eduroam user failing authentication as another user

  • 1.  eduroam user failing authentication as another user

    Posted Jan 18, 2023 03:17 PM
    Hello, my EDU organization has ClearPass Software Version - 6.10.7. The backstory: a user who previously enrolled at another EDU institution allowed a friend to log their 802.1x creds on the problem computer. User joins my EDU institution and now cannot authenticate on our WLAN and is constantly failing authentication. HelpDesk supposedly did all the end device troubleshooting: netsh commands etc., computer wipe and reset, password reset (no special characters), driver update, reset etc. They couldn't find the "Authentication Tab" in the configuration section of the driver device. HelpDesk 1.X creds work on the same problem computer. I tried to install our ClearPass certificate on the machine and as local user (this solved a problem at one of our remote sites for a different user). The Radius:IETF:User-Name is correct but Endpoint:Username always shows a different person with a different EDU handle. There is an Authentication:Full-Username-Normalized field with the right username, but it doesn't show up on a working example using the correct method. Does this look like a TAC case for the Internet2 Federation?
    Thank you. 

    Working example of Authentication: 
    Service:eduroam_users 
    Authentication Method: EAP-PEAP,EAP-MSCHAPv2 
    Authentication Source: #Hits our Domain Controllers fine#
    Authorization Source: #Hits Active Directory just fine #
    Roles:eduroam-staff, [User Authenticated] 
    Enforcement Profiles: [Update Endpoint Known], [Allow Access Profile], 
    Service Monitor Mode: Disabled
    
    
    Problem authentication:
    
    
    Service: eduroam_for_visitors : #Not a visitor, transfer student#
    Authentication Method: PROXY 
    Authentication Source: PROXY:tlrs1.eduroam.us 
    
    Alerts - 
    Error Code: 216 
    Error Category: Authentication failure 
    Error Message: User authentication failed 
    Alerts for this Request - 
    RADIUS: Request rejected by home server tlrs1.eduroam.us 


    WLAN REPORT FROM END DEVICE 
    
    
    Interface:Intel(R) Wi-Fi 6E AX211 160MHz
    Interface GUID: 6b2040df-a46d-411a-9c63-42e737ced872
    Connection Mode:Connection to a secure network without a profile
    Profile:eduroam
    SSID:eduroam
    Deleting cached credentials as authentication failed for EAP method type 25.
    
    EapHostPeerGetResult returned a failure.
    Eap Method Friendly Name: Microsoft: Protected EAP (PEAP)
    Reason code: 691
    Root Cause String: Network authentication failed\nThe credentials provided might not be correct. 
    
    
    Peer MAC Address: 04:BD:88:7A:CF:52
    Identity: user@edu.edu
    User: user computer name 
    Domain: ComputerUserName_DELL
    Reason: Explicit Eap failure received
    Error: 0x2B3
    EAP Reason: 0x2B3
    EAP Error: 0x80420112
    
    EapHostPeerGetResult returned a failure.
    
    





     



  • 2.  RE: eduroam user failing authentication as another user

    Posted Jan 19, 2023 04:38 AM
    Hi there,
    from the outputs given, you need to check the home/proxy server logs, and that will give you the exact reason for failure.
    tlrs1.eduroam.us



  • 3.  RE: eduroam user failing authentication as another user

    MVP
    Posted Jan 19, 2023 10:58 AM
    The Endpoint:Username is pulling from the Outer Identity of the RADIUS request. Depending on the client OS, that can be specified.

    For eduroam it is recommended to be anonymized. Ours will be set to "@liberty.edu". The Outer Identity is only supposed to be used for routing the RADIUS request, according to the RFCs.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: eduroam user failing authentication as another user

    Posted Jan 19, 2023 02:46 PM
    Hello, the end device is WIN 11. I couldn't find the authentication tab on the chip's driver.


  • 5.  RE: eduroam user failing authentication as another user

    Posted Jan 19, 2023 03:17 PM
    The end user device is WIN 11. It is not a campus computer enrolled in SCCM, so I can't necessarily specify it without the Authentication Tab on the Intel Chip driver.


  • 6.  RE: eduroam user failing authentication as another user

    EMPLOYEE
    Posted Jan 19, 2023 10:17 PM
    I don't have a Windows 11 device to take screenshots from as an example so I refer you to this site for some instructions on manual configuration of authentication within the Windows system: https://www.studentinternet.eu/en/docs/english/login-out/eduroam-how-do-i-connect-to-eduroam-on-windows-11/

    My recommendation would be to configure the Windows supplicant for authentication rather than the driver authentication settings, which are available with some network interfaces. It is likely to be more consistent across Windows devices if you configure the settings within Windows itself.

    If you refer to the manual configuration you will see reference to the Settings tab post setting up the eduroam SSID. Within these advanced settings you can configure more EAP settings manually, including what credentials to use (you may need to save the user credentials if it is not a domain-joined machine), and the outer identity / privacy identity. This privacy identity will be required to ensure correct routing of the proxied RADIUS request when the user is remote to your environment, as suggested by bosborne.
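
An added example, not written by any poster in this thread: a check of the outer (privacy) identity pinned in a Windows WLAN profile exported with `netsh wlan export profile name="eduroam" folder=<dir>`. The profile below is a constructed, trimmed sample; the element names `EnableIdentityPrivacy` and `AnonymousUserName` follow the Windows PEAP profile schema, while the realms, the user name, the function names and the result labels are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in the shape of a `netsh wlan export profile`
# file for a PEAP network (EAP type 25). Realms and user name are made up.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>eduroam</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Config><Eap><Type>25</Type><EapType>
        <IdentityPrivacy>
          <EnableIdentityPrivacy>true</EnableIdentityPrivacy>
          <AnonymousUserName>olduser@other.example</AnonymousUserName>
        </IdentityPrivacy>
      </EapType></Eap></Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the XML namespace so elements match regardless of schema version."""
    return tag.rsplit("}", 1)[-1]


def outer_identity(profile_xml):
    """Return (privacy_enabled, anonymous_user_name) from a profile export."""
    enabled, name = False, None
    for el in ET.fromstring(profile_xml).iter():
        text = (el.text or "").strip()
        if _local(el.tag) == "EnableIdentityPrivacy":
            enabled = text.lower() == "true"
        elif _local(el.tag) == "AnonymousUserName":
            name = text or None
    return enabled, name


def audit(profile_xml, home_realm):
    """Classify the outer identity this profile pins (hypothetical labels)."""
    enabled, name = outer_identity(profile_xml)
    if not enabled or not name:
        return "no-privacy-identity"   # no anonymized outer identity configured
    user, sep, realm = name.partition("@")
    if not sep or not realm:
        return "no-realm-in-profile"   # profile pins no realm to route on
    if realm.lower() != home_realm.lower():
        return "foreign-realm"         # routes toward another institution
    if user and user.lower() != "anonymous":
        return "named-outer-identity"  # a user name is visible outside the tunnel
    return "ok"


if __name__ == "__main__":
    print(outer_identity(SAMPLE_PROFILE), audit(SAMPLE_PROFILE, "campus.example"))
```
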


  • 7.  RE: eduroam user failing authentication as another user

    Posted Jan 20, 2023 09:54 AM
    I find it odd that removing the eduroam network as a favorite/known network did not clear it out. If you log in with the helpdesk 1.x creds and go into the control panel - network and sharing and click on the network connection (should be a blue link), then wireless properties from the pop-up, that will give you the authentication settings on that network. See if that will help.



  • 8.  RE: eduroam user failing authentication as another user

    Posted Jan 20, 2023 11:54 AM
    Yes, which is why I am thinking there is a hiccup with the Internet2 Federation. They have been doing maintenance recently, which is also why I don't believe it is an end device issue requiring the extra steps in the network settings.


  • 9.  RE: eduroam user failing authentication as another user

    Posted Jan 20, 2023 06:40 PM
    I went to Configuration » Identity » Endpoints, searched the MAC address and found the offending EDU handle value as the username for the MAC address. I trashed/deleted the handle. The MAC address is now no longer "Profiled". I assume this is a possible fix.