Eduroam and setting identity privacy in Windows


Eduroam and setting identity privacy in Windows

Jim Potter-2
Hi all,

I've been tasked with addressing our FreeRadius servers for our eduroam
setup here. What I would like to achieve is authentication to happen
invisibly where possible - our laptops would perform machine
authentication, users would log in and would re-authenticate to wireless
invisibly (currently each user needs to set up the wireless connection on
each device they use - this is really bad from a user experience point of
view, especially for students using laptops from a bank). Has anyone else
had any success doing anything like this?

The big problem I have run into is in fact not really FreeRadius at all,
rather the domain bound windows clients sending their credentials in the
wrong format. Computer authentication comes in the form
host/mypc.bathspa.ac.uk and users in the format DOMAIN\myusername, not
[hidden email] as required by eduroam.

I've updated the policy files on FreeRadius to authenticate the above
formats successfully, but if staff are to be able to use their devices on
remote eduroam sites, they need either their username (at least their
anonymous ID/identity privacy name) to be sent in the format
[hidden email]

Has anyone found a way of doing this?

thanks in advance,

Jim
Server Engineer
Bath Spa University
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Eduroam and setting identity privacy in Windows

Matthew Newton-3
On Fri, 2019-02-08 at 16:36 +0000, Jim Potter wrote:
> What I would like to achieve is authentication to happen
> invisibly where possible - our laptops would perform machine
> authentication, users would log in and would re-authenticate to
> wireless invisibly (currently each user needs to set up the wireless
> connection on each device the use - this is really bad from a user
> experience point of view, especially for students using laptops from
> a bank). Has anyone else had any success doing anything like this?

So you probably need to set up EAP-TLS to authenticate using a
certificate, rather than logging in with a username/password.

Convenient if they're domain-joined, as the certificate handling is all
done for you.

> Computer authentication comes in the form
> host/mypc.bathspa.ac.uk and users in the format DOMAIN\myusername,
> not [hidden email] as required by eduroam.

You need to push group policy onto the Windows laptops to force them to
do this. It's certainly possible from what I remember, but you're
right, there's nothing you can do on FreeRADIUS to force this, it's a
Windows issue.

> I've updated the policy files on FreeRadius to authenticate the above
> formats successfully, but if staff are to be able to use their
> devices on remote eduroam sites, they need either their username ( at
> least their anonymous ID/identity privacy name) to be sent in the
> format [hidden email]

Exactly. Otherwise eduroam has nothing to go on when proxying the
authentication.

Also remember that the eduroam rules mean you need to know who everyone is.
That generally means that you either use usernames and passwords (and
not a username per machine), or you use certificates and assign the
laptop for one person to use only. It pretty much rules out shared
laptops (unless they are used only on your own network, in which case
of course domain based login is fine as it will also stop them from
roaming.)

--
Matthew



Re: Eduroam and setting identity privacy in Windows

Jim Potter-2
Hi Matthew,

Thanks for the advice on this. Yes, I think the real problem here is the
eduroam username format ([hidden email]) not being compatible with the one
that windows generates (WINSDOMAIN\uid). I figure that even though this
isn't directly freeradius related, this forum is probably still the best
place to ask PEAP related questions.

I think part of our problem here is we're trying to use eduroam for
something it wasn't designed for. If it doesn't fit, hopefully I can
convince networks to set up something else suitable instead. One thing I
have noted in the eduroam T's and C's - connections must be traceable;
generally this is interpreted as user authentication, though machine
authentication is also acceptable as long as we record logins.

I'll let you know how I get on with all this.

cheers

Jim

--
thanks,

Jim Potter
User Platform Engineer
IT Services
Bath Spa University

T: 01225 876220
Visit www.bathspa.ac.uk
Join us on: Facebook <http://www.facebook.com/bath.spa.university>| Twitter
<https://twitter.com/#!/BathSpaUni>| YouTube
<http://www.youtube.com/BathSpaUniversity>| LinkedIn
<http://www.linkedin.com/company/bath-spa-university>
Newton Park, Bath, BA2 9BN

Think before you print

Disclaimer
If you have received this message in error, please notify us and remove it
from your system. Any views or opinions expressed in personal emails are
solely those of the author and do not necessarily represent those of Bath
Spa University. Neither Bath Spa University nor the sender accepts any
responsibility for viruses and it is your responsibility to scan this email
and any attachments for viruses.

Re: Eduroam and setting identity privacy in Windows

Alan Buxey
Well, as you've said, it will work locally, you can ensure that with your
own policies. It's just that it won't work at other remote eduroam sites
(much like when users are allowed locally to login with just username
without realm 'for convenience').

Using certificates, that have correct realm info, is the only way to avoid
users needing to know the right format of username and password etc. That can
be done by group policy or via a user self driven certificate onboarding
process.

alan


Re: Eduroam and setting identity privacy in Windows

Jim Potter-2
Ok, certificates is an avenue I hadn't considered... I wasn't aware that
this was an option with eduroam (I'd just assumed we had to use PEAP). Have
you set something like this with eduroam in the past, or do you know if any
other universities have had this working?

So by setting the realm in the certificates, will the eduroam radius
servers forward the request correctly? I think I need to read up on this.

thanks for the lead!

Jim


Re: Eduroam and setting identity privacy in Windows

Users mailing list
We use EAP-TLS on eduroam... works just fine. Either set the cert CN to
include your realm or set anonymous identity = @realm

Rgds
A


Re: Eduroam and setting identity privacy in Windows

Alan Buxey
hi,

> Ok, certificates is an avenue I hadn't considered... I wasn't aware that
> this was an option with eduroam (I'd just assumed we had to use PEAP).

EAP-TLS, PEAP, EAP-TTLS, EAP-FAST, EAP-GTC, EAP-PWD etc all work over eduroam :)

> Have you set something like this with eduroam in the past, or do you know if any
> other universities have had this working?

yes and yes - quite a few Universities in the UK (and elsewhere) are using
EAP-TLS, and several are moving to it. Most are using commercial deployment
tools (with user self service etc), e.g. Cloudpath ES.

> So by setting the realm in the certificates, will the eduroam radius
> servers forward the request correctly? I think I need to read up on this.

yes, realm set in the cert - most clients can also define an outer ID
for the initial identifier.

alan
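The three replies above (Matthew: eduroam "has nothing to go on when proxying" without a realm; A: set the anonymous identity to `@realm`; Alan: realm in the cert plus an outer ID) all come down to what a roaming proxy can extract from the outer identity. The Python below is an added illustration, not code from this thread or from FreeRADIUS: it imitates the user@realm (suffix) and DOMAIN\user (ntdomain) splitting a RADIUS server does and shows why `host/...` and `DOMAIN\user` identities are local-only while `@realm` routes correctly without exposing the username. The realm `bathspa.ac.uk` and the identity shapes come from the thread; the function names, `example.ac.uk`, and the other sample identities are constructed for the example.

```python
"""Added example (not from the thread or from FreeRADIUS): how a roaming
proxy picks a realm out of the identity a Windows supplicant sends.

It imitates FreeRADIUS' 'suffix' (user@realm) and 'ntdomain' (DOMAIN\\user)
realm handling so the identity shapes from the thread can be compared.
"""
from dataclasses import dataclass
from typing import Optional

HOME_REALM = "bathspa.ac.uk"  # realm from the thread; all other values are constructed


@dataclass(frozen=True)
class Identity:
    raw: str
    user: Optional[str]
    realm: Optional[str]
    style: str  # "nai", "ntdomain", "host" or "bare"


def parse_identity(raw: str) -> Identity:
    """Split an outer identity (EAP-Identity / RADIUS User-Name) into user and realm.

    user@realm   -> DNS-style realm after the last '@' (what eduroam routes on)
    DOMAIN\\user  -> NetBIOS domain prefix, meaningful only inside the home network
    host/fqdn    -> AD machine account, no realm at all
    user         -> bare username, no realm
    """
    if "@" in raw:
        user, _, realm = raw.rpartition("@")
        return Identity(raw, user or None, realm.lower() or None, "nai")
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
        return Identity(raw, user or None, domain.upper() or None, "ntdomain")
    if raw.startswith("host/"):
        return Identity(raw, raw[len("host/"):] or None, None, "host")
    return Identity(raw, raw or None, None, "bare")


def routable_via_eduroam(ident: Identity) -> bool:
    """A roaming proxy needs a DNS-style realm after '@'; anything else gives it nothing to go on."""
    return ident.style == "nai" and ident.realm is not None and "." in ident.realm


def decide(raw: str, home_realm: str = HOME_REALM) -> str:
    """What the home RADIUS server (or a national proxy) would do with this outer identity."""
    ident = parse_identity(raw)
    if not routable_via_eduroam(ident):
        return "local-only"          # accepted by local policy only, never when roaming
    if ident.realm == home_realm:
        return "home"                # authenticate locally
    return f"proxy:{ident.realm}"    # forward to that realm's home institution


def anonymous_outer_identity(realm: str, user: str = "") -> str:
    """Outer identity that routes correctly but reveals no username: '@realm' (as A
    suggests) or 'anonymous@realm'. The real identity, even DOMAIN\\user, stays
    inside the TLS tunnel or in the client certificate."""
    return f"{user}@{realm}"


if __name__ == "__main__":
    # Constructed sample identities, mirroring the shapes discussed in the thread.
    samples = [
        "host/mypc.bathspa.ac.uk",
        "DOMAIN\\myusername",
        "myusername",
        anonymous_outer_identity(HOME_REALM),
        anonymous_outer_identity(HOME_REALM, "anonymous"),
        "visitor@example.ac.uk",
    ]
    for raw in samples:
        ident = parse_identity(raw)
        print(f"{raw:28} style={ident.style:9} realm={ident.realm!s:16} -> {decide(raw)}")
```

Run it as a script to see the table; the two machine/domain forms Windows generates by default end up `local-only`, which is exactly the symptom Jim describes at remote sites, while an outer identity of `@bathspa.ac.uk` is routed home without naming the user.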

Re: Eduroam and setting identity privacy in Windows

Jim Potter-2
OK, this is great - I've had a look at the other options in Group policy
for setting up these connections, several of them look very promising.

Thanks again for everyone's advice, I'll let you know how I get on.

cheers,

Jim
