Hi Norman, Thank you for your input and direction.
Best, Nadim On Fri, Aug 28, 2020 at 10:49 AM Norman Elton <normel...@gmail.com> wrote: > Ahh yep ... we use EAP-TLS, but continue to advertise an open SSID for > onboarding (we use SecureW2), and for devices that do not support > EAP-TLS. > > By default, users are required to use eduroam. Students can > self-enroll their devices (gaming consoles, etc) onto the open SSID. > Some inevitably self-enroll their laptops for various reasons. But > getting everyone connected to eduroam while on campus streamlines > their experience when they travel to another institution. > > Norman > > On Fri, Aug 28, 2020 at 10:38 AM Tim Cappalli > <00000194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote: > > > > Yes, EAP-TLS, EAP-TTLS and PEAPv0/EAP-MSCHAPv2 are the common three EAP > methods deployed, with TEAP becoming more popular. > > > > Great care should be taken when using a legacy method like PEAPv0 with > user credentials. Ensure the device is under management and the user cannot > modify the supplicant configuration (same with EAP-TTLS/PAP or > EAP-TTLS/MSCHAPv2). > > > > Ideally these devices should just use what the rest of your students, > faculty and staff are using. > > > > tim > > ________________________________ > > From: The EDUCAUSE Wireless Issues Community Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Nadim El-Khoury < > nel-kho...@springfield.edu> > > Sent: Friday, August 28, 2020 10:35 > > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > > Subject: Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius > > > > Hi Tim, > > > > Thank you for the information and advice. > > Maybe use EAP-TLS or PEAP with EAP-TLS as the inner authentication > method. > > Do you think that would work? > > Has anyone done that with Freeradius and eduroam? > > > > Best, > > > > Nadim > > > > On Fri, Aug 28, 2020 at 9:57 AM Tim Cappalli < > 00000194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote: > > > > eduroam is an 802.1X network. You need to use an EAP-based > authentication method. MAC address can only be used as authorization > context (but really shouldn't be). > > > > Tim > > ________________________________ > > From: The EDUCAUSE Wireless Issues Community Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Nadim El-Khoury < > nel-kho...@springfield.edu> > > Sent: Friday, August 28, 2020 9:52:08 AM > > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > > Subject: Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius > > > > Hi Norman, > > > > Let me better explain what we trying to do. > > We used to have an open hidden SSID using a WEP key to connect loaner > laptops (Windows, Macs), iPads, and Chromebooks. > > We upgraded our wireless network to MIST and we decided to only > advertise eduroam. > > We want to connect the above devices to eduroam using Mac address > authentication, and it is not working. > > > > Best, > > > > Nadim > > > > On Thu, Aug 27, 2020 at 9:38 PM Norman Elton <normel...@gmail.com> > wrote: > > > > Do you mean authenticate non-802.1x clients based on MAC address? Yes. > > It works fine. We have an Open Access SSID, with "MAC address > > authentication by RADIUS lookup". We provide our RADIUS server IP & > > secret. Our FreeRADIUS server takes the request and responds with an > > Accept/Reject, and the following attributes: > > > > Tunnel-Type = "GRE" > > Tunnel-Medium-Type = "IP" > > Tunnel-Private-Group-ID = <vlan-id> > > > > I don't remember any specific challenges, but if you can post what's > > not working, I'm happy to help. And/or jump on a call and compare > > experience with Mist. > > > > Norman > > > > On Thu, Aug 27, 2020 at 4:14 PM Nadim El-Khoury > > <nel-kho...@springfield.edu> wrote: > > > > > > Hi Everyone, > > > > > > Has anyone been able to get MAC authentication bypass to work properly > with FreeRadius and MIST Wireless? > > > > > > Best, > > > > > > Nadim > > > > > > ********** > > > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > > > ********** > > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > > > ********** > > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > > > ********** > > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > > > ********** > > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > > > ********** > > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
