Eduroam and setting identity privacy in Windows
Alex Sharaz
alex.sharaz at york.ac.uk
Mon Feb 11 11:56:46 CET 2019
We use EAP-TLS on eduroam... works just fine. Either set cert CN to
include your realm or set anonymous identity = @realm
Rgds
A
On Mon, 11 Feb 2019 at 09:14, Jim Potter <j.potter at bathspa.ac.uk> wrote:
> Ok, certificates is an avenue I hadn't considered... I wasn't aware that
> this was an option with eduroam (I'd just assumed we had to use PEAP). Have
> you set something like this with eduroam in the past, or do you know if any
> other universities have had this working?
>
> So by setting the realm in the certificates, will the eduroam radius
> servers forward the request correctly? I think I need to read up on this.
>
> thanks for the lead!
>
> Jim
>
> On Sat, 9 Feb 2019 at 14:23, Alan Buxey <alan.buxey at gmail.com> wrote:
>
> > Will, as you've said, it will work locally, you can ensure that with your
> > own policies. It's just that it won't work at other remote eduroam sites
> > (much like when users are allowed locally to login with just username
> > without realm 'for convenience')
> >
> > Using certificates, that have correct realm info, is the only way to avoid
> > users needing to know right format of username and password etc. That can
> > be done by group policy or via user self driven certificate onboarding
> > process
> >
> > alan
> >
> > On Sat, 9 Feb 2019, 09:05 Jim Potter <j.potter at bathspa.ac.uk> wrote:
> >
> > > Hi Matthew,
> > >
> > > Thanks for the advice on this. Yes, I think the real problem here is the
> > > eduroam username format (uid at domain.com) not being compatible with the one
> > > that windows generates (WINSDOMAIN\uid). I figure that even though this
> > > isn't directly freeradius related, this forum is probably still the best
> > > place to ask PEAP related questions.
> > >
> > > I think part of our problem here is we're trying to use eduroam for
> > > something it wasn't designed for. If it doesn't fit, hopefully I can
> > > convince networks to set up something else suitable instead. One thing I
> > > have noted in the eduroam T's and C's - connections must be traceable,
> > > generally this is interpreted as user authentication, though machine
> > > authentication is also acceptable as long as we record logins.
> > >
> > > I'll let you know how I get on with all this.
> > >
> > > cheers
> > >
> > > Jim
> > >
> > > On Fri, 8 Feb 2019 at 16:47, Matthew Newton <mcn at freeradius.org> wrote:
> > >
> > > > On Fri, 2019-02-08 at 16:36 +0000, Jim Potter wrote:
> > > > > What I would like to achieve is authentication to happen
> > > > > invisibly where possible - our laptops would perform machine
> > > > > authentication, users would log in and would re-authenticate to
> > > > > wireless invisibly (currently each user needs to set up the wireless
> > > > > connection on each device they use - this is really bad from a user
> > > > > experience point of view, especially for students using laptops from
> > > > > a bank). Has anyone else had any success doing anything like this?
> > > >
> > > > So you probably need to set up EAP-TLS to authenticate using a
> > > > certificate, rather than logging in with a username/password.
> > > >
> > > > Convenient if they're domain-joined, as the certificate handling is all
> > > > done for you.
> > > >
> > > > > Computer authentication comes in the form
> > > > > host/mypc.bathspa.ac.uk and users in the format DOMAIN\myusername,
> > > > > not myusername at bathspa.ac.uk as required by eduroam.
> > > >
> > > > You need to push group policy onto the Windows laptops to force them to
> > > > do this. It's certainly possible from what I remember, but you're
> > > > right, there's nothing you can do on FreeRADIUS to force this, it's a
> > > > Windows issue.
> > > >
> > > > > I've updated the policy files on FreeRadius to authenticate the above
> > > > > formats successfully, but if staff are to be able to use their
> > > > > devices on remote eduroam sites, they need either their username (at
> > > > > least their anonymous ID/identity privacy name) to be sent in the
> > > > > format someone at bathspa.ac.uk
> > > >
> > > > Exactly. Otherwise eduroam has nothing to go on when proxying the
> > > > authentication.
> > > >
> > > > Also remember eduroam rules being you need to know who everyone is.
> > > > That generally means that you either use usernames and passwords (and
> > > > not a username per machine), or you use certificates and assign the
> > > > laptop for one person to use only. It pretty much rules out shared
> > > > laptops (unless they are used only on your own network, in which case
> > > > of course domain based login is fine as it will also stop them from
> > > > roaming.)
> > > >
> > > > --
> > > > Matthew
> > > >
> > > --
> > > thanks,
> > >
> > > Jim Potter
> > > User Platform Engineer
> > > IT Services
> > > Bath Spa University
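As an added illustration (not code from the thread, from FreeRADIUS or from any of the sites mentioned), here is a small Python model of the routing decision the posts describe: a RADIUS server at the edge of eduroam only has the outer identity's realm to go on, so Windows-style `DOMAIN\user` and `host/machine` names cannot be proxied anywhere, while `user@realm`, or an anonymous `@realm` from EAP-TLS identity privacy, can. `HOME_REALMS` and the sample User-Name values are constructed.

```python
import re
from typing import NamedTuple

# Realms this institution authenticates itself (constructed; not a real config).
HOME_REALMS = {"bathspa.ac.uk"}

class Route(NamedTuple):
    action: str   # "local", "proxy" or "reject"
    realm: str    # normalised realm, or "" when none could be found
    reason: str

# A realm must look like a multi-label DNS name (letters, digits, hyphens).
_REALM_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")

def route_identity(outer_identity: str, home_realms=HOME_REALMS) -> Route:
    """Decide what an eduroam-facing RADIUS server can do with the outer
    (EAP-Response/Identity) name a supplicant sends. Only the text after the
    last '@' matters: the inner identity is hidden inside the TLS tunnel and
    the proxy chain never sees it."""
    ident = outer_identity.strip()
    if "@" not in ident:
        # Windows defaults: DOMAIN\user or host/machine.fqdn. With no realm,
        # a remote site has nowhere to forward the request.
        return Route("reject", "", "no realm: identity is not user@realm")
    user, _, realm = ident.rpartition("@")
    realm = realm.lower()
    if not _REALM_RE.match(realm):
        return Route("reject", realm, "realm is not a valid DNS-style name")
    if "\\" in user or "/" in user:
        # e.g. DOMAIN\user@realm: routable, but the home server still has to
        # strip the Windows prefix before it can look the user up.
        reason = "routable, inner user keeps a Windows prefix"
    elif user == "":
        reason = "anonymous outer identity (identity privacy)"
    else:
        reason = "user@realm"
    return Route("local" if realm in home_realms else "proxy", realm, reason)

def summarise(user_names):
    """Count outcomes over a batch of User-Name values from Access-Requests,
    e.g. to find clients that still send Windows-style names when roaming."""
    counts = {"local": 0, "proxy": 0, "reject": 0}
    for name in user_names:
        counts[route_identity(name).action] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample of User-Name values modelled on the thread.
    SAMPLE = ["jim@bathspa.ac.uk", "@bathspa.ac.uk", "BATHSPA\\jim",
              "host/mypc.bathspa.ac.uk", "alex@york.ac.uk", "@YORK.AC.UK"]
    for n in SAMPLE:
        print(f"{n:28} -> {route_identity(n)}")
    print(summarise(SAMPLE))
```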