There are a number of possibilities.
You are saying the problem is with signing into the laptop, rather than to eduroam. That's an AD/Windows login, not a network login. There's always the issue that if the user doesn't already have a stored profile on the laptop, they will need to be network connected before they sign in.
If they do have a stored profile on the laptop, what credentials did they use to sign in to eduroam and how were they stored?
It depends how you set up your users' wireless profiles. If nothing is pre-loaded by group policy or the CAT tool, then when a user connects to eduroam they will need to enter their credentials, and that should always be in the form user@domain. The user part of that is what you use to identify them, so by the sound of it that would be their AD username, but the domain is the institutional domain, which is not necessarily your internal AD domain; it all depends how you have things set up.
You also need to be aware of how the wireless profile is stored - the wireless profile needs to be associated with the user profile, not the machine profile because that would mean anyone using that laptop will log in to eduroam as whoever first signed in on that machine, not their individual user. OK, only a problem with shared laptops but also still good practice.
It is also good practice to require user@domain login on your local eduroam logins as well, because that means you know your users will always work if they go to another institution.
I don't know where you are based, but if in the UK there is loads of information about how to set up eduroam on the Jisc website.
Original Message:
Sent: Sep 06, 2023 09:20 AM
From: Andrew Redmond
Subject: Offsite Eduroam Issues
Hello David - thanks for replying. Yes, it's our staff at other institutions. The issue seems to be with them signing into their laptops using their AD username. This means there's no domain information associated with the sign in so (like you say) the remote site/Eduroam NRPS don't know where to send the credentials for authentication.
I'm surprised there isn't domain info in the wireless profile, although this may not get scrutinised. We're going to try accepting the UPN for our users via Clearpass but if the issue is offsite I'm not sure it'll help.
Original Message:
Sent: Sep 06, 2023 05:40 AM
From: David Rickard
Subject: Offsite Eduroam Issues
I think you are talking about your users at other institutions and you aren't seeing the authentications. Is that right?
Has it worked before for these users? If not, are they logging in with the qualified username@domain format username correctly? If you allow unqualified usernames to log in locally, you may find the users are not specifying your domain so when they visit a remote institution their authentication requests are not being proxied to you.
If that's not it, and you aren't seeing any incoming requests from the eduroam NRPS, in the UK there is a portal which you can use to help debug proxying issues by setting up tests. If you aren't in the UK there may be a similar system where you are.
Original Message:
Sent: Sep 06, 2023 05:01 AM
From: areddin92
Subject: Offsite Eduroam Issues
Hi Herman - thanks for replying. It's staff and student accounts on our managed devices. The verification traffic doesn't even seem to hit our Clearpass servers for RADIUS authentication.
Original Message:
Sent: Sep 05, 2023 09:37 AM
From: Herman Robers
Subject: Offsite Eduroam Issues
Is that just for staff? Or also for students?
Is that for all users that it either works or doesn't work? Or can some users authenticate at those locations where others cannot?
Has this started recently?
What type of authentication is used? With EAP-TLS and/or large certificates used during the authentication it can be that some RADIUS traffic is dropped during the authentication if packets become too large or get fragmented.
------------------------------
Herman Robers
Original Message:
Sent: Sep 04, 2023 04:20 AM
From: areddin92
Subject: Offsite Eduroam Issues
I know this might not be the forum for it but has anyone had issues with their staff accessing Eduroam at other sites?
There doesn't seem to be any consistency of device or location. Thanks very much.
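Added example, not part of the thread and not anyone's production configuration: a home-site audit of the identities users present on local eduroam logins, flagging the ones that would never be proxied back from a visited institution, as the replies above describe. The realm `example.ac.uk`, the function names, the category labels and the sample identities are all constructed assumptions, and the realm syntax check is deliberately simplified.

```python
import re
from collections import Counter

# Simplified realm syntax (assumption): dot-separated DNS-style labels, no whitespace.
REALM_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}")

def classify_identity(user_name: str, home_realm: str) -> str:
    """Classify a RADIUS User-Name by how it would fare when the user roams."""
    if "\\" in user_name:
        return "netbios-style"    # DOMAIN\user carries no realm a proxy can route on
    if "@" not in user_name:
        return "unqualified"      # bare AD username: request never leaves the visited site
    # Split on the last "@"; an empty user part (anonymous outer identity) is allowed.
    _, _, realm = user_name.rpartition("@")
    realm = realm.lower()
    if not REALM_RE.fullmatch(realm):
        return "malformed-realm"  # e.g. no dot, or stray whitespace typed by the user
    if realm != home_realm.lower():
        return "other-realm"      # syntactically fine, but not routed to this institution
    return "roaming-ok"

def audit(user_names, home_realm):
    """Return (counts per category, sorted identities that would fail off-site)."""
    results = {u: classify_identity(u, home_realm) for u in user_names}
    failing = sorted(u for u, c in results.items() if c != "roaming-ok")
    return Counter(results.values()), failing

# Constructed sample identities, not taken from any real log.
SAMPLE_USER_NAMES = [
    "asmith",                 # works locally only if unqualified logins are accepted
    "asmith@example.ac.uk",
    "CAMPUS\\bjones",
    "cdoe@campus.local",      # internal AD domain used instead of the eduroam realm
    "dlee@example",
    "ewong@EXAMPLE.AC.UK",    # realm comparison is case-insensitive
]

if __name__ == "__main__":
    counts, failing = audit(SAMPLE_USER_NAMES, "example.ac.uk")
    print(dict(counts))
    for u in failing:
        print("would fail off-site:", repr(u), "->", classify_identity(u, "example.ac.uk"))
```

Fed with the User-Name values from local authentication logs, the failing list shows which accounts currently work on campus but would not reach the home RADIUS servers from another site.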