Oops.
I stand corrected. I did not pay close attention because it just works in our 
ClearPass environment.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Toivo Voll [mailto:to...@mail.usf.edu]
Sent: Thursday, February 2, 2017 9:23 AM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Not EDUROAM, but in my environment the "username" from EAP-TLS gets pulled as a 
configurable field from the certificate, so other than selecting whether using 
the machine or user certificate on the client (user vs. machine auth), nothing 
is prepended or modified. We use SAN-DNS as the "username" field, and there the 
machine cert (assigned by AD) does not have a "host/" prefix, just the FQDN of 
the machine.

When using EAP PEAP, if machine authentication is allowed, host/ is prepended 
to the username with machine auth, but not for user auth once the user logs in.

This is using Windows 10, Cisco WLC 8.0.132, ISE 2.1

--
Toivo Voll

On Wed, Feb 1, 2017 at 6:55 PM, Scot Colburn <colb...@ucar.edu> wrote:
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which work:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam auth requires a "realm" to be appended to the 
username so eduroam service-providers and federated RADIUS servers know to 
proxy a roaming RADIUS auth to the correct server. In our case, we append 
"@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows 10 to 
prepend the "host/" prefix. Authentication to our internal SSID without the 
"@ucar.edu" is working normally.

Any clues?

I think we can build a workaround to rewrite the username on the RADIUS server, 
but that won't help our roaming eduroam EAP/TLS users if other eduroam 
service-providers are having the same issue.

Scot Colburn
Network Engineer NCAR/UCAR/NETS/FRGP
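The server-side workaround Scot mentions (rewriting the User-Name before authentication) can be sketched as a small identity-normalization policy. The code below is an added example written for this thread, not code posted by any list member or shipped with any RADIUS product. It assumes a hypothetical set of locally owned realms (`LOCAL_REALMS`, here just `ucar.edu` as named in the thread) and constructed sample identities such as `host/pc1.ucar.edu@ucar.edu`. It strips the Windows machine-auth `host/` prefix only for identities in a realm the server owns, leaves roaming identities untouched so they can still be proxied, and keeps the machine-versus-user distinction as a separate flag rather than losing it in the rewrite.

```python
"""Normalize EAP outer identities of the form [host/]subject[@realm].

Added example for the eduroam "host/" thread; not from any list member.
LOCAL_REALMS and the sample identities are constructed for illustration.
"""
import re
from typing import NamedTuple, Optional

# Hypothetical: realms this RADIUS server is authoritative for (constructed).
LOCAL_REALMS = frozenset({"ucar.edu"})

# Prefix Windows adds to the identity when it performs machine (computer) auth.
MACHINE_PREFIX = "host/"

# Conservative shape for a realm: DNS-style labels only (RFC 7542 NAI realm).
_REALM_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")


class EapIdentity(NamedTuple):
    raw: str                # identity exactly as received in the request
    is_machine: bool        # True when the "host/" machine-auth prefix was present
    subject: str            # username or machine name with the prefix removed
    realm: Optional[str]    # text after the last '@', or None when absent
    is_local: bool          # realm is one we own (or no realm was given)


def parse_eap_identity(identity: str, local_realms=LOCAL_REALMS) -> EapIdentity:
    """Split an EAP identity into its machine flag, subject and realm."""
    if not identity or identity != identity.strip():
        raise ValueError("identity must be non-empty with no surrounding whitespace")

    is_machine = identity.lower().startswith(MACHINE_PREFIX)
    body = identity[len(MACHINE_PREFIX):] if is_machine else identity

    # The realm is everything after the LAST '@' (NAI form), so a subject
    # containing '@' does not confuse the split.
    subject, sep, realm = body.rpartition("@")
    if not sep:
        subject, realm = body, None
    if not subject:
        raise ValueError("identity has an empty subject")
    if realm is not None and not _REALM_RE.fullmatch(realm):
        raise ValueError(f"malformed realm: {realm!r}")

    owned = {r.lower() for r in local_realms}
    is_local = realm is None or realm.lower() in owned
    return EapIdentity(identity, is_machine, subject, realm, is_local)


def rewrite_username(identity: str, local_realms=LOCAL_REALMS) -> Optional[str]:
    """Return the User-Name the local server should authenticate, or None
    when the request belongs to another realm and must be proxied unchanged.

    Only identities in a realm we own are rewritten: stripping "host/" from a
    roaming user's identity would change what the home server sees.
    """
    ident = parse_eap_identity(identity, local_realms)
    if not ident.is_local:
        return None
    if ident.realm is None:
        return ident.subject
    return f"{ident.subject}@{ident.realm}"


def classify(identity: str, local_realms=LOCAL_REALMS) -> str:
    """Label a request for policy/logging: local-user, local-machine or proxy."""
    ident = parse_eap_identity(identity, local_realms)
    if not ident.is_local:
        return "proxy"
    return "local-machine" if ident.is_machine else "local-user"


if __name__ == "__main__":
    # Constructed sample identities, as they might appear in Access-Requests.
    for sample in ("host/pc1.ucar.edu@ucar.edu", "alice@ucar.edu",
                   "host/pc2.example.edu@example.edu", "host/pc3"):
        print(f"{sample:40} -> {classify(sample):14} {rewrite_username(sample)}")
```

Applying this as a pre-authentication step means the server no longer rejects the machine-auth identity on the prefix alone, while the `is_machine` flag remains available so a machine certificate can still be required for machine sessions and a user certificate for user sessions. The roaming case is deliberately left alone: if other service providers see the same prefix, the fix has to land at the home realm, not in every proxy.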

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
