New Contributor

Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

Hello all!

I have a question regarding how to configure Clearpass in the following scenario:

1. A company has multiple login domains (e.g. xx.com, xx.org, xx.net)

2. The company will authenticate all users with an anonymous@xx.com account, with a certificate bound to that user.

3. The next step is to authenticate the "real" user with its own credentials inside the established EAP tunnel, created by step 2.

 

I have tried almost everything, but I can't get this to work :(

 

Questions:

How should the method be configured?

How should the service be configured?

And the last one, how do I configure e.g. an iPhone for this type of connection?

 

BR

Fredrik

Guru Elite

Re: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

Is this EAP-PEAP or EAP-TLS?

Do you simply want to authenticate users for multiple domains?

Did you try adding ClearPass to multiple domains?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor

Re: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

Hi

 

We are trying to use EAP-PEAP.

 

Yes, the current company structure requires multiple "inside" user domains.

And the correct domain has trusts to all other domains, but in this scenario we have to use a specific domain name, for authentication externally using radius proxies.

 

BR

Fredrik E

Guru Elite

Re: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

So, you already have a radius proxy?  What are you trying to do in addition, then?

You have Eduroam in the title of this post.  Where does that come in?



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

We do not have our own radius proxies; we have a connection (RX/TX) with Eduroam national proxies. Here we have our "main" domain registered; all authentication requests coming from a user with our domain end are relayed to our Clearpass servers for authentication. This works perfectly as long as the user has a user account in that specific domain.

The problem is when a user is a part of the company but his home domain is another.

Here we would like to use an outer identity that relays the request to our servers, and then the user specifies his "correct" credentials (inner identity).

 

Hope this makes sense :)

 

BR

Fredrik

Guru Elite

Re: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

Create a standard 802.1X service that matches on that realm and uses the appropriate authentication source.

 

Also, just to be clear, the certificate needs to be bound to the user. The anonymous outer identity is not a "user". You also mentioned later in the thread that you're using PEAPv0/EAP-MSCHAPv2. Which is it?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
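
As an added illustration of the realm handling discussed in this thread (not part of any post and not ClearPass configuration), the following Python sketch models the two decisions: the proxy routes on the realm of the outer identity, and the home server picks an authentication source from the realm of the inner identity. The authentication source names and the `select_auth_source` helper are hypothetical.

```python
# Constructed model of realm handling for tunnelled EAP (PEAP).
# Realm registered with the national proxies, as described in the thread.
PROXY_REGISTERED_REALM = "xx.com"

# Hypothetical mapping of inner realms to authentication sources (placeholder names).
AUTH_SOURCES = {
    "xx.com": "AD-xx.com",
    "xx.org": "AD-xx.org",
    "xx.net": "AD-xx.net",
}


def split_identity(identity):
    """Split 'user@realm' at the last '@'; realm is lower-cased, None if absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower() or None


def proxy_relays_to_us(outer_identity):
    """The proxy never sees inside the tunnel; it routes on the outer realm only."""
    _, realm = split_identity(outer_identity)
    return realm == PROXY_REGISTERED_REALM


def select_auth_source(outer_identity, inner_identity):
    """Match the service on the outer realm, then choose a source by inner realm."""
    if not proxy_relays_to_us(outer_identity):
        return None  # the request is never relayed to the home server
    user, inner_realm = split_identity(inner_identity)
    if not user or inner_realm is None:
        return None  # inner identity must carry a user name and a realm
    # Unknown inner realms are rejected instead of falling back to a default.
    return AUTH_SOURCES.get(inner_realm)


if __name__ == "__main__":
    # Constructed sample identities.
    for outer, inner in [
        ("anonymous@xx.com", "anna@xx.org"),
        ("anna@xx.org", "anna@xx.org"),
        ("anonymous@xx.com", "anna@example.test"),
    ]:
        print(outer, inner, "->", select_auth_source(outer, inner))
```
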
New Contributor

Re: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

The problem is how we should do this setup: we need to use an anonymous account for the EAP tunnel (outer identity), and then we will use this EAP tunnel for authentication traffic for the "real" identity.

 

Sorry for the "weak" explanation :(

 
