Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

eduroam outer identity

  • 1.  eduroam outer identity

    Posted Feb 04, 2019 11:58 AM

    Hi,

    I tried searching for answers to this question but wasn't able to find anything. If this is a FAQ I somehow overlooked, my apologies - very happy to just receive a link!

     

    We're trying to follow eduroam best practice and reject authentications where the username doesn't contain an @ so we don't end up with users stranded at other institutions unable to be routed back to us.

     

    We're also trying to use JAMF for Mac laptop provisioning, joining the devices to the domain and then creating generic wireless device profiles that simply use the credentials used to log into the OS for authentication to eduroam (much like Windows laptops would do). JAMF is not capable of changing the string used as the username, and we don't want to require users to append @realm.edu every time they're logging into their laptop. JAMF *is* able to generate an outer identity of 'anonymous@realm.edu', which we actually consider a privacy feature. Such authentication requests have a fully qualified outer identity and can be routed through the eduroam federation, but have a bare username and password in the inner identity.

     

    These authentication requests get rejected by ClearPass due to the 'no @ in the username' rule.

     

    Is it possible to set that rule to validate that just the outer identity must contain the @? I've been entirely unable to figure out how to access the outer identity at all.

     

    thx,

    felix



  • 2.  RE: eduroam outer identity

    EMPLOYEE
    Posted Feb 04, 2019 12:48 PM
    Outer identity can only be evaluated in service categorization.


  • 3.  RE: eduroam outer identity

    Posted Feb 04, 2019 12:59 PM

    Interesting! I can see Authentication:InnerMethod and Authentication:OuterMethod, but can't see anything relating to OuterIdentity. Is it just that the Authentication:Username is the OuterIdentity during service categorization, and then the InnerIdentity within role mappings etc?

     

    thx,

    felix



  • 4.  RE: eduroam outer identity
    Best Answer

    EMPLOYEE
    Posted Feb 04, 2019 01:13 PM
    Yes, the Username = Outer Identity prior to EAP termination and Inner Identity after EAP termination.


  • 5.  RE: eduroam outer identity

    Posted Feb 04, 2019 02:23 PM

    Before I actually try this, is this a reasonable strategy:

     

    Create a new service at the top of the list:

     

    Match on all of:

    - RADIUS:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)

    - Connection:SSID CONTAINS eduroam

    - Authentication:Username NOT_CONTAINS @

     

    Enable all relevant EAP methods, authenticate against some dummy source such as a static host list with no usable entries

     

    No role mapping, enforcement is set to [Sample Deny Access Policy]

     

    That should only match requests for eduroam with an outer identity that doesn't contain an @ and therefore isn't fully qualified, and deny them. All well-formed requests with an @ in them would fall through to our currently configured services for actually authenticating users, or proxying them off to the federation.

     

    Anything I'm missing?

     

    Thanks for all the pointers on this, I appreciate it.

     

    thx,

    felix
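The service ordering sketched in the post above, modelled as an added example (not ClearPass code and not from anyone in the thread): a small Python function applies the three match rules to the outer identity, denies unqualified requests, and then decides whether a qualified request would authenticate locally or be proxied to the federation. The home realm, service names and sample requests are constructed placeholders.

```python
from dataclasses import dataclass

HOME_REALM = "realm.edu"   # constructed placeholder for the institution's own realm
WIRELESS_80211 = 19        # RADIUS NAS-Port-Type value for Wireless-802.11


@dataclass
class Request:
    nas_port_type: int
    ssid: str
    outer_identity: str    # User-Name as seen before EAP termination


def is_eduroam_wireless(req: Request) -> bool:
    """RADIUS:IETF NAS-Port-Type EQUALS Wireless-802.11 AND Connection:SSID CONTAINS eduroam."""
    return req.nas_port_type == WIRELESS_80211 and "eduroam" in req.ssid


def realm_of(identity: str) -> str:
    """Realm part of a user@realm identity, or '' when there is no '@' or nothing after it."""
    if "@" not in identity:
        return ""
    return identity.rsplit("@", 1)[1].lower()


def categorize(req: Request) -> str:
    """Return the (constructed) service name the request lands in, in evaluation order."""
    if not is_eduroam_wireless(req):
        return "other"
    realm = realm_of(req.outer_identity)
    # First service: outer identity without a usable realm -> deny, never reaches auth source
    if not realm:
        return "eduroam-deny-unqualified"
    # Fall-through services for well-formed outer identities
    if realm == HOME_REALM or realm.endswith("." + HOME_REALM):
        return "eduroam-local-auth"
    return "eduroam-proxy-federation"


# Constructed sample requests: the JAMF profile sends a qualified anonymous outer identity,
# so categorization admits it even though the inner identity is a bare username.
SAMPLE_REQUESTS = [
    Request(WIRELESS_80211, "eduroam", "anonymous@realm.edu"),
    Request(WIRELESS_80211, "eduroam", "felix"),
    Request(WIRELESS_80211, "eduroam", "visitor@other.ac.uk"),
    Request(WIRELESS_80211, "CorpWiFi", "felix"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.outer_identity:>24} on {req.ssid:<9} -> {categorize(req)}")
```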



  • 6.  RE: eduroam outer identity

    EMPLOYEE
    Posted Feb 04, 2019 02:39 PM
    That should work.


  • 7.  RE: eduroam outer identity

    Posted Feb 04, 2019 02:59 PM

    Thanks again, really appreciate the help.

     

    thx,

    felix