You reminded me. When we first set up eduroam, Cisco ACS was allowing logins like "hf0002" or "UAH\hf0002". To fix this, we added a rule that denies logins that don't contain an @ in the username. This way people won't be surprised when the roaming features of eduroam don't work for them later.
On Friday, November 11, 2016, Jeremy Mooney <[email protected]> wrote:

> We went that way. It was a relatively easy decision given our old radius
> cert was expiring and everyone would need to reconfigure anyways. We just
> used the opportunity to transition to eduroam instead.
>
> We wanted to enforce proper username syntax (both for roaming, and to push
> CAT so CAs get set up properly), but also allow domain-joined computers to
> authenticate pre-login (on campus - it's not allowed roaming anyways).
> That's primarily so non-cached-users can log in, but also useful for
> management. Our solution was two profiles on Windows - an "eduroam" one
> that's user-entered credentials for roaming, and a "Bethel eduroam" using
> machine-credentials for local/default. We then allow windows host syntax
> (but not windows user syntax) along with the usual user@realm on the
> radius side. A nice side benefit is the network side doesn't have the user
> identity, and having to pull data from an unrelated system discourages
> inappropriate user-ip data correlation.
>
> On Thu, Nov 10, 2016 at 10:04 PM, Becker, Jason <[email protected]> wrote:
>
>> We're getting ready to reduce the number of SSIDs that we have across
>> Campus and one idea is to use eduroam as our main 802.1x secure SSID. Is
>> anyone else doing this and if so how is it going?
>>
>> Thanks,
>>
>> Jason
>> ********** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>
> --
> Jeremy Mooney
> ITS - Bethel University

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
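
The two username policies described in this thread, sketched as an added Python example (not from either poster and not Cisco ACS or any school's RADIUS configuration). It assumes Windows machine authentication presents `host/<name>` as the User-Name; `example.edu`, `lab-pc01`, and the `from_roaming_proxy` and `allow_machine` flags are constructed for illustration.

```python
import re

# Assumption: a realm is a dotted DNS-style name after a single "@".
USER_AT_REALM = re.compile(r"^[^@\\/\s]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")
# Assumption: Windows computer accounts authenticate as "host/<name>".
MACHINE = re.compile(r"^host/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def classify(user_name):
    """Return the syntax class of a RADIUS User-Name."""
    if "\\" in user_name:
        return "windows-user"      # DOMAIN\user, e.g. UAH\hf0002
    if MACHINE.match(user_name):
        return "machine"           # domain-joined computer, pre-login
    if USER_AT_REALM.match(user_name):
        return "user@realm"        # the form eduroam can route
    if "@" not in user_name:
        return "bare"              # e.g. hf0002: works at home, fails roaming
    return "malformed"             # has "@" but no usable realm


def decide(user_name, from_roaming_proxy=False, allow_machine=False):
    """Syntax gate applied before authentication; returns (verdict, class).

    allow_machine=False gives the "must contain a realm" rule from the
    first message; allow_machine=True adds the second message's exception
    for machine credentials, which is honoured on campus only.
    """
    kind = classify(user_name)
    if kind == "user@realm":
        return ("allow", kind)
    if kind == "machine" and allow_machine and not from_roaming_proxy:
        return ("allow", kind)
    return ("deny", kind)


if __name__ == "__main__":
    # Constructed sample identities; the first two are the forms quoted above.
    for name in ["hf0002", "UAH\\hf0002", "hf0002@example.edu",
                 "host/lab-pc01.example.edu", "hf0002@"]:
        print(f"{name!r:32} {decide(name, allow_machine=True)}")
```
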
