As a tangent "answer" to the original question: We have found that ONE eduroam 
profile per device is the best (and many times the only) solution. And, how 
they onboard is immaterial. 

If someone keeps their home institution's eduroam profile, it will work fine 
and dandy but they will not get the extra privileges and resources associated 
with using our eduroam profile. 


Christina Klam 
Network Engineer 
Institute for Advanced Study 
1 Einstein Dr 
Princeton, NJ 08540 
+1 609-734-8154 
ck...@ias.edu 



From: "Anderson, Charles R" <c...@wpi.edu> 
To: "The EDUCAUSE Wireless Issues Community Group Listserv" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
Sent: Friday, September 20, 2019 5:57:36 PM 
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] WiFi failures due to 
eduroam profiles 

I'm not following either. We onboard both profiles with the same EAP-TLS certs, 
although we are using SecureW2 (just moved from CloudPath). It matters not 
which one the user's device connects to locally--they both drop the user on the 
same network. If we were to eventually drop our branded SSID, we'd just 
reconfigure the onboarding tool to configure only eduroam, but still use the 
same configuration/certs otherwise. 

On Fri, Sep 20, 2019 at 04:01:32PM -0400, Michael Davis wrote: 
> We onboard EAP-TLS to eduroam. I'm not following this progression of 
> events. 
> 
> On 9/20/19 3:47 PM, Aaron Abitia wrote: 
> > 
> > Hello all, Aaron from Cal Poly, San Luis Obispo here... 
> > 
> > 
> > We just went all eduroam and turned off our primary branded dot1x 
> > SSID, which featured Aruba Clearpass EAP-TLS Onboarding of devices. 
> > Because Onboarding is now gone, my question is about the eduroam CAT 
> > tool…I believe reasons for using it would be to mitigate 
> > man-in-the-middle attacks, to get rid of the red “Not Verified” iOS 
> > message and to otherwise insulate the user from manually accepting our 
> > RADIUS certificate. 
> > 
> > 
> > However, I’m wondering about usability once our users leave our 
> > campus. We have seen users here from other universities who are 
> > unable to connect to eduroam, and we find that they are running a 
> > profile from their home university, though we’re not sure if it’s the 
> > eduroam CAT tool or another installer. Once we remove their profile, 
> > they are able to get on eduroam. I believe that if an organization is 
> > using a profile and that profile lists the RADIUS server(s) from that 
> > organization for the eduroam connection, the user may or may not be 
> > dead until that profile is removed, depending on what’s in the 
> > profile; if all that’s in the profile is the organization’s RADIUS 
> > servers, the user should still work here, but if there are other 
> > elements in that profile, the user could fail, which we’ve seen, but 
> > I’m trying to identify what precisely in the profile could cause the 
> > failure to connect. Would anyone have any insight into this? 
> > 
> > 
> > We have many other eduroam users from other organizations that work 
> > fine here, presumably because no profile is being used and the user 
> > has just manually connected at home and here at our school. I would 
> > also be interested in hearing about the eduroam CAT tool from anyone 
> > using it, or other config tools used by anyone and the reasons for it, 
> > beyond what I’ve mentioned above. 
> > 
> > 
> > Many thanks. 

********** 
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 
