Using machine auth from a remote eduroam site

Alex Sharaz alex.sharaz at
Mon Mar 26 23:16:04 CEST 2018

What we were originally doing was using eap-ttls. In Windows we could
set the outer UserName to be and the inner UserName to be
itsyork/<userid> ... problem was that it worked for wired 802.1x but
not wifi dot1x. We're now trying a SecureW2 driver to get round the
issue with the Windows built-in eap-ttls setup.

What our desktop people have done is do a machine auth using eap-ttls
with outer  This does get as far as our ORPS
systems from a remote eduroam site, and the only thing wrong is at
the mschap level, which I guess is due to my use of stripped user name.

Why not use EAP-TLS? Because although I have a Cloudpath one-stop
server for cert management, it's not a Windows PKI, so they're waiting
until one is available. They are planning on using TLS when that PKI
is available.


On 26 March 2018 at 21:04, Alan DeKok <aland at> wrote:
> On Mar 26, 2018, at 3:52 PM, Graham Clinch <g.clinch at> wrote:
>> Have you found a Windows knob to append an NAI-style realm to the advertised username of 'host/'?
>   Windows has essentially zero configuration for this.
>   TBH, I wouldn't recommend authenticating machines to Eduroam.  It's *much* better to authenticate people.
>   Plus, you can specify an NAI like "user at domain" for people.  You can't really do that for hosts.
>>  I'd be very interested to know more if you had!  If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies?  (I have a feeling that is frowned upon by the eduroam tech-specs?)
>   It's possible.  But, the more unusual your configuration, the less likely it is to work everywhere.
>> We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'.
>   Don't re-write User-Names in a proxy.  It will break EAP.
>   Alan DeKok.
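The routing problem the thread circles around (an eduroam proxy can only forward on the realm after the '@' in the outer identity, so a Windows 'host/...' or 'DOMAIN/user' name has nothing to route on, while the home site's mschap module then wants the stripped name) can be shown with a small model of that decision. This is an added example, not code from the list thread or from FreeRADIUS; the LOCAL_REALMS set and the 'host/' to 'computername$' conversion are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: realms the local ORPS answers for itself.
LOCAL_REALMS = {"york.ac.uk"}


@dataclass
class RealmDecision:
    stripped_user_name: Optional[str]  # what the home server's mschap would see
    realm: Optional[str]               # NAI realm, or None if the name has none
    routable: bool                     # can an inter-site proxy forward on it?


def parse_outer_identity(identity: str) -> RealmDecision:
    """Model the suffix-realm split applied to the OUTER identity (RFC 7542:
    realm is everything after the last '@').  Names with no '@', such as
    host/pc01.example.org or DOMAIN/user, carry no realm a proxy can use."""
    if "@" not in identity:
        return RealmDecision(None, None, False)
    user, _, realm = identity.rpartition("@")
    realm = realm.lower()
    if not user or not re.fullmatch(r"[a-z0-9.-]+", realm):
        return RealmDecision(None, None, False)  # malformed NAI
    return RealmDecision(user, realm, True)


def route(identity: str) -> str:
    """Decide, like a national proxy would, what happens to the outer User-Name
    without ever rewriting it (rewriting inside the proxy would break EAP)."""
    d = parse_outer_identity(identity)
    if not d.routable:
        return "reject: no realm to route on"
    if d.realm in LOCAL_REALMS:
        return f"local: authenticate {d.stripped_user_name!r} in realm {d.realm}"
    return f"proxy: forward unchanged to realm {d.realm}"


def machine_account_name(identity: str) -> Optional[str]:
    """Assumed home-server convention from the thread: turn the Windows
    'host/computer.fqdn' identity into the 'COMPUTER$' account name that an
    AD-backed mschap lookup expects.  Done at the home site, never in a proxy."""
    m = re.fullmatch(r"host/([^.]+)(?:\..*)?", identity, re.IGNORECASE)
    return f"{m.group(1)}$" if m else None
```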
