Higher Education


Offsite Eduroam Issues

  • 1.  Offsite Eduroam Issues

    Posted Sep 04, 2023 04:20 AM

    I know this might not be the forum for it but has anyone had issues with their staff accessing Eduroam at other sites?

    There doesn't seem to be any consistency of device or location. Thanks very much.



  • 2.  RE: Offsite Eduroam Issues

    EMPLOYEE
    Posted Sep 05, 2023 09:37 AM

    Is that just for staff? Or also for students?

    Is that for all users that it either works or doesn't work? Or can some users authenticate at those locations where others cannot?

    Has this started recently?

    What type of authentication is used? With EAP-TLS and/or large certificates used during the authentication it can be that some RADIUS traffic is dropped during the authentication if packets become too large or get fragmented.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Offsite Eduroam Issues

    Posted Sep 06, 2023 05:01 AM

    Hi Herman - thanks for replying. It's staff and student accounts on our managed devices. The verification traffic doesn't even seem to hit our Clearpass servers for RADIUS authentication.




  • 4.  RE: Offsite Eduroam Issues

    Posted Sep 06, 2023 05:40 AM

    I think you are talking about your users at other institutions and you aren't seeing the authentications.  Is that right?

    Has it worked before for these users?  If not, are they logging in with the qualified username@domain format username correctly?  If you allow unqualified usernames to log in locally, you may find the users are not specifying your domain so when they visit a remote institution their authentication requests are not being proxied to you.

    If that's not it, and you aren't seeing any incoming requests from the eduroam NRPS, in the UK there is a portal which you can use to help debug proxying issues by setting up tests; if you aren't in the UK there may be a similar system where you are.




  • 5.  RE: Offsite Eduroam Issues

    Posted Sep 06, 2023 09:21 AM

    Hello David - thanks for replying. Yes, it's our staff at other institutions. The issue seems to be with them signing into their laptops using their AD username. This means there's no domain information associated with the sign in so (like you say) the remote site/Eduroam NRPS don't know where to send the credentials for authentication. 

    I'm surprised there isn't domain info in the wireless profile, although this may not get scrutinised. We're going to try accepting the UPN for our users via Clearpass but if the issue is offsite I'm not sure it'll help.




  • 6.  RE: Offsite Eduroam Issues

    Posted Sep 07, 2023 05:23 AM

    There are a number of possibilities.

    You are saying the problem is with signing into the laptop, rather than to eduroam. That's an AD/Windows login, not a network login. There's always the issue if the user doesn't already have a stored profile on the laptop they will need to be network connected before they sign in. 

    If they do have a stored profile on the laptop, what credentials did they use to sign in to eduroam and how were they stored? 

    It depends how you set up your users' wireless profiles. If nothing is pre-loaded by group policy or the CAT tool then when a user connects to eduroam they will need to enter their credentials and that should always be in the form user@domain. The user part of that is what you use to identify them, so by the sound of it that would be their AD username but the domain is the institutional domain, which is not necessarily your internal AD domain, it all depends how you have things set up.

    You also need to be aware of how the wireless profile is stored - the wireless profile needs to be associated with the user profile, not the machine profile because that would mean anyone using that laptop will log in to eduroam as whoever first signed in on that machine, not their individual user.  OK, only a problem with shared laptops but also still good practice.

    It is also good practice to require user@domain login on your local eduroam logins as well, because that means you know your users will always work if they go to another institution.  

    I don't know where you are based but if in the UK there is loads of information about how to set up eduroam on the Jisc website.




  • 7.  RE: Offsite Eduroam Issues

    Posted Sep 12, 2023 03:09 AM

    It is somewhat unclear to me what your question and concern is about.
    May you please elaborate some more?



    ------------------------------
    Steinar
    ------------------------------



  • 8.  RE: Offsite Eduroam Issues

    Posted Sep 13, 2023 10:30 AM

    It's a classic "chicken and egg" situation.

    My guess is that at your main site your laptops are authenticating to your eduroam network using machine credentials to establish a connection to your AD servers. Then, the user can login with their AD credentials.

    When at another site, the laptops can't machine authenticate to the other site's network first, so there is no way to establish a connection to your AD servers first to allow the user to login.

    Unfortunately, the machine credentials are usually "host/<computer_name>" which doesn't match the eduroam standard of "user@domain.edu".

    In short you will have to:

    1. Make sure users log in to the laptops before leaving your site so that credentials are cached.
    2. Modify the GPO to allow the user to enter wireless credentials first so that the laptop can connect, and then the user can login with their AD credentials.
      (We've tried this in the past with very mixed results).

    -Neil
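
Added example, not part of the thread or any poster's code: a small audit that classifies the `User-Name` values seen in local RADIUS logs by whether a visited institution could proxy them home, covering the unqualified, `host/<computer_name>` and `user@domain` cases discussed above. The realm `example.ac.uk`, the log format and the simplified realm check are assumptions made for illustration.

```python
import re
from collections import Counter
HOME_REALM = "example.ac.uk"  # assumption: placeholder for your eduroam realm

# Simplified realm check (assumption): dot-separated DNS labels, two or more.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
REALM_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$", re.I)
USER_NAME_RE = re.compile(r'User-Name="([^"]*)"')

# Constructed log lines in a made-up format, not real ClearPass output.
SAMPLE_LOG = r'''
2023-09-06T09:01:12Z Access-Request User-Name="jsmith" NAS-Identifier="ap-lib-01"
2023-09-06T09:01:40Z Access-Request User-Name="jsmith@example.ac.uk" NAS-Identifier="ap-lib-01"
2023-09-06T09:02:03Z Access-Request User-Name="host/LAPTOP-0042" NAS-Identifier="ap-sci-03"
2023-09-06T09:02:31Z Access-Request User-Name="CAMPUS\adavies" NAS-Identifier="ap-sci-03"
2023-09-06T09:03:10Z Access-Request User-Name="mkhan@example" NAS-Identifier="ap-lib-02"
2023-09-06T09:03:55Z Access-Request User-Name="jsmith" NAS-Identifier="ap-lib-02"
'''

def classify_identity(user_name, home_realm=HOME_REALM):
    """Classify a User-Name by whether a visited site could proxy it home."""
    name = user_name.strip()
    if name.lower().startswith("host/"):
        return "machine"        # host/<computer_name> machine credential
    if "\\" in name:
        return "netbios"        # DOMAIN\user carries no routable realm
    if "@" not in name:
        return "unqualified"    # bare AD username, only works at home
    user, _, realm = name.rpartition("@")
    if not user or not REALM_RE.match(realm):
        return "malformed"      # e.g. user@shortname without a full domain
    if realm.lower() != home_realm.lower():
        return "other_realm"    # valid realm, but not the one checked here
    return "routable"

def audit(log_text, home_realm=HOME_REALM):
    """Return (category counts, sorted identities that would fail offsite)."""
    counts, at_risk = Counter(), set()
    for match in USER_NAME_RE.finditer(log_text):
        kind = classify_identity(match.group(1), home_realm)
        counts[kind] += 1
        if kind != "routable":
            at_risk.add(match.group(1))
    return counts, sorted(at_risk)

if __name__ == "__main__":
    counts, at_risk = audit(SAMPLE_LOG)
    print(dict(counts), at_risk)
```

Running this against logs from the home site shows which devices are currently authenticating with identities that only succeed locally, before those users travel.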




  • 9.  RE: Offsite Eduroam Issues

    Posted Sep 13, 2023 11:08 AM
    I think it is more or less, whether you and the visiting sites are following the strict Eduroam guidelines and requirements.
    As a collaborative society, there is no room for mistakes, or own thoughts… ! (ideas!)
     
    Eduroam works, happy reading:
     
    https://eduroam.org/
    https://wiki.geant.org/display/H2eduroam
    https://monitor.eduroam.org/
    https://monitor.eduroam.org/mon_infrastructure.php



    ------------------------------
    Steinar
    ------------------------------