Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Anonymous Outer Identity non-determinism - eduroam

  • 1.  Anonymous Outer Identity non-determinism - eduroam

    Posted Oct 13, 2017 09:51 AM

    I've created an anonymous outer identity service in clearpass and it works well most of the time.  The primary reason was to separate the realm requirements of eduroam from forcing clients to enter in the full realm as their usernames.


    What I'm seeing is that for clients that don't enter the realm in for their inner identity, sometimes their auth request to clearpass is not being decoded correctly and their Username is being seen as anonymous and they are being enforced as a guest user.  If a client has entered their username with the full @realm.edu, I've never seen one fail in this way.


    The same client will succeed for 3-4 times, then fail, then succeed again several times, then fail, etc.  Access Tracker logs for successful and failed attempts are below:


    Successful:


    Computed Attributes
    Authentication:ErrorCode        0
    Authentication:Full-Username    "Correct USERNAME"
    Authentication:Full-Username-Normalized "Correct USERNAME"
    Authentication:InnerMethod      EAP-MSCHAPv2
    Authentication:MacAuth  NotApplicable
    Authentication:OuterMethod      EAP-PEAP
    Authentication:Posture  Unknown
    Authentication:Source   ldap.
    Authentication:Status   User
    Authentication:Username "Correct USERNAME"
    Authorization:Sources   ldap.


    Unsuccessful:


    Computed Attributes
    Authentication:ErrorCode        0
    Authentication:Full-Username    "Correct USERNAME"
    Authentication:MacAuth  NotApplicable
    Authentication:OuterMethod      EAP-PEAP
    Authentication:Posture  Unknown
    Authentication:Source   ldap
    Authentication:Status   User
    Authentication:Username anonymous
    Authorization:Sources   ldap.



  • 2.  RE: Anonymous Outer Identity non-determinism - eduroam

    EMPLOYEE
    Posted Oct 13, 2017 11:13 AM
    The best practice for eduroam is to add a rule at the top of all policies that rejects usernames that don't contain '@'.


  • 3.  RE: Anonymous Outer Identity non-determinism - eduroam

    Posted Oct 13, 2017 11:18 AM

    The outer identity is hardcoded to anonymous@realm.edu so that eduroam is satisfied. Are you saying that users should be forced to always enter the inner identity as USERNAME@realm.edu also?


    Having that requirement is the reason I switched to anonymous outer as 50% of our help desk calls were for users not adding the realm, because it's the only place on campus they have to auth with the full realm.




  • 4.  RE: Anonymous Outer Identity non-determinism - eduroam

    EMPLOYEE
    Posted Oct 13, 2017 11:27 AM
    How is the anonymous identity being configured on the device in the first place? It's completely optional.


  • 5.  RE: Anonymous Outer Identity non-determinism - eduroam

    Posted Oct 13, 2017 11:30 AM

    We use the eduroam CAT application.



  • 6.  RE: Anonymous Outer Identity non-determinism - eduroam

    EMPLOYEE
    Posted Oct 13, 2017 11:40 AM
    I thought that tool provided the ability to auto append the domain to form a UPN. Is that not the case?


  • 7.  RE: Anonymous Outer Identity non-determinism - eduroam

    Posted Oct 13, 2017 11:41 AM

    It is a feature on the enhancement list, but is not available at this time.
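As an added example (not ClearPass code or configuration from this thread), the following script applies the rule recommended in reply 2, rejecting usernames without an '@', to Access Tracker "Computed Attributes" blocks like the two quoted in the opening post, and also catches the failure mode described there, where the hard-coded anonymous outer identity ends up as the Username because the inner identity was never decoded. The sample blocks, "jdoe@realm.edu" and "realm.edu" are constructed placeholders.

```python
import re

# Constructed samples modelled on the two Access Tracker blocks in the opening post;
# the failing one has no InnerMethod and carries the outer identity as Username.
SUCCESS_BLOCK = """\
Authentication:ErrorCode        0
Authentication:Full-Username    "jdoe@realm.edu"
Authentication:InnerMethod      EAP-MSCHAPv2
Authentication:OuterMethod      EAP-PEAP
Authentication:Username "jdoe@realm.edu"
"""
FAIL_BLOCK = """\
Authentication:ErrorCode        0
Authentication:Full-Username    "jdoe@realm.edu"
Authentication:OuterMethod      EAP-PEAP
Authentication:Username anonymous
"""


def parse_computed_attributes(text):
    """Turn 'Key<whitespace>Value' lines into a dict, stripping surrounding quotes."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"\s+", line.strip(), maxsplit=1)
        attrs[parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
    return attrs


def evaluate(attrs, home_realm):
    """Return (decision, reason) for one request."""
    username = attrs.get("Authentication:Username", "")
    user, _, realm = username.partition("@")
    # Inner identity not decoded: the hard-coded outer identity leaked into Username.
    # Treating this as a guest (as the poster observed) would be the wrong outcome.
    if "Authentication:InnerMethod" not in attrs or user.lower() == "anonymous":
        return "REJECT", "outer identity used as Username; inner identity not decoded"
    # The top-of-policy rule from reply 2: no realm, no service.
    if not realm:
        return "REJECT", "username has no @realm"
    return "ACCEPT", f"user {user} in realm {realm} (home realm {home_realm})"


if __name__ == "__main__":
    for name, block in (("success", SUCCESS_BLOCK), ("fail", FAIL_BLOCK)):
        print(name, evaluate(parse_computed_attributes(block), "realm.edu"))
```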