Using machine auth from a remote eduroam site

Scott Armitage S.P.Armitage at
Mon Mar 26 23:42:37 CEST 2018

> On 26 Mar 2018, at 22:16, Alex Sharaz via Freeradius-Users <freeradius-users at> wrote:
> What we were originally doing wa using eap-ttls. In windows we could
> set the outer UserName to be and the inner UserName to be
> itsyork/<userid> ... problem was that it worked for wired 802.1x but
> not wifi dot1x. We're nowtrying a Securew2 driver to get round the
> issue wih the windows built in  eap-ttls setup.
> What our desktop people have done is do a machine auth using eap-ttls
> with outer  This does get as far as our ORPS
> systems from a remote eduroam site  and  the only thing wrong is at
> the mschap level which I guess is due to my use of stripped user name.
> Why not use EAP-TLS ? because although  I have a cloudpath one stop
> server for cert management its not a windows PKI so they're waiting
> until one is available. They are planning on using TLS when that PKI
> is available.


At Loughborough for BYOD users we issue certs from cloudpath.  However, for managed windows machines we get the AD to issue a cert with machine-name at realm.
Then we have added the AD CA certs to the trusted CA list on the RADIUS server.  The certificate management on the managed devices is handled by the AD.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Freeradius-Users mailing list