Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Client certificate generation

  • 1.  CPPM Client certificate generation

    MVP EXPERT
    Posted Nov 24, 2020 07:44 AM
    Hi,
    It's been 4 or 5 years since I looked at the CPPM Onboard features, so I thought I'd have another look at it.

    At the moment we use the Cloudpath onboarding solution, which lets us create certificates of the form <userid>-<4-digit hex number>@york.ac.uk. The cert CN therefore maps onto a username of the same format (e.g. cn=as1558-abcd@york.ac.uk -> UserName as1558-abcd@york.ac.uk), which is perfect for eduroam connectivity, as the outer username has the york.ac.uk realm required for remote York users to have their auth requests proxied off to our Tier 1 RADIUS servers.

    Having configured a local user account and CPPM Onboard to create a cert using the login userid and machine type, it was fairly easy to perform a local EAP-TLS auth using CPPM OCSP.

    However, we do want the cert to contain the realm so it will work anywhere on eduroam. Other than logging into CPPM Onboard as user@realm, is there a way of doing this in the config?

    Also, with Cloudpath we can specify a string of SSIDs to ignore (i.e. make the SSID associated with the config the "top of the list preferred SSID").

    e.g. at present I'm configured to connect to my local SSID using CPPM EAP-TLS. The CN just has a userid in there, and as I've got a guest and a WPA2-PSK network here as well, I occasionally have to manually select the WPA3-Enterprise one .. something that doesn't happen with the Cloudpath offering.

    A

    ------------------------------
    Alex Sharaz
    ------------------------------
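The CN-to-User-Name mapping and the realm-based RADIUS routing that the post above relies on, written out as an added example in Python (this is not code from the original post, ClearPass, Cloudpath or eduroam). It splits the outer identity on the last '@' as the NAI rules (RFC 7542) require, checks that a client-certificate CN has the <userid>-<hex4>@<realm> shape before mapping it to a User-Name, and decides whether a RADIUS server for a given realm would authenticate locally, proxy upstream to the Tier 1 servers, or have nothing to route on (the bare-userid case the post describes). The exact CN pattern, the sub-realm suffix rule and the outcome labels are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example values. The home realm is the one named in the post;
# the CN pattern is an assumption modelling the Cloudpath-style form
# <userid>-<4 hex digits>@<realm> described there.
HOME_REALM = "york.ac.uk"
CN_PATTERN = re.compile(
    r"^(?P<userid>[a-z][a-z0-9]+)-(?P<suffix>[0-9a-f]{4})@(?P<realm>[a-z0-9.-]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]  # None when the identity carries no realm at all


def split_nai(identity: str) -> Identity:
    """Split a RADIUS outer identity (User-Name) into user and realm.

    Per the NAI rules (RFC 7542) the realm is everything after the LAST '@',
    so a user part that itself contains '@' does not confuse the split.
    An identity with no '@' (a bare userid) has no realm.
    """
    if "@" not in identity:
        return Identity(identity, None)
    user, realm = identity.rsplit("@", 1)
    return Identity(user, realm.lower() or None)


def cn_to_username(cn: str) -> str:
    """Map a client-certificate subject CN to the RADIUS User-Name.

    The mapping itself is the identity function, exactly as in the post, but
    the CN is validated against the expected <userid>-<hex4>@<realm> shape
    first, so a certificate issued with a bare userid is caught before it is
    relied on for roaming. Raises ValueError on a non-conforming CN.
    """
    m = CN_PATTERN.match(cn)
    if m is None:
        raise ValueError(f"CN {cn!r} does not match <userid>-<hex4>@<realm>")
    return cn.lower()


def cn_is_roaming_ready(cn: str) -> bool:
    """True if the CN yields a User-Name that a visited eduroam site can proxy."""
    try:
        cn_to_username(cn)
    except ValueError:
        return False
    return True


def route(identity: str, serving_realm: str) -> str:
    """Decide what a RADIUS server for `serving_realm` does with an outer identity.

    Returns one of (labels are an assumption for this example):
      'local'  - the realm is ours, or is a sub-realm of ours, or the identity
                 has no realm and we are the home site: authenticate here
      'proxy'  - the realm belongs to someone else: forward upstream (Tier 1)
      'reject' - no realm and we are not the home site: nothing to route on
    """
    ident = split_nai(identity)
    serving_realm = serving_realm.lower()
    if ident.realm is None:
        return "local" if serving_realm == HOME_REALM else "reject"
    # Suffix match lets e.g. cs.york.ac.uk be handled by the york.ac.uk server;
    # whether a deployment does this is an assumption.
    if ident.realm == serving_realm or ident.realm.endswith("." + serving_realm):
        return "local"
    return "proxy"


if __name__ == "__main__":
    # Constructed sample identities, including the bare-userid case from the post.
    for cn in ("as1558-abcd@york.ac.uk", "as1558"):
        print(cn, "roaming-ready:", cn_is_roaming_ready(cn))
    for ident, site in (("as1558-abcd@york.ac.uk", "york.ac.uk"),
                        ("as1558-abcd@york.ac.uk", "other.ac.uk"),
                        ("as1558", "other.ac.uk")):
        print(f"{ident:>25} at {site:<12} -> {route(ident, site)}")
```

The point the routing function makes explicit: a certificate whose CN is just the userid authenticates fine against the home ClearPass (the `"local"` branch at the home site), but a visited site has no realm to forward on, which is why the realm has to be in the CN, or in whatever the IdP returns as the fully qualified username, for eduroam roaming to work.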


  • 2.  RE: CPPM Client certificate generation

    MVP EXPERT
    Posted Nov 24, 2020 03:27 PM
    No, your IdP should be returning a fully qualified username.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: CPPM Client certificate generation

    MVP EXPERT
    Posted Nov 25, 2020 05:43 AM
    Thanks for that .....and it works!
    I'm just using Policy Manager/Configuration/Local Users at the moment, and if I create an entry of the form
    Alex@my.domain.tld, that's what appears in the cert CN.

    That's fine, except it does require logging into the Onboard CPPM component with your FQDN username. This would make it different to all the other Uni web-based logons, which just require a userid.

    Also wonder if there'll be an update to CPPM/Guest at some point, as the config still supports Win XP and upwards and there isn't a way of saying Win 8.1 and upwards, or Win 10 only, or even of defining a set of legacy operating systems to ignore. Granted, you can do stuff in Policy Manager, but that doesn't change the fact that you're still configuring them.

    Rgds
    Alex

    ------------------------------
    Alex Sharaz
    ------------------------------