The Endpoint:Username is pulling from the Outer Identity of the RADIUS request. Depending on the client OS, that can be specified.
For eduroam it is recommended to be anonymized. Ours will be set to "@liberty.edu". The Outer identity is only supposed to be used for routing the RADIUS request, according to the RFCs.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
------------------------------
Original Message:
Sent: Jan 18, 2023 01:58 PM
From: vvajpeyi
Subject: eduroam user failing authentication as another user
Hello, my EDU organization has ClearPass Software Version - 6.10.7. The backstory: a user who previously enrolled at another EDU institution allowed a friend to log their 802.1x creds on the problem computer. The user joins my EDU institution and now cannot authenticate on our WLAN and is constantly failing authentication. HelpDesk supposedly did all the end device troubleshooting: netsh commands etc., computer wipe and reset, password reset (no special characters), driver update, reset etc. They couldn't find the "Authentication Tab" in the configuration section of the driver device. HelpDesk 1.X creds work on the same problem computer. I tried to install our ClearPass certificate on the machine and as local user (this solved a problem at one of our remote sites for a different user). The Radius:IETF:User-Name is correct but Endpoint:Username always shows a different person with a different EDU handle. There is an Authentication:Full-Username-Normalized field with the right username, but it doesn't show up on a working example using the correct method. Does this look like a TAC case for the Internet2 Federation?
Thank you.
Working example of Authentication:
Service:eduroam_users
Authentication Method: EAP-PEAP,EAP-MSCHAPv2
Authentication Source: #Hits our Domain Controllers fine#
Authorization Source: #Hits Active Directory just fine #
Roles:eduroam-staff, [User Authenticated]
Enforcement Profiles: [Update Endpoint Known], [Allow Access Profile],
Service Monitor Mode: Disabled
Problem authentication:
Service: eduroam_for_visitors : #Not a visitor, transfer student#
Authentication Method: PROXY
Authentication Source: PROXY:tlrs1.eduroam.us
Alerts -
Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed
Alerts for this Request -
RADIUS: Request rejected by home server tlrs1.eduroam.us
WLAN REPORT FROM END DEVICE
Interface:Intel(R) Wi-Fi 6E AX211 160MHz
Interface GUID: 6b2040df-a46d-411a-9c63-42e737ced872
Connection Mode:Connection to a secure network without a profile
Profile:eduroam
SSID:eduroam
Deleting cached credentials as authentication failed for EAP method type 25.
EapHostPeerGetResult returned a failure.
Eap Method Friendly Name: Microsoft: Protected EAP (PEAP)
Reason code: 691
Root Cause String: Network authentication failed\nThe credentials provided might not be correct.
Peer MAC Address: 04:BD:88:7A:CF:52
Identity: user@edu.edu
User: user computer name
Domain: ComputerUserName_DELL
Reason: Explicit Eap failure received
Error: 0x2B3
EAP Reason: 0x2B3
EAP Error: 0x80420112
EapHostPeerGetResult returned a failure.
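
The reply's point that the outer identity is what routes the RADIUS request, as an added example that is not part of the thread or of ClearPass: a small check of a supplicant profile that shows how a stale outer identity from another institution sends a local user down the proxy path. The realm `example.edu`, the profile keys and the function names are assumptions, and the sample profiles are constructed.

```python
# Added example (not from the thread): realm routing on the outer identity.
LOCAL_REALMS = {"example.edu"}  # assumption: the local institution's realm

def split_nai(identity):
    """Split 'user@realm' into (user, realm); realm is '' when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, ""
    return user, realm.lower().rstrip(".")

def route(outer_identity, local_realms=LOCAL_REALMS):
    """Routing decision made from the outer identity alone."""
    _, realm = split_nai(outer_identity)
    if not realm:
        return "no-realm"
    return "local" if realm in local_realms else "proxy"

def audit_profile(profile, local_realms=LOCAL_REALMS):
    """Findings for one supplicant profile (hypothetical keys:
    'anonymous_identity' = outer identity, 'username' = inner identity)."""
    findings = []
    outer_user, outer_realm = split_nai(profile["anonymous_identity"])
    _, inner_realm = split_nai(profile["username"])
    decision = route(profile["anonymous_identity"], local_realms)
    if decision == "proxy" and inner_realm in local_realms:
        findings.append("local account proxied via stale outer realm " + outer_realm)
    if outer_user not in ("", "anonymous"):
        findings.append("outer identity is not anonymized")
    return findings

# Constructed sample profiles.
STALE = {"anonymous_identity": "olduser@other.edu",
         "username": "student@example.edu"}
CLEAN = {"anonymous_identity": "@example.edu",
         "username": "student@example.edu"}

if __name__ == "__main__":
    for name, prof in (("stale", STALE), ("clean", CLEAN)):
        print(name, route(prof["anonymous_identity"]), audit_profile(prof))
```

A realm-only outer identity of the "@liberty.edu" form passes the anonymization check because its user part is empty.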