Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in EAP/TLS auth?
We've had trouble getting our Windows 10 machines authenticating onto our eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which works:

1) If we create a "Manual Profile" then no authentication traffic ever hits the RADIUS server.
2) If we do NOT create a manual profile then an authentication request does hit the RADIUS server, but with "host/" prepended to the hostname.

Our RADIUS server rejects the authentication with "host/" prepended; I imagine a roaming user would often have the same issue.

I have a theory: The eduroam auth requires a "realm" to be appended to the username so eduroam service-providers and federated RADIUS servers know to proxy a roaming RADIUS auth to the correct server. In our case, we append "@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows 10 to prepend the "host/" prefix. Authentication to our internal SSID without the "@ucar.edu" is working normally.

Any clues? I think we can build a workaround to rewrite the username on the RADIUS server, but that won't help our roaming eduroam EAP/TLS users if other eduroam service-providers are having the same issue.

Scot Colburn
Network Engineer
NCAR/UCAR/NETS/FRGP

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
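The server-side username rewrite and realm-based proxy decision described in the message above, sketched as an added example that is not part of the original post and is not the configuration of any particular RADIUS server. The function names, the `LOCAL_REALMS` set and the sample usernames are assumptions made for illustration; only the "host/" prefix and the "ucar.edu" realm come from the post.

```python
from typing import NamedTuple, Optional

LOCAL_REALMS = {"ucar.edu"}   # realm named in the post; set name is hypothetical
MACHINE_PREFIX = "host/"      # prefix the post reports in the User-Name


class Identity(NamedTuple):
    is_machine: bool          # True when the "host/" prefix was present
    name: str                 # host or user part, prefix and realm removed
    realm: Optional[str]      # lower-cased realm, or None when absent


def parse_identity(user_name: str) -> Identity:
    """Split a RADIUS User-Name into machine flag, name and realm."""
    value = user_name.strip()
    is_machine = value.lower().startswith(MACHINE_PREFIX)
    if is_machine:
        value = value[len(MACHINE_PREFIX):]
    # The realm is whatever follows the last '@'; proxies route on it.
    name, sep, realm = value.rpartition("@")
    if not sep:               # no '@' at all: the whole value is the name
        name, realm = value, ""
    if not name:
        raise ValueError(f"empty name in User-Name {user_name!r}")
    return Identity(is_machine, name, realm.lower() or None)


def rewrite(user_name: str) -> str:
    """Return the User-Name with the machine prefix removed, realm kept."""
    ident = parse_identity(user_name)
    return f"{ident.name}@{ident.realm}" if ident.realm else ident.name


def route(user_name: str) -> str:
    """Decide where a request goes based only on its realm."""
    realm = parse_identity(user_name).realm
    if realm is None:
        return "no-realm"     # nothing for a federation proxy to route on
    return "local" if realm in LOCAL_REALMS else "proxy"


if __name__ == "__main__":
    # Constructed sample usernames, not taken from real logs.
    for sample in ("host/laptop01@ucar.edu", "HOST/pc7@Example.ORG", "laptop01"):
        print(sample, "->", rewrite(sample), route(sample))
```

A rewrite like this only changes the outer identity the home server sees; a visited institution's proxy still receives whatever the client sent, which is the roaming concern raised in the message.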