We currently don't do machine authentication as we would prefer to track down 
issues to an individual user, rather than workstation.

However we have had issues using Windows 7 SSO and are looking into options. 
They are:

  1.  A hidden SSID for machines to authenticate to.
  2.  Customizing our RADIUS server (RADIATOR) to recognize machine logins 
(HOST/<workstation-name>) and authenticate them separately to the eduroam SSID.

I'd be curious as to what other sites are doing, as well.

Thanks.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Osborne, Bruce W <bosbo...@liberty.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, February 18, 2013 9:13 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius


I have a question for those of you that are using EDUROAM as your only SSID. 
How do you handle Windows machine authentication?

Our domain computers do 802.1X machine authentication when there is not a user 
logged in. This allows the computer to authenticate the user and get their 
profile. It is also useful for remote management when a user is not logged in.

Thanks, all

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tristan Gulyas [mailto:tristan.gul...@monash.edu]
Sent: Saturday, February 16, 2013 8:21 AM
Subject: Re: About the eduroam configuration on Freeradius

Hi,

We have been using eduroam as our primary SSID for a number of years; users can 
simply select the network and enter their username and password, accept the 
certificate and they're good to go.  One thing we've found to be successful for 
us is to accept both just the username and username@domain to enhance usability 
but the drawback is that we will have a few eduroam configured devices that 
won't work at other institutions.

We have RADIATOR perform a lookup via LDAP to determine the class of user 
(student, staff, high school user (as we have a high school as part of our 
University campus)) and return the appropriate Tunnel Group ID for AAA override.

If there is no attribute in LDAP, we place them on the guest VLAN by default, 
however, the guest VLAN and student VLANs are identical in terms of access 
control.

Tristan
---
Tristan Gulyas                  tristan.gul...@monash.edu
Wireless Network Engineer       M:  +61 403224484
eSolutions division            P:  +61 3 9902 9092
Building 205  Monash University   3800   Australia

On 16/02/2013, at 8:55 AM, "Johnson, Neil M" <neil-john...@uiowa.edu> wrote:


We have been using eduroam as our primary SSID since the fall. We could put non 
"@uiowa.edu" users in a separate VLAN that appears outside 
our border, but the actual number of non-Iowa users on campus is so small that 
it wasn't deemed worth the effort to set up and maintain.


Implementing eduroam as our primary SSID happened to happily coincide with 
campus encouraging users to use "use...@uiowa.edu" as 
their default username in order for them to access "cloud" services being 
implemented in the near future.


-Neil
________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Steve Bohrer 
[skboh...@simons-rock.edu]
Sent: Friday, February 15, 2013 3:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

On Feb 15, 2013, at 3:24 PM, Linchuan Yang <linchuan.y...@concordia.ca> wrote:


Dear All

Do you use different radius servers for your local SSID and eduroam SSID?

Currently, we are using the same radius servers for both SSIDs, and we found 
that some of our local users log in with the eduroam SSID inside our campus.

We want to block our local users (both user...@concordia.ca and user123) 
from logging in with the eduroam SSID. Could you please explain how to modify 
the proxy.conf or other configuration files on Freeradius (Linux version)?


We take a different approach, and use "eduroam" as our primary SSID 
campus-wide. That is, all of our local users always connect to eduroam, even 
when they are not roaming. Our radius server knows they are local because they 
have our realm in their username, and we can use their other local LDAP 
attributes to put them into the proper VLAN. Our radius server also puts 
non-Simon's Rock eduroam users into an eduroam guest VLAN. (We have an open 
SSID with instructions for connecting to eduroam, and some special case guest 
VLANs, but no other SSID for our local users).

The benefit is that our users only ever need to do one wifi config, and eduroam 
"just works" when they travel to other federation campuses or to EDU 
conventions and such, because it is exactly the same wifi config that they use 
every day on campus.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
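
Added example, not part of any poster's message and not RADIATOR or FreeRADIUS configuration: a Python sketch of the post-authentication policy the thread describes, where the User-Name form (`host/<workstation-name>`, local realm, other realm, or bare username) and a directory class attribute select the VLAN returned in Tunnel-Private-Group-ID. The realm, VLAN numbers, the `DIRECTORY` stand-in for LDAP and the function names are all assumptions made for illustration.

```python
# Added illustration. Realm, VLAN ids and DIRECTORY are constructed sample values.
LOCAL_REALM = "example.edu"
VLAN_BY_CLASS = {"staff": 110, "student": 120, "highschool": 130}
GUEST_VLAN = 190     # local user with no class attribute in the directory
VISITOR_VLAN = 195   # eduroam user from another realm
MACHINE_VLAN = 140   # domain computer, no user logged in
ACCEPT_BARE_USERNAME = True  # usability choice from the thread; such configs fail off campus

# Stand-in for the LDAP lookup: account -> class attribute (None = no attribute).
DIRECTORY = {"alice": "staff", "bob": "student", "carol": None}


def classify(user_name):
    """Split a RADIUS User-Name into (kind, account, realm)."""
    name = user_name.strip()
    if name.lower().startswith("host/"):
        return ("machine", name[5:].lower(), None)
    if "@" in name:
        account, realm = name.rsplit("@", 1)
        kind = "local" if realm.lower() == LOCAL_REALM else "visitor"
        return (kind, account.lower(), realm.lower())
    if ACCEPT_BARE_USERNAME:
        return ("local", name.lower(), None)
    return ("reject", name.lower(), None)


def vlan_reply(user_name):
    """Reply attributes for a request that has ALREADY authenticated.

    User-Name is supplied by the client, so it only selects a policy here;
    it must never stand in for checking the user or machine credential.
    """
    kind, account, _realm = classify(user_name)
    if kind == "reject":
        return None
    if kind == "machine":
        vlan = MACHINE_VLAN
    elif kind == "visitor":
        vlan = VISITOR_VLAN
    else:
        vlan = VLAN_BY_CLASS.get(DIRECTORY.get(account), GUEST_VLAN)
    return {"kind": kind, "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}
```

Logging the returned `kind` next to the User-Name keeps machine sessions distinguishable from user sessions when tracing an issue back to an individual.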