This document discusses routing host certificates in eduroam/govroam wireless networks. It proposes using EAP-TTLS to encapsulate EAP-TLS authentication, allowing the use of an outer identity with a realm for routing even when client certificates do not include a realm. Testing showed this approach worked routing Windows host certificates via a RADIUS server, but not yet via a Microsoft NPS server. Future work includes further testing, documentation, and pilots using this method with Intune and Azure AD without on-premises servers.

1. ROUTING HOST CERTIFICATES
IN EDUROAM/GOVROAM
Govroam stakeholders’ meeting, 14th of April 2021
Karri Huhtanen (Radiator Software)

2. Background
● eduroam, govroam, roam.fi, OpenRoaming all require
realm (domain) in RADIUS User-Name to route the
RADIUS request
● In certificate authentication (EAP-TLS) CN of the client
certificate is usually used
● Unfortunately client certificates may not always have
realm in the username => cannot be routed
● Windows host certificates are one example of this.
User-Name is like host/HOSTID.windows.domain

3. Source: https://wiki.govroam.uk/lib/exe/fetch.php?media=public:high_level_architecture.pdf
Host certificate
auth. usually
works within
organisation
Some RRPS
make an
exception and
route it inside
region
Organisation may
also route all
unknown requests
to RRPS
But even one
properly
configured
(i.e. requires
a realm)
organisation
within region
prevents host
certificate
roaming.
JISC NRPS
forward only
authentications
with proper realms.
RRPS are not
guaranteed to
forward
realmless
authentications
ORPS are not
guaranteed
to forward
realmless
authentications … and because some
organisations use
.local AD domain,
routing may not be
possible even with
exceptions made in
ORPS, RRPS and
NRPS

4. Idea: Making host certificates routable with EAP-TTLS
● EAP-TLS usually retrieves the username from
certificate and does not allow configuring it
separately.
● EAP-TTLS supports external/anonymous
identity while being able to encapsulating
EAP-TLS within EAP authentication
● So, let’s configure EAP-TTLS’ outer identity to
be routable one.

5. Idea: EAP-TLS inside EAP-TTLS
EAP-TLS is the inner EAP
authentication protocol for
certificate authentication
Wireless
controller, access
point etc. RADIUS
server
EAP protocol
WPA2 authentication
Outer EAP is EAP-TTLS with a
routable User-Name e.g.
anonhostcert@example.com

6. Idea: How does it actually work?
● Windows clients may already have host certificates, which
are not routable.
● EAP-TTLS capable Windows clients can be configured to
have whatever anonymous identity and then use existing
host certificate in inner EAP-TLS authentication.
● This enables Windows host certificates to be routable in
RADIUS based roaming.
● Together with Tampere University we decided to verify if this
idea works in practise and with what limitations if any.

7. TEST SETUPS AND RESULTS
Leena Heino
Tampere University

8. Test case 1:
Windows 10 -> WLC -> Radiator (EAP-TTLS) -> Radiator (EAP-TLS)
AD
Host certificate CAs
copied to EAP-TLS
RADIUS
EAP-TLS
authenticating
Radiator
instance
EAP-TTLS
terminating
Radiator
instance
EAP-TLS with
host certificate
EAP-TTLS
anonttlshost@tuni.fi
WLC
RADIUS
TUNI
Radiator
proxy
instance
WPA2 Enterprise
Authentication
Regular host client certificate from AD
RESULT
OK

9. Test case 2:
Windows 10 -> WLC -> Radiator (EAP-TTLS) -> NPS (EAP-TLS)
NPS
AD
Host authentication
policies
EAP-TLS
authenticating
Microsoft NPS
EAP-TTLS
terminating
Radiator
instance
EAP-TLS with
host certificate
WLC
RADIUS
TUNI
Radiator
proxy
instance
WPA2 Enterprise
Authentication
Regular host client certificate from AD
RESULT
FAIL
(so far)
EAP-TTLS
anonttlshost@tuni.fi

10. Not tested case 3:
Windows 10 -> WLC -> NPS (EAP-TLS)
NPS
AD
Host authentication
policies
EAP-TTLS
terminating,
EAP-TLS
Microsoft NPS
EAP-TTLS
anonttlshost@tuni.fi
WLC
RADIUS
TUNI
Radiator
proxy
instance
WPA2 Enterprise
Authentication
Regular host client certificate from AD
RESULT
UNKNOWN
May be possible, but
requires NPS expert to
verify.

11. Future work
Radiator Software
● Detailed blog post about the
idea and Radiator configuration
● EAP-TLS proxying patch,
Radiator configurations and
documentation
● Radiator host certificate
authentication with Intune and
Azure AD pilot (no onsite
NPS/AD)
Tampere University
● Additional testing for Test Case 2
● Additional host certificate validity
checks with Radiator Software for
Test Case 1
● Extended pilot?
● Production use?

12. Routeable certificates with Intune and SCEPman
Cooperation proof-of-concept with
Radiator Software and City of Ylöjärvi
(and other Tampere region cities)
With thanks for cooperation to
Jouni Paarala (City of Ylöjärvi)

13. Objectives
● Client certificates for all Intune
managed devices
● No onsite/local ADs or servers,
Azure/cloud servers/services
only
● Minimal user interaction needed
● Automatic certificate renewals

14. First attempt: Reusing Intune MDM certs
● Intune installs a client certificate signed by
Intune MDM CA to all Intune managed devices.
● This client certificate is not a routable client
certificate, but TTLS idea might apply.
● Unfortunately Microsoft support said no to this
kind of (ab)use of Intune MDM certificates.

15. Second attempt: So guess we need a PKI?
● Microsoft expert suggested 3rd party SCEPman as PKI and for client
certificate management
● SCEPman Community Edition is free to use so that was selected
● SCEPman/Intune was configured to issue certificates with
CN/SubjectName <CityId>-<Serialnumber>@cert.edu.city.fi
● Radiator was used as a RADIUS server
● SCEPman tenant specific CA (for client certificates) was copied to
Radiator server
● Regular EAP-TLS was used since client certificate was already routable
● Intune was configured to provision SCEP(man) configuration to client
devices as well as Wi-Fi network profile.

16. … and it worked ...
● with:
○ Intune
○ SCEPman Community Edition (https://scepman.com/)
○ Radiator RADIUS server software
● so well that the pilot was extended to replace old
malfunctioning onsite AD/NPS-based host username -
password authentication.

17. Example provisioning flow
1. Windows laptop is (re)installed from USB stick
2. The laptop only needs some Internet access to be
configured manually or from the USB stick
3. From there on USB stick install and Intune handle all the
configurations and installation including network
configurations and certificates.
4. Client certificates are renewed and installed automatically
5. If certificate expires, new certificate, configurations and apps
can be provisioned by connecting laptop to some Internet
capable network

18. What next?
● Ongoing pilot is expanding in Ylöjärvi and starting in
Tampere and other neighboring cities area
● Moving into production use probably as soon as
possible.
● Currently refining the solution as a product/service,
and writing a blog post/white paper about it.

19. Thank you. Any questions?

20. For more information
Blog post coming to: blog.radiatorsoftware.com
Slideshare (Radiator): www.slideshare.net/radiatorsoftware
Slideshare (Karri): www.slideshare.net/khuhtanen