New Contributor

eduroam outer identity

Hi,

I tried searching for answers to this question but wasn't able to find anything. If this is a FAQ I somehow overlooked, my apologies - very happy to just receive a link!

We're trying to follow eduroam best practice and reject authentications where the username doesn't contain an @ so we don't end up with users stranded at other institutions unable to be routed back to us.

We're also trying to use JAMF for Mac laptop provisioning, joining the devices to the domain and then creating generic wireless device profiles that simply use the credentials used to log into the OS for authentication to eduroam (much like Windows laptops would do). JAMF is not capable of changing the string used as the username, and we don't want to require users to append @realm.edu every time they're logging into their laptop. JAMF *is* able to generate an outer identity of 'anonymous@realm.edu', which we actually consider a privacy feature. Such authentication requests have a fully qualified outer identity and can be routed through the eduroam federation, but have a bare username and password in the inner identity.

These authentication requests get rejected by ClearPass due to the 'no @ in the username' rule.

Is it possible to set that rule to validate that just the outer identity must contain the @? I've been entirely unable to figure out how to access the outer identity at all.

thx,

felix

Guru Elite

Re: eduroam outer identity

Outer identity can only be evaluated in service categorization.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

New Contributor

Re: eduroam outer identity

Interesting! I can see Authentication:InnerMethod and Authentication:OuterMethod, but can't see anything relating to OuterIdentity. Is it just that the Authentication:Username is the OuterIdentity during service categorization, and then the InnerIdentity within role mappings etc?

thx,

felix

Guru Elite

Re: eduroam outer identity

Yes, the Username = Outer Identity prior to EAP termination and Inner Identity after EAP termination.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

New Contributor

Re: eduroam outer identity

Before I actually try this, is this a reasonable strategy:

Create a new service at the top of the list:

Match on all of:

- RADIUS:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)

- Connection:SSID CONTAINS eduroam

- Authentication:Username NOT_CONTAINS @

Enable all relevant EAP methods, authenticate against some dummy source such as a static host list with no usable entries

No role mapping, enforcement is set to [Sample Deny Access Policy]

That should only match requests for eduroam with an outer identity that doesn't contain an @ and therefore isn't fully qualified, and deny them. All well-formed requests with an @ in them would fall through to our currently configured services for actually authenticating users, or proxying them off to the federation.

Anything I'm missing?

Thanks for all the pointers on this, I appreciate it.

thx,

felix
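The service-categorization logic described in the post above, modelled as an added example (this is not ClearPass code or anything from the thread's authors). It evaluates the three match conditions against the RADIUS attributes seen before EAP termination, where Username is still the outer identity, and then shows where a well-formed request would go next; the local realm `realm.edu`, the attribute names and the sample requests are all assumptions.

```python
# Added illustration of the "deny unqualified outer identity" service for eduroam.
# Evaluated BEFORE EAP termination, so request["Username"] is the OUTER identity.
# Assumed constants: the institution's own realm and the IETF NAS-Port-Type value.
LOCAL_REALM = "realm.edu"           # assumption: home institution realm
NAS_PORT_TYPE_WIRELESS_80211 = 19   # RADIUS:IETF NAS-Port-Type Wireless-802.11

def categorize(request: dict) -> str:
    """Return which service a request lands in.

    'deny-unqualified'  -> matched the new top-of-list service (enforcement: deny)
    'local-auth'        -> falls through to the service that authenticates our users
    'proxy-federation'  -> falls through to the service that proxies to eduroam
    'other'             -> not an eduroam wireless request; not our concern here
    """
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_WIRELESS_80211:
        return "other"                                   # not Wireless-802.11
    if "eduroam" not in request.get("SSID", "").lower():
        return "other"                                   # Connection:SSID CONTAINS eduroam
    outer_identity = request.get("Username", "")
    if "@" not in outer_identity:
        return "deny-unqualified"                        # Authentication:Username NOT_CONTAINS @
    # Well-formed requests fall through: route by the realm in the outer identity.
    realm = outer_identity.rsplit("@", 1)[1].lower()
    return "local-auth" if realm == LOCAL_REALM else "proxy-federation"

# Constructed sample requests (no real users or sites).
SAMPLE_REQUESTS = {
    # JAMF profile: anonymous outer identity, bare username only in the inner tunnel
    "jamf_laptop":   {"NAS-Port-Type": 19, "SSID": "eduroam", "Username": "anonymous@realm.edu"},
    # Misconfigured supplicant sending a bare username as the outer identity
    "bare_outer":    {"NAS-Port-Type": 19, "SSID": "eduroam", "Username": "jdoe"},
    # Visitor from another institution, to be proxied to the federation
    "visitor":       {"NAS-Port-Type": 19, "SSID": "eduroam", "Username": "anonymous@other.ac.uk"},
    # Same bare username on the staff SSID is untouched by this service
    "staff_ssid":    {"NAS-Port-Type": 19, "SSID": "staff-wifi", "Username": "jdoe"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:12s} -> {categorize(req)}")
```

Note that the same three conditions applied after EAP termination would see the bare inner username and deny the JAMF laptops; that is why the check belongs in service categorization and not in role mapping or enforcement.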

Guru Elite

Re: eduroam outer identity

That should work.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

New Contributor

Re: eduroam outer identity

Thanks again, really appreciate the help.

thx,

felix
