Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
We currently don't do machine authentication, as we would prefer to track down issues to an individual user rather than a workstation. However, we have had issues using Windows 7 SSO and are looking into options. They are:

1. A hidden SSID for machines to authenticate to.
2. Customizing our RADIUS server (RADIATOR) to recognize machine logins (HOST/workstation-name) and authenticate them separately to the eduroam SSID.

I'd be curious as to what other sites are doing, as well.

Thanks.
-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938  Fax: 319 335-2951  Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu

From: Osborne, Bruce W <bosbo...@liberty.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, February 18, 2013 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

> I have a question for those of you that are using EDUROAM as your only SSID. How do you handle Windows machine authentication?
>
> Our domain computers do 802.1X machine authentication when there is not a user logged in. This allows the computer to authenticate the user and get their profile. It is also useful for remote management when a user is not logged in.
>
> Thanks, all
>
> Bruce Osborne
> Network Engineer
> IT Network Services
> (434) 592-4229
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>
> From: Tristan Gulyas [mailto:tristan.gul...@monash.edu]
> Sent: Saturday, February 16, 2013 8:21 AM
> Subject: Re: About the eduroam configuration on Freeradius
>
>> Hi,
>>
>> We have been using eduroam as our primary SSID for a number of years; users can simply select the network and enter their username and password, accept the certificate and they're good to go.
>>
>> One thing we've found to be successful for us is to accept both just the username and username@domain to enhance usability, but the drawback is that we will have a few eduroam-configured devices that won't work at other institutions.
>>
>> We have RADIATOR perform a lookup via LDAP to determine the class of user (student, staff, or high school user, as we have a high school as part of our University campus) and return the appropriate Tunnel Group ID for AAA override. If there is no attribute in LDAP, we place them on the guest VLAN by default; however, the guest VLAN and student VLANs are identical in terms of access control.
>>
>> Tristan
>> ---
>> Tristan Gulyas <tristan.gul...@monash.edu>
>> Wireless Network Engineer
>> M: +61 403224484
>> eSolutions division
>> P: +61 3 9902 9092
>> Building 205
>> Monash University 3800 Australia
>>
>> On 16/02/2013, at 8:55 AM, Johnson, Neil M <neil-john...@uiowa.edu> wrote:
>>
>>> We have been using eduroam as our primary SSID since the fall. We could put non-@uiowa.edu users in a separate VLAN that appears outside our border, but the actual number of non-Iowa users on campus is so small that it wasn't deemed worth the effort to set up and maintain.
>>>
>>> Implementing eduroam as our primary SSID happened to happily coincide with campus encouraging users to use use...@uiowa.edu as their default username in order for them to access cloud services being implemented in the near future.
>>>
>>> -Neil
>>>
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Steve Bohrer [skboh...@simons-rock.edu]
>>> Sent: Friday, February 15, 2013 3:13 PM
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
>>>
>>>> On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:
>>>>
>>>>> Dear All
>>>>>
>>>>> Do you use different radius servers for your local SSID and eduroam SSID? Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) from logging in with the eduroam SSID. Could you please explain how to modify proxy.conf or other configuration files on Freeradius (Linux version)?
>>>>
>>>> We take a different approach, and use eduroam as our primary SSID campus-wide. That is, all of our local users always connect to eduroam, even when they are not roaming. Our radius server knows they are local because they have our realm in their username, and we can use their other local LDAP attributes to put them into the proper VLAN. Our radius server also puts non-Simon's
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
Hi,

We have been using eduroam as our primary SSID for a number of years; users can simply select the network and enter their username and password, accept the certificate and they're good to go.

One thing we've found to be successful for us is to accept both just the username and username@domain to enhance usability, but the drawback is that we will have a few eduroam-configured devices that won't work at other institutions.

We have RADIATOR perform a lookup via LDAP to determine the class of user (student, staff, or high school user, as we have a high school as part of our University campus) and return the appropriate Tunnel Group ID for AAA override. If there is no attribute in LDAP, we place them on the guest VLAN by default; however, the guest VLAN and student VLANs are identical in terms of access control.

