
Neil,

If you want to do machine authentication for local access, the SSID is yours, so treat it like you would treat 
any other SSID on campus.

For machine authentication, I know that University of Tennessee used a lot of AD Group Policies to accomplish Machine Authentication,
while maintaining user authentication at the same time (the machine can join the network to talk to AD on its own but each user has to authenticate independently
to access the functionality of the machine).

As Anders mentioned, if you give access to those machines with a REALM, empowering them to travel to other eduroam locations, make sure that someone is responsible for their usage.

Best,

Philippe


Comments

He used to- now he’s like Cher, or Yani.

 

I bought his last disc- the dude can play the radius like no other.

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of McNamara, Diane
Sent: Tuesday, April 02, 2013 1:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam and machine authentication

 

Does phanset have a last name?

 

 

 

 

"Difficult things take a long time, impossible things a little longer".  ~André A. Jackson

*****************************************************************

Diane R. McNamara

Director of Telecom/Networking

Union College

Old Chapel Rm 200

807 Union Street 

Schenectady, NY  12308

518-388-6411

www.union.edu

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of phanset
Sent: Tuesday, April 02, 2013 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam and machine authentication

 

Neil,

 

If you want to do machine authentication for local access, the SSID is yours, so treat it like you would treat 

any other SSID on campus.

 

For machine authentication, I know that University of Tennessee used a lot of AD Group Policies to accomplish Machine Authentication,

while maintaining user authentication at the same time (the machine can join the network to talk to AD on its own but each user has to authenticate independently

to access the functionality of the machine).

 

As Anders mentioned, if you give access to those machines with a REALM, empowering them to travel to other eduroam locations, make sure that someone is responsible for their usage.

 

Best,

 

Philippe

 

 

What version of Windows? Starting with 7, you can do single sign-on from the login screen which is a great alternative to machine auth.
 
Tim

 
Tim Cappalli  ACMP  CCNA
Network Engineer | LTS NetSys
Brandeis University
x67149 | (617) 701-7149
cappalli@brandeis.edu


Message from neil-johnson@uiowa.edu

We tried SSO with Windows 7 and the GINA confuses people because it asks them to enter their user name twice (once for wireless and once for the domain).

Also the GUI tells the user to use DOMAIN/user-name for the format of wireless logon which leads to confusion.

We would be restricting machine logins to machines on campus only, mainly shared classroom and checkout machines.

I did get something running in RADIATOR by creating a handler for user names that start with "host/<machine-name>".

We have security issues we also need to address. Evidently it's hard to keep track of AD user logins.

-Neil



On Apr 2, 2013, at 1:46 PM, Tim Cappalli <cappalli@brandeis.edu> wrote:

What version of Windows? Starting with 7, you can do single sign-on from the login screen which is a great alternative to machine auth.
 
Tim

 
Tim Cappalli  ACMP  CCNA
Network Engineer | LTS NetSys
Brandeis University
x67149 | (617) 701-7149
cappalli@brandeis.edu
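
The split discussed in this thread (machine identities of the form "host/<machine-name>" handled locally and kept on campus, realm-qualified users allowed to roam), sketched as an added example that is not any poster's configuration and is not Radiator syntax. The realm `example.edu`, the `from_roaming_proxy` flag, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from collections import Counter

LOCAL_REALM = "example.edu"  # assumption: placeholder for the home realm

# Computer authentication presents "host/<machine-name>" as the identity.
MACHINE_RE = re.compile(r"^host/(?P<name>[A-Za-z0-9][A-Za-z0-9.-]*)$", re.IGNORECASE)
# Roaming users need user@realm so the request can be routed by realm.
USER_RE = re.compile(r"^(?P<user>[^@\s/\\]+)@(?P<realm>[A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def route(user_name, from_roaming_proxy):
    """Return (decision, detail) for one RADIUS User-Name.

    from_roaming_proxy is True when the request arrived from the
    roaming federation rather than from a campus access point.
    """
    m = MACHINE_RE.match(user_name)
    if m:
        # Machine identities carry no realm: serve them on campus only.
        if from_roaming_proxy:
            return ("reject", "machine identity seen off campus")
        return ("machine-local", m.group("name").lower())
    u = USER_RE.match(user_name)
    if not u:
        # e.g. DOMAIN/user-name or a bare user name: cannot be routed.
        return ("reject", "no usable realm")
    realm = u.group("realm").lower()
    if realm == LOCAL_REALM:
        return ("user-local", u.group("user"))
    if from_roaming_proxy:
        # Assumption: the federation only sends us our own realm.
        return ("reject", "foreign realm arrived from proxy")
    return ("proxy-eduroam", realm)


def summarize(requests):
    """Count decisions so machine logins stay visible next to user logins."""
    return Counter(route(name, proxied)[0] for name, proxied in requests)


# Constructed sample requests: (User-Name, arrived via roaming proxy?)
SAMPLE = [
    ("host/LAB-PC-01", False),
    ("host/LAB-PC-01", True),
    ("alice@example.edu", True),
    ("bob@other.example.org", False),
    ("DOMAIN/alice", False),
]

if __name__ == "__main__":
    for name, proxied in SAMPLE:
        print(name, proxied, route(name, proxied))
    print(dict(summarize(SAMPLE)))
```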

