We onboard EAP-TLS to eduroam. I'm not following this progression of
events.
On 9/20/19 3:47 PM, Aaron Abitia wrote:
Hello all, Aaron from Cal Poly, San Luis Obispo here...
We just went all eduroam and turned off our primary branded dot1x
SSID, which featured Aruba Clearpass EAP-TLS Onboarding of devices.
Because Onboarding is now gone, my question is about the eduroam CAT
tool…I believe reasons for using it would be to mitigate
man-in-the-middle attacks, to get rid of the red “Not Verified” iOS
message and to otherwise insulate the user from manually accepting our
RADIUS certificate.
However, I’m wondering about usability once our users leave our
campus. We have seen users here from other universities who are
unable to connect to eduroam, and we find that they are running a
profile from their home university, though we’re not sure if it’s the
eduroam CAT tool or another installer. Once we remove their profile,
they are able to get on eduroam. I believe that if an organization is
using a profile and that profile lists the RADIUS server(s) from that
organization for the eduroam connection, the user may or may not be
dead until that profile is removed, depending on what’s in the
profile; if all that’s in the profile is the organization’s RADIUS
servers, the user should still work here, but if there are other
elements in that profile, the user could fail, which we’ve seen, but
I’m trying to identify what precisely in the profile could cause the
failure to connect. Would anyone have any insight into this?
We have many other eduroam users from other organizations that work
fine here, presumably because no profile is being used and the user
has just manually connected at home and here at our school. I would
also be interested in hearing about the eduroam CAT tool from anyone
using it, or other config tools used by anyone and the reasons for it,
beyond what I’ve mentioned above.
Many thanks.
--
Aaron Abitia
Network Analyst
Enterprise Information Systems, Networks
Information Technology Services
Cal Poly State University
Tel: 805.756.1295
**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email
reply. Additional participation and subscription information can be
found at https://www.educause.edu/community
--
Mike Davis
IT - University of Delaware - 302.831.8756
Newark, DE 19716 Email [email protected]