Tristan
---
Tristan Gulyas <tristan.gul...@monash.edu>
Wireless Network Engineer
M: +61 403224484
eSolutions division
P: +61 3 9902 9092
Building 205
Monash University 3800 Australia

On 16/02/2013, at 8:55 AM, Johnson, Neil M <neil-john...@uiowa.edu> wrote:

> We have been using eduroam as our primary SSID since the fall. We could put non-@uiowa.edu users in a separate VLAN that appears outside our border, but the actual number of non-Iowa users on campus is so small that it wasn't deemed worth the effort to set up and maintain.
>
> Implementing eduroam as our primary SSID happened to happily coincide with campus encouraging users to use use...@uiowa.edu as their default username in order for them to access cloud services being implemented in the near future.
>
> -Neil
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Steve Bohrer [skboh...@simons-rock.edu]
> Sent: Friday, February 15, 2013 3:13 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
>
>> On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:
>>
>>> Dear All
>>>
>>> Do you use different radius servers for your local SSID and eduroam SSID? Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) from logging in with the eduroam SSID. Could you please explain how to modify proxy.conf or other configuration files on Freeradius (Linux version)?
>>
>> We take a different approach, and use eduroam as our primary SSID campus-wide. That is, all of our local users always connect to eduroam, even when they are not roaming. Our radius server knows they are local because they have our realm in their username, and we can use their other local LDAP attributes to put them into the proper VLAN. Our radius server also puts non-Simon's Rock eduroam users into an eduroam guest VLAN. (We have an open SSID with instructions for connecting to eduroam, and some special-case guest VLANs, but no other SSID for our local users.)
>>
>> The benefit is that our users only ever need to do one wifi config, and eduroam just works when they travel to other federation campuses or to EDU conventions and such, because it is exactly the same wifi config that they use every day on campus.
>>
>> Steve Bohrer
>> Network Admin, ITS
>> Bard College at Simon's Rock
>> 413-528-7645

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
On Feb 15, 2013, at 14:24, Linchuan Yang <linchuan.y...@concordia.ca> wrote:

> Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus.

What we are thinking about doing for local users who connect to eduroam while on campus is to put them into a role on our Aruba controllers that sends them to a captive portal web page that says, "Congratulations! You have successfully configured your device to use the eduroam network! When you travel to another eduroam-enabled institution, you should be all set!" Something like that, anyway.

--
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:

> Dear All
>
> Do you use different radius servers for your local SSID and eduroam SSID? Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) from logging in with the eduroam SSID. Could you please explain how to modify proxy.conf or other configuration files on Freeradius (Linux version)?

We take a different approach, and use eduroam as our primary SSID campus-wide. That is, all of our local users always connect to eduroam, even when they are not roaming. Our radius server knows they are local because they have our realm in their username, and we can use their other local LDAP attributes to put them into the proper VLAN. Our radius server also puts non-Simon's Rock eduroam users into an eduroam guest VLAN. (We have an open SSID with instructions for connecting to eduroam, and some special-case guest VLANs, but no other SSID for our local users.)

The benefit is that our users only ever need to do one wifi config, and eduroam just works when they travel to other federation campuses or to EDU conventions and such, because it is exactly the same wifi config that they use every day on campus.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
Linchuan,

There is a big drawback to not letting your users join the local eduroam SSID: they won't be able to set up their devices while on campus before traveling. Having the concordia.ca users join the eduroam SSID on campus will help them with two aspects of the connectivity:

- Learn to use the REALM (user@realm; in your case realm=concordia.ca)
- Learn to load the proper RADIUS infrastructure certificate on their machine before traveling somewhere else

These two things alone could reduce your help desk calls quite a bit.

If you do so, make sure to enforce the REALM requirement for your own users in your RADIUS config (we used to not enforce that at University of Tennessee and ended up with users not being able to use eduroam when traveling).

What you can do (as explained by Steve and Julian) is to filter the concordia.ca users and put them in special VLANs. For instance: University of Tennessee, Knoxville assigns users with @utk.edu credentials to the same VLAN pool whether they join the eduroam SSID or the ut-wpa2 SSID. The only difference between the two is that users joining eduroam have to use ne...@utk.edu and users on ut-wpa2 can only use netid if they want.

Have a good Weekend,

Best,
Philippe Hanset
www.eduroamus.org

On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:

> Dear All
>
> Do you use different radius servers for your local SSID and eduroam SSID? Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) from logging in with the eduroam SSID. Could you please explain how to modify proxy.conf or other configuration files on Freeradius (Linux version)?
>
> Furthermore, we want to block user...@concordia.ca from logging in with our local SSID, and let user123 log in with our local SSID.
>
> Thank you, and have a nice weekend.
>
> Yours,
> Linchuan Yang (Antony)
> Wireless Networking Analyst
> Network Assessment and Integration, IITS-Concordia University
> Tel: (514)848-2424 ext. 7664
RE: [WIRELESS-LAN] About the eduroam configuration on Freeradius
It's pretty common in Europe to only offer the eduroam SSID, and offer visitors 'different' connectivity than local users on it (and have a captive portal containing all the setup etc. on an open SSID). Making it so the wireless configuration is the same whether on campus or at another eduroam site is very popular amongst our academics and students, as it means that in practice it's set up once, and simply opening the lid on their laptop at another site gets them connectivity.

