Using machine auth from a remote eduroam site
Alan DeKok
aland at deployingradius.com
Mon Mar 26 22:04:18 CEST 2018
On Mar 26, 2018, at 3:52 PM, Graham Clinch <g.clinch at lancaster.ac.uk> wrote:
> Have you found a Windows knob to append an NAI-style realm to the advertised username of 'host/computer.ad.domain'?
Windows has essentially zero configuration for this.
TBH, I wouldn't recommend authenticating machines to Eduroam. It's *much* better to authenticate people.
Plus, you can specify an NAI like "user@domain" for people. You can't really do that for hosts.
> I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?)
It's possible. But, the more unusual your configuration, the less likely it is to work everywhere.
> We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'.
Don't re-write User-Names in a proxy. It will break EAP.
Alan DeKok.