closed when the inner identity carries a realm that is not ours
         if (!ok) {
             update request {
                 &Module-Failure-Message += 'Inner realm not local'
             }
             reject
         }

         # Only lancs.local computer accounts can authenticate without an NAI realm
         if (&Realm == "NULL") {
             if (&User-Name =~ /^host\/(.+)\.lancs\.local$/) {
                 # host/<name>.lancs.local -> <name>$, the AD sAMAccountName mschap needs
                 update request {
                     &Stripped-User-Name := "%{1}$"
                 }
             } else {
                 update request {
                     &Module-Failure-Message += 'Only lancs.local computer account authentication is available without an NAI realm'
                 }
                 reject
             }
         }
     }
}

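The mapping the snippet above performs, as an added example that is not part of the post or of FreeRADIUS: a Python model of the peap-inner decision that takes the inner identity a Windows supplicant sends, splits off any NAI realm (FreeRADIUS reports the absent case as Realm == "NULL"), rejects foreign realms, and rewrites host/<fqdn> to the <name>$ account that mschap/ntlm_auth expects. It goes slightly beyond the post in two ways, both labelled in the code: the host/ rewrite is applied whether or not a realm is present, and a "routable" flag records whether a national proxy would have a realm to route on, which is the gap the original question is about. The lancs.local AD domain is taken from the post; the lancs.ac.uk NAI realm and the sample identities are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not from the post or the FreeRADIUS project. lancs.local is the
# AD domain named in the post; the NAI realm set below is an assumption.
LOCAL_AD_DOMAIN = "lancs.local"
LOCAL_NAI_REALMS = {"lancs.ac.uk"}   # assumed home realm(s) eduroam proxies route on

# Same shape as the unlang regex /^host\/(.+)\.lancs\.local$/, but restricted to a
# single DNS label so "host/a.b.lancs.local" cannot turn into "a.b$".
HOST_RE = re.compile(
    r"^host/(?P<short>[^./@]+)\." + re.escape(LOCAL_AD_DOMAIN) + r"$", re.IGNORECASE
)


@dataclass(frozen=True)
class Decision:
    routable: bool                     # does the identity carry a realm a proxy can route on?
    accept: bool                       # would the home peap-inner policy let it proceed?
    stripped_user_name: Optional[str]  # value handed on as Stripped-User-Name
    reason: str


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when there is no '@'."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def machine_account_name(user: str) -> Optional[str]:
    """host/<short>.<AD domain> -> '<short>$' (the sAMAccountName), else None."""
    m = HOST_RE.match(user)
    return m.group("short") + "$" if m else None


def inner_policy(identity: str) -> Decision:
    """Model of the peap-inner authorize logic, generalised so that a host/
    identity is rewritten whether or not an NAI realm is appended."""
    user, realm = split_nai(identity)
    routable = realm is not None

    if realm is not None and realm not in LOCAL_NAI_REALMS:
        return Decision(routable, False, None, "Inner realm not local")

    account = machine_account_name(user)
    if account is not None:
        return Decision(routable, True, account,
                        "computer account rewritten to sAMAccountName")

    if realm is None:
        return Decision(routable, False, None,
                        "Only lancs.local computer account authentication is "
                        "available without an NAI realm")

    return Decision(routable, True, user, "user account in a local realm")


if __name__ == "__main__":
    # Constructed sample identities in the form a Windows supplicant sends them.
    for ident in ("host/laptop01.lancs.local",
                  "host/laptop01.lancs.local@lancs.ac.uk",
                  "host/laptop01.other.local",
                  "jbloggs@lancs.ac.uk",
                  "jbloggs@example.edu"):
        print(f"{ident:42} -> {inner_policy(ident)}")
```

Two things the model makes visible that the config alone does not: a realm-less host/ identity is only ever usable at the home site (routable is False), and the single-label capture matters because the unlang (.+) would happily produce a multi-label "name" if a host ever sent a deeper FQDN. The match here is case-insensitive; the unlang regex in the post is case-sensitive unless it carries the /i flag, which is worth checking if computer names are not consistently lower-case in the supplicant identity.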
