CAF – Enabling Anonymous Outer Identity with eduroam CAT and NPS

Introduction

Best practice is to deploy eduroam at an organization using eduroam CAT profiles. eduroam CAT profiles ensure that users are protected against rogue Wi-Fi hotspots that try to capture usernames and passwords.

The eduroam CAT tool is available to administrators at cat.eduroam.org. The eduroam Configuration Assistant Tool (CAT) has been developed to help organizations offer their users eduroam access. The tool builds customised installers for a range of popular PC and smartphone platforms and enhances security for the end user.

This document specifically touches on the use of anonymous outer IDs with CAT profiles and the configuration required to use anonymous outer IDs with Microsoft’s Network Policy Server (NPS). For complete information on these topics see vendor product documentation.

Please use the unique outer identity assigned to each organization by the Canadian Access Federation. CAF will use the unique outer identity to determine if systems have a legitimate CAT profile installed. If you do not know your assigned outer ID, please request it by sending an email to tickets@canarie.ca.

Configuring NPS

NPS can be configured in a number of ways. Our recommended example configuration can be found here.

For NPS to support anonymous outer identities it must be configured with a “Connection Request Policy” that overrides the authentication settings of the “Network Policy”. See page 26 in the above linked document for more details. If you do not configure NPS in this way, anonymous outer IDs will not work, even though NPS may still correctly authenticate eduroam users that do not use an anonymous outer ID.

It is also necessary that the anonymous ID be created in Active Directory (AD) and be a member of the appropriate group that is allowed eduroam access. The anonymous account should be disabled, but it has to exist in AD. For example, if you want to use anonymous8357 as your anonymous ID, then this ID must exist in AD.
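The following PowerShell script is an added example, not part of the CAF document: it creates the anonymous outer-identity account as a disabled AD user, adds it to the eduroam access group, and verifies the end state. The outer ID anonymous8357 is the page's example value; the realm example.ca, the group name eduroam-users and the OU path are assumptions to replace with your own values.

```powershell
# Added example (not CAF's own script). Assumed values: realm, group and OU path.
Import-Module ActiveDirectory

$OuterId    = 'anonymous8357'                          # CAF-assigned anonymous outer ID (page example)
$Realm      = 'example.ca'                             # your eduroam realm (assumed)
$EduroamGrp = 'eduroam-users'                          # AD group allowed eduroam access (assumed)
$OuPath     = 'OU=Service Accounts,DC=example,DC=ca'   # OU for the account (assumed)

# 1. Create the account only if it does not already exist, and create it disabled:
#    NPS needs the name to exist in AD, not a usable logon.
$user = Get-ADUser -Filter "SamAccountName -eq '$OuterId'"
if (-not $user) {
    New-ADUser -Name $OuterId `
               -SamAccountName $OuterId `
               -UserPrincipalName "$OuterId@$Realm" `
               -Path $OuPath `
               -Enabled $false `
               -Description 'eduroam anonymous outer identity for CAT profiles; keep disabled'
}

# 2. Ensure membership of the group that the NPS network policy grants eduroam access to.
$members = Get-ADGroupMember -Identity $EduroamGrp | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $OuterId) {
    Add-ADGroupMember -Identity $EduroamGrp -Members $OuterId
}

# 3. Verify the end state: the account exists, is disabled, and is a group member.
$user    = Get-ADUser -Identity $OuterId -Properties Enabled, MemberOf
$groupDn = (Get-ADGroup -Identity $EduroamGrp).DistinguishedName
if ($user.Enabled) {
    Write-Warning "$OuterId is enabled; the anonymous account should be disabled"
} elseif ($user.MemberOf -notcontains $groupDn) {
    Write-Warning "$OuterId is not a member of $EduroamGrp; the outer identity will not be allowed"
} else {
    Write-Output "$OuterId exists, is disabled and is a member of $EduroamGrp"
}
```

Run it on a domain-joined host with the RSAT ActiveDirectory module and rights to create users in the chosen OU.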

Creating the CAT profile

Follow the usual procedure to create your CAT profile. Full documentation is available at: https://wiki.geant.org/x/25g7Bw

When configuring your realm check “Enable Anonymous Outer Identity” as in the following screenshot:

The actual ID will be the one you created in Active Directory. Please use the ID assigned by CAF.

Before downloading a CAT profile installer you should perform a “Check realm reachability” test and make sure all settings in the CAT profile are green, or that any warnings are addressed either by fixing the associated setting or by understanding and accepting the impact of the warning. Any setting with a “red” status must be corrected before the CAT profile can be used.