Frequent Contributor I

Anonymous Outer Identity non-determinism - eduroam

I've created an anonymous outer identity service in ClearPass and it works well most of the time. The primary reason was to separate the realm requirements of eduroam from forcing clients to enter the full realm as their usernames.


What I'm seeing is that for clients that don't enter the realm for their inner identity, sometimes their auth request to ClearPass is not being decoded correctly: their Username is being seen as anonymous and they are being enforced as a guest user. If a client has entered their username with the full @realm.edu, I've never seen one fail in this way.


The same client will succeed 3-4 times, then fail, then succeed again several times, then fail, etc. Access Tracker logs for successful and failed attempts are below:


Successful:


Computed Attributes
Authentication:ErrorCode        0
Authentication:Full-Username    "Correct USERNAME"
Authentication:Full-Username-Normalized "Correct USERNAME"
Authentication:InnerMethod      EAP-MSCHAPv2
Authentication:MacAuth  NotApplicable
Authentication:OuterMethod      EAP-PEAP
Authentication:Posture  Unknown
Authentication:Source   ldap.
Authentication:Status   User
Authentication:Username "Correct USERNAME"
Authorization:Sources   ldap.


Unsuccessful:


Computed Attributes
Authentication:ErrorCode        0
Authentication:Full-Username    "Correct USERNAME"
Authentication:MacAuth  NotApplicable
Authentication:OuterMethod      EAP-PEAP
Authentication:Posture  Unknown
Authentication:Source   ldap
Authentication:Status   User
Authentication:Username anonymous
Authorization:Sources   ldap.

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: Anonymous Outer Identity non-determinism - eduroam

The best practice for eduroam is to add a rule at the top of all policies that rejects usernames that don't contain '@'.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
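An added example (not code from ClearPass, the eduroam CAT tool, or either poster) that applies the two points above to the Access Tracker dumps pasted in the first post: it parses the Computed Attributes format, flags requests where Username collapsed to the anonymous outer identity while Full-Username still names a real user (the guest-enforcement failure described), and applies the reject-if-no-@realm rule. The realm realm.edu and the user jdoe are placeholders.

```python
import re

REALM = "realm.edu"  # placeholder realm, as written in the thread


def parse_computed_attributes(dump: str) -> dict:
    """Turn an Access Tracker 'Computed Attributes' dump (format as pasted
    in the thread) into a dict; quoted values lose their quotes."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r"^\s*(\S+:\S+)\s+(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def has_realm(identity: str, realm: str = REALM) -> bool:
    """Top-of-policy rule from the reply above: the identity must carry '@realm'."""
    return identity.lower().endswith("@" + realm.lower())


def classify(dump: str) -> str:
    """'outer-leaked': Username fell back to the anonymous outer identity while
    Full-Username still names a real user (session would be enforced as guest).
    'no-realm': inner identity has no @realm, so the reject rule would fire.
    'ok': realm present and both identities consistent."""
    a = parse_computed_attributes(dump)
    user = a.get("Authentication:Username", "")
    full = a.get("Authentication:Full-Username", "")
    if user.lower().startswith("anonymous") and full \
            and not full.lower().startswith("anonymous"):
        return "outer-leaked"
    if not has_realm(user):
        return "no-realm"
    return "ok"


# Constructed samples in the thread's dump format (user "jdoe" is made up).
GOOD = """Computed Attributes
Authentication:Full-Username    "jdoe@realm.edu"
Authentication:OuterMethod      EAP-PEAP
Authentication:Username "jdoe@realm.edu"
"""
NO_REALM = """Computed Attributes
Authentication:Full-Username    "jdoe"
Authentication:Username "jdoe"
"""
LEAKED = """Computed Attributes
Authentication:Full-Username    "jdoe"
Authentication:Username anonymous
"""

if __name__ == "__main__":
    for name, d in (("good", GOOD), ("no_realm", NO_REALM), ("leaked", LEAKED)):
        print(name, classify(d))
```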
Frequent Contributor I

Re: Anonymous Outer Identity non-determinism - eduroam

The outer identity is hardcoded to anonymous@realm.edu so that eduroam is satisfied. Are you saying that users should be forced to always enter their inner identity as USERNAME@realm.edu also?


Having that requirement is the reason I switched to anonymous outer, as 50% of our help desk calls were for users not adding the realm, because it's the only place on campus they have to auth with the full realm.


Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: Anonymous Outer Identity non-determinism - eduroam

How is the anonymous identity being configured on the device in the first place? It's completely optional.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Anonymous Outer Identity non-determinism - eduroam

We use the eduroam CAT application.

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: Anonymous Outer Identity non-determinism - eduroam

I thought that tool provided the ability to auto append the domain to form a UPN. Is that not the case?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Anonymous Outer Identity non-determinism - eduroam

It is a feature on the enhancement list, but is not available at this time.


Mike Davis
Network Engineer
University of Delaware