Govroam

The Roaming solution for the public sector


This is an old revision of the document!


Rejected authentication requests

This one was diagnosed by Hans Litteck from the University of London.

He'd noticed that attempts to authenticate a test user were failing and worked with Camden Council to figure it out. Thanks to all involved.

The executive summary is that Microsoft NPS was configured to reject any request that didn't match the condition:

Called-Station-ID =~ :govroam$

i.e. the Called-Station-ID should have a suffix of ':govroam' after the address of the device.

To quote Hans:

I'm aware RFC 3580 states the Called-Station-ID SHOULD append the SSID. However,

1. Not everything does; ArubaOS below 6.4 doesn't allow you to add this to the RADIUS client configuration.

2. The default pre-proxy attribute filter in FreeRADIUS, if turned on, will remove Called-Station-ID from a proxy request.

So the policy condition is a bit strict for a 'federated' environment.

I've updated our FreeRADIUS configuration to add the missing SSID if not supplied by the NAS client and I can now authenticate via Camden's RADIUS server.

Further to this, Hans has looked into the attribute filters and determined that NPS should be configured not to filter out the following from a proxied request:

NAS-IP-Address
NAS-Identifier
NAS-Port
NAS-Port-Type

My interpretation is that a RADIUS server will always see those if the request comes direct from a NAS client (AP, wireless controller, edge switch, …) but not necessarily for a proxy request, especially if the visited site uses filtering.
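
An added example, not part of the original page and not Hans's FreeRADIUS configuration: a Python triage helper for the two causes described above, the `:govroam$` condition on Called-Station-ID and the NAS-* attributes that a proxied request may arrive without. The sample requests are constructed, the function names are hypothetical, and evaluating the page's condition with Python regex semantics is an assumption.

```python
import re

# Condition quoted on the page; Python regex semantics are an assumption here.
NPS_CONDITION = re.compile(r":govroam$")
SSID = "govroam"
# MAC as 00-11-.., 00:11:.., 0011.2233.4455 or 001122334455, then optional ":SSID".
MAC_SSID = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2})(?::(.*))?$")
# Attributes the page says a proxied request may arrive without.
NAS_ATTRS = ("NAS-IP-Address", "NAS-Identifier", "NAS-Port", "NAS-Port-Type")


def check_called_station_id(attrs):
    """Return (verdict, value) for the Called-Station-Id in one request."""
    csid = attrs.get("Called-Station-Id")
    if csid is None:
        return "missing", None          # e.g. stripped by a pre-proxy filter
    if NPS_CONDITION.search(csid):
        return "matches", csid
    m = MAC_SSID.match(csid)
    if m is None:
        return "unparsed", csid         # not a MAC; leave for a human to look at
    mac, ssid = m.groups()
    if ssid:
        return "other-ssid", csid       # a different SSID is present; do not rewrite
    return "append-ssid", f"{mac}:{SSID}"


def absent_nas_attrs(attrs):
    """NAS-* attributes missing from the request, in the page's order."""
    return [name for name in NAS_ATTRS if name not in attrs]


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    {"Called-Station-Id": "00-11-22-33-44-55:govroam", "NAS-IP-Address": "192.0.2.10",
     "NAS-Identifier": "ap1", "NAS-Port": "1", "NAS-Port-Type": "Wireless-802.11"},
    {"Called-Station-Id": "00-11-22-33-44-55", "NAS-Port-Type": "Wireless-802.11"},
    {"Called-Station-Id": "00:11:22:33:44:55:eduroam"},
    {"User-Name": "test@example.org"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        verdict, value = check_called_station_id(req)
        print(verdict, value, "absent:", ",".join(absent_nas_attrs(req)) or "-")
```

A "missing" verdict cannot be repaired by appending the SSID; it points at an attribute filter on a proxy in the path, as in Hans's second point.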

siteadmin/radius_troubleshooting.1507624184.txt.gz · Last modified: 2017/10/10 08:29 by admin