Andmost of our FTE are distance students that would likely never use EDUROAM.
Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Thursday, February 2, 2017 8:22 AM Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request? Ah- the I2 freebie had me confused, as I assume everyone is one I2. Never had to think about the non I2 costs. Thanks for the information/reminder. -Lee Lee Badman | Network Architect Adjunct Instructor | CWNE #200 Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w its.syr.edu SYRACUSE UNIVERSITY syr.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset Sent: Thursday, February 02, 2017 8:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request? Lee, Let me give the official cost of eduroam: The cost of eduroam in the US is 10 cents per student per year with a minimum of $400 (Number of students reported at National Center for Education Statistics, under IPEDS, total student). The amount is charged to the institution. https://nces.ed.gov/ipeds/Home/UseTheData For Internet2 members, eduroam is included with the Internet2 membership (different than Internet2 connectors!) http://www.internet2.edu/communities-groups/members/higher-education/ Philippe Philippe Hanset, CEO www.anyroam.net<http://www.anyroam.net> www.eduroam.us<http://www.eduroam.us> GPG key id: 0xF2636F9C On Feb 2, 2017, at 7:52 AM, Lee H Badman <lhbad...@syr.edu<mailto:lhbad...@syr.edu>> wrote: Got me curious, Bruce. What costs are associated with Eduroam? Lee Lee Badman Network Architect/Wireless TME Syracuse University 315.443.3003 -----Original Message----- From: Osborne, Bruce W (Network Operations) [bosbo...@liberty.edu<mailto:bosbo...@liberty.edu>] Received: Thursday, 02 Feb 2017, 7:41 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@listserv.educause.edu> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@listserv.educause.edu>] Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request? We do not use Eduroam (too expensive) but we use RADIUS EAP/PEAP MSCHAPv2 for both machine & user authentication. I have only seen the host/ prefix from our OSX clients, not Windows. Perhaps EAP/TLS is different? Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com] Sent: Wednesday, February 1, 2017 8:17 PM Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request? Sounds like the client is configured for computer authentication, not user. You can change this in the supplicant configuration. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John Sent: Wednesday, February 1, 2017 16:51 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request? Let me ask our RADIUS folks about this tomorrow. I'll post whatever I find out. ========================== -jcw ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@listserv.educause.edu>] on behalf of Scot Colburn [colb...@ucar.edu<mailto:colb...@ucar.edu>] Sent: Wednesday, February 01, 2017 5:55 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request? Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in EAP/TLS auth? We've had trouble getting our Windows 10 machines authenticating onto our eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which work: 1) if we create a "Manual Profile" then no authentication traffic ever hits the RADIUS server. 2) if we do NOT create a manual profile then an authentication request does hit the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS server rejects the authentication with "host/" prepended; I imagine a roaming user would have often have the same issue. I have a theory: The eduroam auth requires a "realm" to be appended to the username so eduroam service-providers and federated RADIUS servers know to proxy a roaming RADIUS auth to the correct server. In our case, we append "@ucar.edu<http://ucar.edu/>" to the username. Maybe that "@ucar.edu<http://ucar.edu/>" is provoking Windows10 to prepend the "host/" prefix. Authentication to our internal SSID without the "@ucar.edu<http://ucar.edu/>" is working normally. Any clues? I think we can build a workaround to rewrite the username on the RADIUS server, but that won't help our roaming eduroam EAP/TLS users if other eduroam service-providers are having the same issue. Scot Colburn Network Engineer NCAR/UCAR/NETS/FRGP ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.