Higher Education


[Guide] AD Machine Auth + Eduroam + ClearPass

  • 1.  [Guide] AD Machine Auth + Eduroam + ClearPass

    Posted Jan 27, 2014 10:24 PM

    We recently came across this issue when we decided to offer eduroam as our primary secure network. Eduroam works by using the fully qualified username to route authentication requests to the correct home institution. We wanted to maintain machine authentication so users could do an initial login with AD credentials and also for group policy and updates.

     

    An example of a normal eduroam user authentication would be: cappalli@brandeis.edu

     

    An example of a machine authentication would be: host/cappalli-xps13.brandeis.edu.

     

    There are two issues with machine authentication with eduroam. The first being that the machine username is not formatted correctly for eduroam. The second issue is that when the computer switches to user authentication after logon, Windows sends credentials in the REALM\username format (USERS\cappalli). This is not valid for eduroam.

     

    The fix below solves two things:

     

    1) It allows you to maintain machine authentication locally on campus. When users are visiting another university, machine authentication will fail and user authentication will be attempted (and should pass).

     

    2) After logging in for the first time, prompt the user to enter valid eduroam credentials (username@domain.edu). These credentials will then be saved with the profile and only need to be entered again if their password changes.

    CLEARPASS SERVICE CONFIGURATION

    [Image: eduroam-services.PNG]

    1. Duplicate your existing eduroam local user service. Place the new service below your local authentication and above your visitor services.

    2. Add two new service rules that check for host/ and .domain.edu

      [Image: eduroam-services-rules.png]

    3. Configure any role mapping policies if needed.

    4. Create an enforcement profile that checks for TIPS Role [Machine Authenticated] and maps the appropriate enforcement profiles. In this case, we have a machine authentication role that is restricted to talking to domain controllers, DNS, DHCP and WSUS.

      [Image: eduroam-machine-authenf.PNG]

    WINDOWS CLIENT CONFIGURATION

     

    The client can be configured 3 different ways:

    1. Group policy profile
    2. QuickConnect
    3. Manually

     

    GROUP POLICY

    1)  In your group policy object, navigate to:

    Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

     2)  Right click and select Create a new wireless network policy.

     

     3)  Assign the policy a name such as "Brandeis eduroam"

     

     4)  Click the Add button and select Infrastructure

             [Image: eduroam-gpo-add-profile.png]

     

    5)  Assign the name eduroam to the profile and add eduroam to the SSID list. You might want to also uncheck "Connect to a more preferred network if available".

              [Image: eduroam-gpo-add-profile2.png]

     

    6)  Next head over to the Security tab. This should look identical to the client-side supplicant configuration in Windows.

    7)  First, make sure the Authentication Mode is set to User or Computer authentication. Then click the Properties button next to the network authentication method drop-down.

    8)  Select the Certificate Authority that signed your RADIUS server certificates and add your server names to the "Connect to these servers" box. (Use AddTrust if you use InCommon.) Next click Configure next to "Select Authentication Method".

       [Image: eduroam-gpo-peap.png]

    9)  Uncheck "Automatically use my Windows logon name and password (and domain if any)". This will force Windows to prompt the user for credentials after the first logon.

          [Image: eduroam-gpo-auto.png]

     

    10)  Link your GPO to the appropriate OUs or security groups.

    QUICK CONNECT

     

      Use the settings starting from step 7 to create your profile in the QuickConnect wizard (quickconnect.arubanetworks.com)

     

    MANUAL

     

      Use the same settings starting from step 7 of the group policy config to manually configure a client.
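    The routing the guide above describes, as an added example that is not part of the original post and not ClearPass code: a small Python model of the service order the post recommends (local users, then the duplicated eduroam machine-auth service, then eduroam proxying, then visitor), the three identity formats it mentions (host/fqdn, user@realm, REALM\username), the two identities a Windows supplicant in User-or-Computer mode sends before and after logon, and the restricted role the post gives machine-authenticated hosts. brandeis.edu, USERS, cappalli and cappalli-xps13 are the post's own values; the service names, regular expressions, function names and ACL entries are assumptions for illustration.

```python
"""Reference model of the eduroam + machine-auth service routing described above.

Added example: it is not ClearPass code, only a stand-in for the rule ordering
in the guide so that the two identity-format problems can be reproduced
offline. brandeis.edu is the realm used in the post; every other name is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_REALM = "brandeis.edu"  # home realm from the post

# Identity formats seen in RADIUS User-Name (constructed regexes, not ClearPass syntax).
HOST_RE = re.compile(r"^host/(?P<fqdn>[^@\\/]+)$")                    # host/pc.brandeis.edu
NAI_RE = re.compile(r"^(?P<user>[^@\\/]+)@(?P<realm>[^@\\/]+)$")       # user@realm (NAI)
NTDOMAIN_RE = re.compile(r"^(?P<domain>[^\\/@]+)\\(?P<user>[^\\/@]+)$")  # USERS\user

# Destinations the post allows the "Machine Authenticated" role to reach (assumed labels).
MACHINE_ROLE_ACL = ("domain-controllers", "dns", "dhcp", "wsus")


@dataclass(frozen=True)
class Decision:
    service: str          # ClearPass-style service that matched (assumed names)
    action: str           # "auth-local", "proxy-eduroam" or "reject"
    role: Optional[str] = None


def route(identity: str) -> Decision:
    """Pick the service for a User-Name the way the guide's rule order would."""
    m = HOST_RE.match(identity)
    if m:
        if m.group("fqdn").lower().endswith("." + LOCAL_REALM):
            # The post's two rules: starts with host/ AND ends with .brandeis.edu
            return Decision("eduroam-machine-auth", "auth-local", "Machine Authenticated")
        # Off campus a host/ identity carries no routable realm, so eduroam cannot
        # forward it; the machine phase fails and the supplicant retries as the user.
        return Decision("none", "reject")
    if NTDOMAIN_RE.match(identity):
        # USERS\cappalli is what Windows sends with "use my Windows logon name"
        # checked; it is not a valid eduroam identity anywhere.
        return Decision("none", "reject")
    m = NAI_RE.match(identity)
    if m:
        if m.group("realm").lower() == LOCAL_REALM:
            return Decision("eduroam-local-users", "auth-local", "Authenticated")
        return Decision("eduroam-proxy", "proxy-eduroam")
    return Decision("visitor", "reject")


def identities_sent(hostname: str, nt_domain: str, sam_user: str,
                    use_winlogon_creds: bool, prompted: Optional[str]) -> List[str]:
    """Identities a Windows supplicant in User-or-Computer mode sends in turn:
    the machine identity before logon, then the user identity after logon.
    use_winlogon_creds mirrors the checkbox unchecked in step 9 of the guide."""
    machine = f"host/{hostname}"
    user = f"{nt_domain}\\{sam_user}" if use_winlogon_creds else (prompted or "")
    return [machine, user]


def permitted(decision: Decision, destination: str) -> bool:
    """Enforcement for the restricted machine role described in the post."""
    if decision.action != "auth-local":
        return False
    if decision.role == "Machine Authenticated":
        return destination in MACHINE_ROLE_ACL
    return True  # full user role


if __name__ == "__main__":
    host = "cappalli-xps13.brandeis.edu"
    print("checkbox checked (Windows logon name):")
    for ident in identities_sent(host, "USERS", "cappalli", True, None):
        print(f"  {ident:40} -> {route(ident)}")
    print("checkbox unchecked (user prompted for eduroam credentials):")
    for ident in identities_sent(host, "USERS", "cappalli", False, "cappalli@brandeis.edu"):
        print(f"  {ident:40} -> {route(ident)}")
```

    Running it shows the failure the post fixes: with the logon-name checkbox left checked, the second identity is USERS\cappalli and is rejected, while the prompted cappalli@brandeis.edu lands on the local user service; a visiting host/ identity is rejected so that the supplicant falls through to user authentication.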

     



  • 2.  RE: [Guide] AD Machine Auth + Eduroam + ClearPass

    Posted May 22, 2019 04:55 PM

    Hi Tim,

     

    Still an excellent guide! I'm setting this up at a local school (using eduroam and Windows 10 domain-joined laptops) but am running into the problem that the user credentials just aren't being saved as mentioned in point 2 in your guide "After logging in for the first time, prompt the user ....". It seems like the profile is read-only on the local laptop.

    We manually configured the settings on the laptop and then all seems to work fine. However, when we disable "Connect automatically" by removing the checkmark when trying to connect to eduroam, we also break the Machine Authentication functionality. Any thoughts on what I'm missing or how to resolve this issue?

     

    Regards,

     

    Bart



  • 3.  RE: [Guide] AD Machine Auth + Eduroam + ClearPass

    Posted May 23, 2019 08:47 AM

    Hello Group,

    Thanks

    [Image: Services]

    [Image: hostslash]

    [Image: backslash]

    Windows works great. The Mac not so much. Looks like there is additional work that has to be done on the Mac side with setting up profiles. (Will put more info out on this topic later.)

     

    We are to the point where AD does not see the Mac requesting auth. ClearPass and the controller have already passed and the Mac is put in the proper role. The Mac will sit there and eventually time out.

    Any thoughts on the Mac machine profiles?

    thanks

    Bill