--
ian

-----Original Message-----
From: phanset
Sent: 15/02/2013, 21:35
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

> Linchuan,
>
> There is a big drawback to not letting your users join the local eduroam SSID: they won't be able to set up their devices while on campus before traveling. Having the concordia.ca users join the eduroam SSID on campus will help them with two aspects of the connectivity:
>
> - Learn to use the REALM (user@realm; in your case realm=concordia.ca)
> - Learn to load the proper RADIUS infrastructure certificate on their machine before traveling somewhere else
>
> These two things alone could reduce your help desk calls quite a bit.
>
> If you do so, make sure to enforce the REALM requirement for your own users in your RADIUS config (we used to not enforce that at University of Tennessee and ended up with users not being able to use eduroam when traveling).
>
> What you can do (as explained by Steve and Julian) is to filter the concordia.ca users and put them in special VLANs. For instance: University of Tennessee, Knoxville assigns users with @utk.edu credentials to the same VLAN pool whether they join the eduroam SSID or the ut-wpa2 SSID. The only difference between the two is that users joining eduroam have to use ne...@utk.edu and users on ut-wpa2 can only use netid if they want.
>
> Have a good Weekend,
>
> Best,
> Philippe Hanset
> www.eduroamus.org
>
> On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:
>
>> Dear All
>>
>> Do you use different radius servers for your local SSID and eduroam SSID? Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) from logging in with the eduroam SSID. Could you please explain how to modify proxy.conf or other configuration files on Freeradius (Linux version)?
>>
>> Furthermore, we want to block user...@concordia.ca from logging in with our local SSID, and let user123 log in with our local SSID.
>>
>> Thank you, and have a nice weekend.
>>
>> Yours,
>> Linchuan Yang (Antony)
>> Wireless Networking Analyst
>> Network Assessment and Integration, IITS-Concordia University
>> Tel: (514)848-2424 ext. 7664
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
Hi,

It is an exceptionally bad idea to do what you're proposing, as it prevents local users from verifying that their eduroam configuration actually works at your site before roaming to other sites. Yes, you can display a test page, but then you have to make sure that every user sets the priority of the SSIDs correctly so that your local SSID has a higher precedence, else every time they reconnect to wireless they'll get the test page.

Many universities have transitioned to a single eduroam SSID which serves both local and remote users. They then assign different VLANs or wireless profiles dynamically based on where the user is authenticating from. This is, IMHO, far easier to support, and far better for the students/staff using the service.

The only argument I've heard against eduroam as the primary SSID is that it reduces awareness of the university brand.

-Arran
RE: [WIRELESS-LAN] About the eduroam configuration on Freeradius
We have been using eduroam as our primary SSID since the fall. We could put non-@uiowa.edu users in a separate VLAN that appears outside our border, but the actual number of non-Iowa users on campus is so small that it wasn't deemed worth the effort to set up and maintain.

Implementing eduroam as our primary SSID happened to happily coincide with campus encouraging users to use use...@uiowa.edu as their default username in order for them to access cloud services being implemented in the near future.

-Neil

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Steve Bohrer [skboh...@simons-rock.edu]
Sent: Friday, February 15, 2013 3:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

> On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:
>
>> Dear All
>>
>> Do you use different radius servers for your local SSID and eduroam SSID? Currently, we are using the same radius servers for both SSIDs, and we found that some of our local users log in with the eduroam SSID inside our campus. We want to block our local users (both user...@concordia.ca and user123) from logging in with the eduroam SSID. Could you please explain how to modify proxy.conf or other configuration files on Freeradius (Linux version)?
>
> We take a different approach, and use eduroam as our primary SSID campus-wide. That is, all of our local users always connect to eduroam, even when they are not roaming. Our radius server knows they are local because they have our realm in their username, and we can use their other local LDAP attributes to put them into the proper VLAN. Our radius server also puts non-Simon's Rock eduroam users into an eduroam guest VLAN. (We have an open SSID with instructions for connecting to eduroam, and some special-case guest VLANs, but no other SSID for our local users.)
>
> The benefit is that our users only ever need to do one wifi config, and eduroam just works when they travel to other federation campuses or to EDU conventions and such, because it is exactly the same wifi config that they use every day on campus.
>
> Steve Bohrer
> Network Admin, ITS
> Bard College at Simon's Rock
> 413-528-7645