RE: PEAP Username format in Domain Joined machines
Yes, we are using eduroam. For the RADIUS server we use Aruba ClearPass.

Additional context: the reason for this ask is to support our faculty/staff who visit other eduroam-participating universities. We are also using the authentication option "User auth or computer auth", so when the user is logged out of the machine, the device remains connected to the wireless network via computer authentication.

We understand that we can manually modify the profile to unselect "Automatically use my Windows logon and password" in the wireless profile and manually configure the user name in the format USERNAME@FQDN when prompted. However, the issue is that not all of our faculty/admin staff have admin rights to the machine.

Thank you Tim and Lynn.

Regards,
Pratik Mehta

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Heavrin, Lynn
Sent: Tuesday, July 27, 2021 12:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

I didn't see anywhere he mentioned this was for eduroam, but after a Google search it seems Princeton uses it for their primary SSID, so yes, that is a good point. That's one big factor in why we're moving to EAP-TLS and forcing the format instead of trying to accommodate whatever the user decides to type in.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

I would not recommend that as the device will not be routable on eduroam outside your campus.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Heavrin, Lynn <lheav...@wustl.edu>
Date: Tuesday, July 27, 2021 at 11:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Depending on your RADIUS server you could rewrite the identity to whatever you want. Some are more granular than others with what all you can do.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

No, it cannot.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Pratik Mehta <pra...@princeton.edu>
Date: Tuesday, July 27, 2021 at 11:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Hello Everyone,

On a Windows 10 device, when using "Automatically use my Windows logon and password" for the MSCHAPv2 properties of PEAP authentication, the default username format that Windows uses is NETBIOS_DOMAIN_NAME\USERNAME. Does anyone know if the default format can be changed to USERNAME@FQDN (UPN format)? This is obviously for a domain-joined machine. Thank you for your insights and assistance.

Regards,
Pratik Mehta

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
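As an added example (not code from this thread, from Windows, from ClearPass or from any RADIUS product), the following Python sketch models the two points made in the exchange above: a RADIUS server can rewrite a NETBIOS_DOMAIN\USERNAME identity into USERNAME@FQDN, but a visited eduroam site can only route a request on the realm after "@", so that rewrite helps only once the request has already reached the home server. It goes slightly beyond the thread by also classifying the computer-authentication identity, which this example assumes takes the host/<hostname>.<dns-domain> form. The NetBIOS-to-realm table, the realms and the usernames are all constructed placeholders.

```python
"""Normalise 802.1X outer identities into user@realm (NAI/UPN) form.

Added example, not code from the thread, from Windows or from any RADIUS
product. It models two points from the thread: a RADIUS server can rewrite
a NETBIOS_DOMAIN\\USERNAME identity into USERNAME@FQDN, but eduroam forwards
requests by the realm after '@', so an identity that carries no realm cannot
be routed by a visited site. All domains, realms and usernames below are
constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed NetBIOS-domain -> DNS-realm table (an assumption of this example).
NETBIOS_TO_REALM: Dict[str, str] = {
    "CAMPUS": "example.edu",
    "STAFF": "staff.example.edu",
}
# Realms the home RADIUS server authenticates locally (constructed).
HOME_REALMS = set(NETBIOS_TO_REALM.values())


@dataclass
class Identity:
    user: str
    realm: Optional[str]
    form: str  # "upn", "netbios", "host" or "bare"

    @property
    def nai(self) -> Optional[str]:
        """user@realm, or None when no realm is known for this identity."""
        return f"{self.user}@{self.realm}" if self.realm else None


def parse_identity(raw: str) -> Identity:
    """Classify a raw EAP identity and attach a realm where one can be derived."""
    raw = raw.strip()
    if raw.startswith("host/"):
        # Computer authentication. This example assumes the supplicant sends
        # host/<hostname>.<dns-domain> and derives the realm from the DNS domain.
        host, _, domain = raw[len("host/"):].partition(".")
        return Identity(user=f"host/{host}", realm=domain.lower() or None, form="host")
    if "\\" in raw:
        # NETBIOS_DOMAIN\USERNAME: the realm comes from a lookup table, so only a
        # server that holds the table (the home server) can complete it.
        dom, _, user = raw.partition("\\")
        return Identity(user=user, realm=NETBIOS_TO_REALM.get(dom.upper()), form="netbios")
    if "@" in raw:
        user, _, realm = raw.rpartition("@")
        return Identity(user=user, realm=realm.lower() or None, form="upn")
    return Identity(user=raw, realm=None, form="bare")


def rewrite_identity(raw: str) -> Optional[str]:
    """Server-side rewrite to USERNAME@FQDN; None when no realm can be derived."""
    return parse_identity(raw).nai


def home_server_can_authenticate(raw: str) -> bool:
    """The home RADIUS server can complete the realm (rewrite) and owns it."""
    return parse_identity(raw).realm in HOME_REALMS


def visited_site_can_route(raw: str) -> bool:
    """A visited eduroam site sees only the raw identity and routes on '@realm'.

    A NetBIOS or host/ identity has no realm on the wire, so no rewrite
    performed later at the home server can make it routable here.
    """
    ident = parse_identity(raw)
    return ident.form == "upn" and ident.realm is not None


if __name__ == "__main__":
    # Constructed sample identities, one per form the supplicant might send.
    for sample in ["CAMPUS\\jdoe", "jdoe@Example.EDU", "host/lt01.example.edu", "OTHER\\jdoe", "jdoe"]:
        print(f"{sample:24} -> rewrite={rewrite_identity(sample)!s:24} "
              f"home={home_server_can_authenticate(sample)} visited={visited_site_can_route(sample)}")
```

Run stand-alone it prints a small table; the instructive rows are the NetBIOS and host/ forms, which the home server can complete but a visited site cannot route, matching the caveat that the device "will not be routable on eduroam outside your campus".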
PEAP Username format in Domain Joined machines
Hello Everyone,

On a Windows 10 device, when using "Automatically use my Windows logon and password" for the MSCHAPv2 properties of PEAP authentication, the default username format that Windows uses is NETBIOS_DOMAIN_NAME\USERNAME. Does anyone know if the default format can be changed to USERNAME@FQDN (UPN format)? This is obviously for a domain-joined machine. Thank you for your insights and assistance.

Regards,
Pratik Mehta
RE: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x Authentication
Tim,

Thank you for following up. Are you talking about the Windows team from Microsoft or Aruba? Please let us know what you find.

Regards,
Pratik Mehta

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli
Sent: Wednesday, April 14, 2021 10:36 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x Authentication

RE OCSP: AFAIK, only Android 11+ supports OCSP stapling for EAP.

RE OP: Pratik, I reached out to the Windows team and they are diagnosing the issue to try to pinpoint when this occurs.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jonathan Waldrep
Sent: Wednesday, April 14, 2021 10:33
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x Authentication

On 2021-04-13 21:20:32, Pratik Mehta wrote:
> [...]
> The problem is that Windows attempts to perform a CRL check on the
> RADIUS server certificate during the TLS handshake and before 802.1x
> authentication is complete. This causes the EAP session to timeout and
> wireless connectivity to take a long time to be established (more than
> 25 seconds). It does not make sense for the supplicant to perform a
> CRL check before wireless connectivity
> is established.
> [...]

I can't speak to the specifics of the situation, but in general, the solution is to use OCSP stapling instead of a CRL check. The gist of OCSP stapling is that the server contacts the CA/OCSP server to get a token that asserts the cert has not been revoked, and sends that with the cert to the client. This allows the client to verify the server's cert hasn't been revoked without having to connect to another network resource. I've probably got the details there wrong, but that is the _idea_ of what is happening. Implementing OCSP stapling on your authentication servers may bypass the bug.

Full disclosure: we haven't gotten around to implementing this ourselves yet, so there may well be dragons ahead that I am completely unaware of.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech
Microsoft Windows 10 CRL Check on 802.1x Authentication
Hello all,

We ran into a Microsoft wireless supplicant bug and we're wondering if any other academic institutions have experienced the same issue. We have Windows 10 laptops that are joined to an AD domain and their wireless profile is pushed through GPO. We're doing computer authentication for these laptops. The problem is that Windows attempts to perform a CRL check on the RADIUS server certificate during the TLS handshake and before 802.1x authentication is complete. This causes the EAP session to time out and wireless connectivity to take a long time to be established (more than 25 seconds). It does not make sense for the supplicant to perform a CRL check before wireless connectivity is established. Microsoft acknowledged this as a bug, but they're saying that it has been reported only by Princeton and another large enterprise. We're wondering if any of you are experiencing the same issue.

Thank you all.

Regards,
Pratik Mehta
Wireless Network Architecture and Engineering
Princeton University