Before I actually try this, is this a reasonable strategy:
Create a new service at the top of the list:
Match on all of:
- RADIUS:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)
- Connection:SSID CONTAINS eduroam
- Authentication:Username NOT_CONTAINS @
Enable all relevant EAP methods, authenticate against some dummy source such as a static host list with no usable entries
No role mapping, enforcement is set to [Sample Deny Access Policy]
That should only match requests for eduroam with an outer identity that doesn't contain an @ and therefore isn't fully qualified, and deny them. All well-formed requests with an @ in them would fall through to our currently configured services for actually authenticating users, or proxying them off to the federation.
Anything I'm missing?
Thanks for all the pointers on this, I appreciate it.
thx,
felix
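The following Python sketch is an added example, not part of felix's post and not ClearPass code or its API. It models the ordered, first-match service list the post describes (a deny service on top, then the existing local-authentication and federation-proxy services) so the fall-through behaviour can be checked against sample requests. The service names, the local realm `example.edu`, the `Request` fields and the rule that an unmatched request is rejected are all assumptions of this model; whether the real `CONTAINS` operator is case-sensitive is also not taken from the post.

```python
# Constructed model of a first-match RADIUS service list, in the spirit of the
# ClearPass rules in the post. Illustrative only: not ClearPass's own logic.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

WIRELESS_80211 = 19   # IETF NAS-Port-Type value named in the post
ETHERNET = 15         # IETF NAS-Port-Type for wired ports (used for a counter-case)
LOCAL_REALM = "@example.edu"  # assumed local realm for this model


@dataclass
class Request:
    nas_port_type: int
    ssid: str
    outer_identity: str   # EAP outer identity as carried in User-Name


Condition = Callable[[Request], bool]


@dataclass
class Service:
    name: str
    conditions: List[Condition]   # a service matches only when ALL conditions hold
    enforcement: str


def is_wireless(req: Request) -> bool:
    return req.nas_port_type == WIRELESS_80211


def ssid_contains_eduroam(req: Request) -> bool:
    # Case-sensitive substring test; assumption, see lead-in.
    return "eduroam" in req.ssid


def unqualified_identity(req: Request) -> bool:
    # "Authentication:Username NOT_CONTAINS @": no realm part at all.
    # Note that an empty outer identity is also caught by this rule.
    return "@" not in req.outer_identity


def qualified_identity(req: Request) -> bool:
    return "@" in req.outer_identity


def is_local_user(req: Request) -> bool:
    return req.outer_identity.endswith(LOCAL_REALM)


# Ordered as in the post: the deny service sits above the existing services.
SERVICES = [
    Service("eduroam unqualified-identity deny",
            [is_wireless, ssid_contains_eduroam, unqualified_identity],
            "deny"),
    Service("eduroam local users",
            [ssid_contains_eduroam, is_local_user],
            "authenticate locally"),
    Service("eduroam federation proxy",
            [ssid_contains_eduroam, qualified_identity],
            "proxy to federation"),
]


def evaluate(req: Request, services: List[Service] = SERVICES) -> Tuple[Optional[str], str]:
    """Return (matched service name, enforcement) using first-match semantics.

    A request matching no service is treated as rejected in this model.
    """
    for svc in services:
        if all(cond(req) for cond in svc.conditions):
            return svc.name, svc.enforcement
    return None, "reject (no service matched)"


if __name__ == "__main__":
    # Constructed sample requests exercising the intended fall-through.
    for r in [
        Request(WIRELESS_80211, "eduroam", "alice"),                   # bare username
        Request(WIRELESS_80211, "eduroam", ""),                        # empty outer identity
        Request(WIRELESS_80211, "eduroam", "alice@example.edu"),       # local realm
        Request(WIRELESS_80211, "eduroam", "anonymous@otheruni.ac.uk"),  # visitor
        Request(ETHERNET, "eduroam", "alice"),                         # not wireless
    ]:
        print(r.outer_identity or "<empty>", "->", evaluate(r))
```

Running the block shows that only wireless eduroam requests with no realm are caught by the top service; everything with an `@` falls through to the existing services, and the wired counter-case is left to whatever the rest of the list does with it.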