Contributor II

Check guest users before proxying on eduroam

I have a set of high school users on campus who do not get local user accounts, but still need wireless access. I'm trying to avoid setting up a new SSID for them, but I'm not sure if I can work around eduroam.

 

My local users match on the service with @trentu.ca, and their usernames are stripped to match the samaccountname. If I assign these students arbitrary guest account usernames (user-cpg@trentu.ca), they will work, but I then have to manually deal with getting their credentials to their real address.

 

My eduroam visitors match on the next service which just checks for the @ sign. These all get proxied up the eduroam chain.

 

So what I thought might work is putting a new service between the two that would match the @, but authenticate against the guest user database and not strip the username. But of course any eduroam visitors will fall into that service and then fail authentication.

 

So to make a long question short, is there any way to set up a service that will continue to the next service if the user is not found?

Guru Elite

Re: Check guest users before proxying on eduroam

You should not do this as the eduroam SSID will be saved on their devices and will continuously attempt to authenticate and fail when the users are not on your campus.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Check guest users before proxying on eduroam

True, but if they actually had eduroam at their high school then I wouldn’t need to do anything to support them in the first place.
Guru Elite

Re: Check guest users before proxying on eduroam

Right, but it's not about that. It's the fact that eduroam is available in 10s of thousands of locations worldwide and it's now saved on their device with invalid credentials (outside your campus).

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Check guest users before proxying on eduroam

True, but every other device out there which has been used with the eduroam visitor access system*, or has expired credentials from a participating institution, also has invalid saved credentials.

If we can take the debate about eduroam out for a moment, the question boils down to whether or not there is a way to have a service return with a "no, but try the next matching service"?

*https://www.canarie.ca/identity/eduroam/eduroam-visitor-access/ for the benefit of any readers unaware of this service.
Guru Elite

Re: Check guest users before proxying on eduroam

No. There needs to be something unique about the request.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Guru

Re: Check guest users before proxying on eduroam

What about using (sponsored) Guest self-registration and provide those guests a 'random username' in a specifically chosen realm which you can authenticate to the guest user database? We have customers taking that approach to unlink internal usernames from what is used on the network, but you can use it for this purpose as well.

 

That also looks like what is happening (as far as I can understand from the web page) in that guest service you mentioned. As Tim mentions there are some drawbacks when such a user visits another eduroam site, so it may be good to have this approach validated and approved by your eduroam provider.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor II

Re: Check guest users before proxying on eduroam

Yes, both of those approaches do work. I could also just create AD accounts for them.

 

What I was hoping to accomplish was allowing them to use their own school board emails as usernames.  These are high school students taking enrichment courses here for a semester, but their school board is not on eduroam (yet).

 

Cheers!

MVP Guru

Re: Check guest users before proxying on eduroam

Andrew,

 

If it is a limited known list of realms, you can filter on those and authenticate locally, especially if those realms/suffixes are not used in eduroam. The point that the account stays on the device and will try to connect in other eduroam locations is still not ideal.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
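
The realm filter suggested in the last reply, sketched as an added example (it is not from the thread and is not ClearPass configuration). `route`, `Decision`, `GUEST_REALMS` and the `schoolboard.example` realm are hypothetical names; the realm is the only thing unique about the request, so it is matched exactly rather than by substring or suffix.

```python
# Added illustration only: not ClearPass configuration or any product API.
from typing import NamedTuple

LOCAL_REALM = "trentu.ca"                # local realm named in the thread
GUEST_REALMS = {"schoolboard.example"}   # placeholder for the known school board realms


class Decision(NamedTuple):
    action: str    # "local-ad", "local-guest", "proxy-eduroam" or "reject"
    username: str  # identity handed to the chosen authentication source


def route(identity: str) -> Decision:
    """Choose a handler from the realm, i.e. the text after the last '@'."""
    identity = identity.strip()
    user, sep, realm = identity.rpartition("@")
    realm = realm.lower().rstrip(".")    # realms compare case-insensitively
    # No '@', an empty realm, or whitespace in the realm cannot be routed.
    if not sep or not realm or any(c.isspace() for c in realm):
        return Decision("reject", identity)
    if realm == LOCAL_REALM:
        # Local users: strip the realm so the name matches sAMAccountName.
        return Decision("local-ad", user)
    if realm in GUEST_REALMS:
        # Listed realms: keep the full address, check the guest user database.
        return Decision("local-guest", f"{user}@{realm}")
    # Any other realm is an eduroam visitor and is proxied up the chain.
    return Decision("proxy-eduroam", f"{user}@{realm}")


# Constructed sample identities, including look-alike realms that a
# substring or suffix match would wrongly treat as local.
SAMPLES = [
    "jsmith@trentu.ca",
    "pat@schoolboard.example",
    "visitor@other-university.example",
    "mallory@nottrentu.ca",
    "mallory@trentu.ca.lookalike.example",
    "norealm",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} -> {route(s)}")
```

A realm that is absent from `GUEST_REALMS` never reaches the guest database, so eduroam visitors are not failed locally before being proxied.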