Security

Contributor II

eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

I'm working on a new CPPM setup for eduroam, and combining it with AirGroup. I set up eduroam according to the docs from Geant and it works well. I set up AirGroup according to documentation, and it appears to work well at first, but then mostly stops working. (Most iOS devices stop working; a macOS device stays working to AppleTV.)

 

Since eduroam requires USERNAME@Domain.Edu usernames that get stripped off in the CPPM Service, I create my AirGroup devices (Chromecast, AppleTV, etc.) shared to both USERNAME and USERNAME@Domain.Edu. But under investigation, it appears that AirGroup doesn't honor the USERNAME@Domain.Edu. In addition, when the iOS devices first connect, they are correctly listed with AirGroup usernames of USERNAME, but after some time or roaming among APs, they "reauthenticate" back and their AirGroup usernames become USERNAME@Domain.Edu and they can no longer detect or cast to the shared AirGroup devices. The controller's user-table always lists them with usernames of USERNAME@Domain.Edu; it's only under "show airgroup users" that I can see the username changing from USERNAME, which works, to later USERNAME@Domain.Edu, which doesn't. I don't have the CPPM eduroam service caching roles and postures in the enforcement.

 

thanks

mike

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

Please open a TAC case. That is not expected behavior.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

I'm gonna bump this... since I'm wondering how people with eduroam are working with airgroup.

 

In my setup eduroam users are typically seen on the controller with <userid>@domain.name as their username. I verified that when just setting up a device with <userid>, I'm unable to discover it on eduroam... on the legacy SSID (just <userid>) I can discover registered AirGroup devices.

 

Tried listing <userid>@domain.name in AirGroup registration... but it looks like AirGroup strips the domain... tried using ''s or \ in front of @ in case of a parsing issue - no change...

 

So what are people doing.... do I need to change clearpass to strip @domain.name  when sending userid to controller?

 

So userid@domain1 is effectively the same as userid@domain2?

Could opt to strip the domain only for the local domain... but then users can't share a device with an external eduroam user?

 

Maybe there's a third option I'm just not grasping... or my ClearPass version is old: 6.6.0.81015 and this is a moot issue in an updated patch?...

 

Guru Elite

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

AirGroup should not be stripping the realm. Where are you seeing that?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

It's patched in 6.5.2 and back ports are expected by June. (It's the ArubaOS on the controller that's at fault, not CPPM.)

 

I've been getting around it by sharing the device in CPPM as USERNAME@domain.edu@

 

The controllers strip off everything to the RHS of the right-most '@', leaving USERNAME@domain.edu.

Mike Davis
Network Engineer
University of Delaware
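The stripping behaviour and the trailing-'@' workaround described in this post (and repeated later in the thread) are easy to reason about with a small model. The following is an added example, not code from the poster or from Aruba: it assumes, based only on the description above, that the controller keeps the text to the left of the right-most '@' in each shared-user entry, and it uses the thread's USERNAME@domain.edu placeholder as constructed input.

```python
# Added example modelling the AirGroup shared-user handling described in the thread.
# ASSUMPTION (from the thread, not from Aruba documentation): the controller keeps
# only what is left of the right-most '@' in each Aruba-AirGroup-Shared-User value.

def controller_keeps(shared_user: str) -> str:
    """Return the username the controller would store for one shared-user entry."""
    head, sep, _realm = shared_user.rpartition("@")
    # No '@' at all: the entry is kept unchanged.
    return head if sep else shared_user


def with_trailing_at(shared_user: str) -> str:
    """The thread's workaround: append a second '@' so only the empty tail is stripped."""
    return shared_user + "@" if "@" in shared_user else shared_user


def split_registration(field: str) -> list[str]:
    """Split the comma-separated shared-user field as entered in the CPPM registration form."""
    return [entry.strip() for entry in field.split(",") if entry.strip()]


def controller_view(field: str) -> list[str]:
    """What the controller ends up with for a whole registration field."""
    return [controller_keeps(entry) for entry in split_registration(field)]


def controller_view_fixed(field: str) -> list[str]:
    """Same, after applying the workaround to every entry that carries a realm."""
    return [controller_keeps(with_trailing_at(entry)) for entry in split_registration(field)]


def can_discover(authenticated_user: str, field: str, fixed: bool = False) -> bool:
    """True if the username seen on the controller matches an entry it actually stored.

    The thread reports that eduroam clients are listed as USERNAME@domain.edu, so that is
    the authenticated_user value a defender should test against the registration field.
    """
    view = controller_view_fixed(field) if fixed else controller_view(field)
    return authenticated_user in view


if __name__ == "__main__":
    # Constructed sample: the registration field from the thread, with placeholder domain.
    field = "USERNAME,USERNAME@domain.edu"
    print("controller stores        :", controller_view(field))        # both collapse to USERNAME
    print("controller stores (fixed):", controller_view_fixed(field))  # realm survives
    print("eduroam user can discover:", can_discover("USERNAME@domain.edu", field))
    print("...with workaround       :", can_discover("USERNAME@domain.edu", field, fixed=True))
```

Running it shows why registering both USERNAME and USERNAME@domain.edu did not help: under the modelled behaviour both entries collapse to USERNAME, so a client that the controller lists as USERNAME@domain.edu after re-authentication matches nothing. With the trailing '@' applied, the realm survives and the match succeeds. Once the controller runs a release containing the fix the poster mentions, the workaround entries would need to be re-checked, since the model here only describes the pre-fix behaviour reported in the thread.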
Frequent Contributor I

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

show airgroup policy

on the controller was showing just my username twice when I had <userid>,<userid>@domain.name entered in ClearPass registration.

 

Found out this is a bug on the controller side - fixed in 6.5.2.0.

 

There is a workaround: if I enter the username as <userid>@domain.name@domain.name, the controller picks up the username as desired, and with show airgroup policy I show up as <userid>@domain.name.

 

 

So now - for people with eduroam - do you just set up CPPM to prepopulate the shared user field with <userid> and <userid>@domain.name? I'm assuming I can customize the registration form to do this....

 

Contributor II

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

We are documenting to add both USER, USER@domain.edu@ to the sharing registration. But we are moving towards a single SSID (eduroam), so eventually it will only be USER@domain.edu.

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

You could clone the default AirGroup service and enforcement policies to dynamically append the second @ so you don’t have to modify all your device registrations.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

Do you have a pointer to documentation or quick help on dynamically adding the @domain.edu@ to the policy? I have the service/profile/policy duplicated and see the attribute:

 

Radius:Aruba    Aruba-AirGroup-Shared-User      =       %{GuestUser:airgroup_shared_user}

 

But I don't know the syntax the value is expecting.

 

thanks

mike

 

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

On second thought, this likely won’t work in your case since you likely have multiple users shared out for devices.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480