The problem comes in implementing the ban.

Some institutions allow an anonymous outer identity for the EAP tunnel, which, 
so long as it contains enough information for routing, can contain an arbitrary 
user id. You ban one and the user can just change it and still get access. You 
never get to see the inner id unless the home server has been configured to send 
it back in the Access-Accept.

The best solution is to contact the home institution directly and get their 
guys to ban the user. This will be easier once more institutions have adopted 
CUI as then there'll be a definitive linking value between a user and a 
session. Even without CUI it should still be possible to figure out the inner 
ID using timestamps and attributes included in the authentication request(s); 
it's just harder to automate the process.

If you're using FreeRADIUS you might want to take a look at the example CUI 
configurations, and implement them at the same time as your eduroam service.

-Arran
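As an added example (not from the thread, and not FreeRADIUS's own policy), a small Python model of the three pieces discussed above: the realm-based switch in the visited RADIUS server, the anonymous outer identity that makes a ban at the visited site useless, and the CUI returned in Access-Accept that gives a stable value to ban on. The CUI derivation, the hash key, the Operator-Name and all user names are constructed assumptions.

```python
import hashlib
import hmac

LOCAL_REALMS = {"syr.edu"}              # constructed: realms this server terminates locally
CUI_KEY = b"constructed-home-server-key"  # constructed: secret known only to the home server


def split_nai(outer_identity):
    """Split an NAI into (user, realm). The user part may be anonymous or
    empty ('@syr.edu'); only the realm is needed for routing."""
    user, sep, realm = outer_identity.rpartition("@")
    if not sep or not realm:
        raise ValueError("no realm in outer identity: cannot be routed")
    return user, realm.lower()


def route(outer_identity):
    """The switch in the visited RADIUS server: terminate locally or proxy
    the EAP tunnel to the top level, decided by the realm alone."""
    return "local" if split_nai(outer_identity)[1] in LOCAL_REALMS else "proxy"


def home_server_cui(inner_identity, operator_name):
    """Home-server side (assumed shape, not FreeRADIUS's exact policy): a CUI
    that is stable per user and per visited site but reveals no inner identity."""
    msg = f"{inner_identity.lower()}@{operator_name.lower()}".encode()
    return hmac.new(CUI_KEY, msg, hashlib.sha256).hexdigest()[:32]


def visited_site_admits(outer_identity, cui, banned_outer, banned_cui):
    """Visited-site policy: it sees only the outer identity and the CUI
    returned in Access-Accept, never the inner identity."""
    return outer_identity not in banned_outer and cui not in banned_cui


def demo():
    op = "1syr.edu"                # Operator-Name the visited site sends (constructed)
    inner = "realuser@utk.edu"     # inner identity, visible only to the home server
    banned_outer, banned_cui = {"anonymous@utk.edu"}, set()
    # Session 1: the outer identity the user showed up with is banned.
    first = visited_site_admits("anonymous@utk.edu", home_server_cui(inner, op),
                                banned_outer, banned_cui)
    # Session 2: same user, arbitrary new outer id; the outer-identity ban is bypassed.
    second = visited_site_admits("anon42@utk.edu", home_server_cui(inner, op),
                                 banned_outer, banned_cui)
    # Ban the CUI instead: holds whatever the outer identity says.
    banned_cui.add(home_server_cui(inner, op))
    third = visited_site_admits("anon99@utk.edu", home_server_cui(inner, op),
                                banned_outer, banned_cui)
    return first, second, third
```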



> Ah. You clever fella. 
> 
> Thanks for turning on the light.
> 
> Lee H. Badman
> Network Architect/Wireless TME
> ITS, Syracuse University
> 315.443.3003
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
> [phan...@utk.edu]
> Sent: Tuesday, November 13, 2012 10:48 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
> 
> Lee,
> 
> Your campus only terminates EAP sessions for YOUR users.
> For visitors, you take the initial TLS negotiation (with the outer tunnel 
> identity e.g. lhbad...@syr.edu, or anonym...@syr.edu, or @syr.edu ) and you 
> pass it to the top level.
> You never deal with the EAP-type for visitors.
> In your RADIUS server you basically have a switch: pass to top level OR 
> terminate locally.
> Take a look at some config examples: 
> http://www.eduroamus.org/radius_configuration
> 
> Philippe
> 
> 
> On Nov 13, 2012, at 10:12 AM, Lee H Badman <lhbad...@syr.edu>
>  wrote:
> 
>> Thanks, Phillipe-
>>  
>> I'm talking more from supplicant config side. So we use Xpressconnect to 
>> configure our supplicants to only use MS-CHAPv2 /PEAP while disabling the 
>> other EAP types, and in RADIUS only have this single EAP type enabled. So if 
>> our eduroam SSID required this EAP type, and someone showed up and hit our 
>> eduroam with their supplicant configured for EAP-TLS for eduroam, a 
>> reconfiguration would be required, no? Or am I really missing something 
>> important?
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
>> [phan...@utk.edu]
>> Sent: Tuesday, November 13, 2012 10:01 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>> 
>> Lee,
>> 
>> eduroam is EAP agnostic.
>> All that the roaming does is pass the initial SSL/TLS tunnel to the home 
>> institution.
>> Then in the tunnel, exchanges occur between your device and your home 
>> institution.
>> So, as long as your institution does a tunneled EAP, you are done. The 
>> visited institution has nothing to do with your EAP method.
>> 
>> EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work
>> 
>> Philippe
>> 
>> On Nov 13, 2012, at 9:52 AM, Lee H Badman <lhbad...@syr.edu>
>>  wrote:
>> 
>>> I have read through the most recent docs, not quite grasping:
>>>  
>>> - If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, 
>>> does that exclude us from Eduroam?
>>>  
>>> - If not, what happens when I roam to another campus that uses TLS, or vice 
>>> versa? The goal is autoconnection, with no reconfig, but is everyone on 
>>> Eduroam really and truly using the same EAP with no need to reconfigure as 
>>> you roam campus to campus?
>>>  
>>> Sorry to be thick, I realize a lot of time went in to the documents.
>>>  
>>>  
>>> Lee H. Badman
>>> Network Architect/Wireless TME
>>> ITS, Syracuse University
>>> 315.443.3003
>>> ********** Participation and subscription information for this EDUCAUSE 
>>> Constituent Group discussion list can be found at 
>>> http://www.educause.edu/groups/.
>> 