ArubaOS and Controllers

Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Only partial 802.1x username displayed

Hi all,

We provide an eduroam service, which allows participating institution users to authenticate at our site using their home credentials.

Looking at the list of connected clients, our users have a username in the format "<username>@<realm>" which is exactly what I would expect. I am seeing some visitors who have successfully authenticated where the username is just "<username>" without the @.

Does anyone know why I wouldn't be seeing the full username?

I am aware of being able to use an anonymous identity, and it is possible that the outer request our radius server would see (and the Aruba controller) would only contain a realm without a username; however the realm is required to know where to 'route' the authentication request.

Additionally, if I check our radius server logs I can see the full username@realm.
Aruba
Posts: 760
Registered: ‎05-31-2007

Which AOS version are you running?

Which AOS version are you running? I ask as I have EDUROAM deployments locally that I can check with to see how their performance has been/is on same parameter.
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Only partial 802.1x username displayed




Thanks for the quick reply, we have AOS 5.0.

From a controller point of view, it shouldn't know if the user is a local or visitor (I don't think I've given it our realm anywhere) so it seems very bizarre.

Occasional Contributor I
Posts: 5
Registered: ‎09-15-2009

Re: Only partial 802.1x username displayed

Hi guys,

This may be relevant - there is a bug in the code 5.0.2.1 which we are running whereby the controller truncates the username to 26 characters. This was not an issue for us in 3.3.3.3.

TAC are working on this as we speak.

Tom
Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Outer Identity


> Hi all,
>
> We provide an eduroam service, which allows participating institution users to authenticate at our site using their home credentials.
>
> Looking at the list of connected clients, our users have a username in the format "<username>@<realm>" which is exactly what I would expect. I am seeing some visitors who have successfully authenticated where the username is just "<username>" without the @.
>
> Does anyone know why I wouldn't be seeing the full username?
>
> I am aware of being able to use an anonymous identity, and it is possible that the outer request our radius server would see (and the Aruba controller) would only contain a realm without a username; however the realm is required to know where to 'route' the authentication request.
>
> Additionally, if I check our radius server logs I can see the full username@realm.

The Outer Identity CAN be completely different than what the actual username passed to the radius server is. There is an option in freeradius to pass the actual username back to the controller if you are interested in that.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Only partial 802.1x username displayed

I am aware the outer identity can be different - however the outer identity *must* contain the correct realm otherwise it isn't possible to 'route' to the correct place. I'm seeing only the username without the realm.

Someone else within the eduroam community said this could be because the home server might provide a User-Name attribute in the Access-Accept message of just the username (no realm) and the controller might be using that instead of the User-Name in the 802.1x connection request.
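
The explanations raised so far in the thread (a User-Name returned in the Access-Accept, or truncation to 26 characters) can be told apart from a capture of the RADIUS exchange. The following is an added example, not code from any poster or from Aruba: it parses the User-Name attribute (type 1, RFC 2865) from both packets and compares it with the name the controller displays. The function names, the realm example.org and the sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME = 1                          # attribute type 1 = User-Name
TRUNCATE_AT = 26                       # truncation length reported in this thread


def build_packet(code, ident, attrs):
    """Build a constructed RADIUS packet (zeroed authenticator, sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def user_name(packet):
    """Return the User-Name attribute of a RADIUS packet, or None if absent."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20                           # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == USER_NAME:
            return packet[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    return None


def explain(displayed, request, accept):
    """Match the name the controller displays against the thread's candidate causes."""
    outer, returned = user_name(request), user_name(accept)
    if displayed == outer:
        return "outer identity from Access-Request"
    if returned is not None and displayed == returned:
        return "User-Name returned in Access-Accept"
    if outer and len(displayed) == TRUNCATE_AT and outer.startswith(displayed):
        return "outer identity truncated to 26 characters"
    return "unexplained"


# Constructed sample exchange: the home server answers with a realm-less User-Name.
REQ = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"visitor@example.org")])
ACC = build_packet(ACCESS_ACCEPT, 7, [(USER_NAME, b"visitor")])
```
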
Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

True


> I am aware the outer identity can be different - however the outer identity *must* contain the correct realm otherwise it isn't possible to 'route' to the correct place. I'm seeing only the username without the realm.
>
> Someone else within the eduroam community said this could be because the home server might provide a User-Name attribute in the Access-Accept message of just the username (no realm) and the controller might be using that instead of the User-Name in the 802.1x connection request.

True,

Ignore what I said.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 22
Registered: ‎12-11-2009

Re: Only partial 802.1x username displayed

Are you using TLS or Peap?
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Only partial 802.1x username displayed




Our clients use peap. The visitors will use whatever their home institution tells them to use.

Occasional Contributor II
Posts: 20
Registered: ‎04-29-2008

Re: Only partial 802.1x username displayed

Could it be that your Radius server "auto-completes" with your local domain when it doesn't see the @ ?

That wouldn't explain how a local user and a distant (other realm) user could have the same password :rolleyes:

In our case, we broadcast a separate SSID for eduRoam so our local users don't have to include the local domain. It also has the added benefit of informing visitors that we do support eduRoam, which is not the case for all the colleges in my neck of the woods. The Radius server is configured to reject usernames with or without the @, depending on the SSID.