On Thu, 11 Feb 2021, Matthew Craig wrote:

> Does all this have any consequences for “traveling” eduroam clients?
... 
> Professor X travels to otherorg.edu:
> 
> Location: traveling at otherorg.edu
> ssid: eduroam
> username: profess...@myorg.edu
> Professor X’s supplicant config: Domain = myorg.edu
> otherorg radius server: aaa.otherorg.edu

To expand on Tim's answer:

> No. EAP server trust is between the client and home infrastructure.

Agree; because the validation of the cert is against the authenticating 
radius server, i.e. his home one.  When he is on otherorg's network, the 
network initially directs the EAP conversation to the local radius server, 
it then just gets proxied on to his home organisation myorg.edu (as routed 
by the outer identity), and that's the one that's checking his credentials 
so that's the one that is trusted (inside the tunnel that is created 
between the two end parties).  Everything in between is just passing the 
packets along (and is blind to the conversation inside the tunnel).

I find this is often misunderstood as well, if you're taking notes for 
your blog post Tim :).

A passive observation from this side of the pond might be that within 
Europe, roaming between eduroam sites is far more common than in the US, 
so this use case is less commonly considered?  In the UK at least, when we 
were trialling the service, roaming was in fact the primary use case and 
problem for which we were developing a solution (in those heady days 
before XP SP3 made 802.1X useable); having 'eduroam' as your primary site 
network for your own users was slightly an afterthought.  (You may treat 
visitor users vs local users differently by policy of course).

Jethro.


> 
> Does this not break?
> 
> What do?
> 
> -
> Matt Craig
> Network Engineer
> Information and Communication Technologies
> New Mexico State University
> 
> On Feb 11, 2021, at 8:19 AM, Tim Cappalli 
> <00000194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> 
> Yes, the EAP server certificate subject should be the same eTLD as the 
> credential realm.
> 
> Said differently, if EAP identity is `t...@capptoso.com`, the server 
> certificate should be `<something>.capptoso.com`.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jethro R Binks 
> <jethro.bi...@strath.ac.uk>
> Date: Thursday, February 11, 2021 at 10:15
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Android 11 Manual 
> Profile Configuration Variable
> 
> Can I drill into this a bit please, just to be clear on my understanding?
> 
> On Thu, 11 Feb 2021, Sweetser, Frank E. wrote:
> 
> > "The STA is configured with EAP credentials that explicitly specify a CA
> > root certificate that matches the root certificate in the received
> > Server Certificate message and, if the EAP credentials also include a
> > domain name (FQDN or suffix-only), it matches the domain name
> > (SubjectAltName dNSName if present, otherwise SubjectName CN) of the
> > certificate [2] in the received Server Certificate message."
> >
> > In particular, note the bit about SAN if present, otherwise CN.  A
> > strict reading of this (which Android appears to follow) means that
> > unlike the web browser behavior we're all used to, if there is a dNSName
> > in the SAN list, then the CN will not be evaluated in matching the
> > client configured domain.  This means that if you have:
> >
> >
> >   *   A client configured domain of myorg.edu
> >   *   A server CN of radius.myorg.edu
> >   *   A server SAN of radius.myotherorg.edu
> 
> Particularly, "EAP credential domain name", as contrasted with the
> "Domain" setting in the client discussed earlier.
> 
> My understanding is that the "Domain" setting in the client is telling the
> client "the radius server must present a certificate with this
> subjectAltName/CN".  Equivalent to the Validate server connection /
> Connect to these servers settings seen elsewhere?
> 
> But "EAP credential domain name" to me means the credentials one provides
> to authenticate as, so usern...@myorg.edu say.
> 
> Is this saying that the server cert subjectAltName/CN must be "myorg.edu"?
> That's not what the common case is now I would say; most radius server
> certs would likely carry a name "aaa.myorg.org", "radius.myorg.org" or
> somesuch.
> 
> Do I misunderstand "EAP credentials also include a domain name (FQDN or
> suffix-only)" ??
> 
> Reading the document a bit more, "EAP credentials" seems to be a broader
> phrase equated to "network profile" (see 5.3.1), so perhaps means "the
> bundle of settings including login credentials and Domain of radius server
> for validation", so "EAP credential domain name" is referring to the
> Domain (for cert validation) ie "radius.myorg.org", not any domain part of
> the login credentials ie "myorg.org"?  Is that a correct reading?
> 
> Jethro.
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
> 
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
> 
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
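The spec text Frank quoted (dNSName SANs are checked if present, otherwise the Subject CN; the configured name may be an FQDN or a suffix) and the roaming point made above (the certificate the supplicant validates is the home realm's, whatever network it is sitting on) are easy to get wrong in a profile. The following Python is an added illustration, not code from the thread, any supplicant, or any spec; it assumes the label-boundary suffix semantics that wpa_supplicant documents for `domain_suffix_match`, and the certificates and identity in it are constructed stand-ins, not parsed X.509.

```python
"""
EAP server-certificate name matching as the quoted text describes it:
dNSName SAN entries are authoritative when present; the Subject CN is
consulted only when the certificate carries no dNSName at all.
Certificates here are minimal constructed objects, not real X.509.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for an EAP server certificate."""
    subject_cn: str
    san_dnsnames: list = field(default_factory=list)


def _labels(name: str) -> list:
    # Case-insensitive, ignore a trailing dot, compare label by label.
    return name.rstrip(".").lower().split(".")


def suffix_match(candidate: str, configured: str) -> bool:
    """Label-boundary suffix match (wpa_supplicant domain_suffix_match style):
    'myorg.edu' matches 'radius.myorg.edu' but NOT 'evilmyorg.edu'."""
    c, s = _labels(candidate), _labels(configured)
    return len(c) >= len(s) and c[-len(s):] == s


def exact_match(candidate: str, configured: str) -> bool:
    """FQDN constraint: the whole name must match."""
    return _labels(candidate) == _labels(configured)


def eap_domain_matches(cert: ServerCert, configured: str,
                       fqdn: bool = False, cn_fallback: bool = False) -> bool:
    """
    fqdn=False      suffix-only constraint; fqdn=True exact FQDN constraint.
    cn_fallback=False  strict reading from the thread: once any dNSName SAN is
                       present the CN is never consulted.
    cn_fallback=True   browser-like contrast (assumed here, NOT the quoted rule).
    """
    cmp = exact_match if fqdn else suffix_match
    if cert.san_dnsnames:
        if any(cmp(n, configured) for n in cert.san_dnsnames):
            return True
        return bool(cn_fallback and cmp(cert.subject_cn, configured))
    return cmp(cert.subject_cn, configured)


def realm_of(identity: str) -> str:
    """Realm of an EAP identity (text after the last '@'); this is what
    routes the request home and what Tim says the cert should live under."""
    return identity.rsplit("@", 1)[-1]


# Constructed certificates for the scenarios discussed in the thread.
FRANK_CASE = ServerCert("radius.myorg.edu", ["radius.myotherorg.edu"])
CN_ONLY = ServerCert("radius.myorg.edu")
SAN_OK = ServerCert("aaa.myorg.edu", ["aaa.myorg.edu", "radius.myorg.edu"])
LOOKALIKE = ServerCert("evilmyorg.edu", ["evilmyorg.edu"])
HOME_AAA = ServerCert("aaa.myorg.edu", ["aaa.myorg.edu"])
VISITED_AAA = ServerCert("aaa.otherorg.edu", ["aaa.otherorg.edu"])


def run_scenarios(configured: str = "myorg.edu") -> dict:
    """Profile Domain = myorg.edu (suffix) against each constructed cert."""
    return {
        "frank_strict": eap_domain_matches(FRANK_CASE, configured),
        "frank_browser_like": eap_domain_matches(FRANK_CASE, configured, cn_fallback=True),
        "cn_only": eap_domain_matches(CN_ONLY, configured),
        "san_ok": eap_domain_matches(SAN_OK, configured),
        "lookalike": eap_domain_matches(LOOKALIKE, configured),
        "san_ok_fqdn": eap_domain_matches(SAN_OK, "radius.myorg.edu", fqdn=True),
        "san_ok_fqdn_wrong": eap_domain_matches(SAN_OK, configured, fqdn=True),
    }


def roaming_check(identity: str = "user@myorg.edu") -> dict:
    """Roaming user (constructed identity) at otherorg: only the home
    server's certificate, seen inside the EAP tunnel, satisfies the realm."""
    realm = realm_of(identity)
    return {
        "home_server": eap_domain_matches(HOME_AAA, realm),
        "visited_server": eap_domain_matches(VISITED_AAA, realm),
    }


if __name__ == "__main__":
    for name, ok in {**run_scenarios(), **roaming_check()}.items():
        print(f"{name:20s} {'match' if ok else 'NO MATCH'}")
```

The `frank_strict` row is the Android behaviour Frank describes: with a dNSName of `radius.myotherorg.edu` present, the CN `radius.myorg.edu` is never looked at and the profile fails; `frank_browser_like` only passes because CN fallback has been switched on for contrast. The `lookalike` row is why the suffix match must stop at a label boundary, and `roaming_check` is the point made above: the realm in the identity selects the home server, and the visited organisation's certificate would not satisfy the profile even if it were somehow presented.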
