Using machine auth from a remote eduroam site
Alex Sharaz
alex.sharaz at york.ac.uk
Mon Mar 26 23:16:04 CEST 2018
What we were originally doing was using eap-ttls. In windows we could
set the outer UserName to be @york.ac.uk and the inner UserName to be
itsyork/<userid> ... problem was that it worked for wired 802.1x but
not wifi dot1x. We're now trying a Securew2 driver to get round the
issue with the windows built-in eap-ttls setup.
What our desktop people have done is do a machine auth using eap-ttls
with outer username=@york.ac.uk. This does get as far as our ORPS
systems from a remote eduroam site and the only thing wrong is at
the mschap level which I guess is due to my use of stripped user name.
Why not use EAP-TLS? Because although I have a cloudpath one-stop
server for cert management it's not a windows PKI so they're waiting
until one is available. They are planning on using TLS when that PKI
is available.
Rgds
A
On 26 March 2018 at 21:04, Alan DeKok <aland at deployingradius.com> wrote:
> On Mar 26, 2018, at 3:52 PM, Graham Clinch <g.clinch at lancaster.ac.uk> wrote:
>> Have you found a Windows knob to append an NAI-style realm to the advertised username of 'host/computer.ad.domain'?
>
> Windows has essentially zero configuration for this.
>
> TBH, I wouldn't recommend authenticating machines to Eduroam. It's *much* better to authenticate people.
>
> Plus, you can specify an NAI like "user at domain" for people. You can't really do that for hosts.
>
>> I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?)
>
> It's possible. But, the more unusual your configuration, the less likely it is to work everywhere.
>
>> We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'.
>
> Don't re-write User-Names in a proxy. It will break EAP.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
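The thread turns on three identity shapes (an anonymous outer identity of the form `@york.ac.uk`, a Windows machine identity `host/computer.ad.domain` that carries no NAI realm, and a down-level inner identity such as `itsyork/<userid>`) and on Alan's rule that a proxy must route on the realm without rewriting User-Name. The following is an added illustration written for this page; it is not FreeRADIUS code and not anything posted in the thread. It models an EAP proxy's realm routing and a home-server consistency check between outer and inner identity. The pool names, the `Proxy-To-Pool` attribute and all sample identities are constructed for the example.

```python
"""Realm-based routing and inner/outer identity checks for an EAP proxy.

Added example, not FreeRADIUS code. Realm table, pool names and sample
identities are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed routing table: realm -> home server pool (hypothetical names)
REALM_POOLS = {
    "york.ac.uk": "york-orps",
    "lancaster.ac.uk": "lancaster-orps",
}
NATIONAL_PROXY = "eduroam-national"  # hypothetical default for unknown realms


@dataclass(frozen=True)
class Identity:
    raw: str
    user: str
    realm: Optional[str]  # None when the identity carries no NAI realm
    form: str             # "nai", "host", "downlevel" or "bare"


def parse_identity(name: str) -> Identity:
    """Split an EAP identity the way an RFC 7542 NAI parser would.

    '@york.ac.uk'             -> anonymous outer identity, realm york.ac.uk
    'alice@york.ac.uk'        -> user alice, realm york.ac.uk
    'host/computer.ad.domain' -> Windows machine identity, no NAI realm
    'itsyork/alice'           -> down-level DOMAIN/user identity, no realm
    """
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return Identity(name, user, realm.lower() or None, "nai")
    if name.startswith("host/"):
        return Identity(name, name, None, "host")
    if "/" in name:
        return Identity(name, name, None, "downlevel")
    return Identity(name, name, None, "bare")


def route_outer(outer_name: str) -> Optional[str]:
    """Choose the proxy target from the outer identity's realm only.

    Returns None when no realm is present: such a request cannot be routed
    through the eduroam hierarchy (the 'host/computer.ad.domain' case).
    """
    ident = parse_identity(outer_name)
    if ident.realm is None:
        return None
    return REALM_POOLS.get(ident.realm, NATIONAL_PROXY)


def inner_identity_consistent(outer_name: str, inner_name: str) -> bool:
    """Home-server check run after the TTLS/PEAP tunnel is up.

    The inner identity must belong to the realm the outer identity was routed
    on. An inner identity with no realm (e.g. 'itsyork/alice') is treated as
    local to the home realm; one naming a different realm is rejected.
    """
    outer = parse_identity(outer_name)
    inner = parse_identity(inner_name)
    if outer.realm is None:
        return False
    return inner.realm is None or inner.realm == outer.realm


def forward_request(attrs: dict) -> dict:
    """Build the proxied Access-Request.

    Attributes are copied and a target pool is recorded, but User-Name is left
    byte-for-byte as received: the EAP conversation is bound to the identity the
    supplicant sent, so rewriting it in the proxy breaks the exchange.
    """
    pool = route_outer(attrs["User-Name"])
    if pool is None:
        raise ValueError("no realm in User-Name; cannot route via eduroam")
    out = dict(attrs)
    out["Proxy-To-Pool"] = pool  # hypothetical attribute name for the example
    return out
```

Usage: call `route_outer` on the outer User-Name at the proxy, and `inner_identity_consistent` at the home server once the tunnelled identity is known; `forward_request` raises for a realm-less machine identity rather than guessing a realm for it.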