On 14 Nov 2012, at 18:24, Lee H Badman <[email protected]> wrote:
> Can always block MAC on WLAN too. Simple, nuclear, elegant.
>
And completely ineffective if the user has any technical skill whatsoever.
shinyhead:freeradius-server-master arr2036$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
ether 7c:6d:62:xx:xx:xx
shinyhead:freeradius-server-master arr2036$ sudo ifconfig en0 ether 11:22:33:44:55:66
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
ether 11:22:33:44:55:66
media: autoselect (none)
status: inactive
-Arran
>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Craig Simons
> Sent: Wednesday, November 14, 2012 1:13 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>
> Our approach is to block MAC addresses of banned machines directly on the
> switch port using vendor specific features on our switching gear. However, as
> the Radius requests are still created by your own equipment (which would
> presumably have MAC address Calling-Station-Id information), you could still
> reject outer EAP tunnel requests before they are proxied to the user's home
> institution.
>
> - Craig
>
>
>
> On 2012-11-14, at 12:45 AM, Arran Cudbard-Bell <[email protected]>
> wrote:
>
>> The problem comes in implementing the ban.
>>
>> Some institutions allow an anonymous outer identity for the EAP tunnel,
>> which, so long as it contains enough information for routing, can contain an
>> arbitrary user id. You ban one and the user can just change it and still get
>> access. You never get to see the inner id unless the homeserver has been
>> configured to send it back in the Access-Accept.
>>
>> The best solution is to contact the home institution directly and get their
>> guys to ban the user. This will be easier once more institutions have
>> adopted CUI as then there'll be a definitive linking value between a user
>> and a session. Even without CUI it should still be possible to figure out
>> the inner ID using timestamps and attributes included in the authentication
>> request(s), it's just harder to automate the process.
>>
>> If you're using FreeRADIUS you might want to take a look at the example CUI
>> configurations, and implement them at the same time as your eduroam
>> service.
>>
>> -Arran
>>
>>
>>
>>> Ah. You clever fella.
>>>
>>> Thanks for turning on the light.
>>>
>>> Lee H. Badman
>>> Network Architect/Wireless TME
>>> ITS, Syracuse University
>>> 315.443.3003
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>> [[email protected]] on behalf of Hanset, Philippe C
>>> [[email protected]]
>>> Sent: Tuesday, November 13, 2012 10:48 AM
>>> To: [email protected]
>>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>>>
>>> Lee,
>>>
>>> Your campus only terminates EAP sessions for YOUR users.
>>> For visitors, you take the initial TLS negotiation (with the outer tunnel
>>> identity e.g. [email protected], or [email protected], or @syr.edu) and you
>>> pass it to the top level.
>>> You never deal with the EAP-type for visitors.
>>> In your RADIUS server you basically have a switch: pass to top level OR
>>> terminate locally.
>>> Take a look at some config examples:
>>> http://www.eduroamus.org/radius_configuration
>>>
>>> Philippe
>>>
>>>
>>> On Nov 13, 2012, at 10:12 AM, Lee H Badman <[email protected]>
>>> wrote:
>>>
>>>> Thanks, Philippe-
>>>>
>>>> I'm talking more from supplicant config side. So we use Xpressconnect to
>>>> configure our supplicants to only use MS-CHAPv2 /PEAP while disabling the
>>>> other EAP types, and in RADIUS only have this single EAP type enabled. So
>>>> if our Eduroam SSID required this EAP type, and someone showed up and hit
>>>> our EDUROAM with their supplicant configured for EAP-TLS for EDUROAM, a
>>>> reconfiguration would be required, no? Or am I really missing something
>>>> important?
>>>>
>>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>>> [[email protected]] on behalf of Hanset, Philippe C
>>>> [[email protected]]
>>>> Sent: Tuesday, November 13, 2012 10:01 AM
>>>> To: [email protected]
>>>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>>>>
>>>> Lee,
>>>>
>>>> eduroam is EAP agnostic.
>>>> All that the roaming does is pass the initial SSL/TLS tunnel to the home
>>>> institution.
>>>> Then in the tunnel, exchanges occur between your device and your home
>>>> institution.
>>>> So, as long as your institution does a tunneled EAP, you are done. The
>>>> visited institution has nothing to do with your EAP method.
>>>>
>>>> EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work
>>>>
>>>> Philippe
>>>>
>>>> On Nov 13, 2012, at 9:52 AM, Lee H Badman <[email protected]>
>>>> wrote:
>>>>
>>>>> I have read through the most recent docs, not quite grasping:
>>>>>
>>>>> - If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to
>>>>> use, does that exclude us from Eduroam?
>>>>>
>>>>> - If not, what happens when I roam to another campus that uses TLS, or
>>>>> vice versa? The goal is autoconnection, with no reconfig, but is everyone
>>>>> on Eduroam really and truly using the same EAP with no need to
>>>>> reconfigure as you roam campus to campus?
>>>>>
>>>>> Sorry to be thick, I realize a lot of time went into the documents.
>>>>>
>>>>>
>>>>> Lee H. Badman
>>>>> Network Architect/Wireless TME
>>>>> ITS, Syracuse University
>>>>> 315.443.3003
>>>>> ********** Participation and subscription information for this EDUCAUSE
>>>>> Constituent Group discussion list can be found at
>>>>> http://www.educause.edu/groups/.
>>>>
>>>
>>
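As an added illustration, not configuration posted by anyone in this thread, here is a FreeRADIUS 3 fragment covering the three mechanisms discussed above: Philippe's realm switch (terminate local users, proxy everyone else to the top-level eduroam servers), Craig's Calling-Station-Id check applied before proxying (which, as Arran's ifconfig session shows, only stops users who cannot change the MAC they present), and the CUI request Arran recommends so a visitor session can later be tied to a home-institution identity. The home server address, shared secret and banned MAC are placeholders; the realm syr.edu is taken from the thread, and cui_authorize and rewrite_calling_station_id are the stock policy names shipped in FreeRADIUS 3's policy.d directory.

```text
# proxy.conf (FreeRADIUS 3.x): the realm switch, terminate locally vs. proxy upward
home_server eduroam_tlr_1 {
    type         = auth+acct
    ipaddr       = 192.0.2.10       # placeholder: national top-level RADIUS server
    port         = 1812
    secret       = CHANGE_ME        # placeholder shared secret
    status_check = status-server
}
home_server_pool eduroam_tlr {
    type        = fail-over
    home_server = eduroam_tlr_1
}
realm syr.edu {                     # local realm: no pool, so EAP terminates here
}
realm DEFAULT {                     # every other realm: proxy the outer tunnel upward
    auth_pool = eduroam_tlr
    acct_pool = eduroam_tlr
    nostrip                         # keep the full outer identity; the TLR routes on it
}

# sites-enabled/eduroam, authorize section
authorize {
    # eduroam cannot route an outer identity without a realm; an empty local
    # part ("@syr.edu") is allowed, as the thread notes
    if (!(&User-Name =~ /^[^@]*@[^@]+$/)) {
        reject
    }
    suffix                          # sets Proxy-To-Realm for non-local realms

    # Local MAC ban, evaluated before the request leaves the site.
    # Normalise first, since NASes format Calling-Station-Id differently.
    # This is only a speed bump: the client decides which MAC it presents.
    rewrite_calling_station_id
    if (&Calling-Station-Id == "11-22-33-44-55-66") {   # placeholder banned MAC
        reject
    }

    # Ask the home server for a Chargeable-User-Identity (a single NUL byte in
    # the request). The returned CUI links this session to a home identity
    # without the home server having to expose the inner id.
    cui_authorize

    eap {
        ok = return                 # local EAP; for proxied realms eap returns noop
    }
}
```

Banned visitors are still best handled by contacting the home institution, as Arran says; the MAC check above only limits what a non-technical user can do from the visited campus.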