Lee,

Your campus only terminates EAP sessions for YOUR users. For visitors, you take the initial TLS negotiation (with the outer tunnel identity e.g. [email protected], or [email protected], or @syr.edu) and you pass it to the top level. You never deal with the EAP-type for visitors. In your RADIUS server you basically have a switch: pass to top level OR terminate locally.

Take a look at some config examples: http://www.eduroamus.org/radius_configuration

Philippe

On Nov 13, 2012, at 10:12 AM, Lee H Badman <[email protected]> wrote:

Thanks, Philippe-

I'm talking more from supplicant config side. So we use Xpressconnect to configure our supplicants to only use MS-CHAPv2/PEAP while disabling the other EAP types, and in RADIUS only have this single EAP type enabled. So if our Eduroam SSID required this EAP type, and someone showed up and hit our EDUROAM with their supplicant configured for EAP-TLS for EDUROAM, a reconfiguration would be required, no? Or am I really missing something important?

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Hanset, Philippe C [[email protected]]
Sent: Tuesday, November 13, 2012 10:01 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam technical questions

Lee,

eduroam is EAP agnostic. All that the roaming does is pass the initial SSL/TLS tunnel to the home institution. Then in the tunnel, exchanges occur between your device and your home institution. So, as long as your institution does a tunneled EAP, you are done. The visited institution has nothing to do with your EAP-method.

EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work

Philippe

On Nov 13, 2012, at 9:52 AM, Lee H Badman <[email protected]> wrote:

I have read through the most recent docs, not quite grasping:

- If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, does that exclude us from Eduroam?
- If not, what happens when I roam to another campus that uses TLS, or vice versa?

The goal is autoconnection, with no reconfig, but is everyone on Eduroam really and truly using the same EAP with no need to reconfigure as you roam campus to campus?

Sorry to be thick, I realize a lot of time went into the documents.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
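
The "pass to top level OR terminate locally" switch described in the thread above, sketched as an added example (it is not code from the thread or from the linked eduroam configuration pages). `LOCAL_REALMS`, `route` and the `example.edu` identities are hypothetical, and rejecting realm-less or malformed identities is a policy assumption of this sketch.

```python
"""Realm-based routing decision for an eduroam-style RADIUS server (added sketch)."""
import re

# Assumption: the realms whose EAP sessions this campus terminates itself.
LOCAL_REALMS = {"syr.edu"}

# Conservative DNS-name check so junk realms are never forwarded upstream.
_REALM_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def route(outer_identity: str) -> str:
    """Return 'local', 'proxy' or 'reject' from the outer identity alone.

    The EAP method is deliberately not an input: for visitors the server
    only relays the tunnel to the home institution and never inspects
    which method runs inside it.
    """
    _user, sep, realm = outer_identity.rpartition("@")
    if not sep:
        return "reject"  # no realm, so no home institution to route to
    realm = realm.strip().lower()  # realms compare case-insensitively
    if not _REALM_RE.match(realm):
        return "reject"  # malformed realm: do not burden the top level
    if realm in LOCAL_REALMS:
        return "local"   # our own user: terminate EAP here
    return "proxy"       # visitor: pass to the top-level servers


if __name__ == "__main__":
    # Constructed sample requests: (outer identity, EAP method of the supplicant).
    samples = [
        ("anonymous@syr.edu", "PEAP/MS-CHAPv2"),
        ("@syr.edu", "PEAP/MS-CHAPv2"),
        ("anonymous@example.edu", "EAP-TLS"),
        ("anonymous@EXAMPLE.edu", "EAP-TTLS"),
        ("visitor", "PEAP/MS-CHAPv2"),
        ("user@example..edu", "EAP-TLS"),
    ]
    for identity, method in samples:
        # The method is printed only to show it plays no part in the decision.
        print(f"{identity!r:28} {method:16} -> {route(identity)}")
```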
