RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Osborne, Bruce W (Network Operations)
Oops.
I stand corrected. I did not pay close attention because it just works in our 
ClearPass environment.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Toivo Voll [mailto:to...@mail.usf.edu]
Sent: Thursday, February 2, 2017 9:23 AM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Not EDUROAM, but in my environment the "username" from EAP-TLS gets pulled as a 
configurable field from the certificate, so other than selecting whether using 
the machine or user certificate on the client (user vs. machine auth), nothing 
is prepended or modified. We use SAN-DNS as the "username" field, and there the 
machine cert (assigned by AD) does not have a "host/" prefix, just the FQDN of 
the machine.

When using EAP PEAP, if machine authentication is allowed, host/ is prepended 
to the username with machine auth, but not for user auth once the user logs in.

This is using Windows 10, Cisco WLC 8.0.132, ISE 2.1

--
Toivo Voll

On Wed, Feb 1, 2017 at 6:55 PM, Scot Colburn <colb...@ucar.edu> wrote:
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which works:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam auth requires a "realm" to be appended to the 
username so eduroam service-providers and federated RADIUS servers know to 
proxy a roaming RADIUS auth to the correct server. In our case, we append 
"@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows 10 to 
prepend the "host/" prefix. Authentication to our internal SSID without the 
"@ucar.edu" is working normally.

Any clues?

I think we can build a workaround to rewrite the username on the RADIUS server, 
but that won't help our roaming eduroam EAP/TLS users if other eduroam 
service-providers are having the same issue.

Scot Colburn
Network Engineer NCAR/UCAR/NETS/FRGP

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

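Scot's proposed workaround (rewrite the User-Name on the RADIUS server) and Toivo's point that the real identity comes from the certificate's SAN go together: whatever strips "host/" must still bind the stripped name to what the client certificate proves, and must leave foreign-realm requests untouched so they proxy correctly. The following is an added example written for this thread, not code from any poster, vendor or the eduroam project. It assumes a RADIUS server that lets a pre-authentication hook rewrite User-Name and expose the client certificate's SAN entries; `HOME_REALMS`, the sample identities and the certificate names are constructed values.

```python
"""Normalise EAP identities that arrive in RADIUS User-Name with a Windows
"host/" machine-authentication prefix, decide whether to handle them
locally or proxy them, and bind the (unauthenticated) User-Name to the
identity actually proven by the EAP-TLS client certificate.

Added example for this thread; not code from any poster, vendor or the
eduroam project.  It assumes a RADIUS server with a pre-authentication
hook that can rewrite User-Name and that exposes the client certificate's
SAN names to that hook.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

MACHINE_PREFIX = "host/"                # Windows machine-auth prefix seen in the thread
HOME_REALMS = frozenset({"ucar.edu"})   # constructed: realms this IdP is authoritative for

# Conservative DNS-name syntax for realms; rejects "ucar..edu", "@", spaces, etc.
_REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


@dataclass(frozen=True)
class Identity:
    raw: str                 # User-Name exactly as received
    is_machine: bool         # True when the "host/" prefix was present
    name: str                # identity with prefix and realm removed
    realm: Optional[str]     # lower-cased realm, or None when no '@' present
    decision: str            # "local", "proxy" or "reject"


def parse_user_name(raw: str, home_realms: Iterable[str] = HOME_REALMS) -> Identity:
    """Split a received User-Name into prefix, name and realm and route it."""
    value = raw.strip()
    is_machine = value[:len(MACHINE_PREFIX)].lower() == MACHINE_PREFIX
    if is_machine:
        value = value[len(MACHINE_PREFIX):]
    # Split on the LAST '@': eduroam routes on the realm after it.
    name, sep, realm = value.rpartition("@")
    if not sep:
        name, realm = value, None
    else:
        realm = realm.lower()

    if not name or (realm is not None and not _REALM_RE.match(realm)):
        decision = "reject"        # nothing to authenticate, or an unroutable realm
    elif realm is None or realm in set(home_realms):
        decision = "local"         # ours: safe to rewrite and authenticate here
    else:
        decision = "proxy"         # another IdP's user: forward unchanged
    return Identity(raw, is_machine, name, realm, decision)


def backend_user_name(ident: Identity) -> str:
    """User-Name to present to the local backend.

    Only identities we authenticate ourselves are rewritten.  A proxied
    request keeps its User-Name byte-for-byte so the home IdP sees exactly
    what the client sent; a rejected one is never rewritten either.
    """
    if ident.decision != "local":
        return ident.raw
    return ident.name


def bound_to_certificate(ident: Identity, cert_identities: Iterable[str]) -> bool:
    """Check the stripped identity against names proven by the client cert.

    The outer User-Name is client-chosen and unauthenticated.  After the
    "host/" prefix is removed the server must still insist that the name
    matches a SAN dNSName (machine) or a UPN (user) from the certificate,
    so the rewrite cannot be used to borrow another principal's name.
    For users this assumes the UPN suffix equals the realm (an assumption;
    map it if your directory differs).
    """
    wanted = ident.name.lower()
    if not ident.is_machine and ident.realm is not None:
        wanted = f"{ident.name}@{ident.realm}".lower()
    return wanted in {c.lower() for c in cert_identities}


if __name__ == "__main__":
    # Constructed samples modelled on the thread's description.
    for raw in ("host/lab-pc01.ucar.edu@ucar.edu", "jdoe@ucar.edu",
                "host/visitor.example.org@example.org", "host/@ucar.edu"):
        ident = parse_user_name(raw)
        print(f"{raw!r}: {ident.decision}, backend sees {backend_user_name(ident)!r}")
```

The split-by-realm step is what keeps the workaround eduroam-safe: a visited institution acting as service provider only ever forwards, and only the home IdP, which also holds the certificate trust, strips the prefix and checks the SAN.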



RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Osborne, Bruce W (Network Operations)
And most of our FTE are distance students that would likely never use EDUROAM.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Thursday, February 2, 2017 8:22 AM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Ah- the I2 freebie had me confused, as I assume everyone is on I2. Never had 
to think about the non I2 costs. Thanks for the information/reminder.

-Lee

Lee Badman | Network Architect

Adjunct Instructor | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Thursday, February 02, 2017 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

Lee,

Let me give the official cost of eduroam:

The cost of eduroam in the US is 10 cents per student per year with a minimum 
of $400 (Number of students reported at National Center for Education 
Statistics, under IPEDS, total student).
The amount is charged to the institution.
https://nces.ed.gov/ipeds/Home/UseTheData

For Internet2 members, eduroam is included with the Internet2 membership 
(different than Internet2 connectors!)
http://www.internet2.edu/communities-groups/members/higher-education/


Philippe


Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C




On Feb 2, 2017, at 7:52 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Got me curious, Bruce. What costs are associated with Eduroam?

Lee

Lee Badman
Network Architect/Wireless TME
Syracuse University
315.443.3003

-Original Message-
From: Osborne, Bruce W (Network Operations) [bosbo...@liberty.edu]
Received: Thursday, 02 Feb 2017, 7:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

We do not use Eduroam (too expensive) but we use RADIUS EAP/PEAP MSCHAPv2 for 
both machine & user authentication.

I have only seen the host/ prefix from our OSX clients, not Windows. Perhaps 
EAP/TLS is different?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Wednesday, February 1, 2017 8:17 PM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Sounds like the client is configured for computer authentication, not user. You 
can change this in the supplicant configuration.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Wednesday, February 1, 2017 16:51
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

Let me ask our RADIUS folks about this tomorrow. I'll post whatever I find out.


==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Scot Colburn [colb...@ucar.edu]
Sent: Wednesday, February 01, 2017 5:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which works:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam aut

RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-02 Thread Osborne, Bruce W (Network Operations)
We do not use Eduroam (too expensive) but we use RADIUS EAP/PEAP MSCHAPv2 for 
both machine & user authentication.

I have only seen the host/ prefix from our OSX clients, not Windows. Perhaps 
EAP/TLS is different?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Wednesday, February 1, 2017 8:17 PM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Sounds like the client is configured for computer authentication, not user. You 
can change this in the supplicant configuration.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Wednesday, February 1, 2017 16:51
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

Let me ask our RADIUS folks about this tomorrow. I'll post whatever I find out.


==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Scot Colburn 
[colb...@ucar.edu]
Sent: Wednesday, February 01, 2017 5:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which works:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam auth requires a "realm" to be appended to the 
username so eduroam service-providers and federated RADIUS servers know to 
proxy a roaming RADIUS auth to the correct server. In our case, we append 
"@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows 10 to 
prepend the "host/" prefix. Authentication to our internal SSID without the 
"@ucar.edu" is working normally.

Any clues?

I think we can build a workaround to rewrite the username on the RADIUS server, 
but that won't help our roaming eduroam EAP/TLS users if other eduroam 
service-providers are having the same issue.

Scot Colburn
Network Engineer NCAR/UCAR/NETS/FRGP

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
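Tim Cappalli's diagnosis, that the client is configured for computer rather than user authentication, can be checked from the client side by reading the 802.1X `authMode` in the exported WLAN profile. The following is an added example written for this thread, not code from any poster or from Microsoft. `WEAK_PROFILE` is a constructed, trimmed profile in the shape that `netsh wlan export profile name="eduroam"` writes (real exports carry many more elements, which the parser ignores); treating a missing `<authMode>` as `machineOrUser` is an assumption made here.

```python
"""Audit an exported Windows WLAN profile for the 802.1X authentication
mode that decides whether the supplicant may send a "host/<computer>"
identity.

Added example for this thread; not code from any poster or from Microsoft.
WEAK_PROFILE is a constructed, trimmed profile in the shape written by
`netsh wlan export profile name="eduroam"`; real exports contain many more
elements, which audit_profile() ignores.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Namespaces used by Windows WLAN profile XML.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}   # IANA EAP method types
DEFAULT_AUTH_MODE = "machineOrUser"   # assumed here when <authMode> is absent

# Constructed sample: machine authentication still permitted on the eduroam SSID.
WEAK_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>eduroam</name>
  <SSIDConfig><SSID><name>eduroam</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""
# Same profile with the one change the thread points at: user-only 802.1X.
FIXED_PROFILE = WEAK_PROFILE.replace("<authMode>machineOrUser</authMode>",
                                     "<authMode>user</authMode>")


@dataclass
class ProfileAudit:
    ssid: Optional[str]
    auth_mode: str
    eap_type: Optional[int]
    findings: List[str] = field(default_factory=list)


def audit_profile(xml_text: str) -> ProfileAudit:
    """Return the SSID, OneX authMode, EAP method type and a list of findings."""
    root = ET.fromstring(xml_text)
    ssid_el = root.find("wlan:SSIDConfig/wlan:SSID/wlan:name", NS)
    ssid = ssid_el.text if ssid_el is not None else None

    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        return ProfileAudit(ssid, "n/a", None, ["no OneX element: profile does not use 802.1X"])

    mode_el = onex.find("onex:authMode", NS)
    auth_mode = (mode_el.text or "").strip() if mode_el is not None else DEFAULT_AUTH_MODE

    type_el = onex.find("onex:EAPConfig/eh:EapHostConfig/eh:EapMethod/ec:Type", NS)
    eap_type = int(type_el.text) if type_el is not None and (type_el.text or "").strip().isdigit() else None

    findings: List[str] = []
    if auth_mode != "user":
        findings.append(
            f"authMode is {auth_mode!r}: machine authentication is allowed, so the "
            "supplicant can present a 'host/<computer>' identity; use "
            "<authMode>user</authMode> for a user-only SSID")
    if eap_type is not None and eap_type not in EAP_TYPES:
        findings.append(f"unrecognised EAP method type {eap_type}")
    return ProfileAudit(ssid, auth_mode, eap_type, findings)


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_PROFILE), ("fixed", FIXED_PROFILE)):
        a = audit_profile(xml_text)
        method = EAP_TYPES.get(a.eap_type, a.eap_type)
        print(f"{label}: ssid={a.ssid} authMode={a.auth_mode} eap={method}")
        for f in a.findings:
            print("  -", f)
```

Run against a real export, the audit tells you whether a given Windows 10 profile can ever send the machine identity at all; if `authMode` is already `user`, the prefix in Scot's RADIUS logs has another cause and the server-side check becomes the thing to look at.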