  • 1.  Check guest users before proxying on eduroam

    Posted Oct 18, 2019 09:16 PM

    I have a set of high school users on campus who do not get local user accounts, but still need wireless access. I'm trying to avoid setting up a new SSID for them, but I'm not sure if I can work around eduroam.
    My local users match on the service with @trentu.ca, and their usernames are stripped to match the samaccountname. If I assign these students arbitrary guest account usernames (user-cpg@trentu.ca), they will work, but I then have to manually deal with getting their credentials to their real address.
    My eduroam visitors match on the next service which just checks for the @ sign. These all get proxied up the eduroam chain.
    So what I thought might work is putting a new service between the two that would match the @, but authenticate against the guest user database and not strip the username. But of course any eduroam visitors will fall into that service and then fail authentication.
    So to make a long question short, is there any way to set up a service that will continue to the next service if user is not found?



  • 2.  RE: Check guest users before proxying on eduroam

    Posted Oct 18, 2019 09:30 PM
    You should not do this as the eduroam SSID will be saved on their devices and will continuously attempt to authenticate and fail when the users are not on your campus.


  • 3.  RE: Check guest users before proxying on eduroam

    Posted Oct 18, 2019 09:35 PM
    True, but if they actually had eduroam at their high school then I wouldn’t need to do anything to support them in the first place.


  • 4.  RE: Check guest users before proxying on eduroam

    Posted Oct 19, 2019 05:20 AM
    Right, but it's not about that. It's the fact that eduroam is available in tens of thousands of locations worldwide and it's now saved on their device with invalid credentials (outside your campus).


  • 5.  RE: Check guest users before proxying on eduroam

    Posted Oct 19, 2019 12:05 PM
    True, but every other device out there which has been used with the eduroam visitor access system*, or has expired credentials from a participating institution, also has invalid saved credentials.

    If we can take the debate about eduroam out for a moment, the question boils down to whether or not there is a way to have a service return with a "no, but try the next matching service"?

    *https://www.canarie.ca/identity/eduroam/eduroam-visitor-access/ for the benefit of any readers unaware of this service.


  • 6.  RE: Check guest users before proxying on eduroam
    Best Answer

    Posted Oct 20, 2019 01:39 PM
    No. There needs to be something unique about the request.


  • 7.  RE: Check guest users before proxying on eduroam

    Posted Oct 21, 2019 02:31 AM

    What about using (sponsored) Guest self-registration and provide those guests a 'random username' in a specifically chosen realm which you can authenticate to the guest user database? We have customers taking that approach to unlink internal usernames from what is used on the network, but you can use it for this purpose as well.
    That also looks like what is happening (as far as I can understand from the web page) in that guest service you mentioned. As Tim mentions there are some drawbacks when such a user visits another eduroam site, so it may be good to have this approach validated and approved by your eduroam provider.



  • 8.  RE: Check guest users before proxying on eduroam

    Posted Oct 21, 2019 08:56 AM

    Yes, both of those approaches do work. I could also just create AD accounts for them.
    What I was hoping to accomplish was allowing them to use their own school board emails as usernames. These are high school students taking enrichment courses here for a semester, but their school board is not on eduroam (yet).
    Cheers!



  • 9.  RE: Check guest users before proxying on eduroam

    Posted Oct 21, 2019 09:04 AM

    Andrew,
    If it is a limited known list of realms, you can filter on those and authenticate locally, especially if those realms/suffixes are not used in eduroam. The point that the account stays on the device and will try to connect in other eduroam locations is still not ideal.
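The realm-based routing suggested in reply 9, written out as an added example (not code from the thread, from ClearPass, or from eduroam): services are evaluated top to bottom and the first match wins, so the realm itself has to be the attribute that separates local users, known partner guests, and eduroam visitors. The realm values and the service names are assumptions.

```python
# Constructed model of first-match RADIUS service selection. There is no
# "user not found, try the next service" fallback, so the decision must be
# made purely on attributes of the request (here: the realm after '@').

LOCAL_REALM = "trentu.ca"
# Hypothetical list of partner school-board realms that are NOT on eduroam.
# Only realms that can never appear as a real eduroam realm belong here,
# otherwise genuine visitors from that realm would be misrouted and fail.
GUEST_REALMS = {"example-schoolboard.ca"}


def classify_request(username: str) -> dict:
    """Return the service selected for a User-Name and the identity passed on.

    Services, in evaluation order:
      1. local-ad       realm == LOCAL_REALM, realm stripped to match sAMAccountName
      2. local-guest    realm in GUEST_REALMS, full name kept for the guest DB
      3. eduroam-proxy  any other '@' realm, forwarded unchanged up the chain
      reject            no '@' at all (not a valid eduroam outer identity)
    """
    name = username.strip()
    if "@" not in name:
        return {"service": "reject", "identity": name}
    local_part, realm = name.rsplit("@", 1)
    realm = realm.lower()
    if realm == LOCAL_REALM:
        return {"service": "local-ad", "identity": local_part}
    if realm in GUEST_REALMS:
        return {"service": "local-guest", "identity": name}
    return {"service": "eduroam-proxy", "identity": name}


def guest_realms_are_safe() -> bool:
    """Sanity check: guest realms must not overlap the local realm and must
    each be a valid domain-style label, so they cannot shadow a real realm."""
    return all(r != LOCAL_REALM and "." in r and " " not in r for r in GUEST_REALMS)
```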