Our approach is to block MAC addresses of banned machines directly on the 
switch port using vendor specific features on our switching gear. However, as 
the Radius requests are still created by your own equipment (which would 
presumably have MAC address Calling-Station-Id information), you could still 
reject outer EAP tunnel requests before they are proxied to the user's home 
institution.

- Craig



On 2012-11-14, at 12:45 AM, Arran Cudbard-Bell <[email protected]> 
wrote:

> The problem comes in implementing the ban.
> 
> Some institutions allow an anonymous outer identity for the EAP tunnel, 
> which, so long as it contains enough information for routing, can contain an 
> arbitrary user id. You ban one and the user can just change it and still get 
> access. You never get to see the inner id unless the home server has been 
> configured to send it back in the Access-Accept.
> 
> The best solution is to contact the home institution directly and get their 
> guys to ban the user. This will be easier once more institutions have adopted 
> CUI as then there'll be a definitive linking value between a user and a 
> session. Even without CUI it should still be possible to figure out the inner 
> ID using timestamps and attributes included in the authentication request(s), 
> it's just harder to automate the process.
> 
> If you're using FreeRADIUS you might want to take a look at the example CUI 
> configurations, and implement them at the same time as your eduroam 
> service.
> 
> -Arran
> 
> 
> 
>> Ah. You clever fella. 
>> 
>> Thanks for turning on the light.
>> 
>> Lee H. Badman
>> Network Architect/Wireless TME
>> ITS, Syracuse University
>> 315.443.3003
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [[email protected]] on behalf of Hanset, Philippe C 
>> [[email protected]]
>> Sent: Tuesday, November 13, 2012 10:48 AM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>> 
>> Lee,
>> 
>> Your campus only terminates EAP sessions for YOUR users.
>> For visitors, you take the initial TLS negotiation (with the outer tunnel 
>> identity e.g. [email protected], or [email protected], or @syr.edu ) and you 
>> pass it to the top level.
>> You never deal with the EAP-type for visitors.
>> In your RADIUS server you basically have a switch: pass to top level OR 
>> terminate locally.
>> Take a look at some config examples: 
>> http://www.eduroamus.org/radius_configuration
>> 
>> Philippe
>> 
>> 
>> On Nov 13, 2012, at 10:12 AM, Lee H Badman <[email protected]>
>> wrote:
>> 
>>> Thanks, Philippe.
>>> 
>>> I'm talking more from supplicant config side. So we use Xpressconnect to 
>>> configure our supplicants to only use MS-CHAPv2 /PEAP while disabling the 
>>> other EAP types, and in RADIUS only have this single EAP type enabled. So 
>>> if our Eduroam SSID required this EAP type, and someone showed up and hit 
>>> our Eduroam with their supplicant configured for EAP-TLS for Eduroam, a 
>>> reconfiguration would be required, no? Or am I really missing something 
>>> important?
>>> 
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>> [[email protected]] on behalf of Hanset, Philippe C 
>>> [[email protected]]
>>> Sent: Tuesday, November 13, 2012 10:01 AM
>>> To: [email protected]
>>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>>> 
>>> Lee,
>>> 
>>> eduroam is EAP agnostic.
>>> All that the roaming does is pass the initial SSL/TLS tunnel to the home 
>>> institution.
>>> Then in the tunnel, exchanges occur between your device and your home 
>>> institution.
>>> So, as long as your institution does a tunneled EAP, you are done. The 
>>> visited institution has nothing to do with your EAP method.
>>> 
>>> EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work
>>> 
>>> Philippe
>>> 
>>> On Nov 13, 2012, at 9:52 AM, Lee H Badman <[email protected]>
>>> wrote:
>>> 
>>>> I have read through the most recent docs, not quite grasping:
>>>> 
>>>> - If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, 
>>>> does that exclude us from Eduroam?
>>>> 
>>>> - If not, what happens when I roam to another campus that uses TLS, or 
>>>> vice versa? The goal is autoconnection, with no reconfig, but is everyone 
>>>> on Eduroam really and truly using the same EAP with no need to reconfigure 
>>>> as you roam campus to campus?
>>>> 
>>>> Sorry to be thick, I realize a lot of time went in to the documents.
>>>> 
>>>> 
>>>> Lee H. Badman
>>>> Network Architect/Wireless TME
>>>> ITS, Syracuse University
>>>> 315.443.3003
>>> 
>> 
> 

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
