FAQ
This page provides answers to the most frequently asked questions relating to eduroam.
-
What is eduroam?
eduroam (education roaming) allows users (researchers, teachers, students, staff) from participating institutions to securely access the Internet from any eduroam-enabled institution. The eduroam principle is based on the fact that the user's authentication is done by the user's home institution, whereas the authorisation decision allowing access to the network resources is done by the visited network.
Can a student / researcher / professor use eduroam?
Any person with a valid electronic identity (e.g. account for network access) can use eduroam. Institutions are responsible for issuing and managing user's electronic identites.
Can a public WiFi provider offer eduroam?
eduroam separates the concepts of authentication (identity providers) and hotspots (service providers) allowing public, commercial or city wifi initiatives to offer eduroam in addition to research and education institutions.
What commercial entities cannot do is become identity providers and offer a service to their customers that will work with eduroam. Any partnership with a commercial wifi service needs to respect that users of this hotspot cannot be charged for accessing the network.
As a network administrator, what do I need to do to set up eduroam in my campus?
In order to enable your users to access eduroam in your campus, you need to maintain an Identity Management System (IdMs), where your users' electronic identities are stored.
You also need a RADIUS server, which will have to be connected to your IdMs.
To set up an eduroam service point in your institution you have to configure your wireless LAN according to the eduroam requirements.
Your institution must be part of an eduroam service, which is provided on a national level by a National Roaming Operator (in most cases a National Research and Education Network (NREN)).
Your NREN representative will be able to inform you about the formal rules for participation.
How does eduroam work?
When a user tries to log on to the wireless network of a visited eduroam-enabled institution, the user's authentication request is sent to the user's home institution. This is done via a hierarchical system of RADIUS servers. The user's home institution verifies the user's credentials and sends to the visited institution (via the RADIUS servers) the result of such a verification.
For example, let's consider two eduroam users inside University computing centre:
Pero - employee of University Computing Centre (Srce)
Ana - student at Faculty of Chemical Engineering and Technology
1. Both are trying to connect to eduroam with their laptop / smartphone / tablet. They send their encrypted credentials. Only the realm of the institution which they belong is visible: @srce.hr or @fkit.hr.
2. Encrypted credentials are delivered through network infrastructure to University Computing Centre's RADIUS server.
3. RADIUS server checks if realm on the credentials matches his own. Since user Pero has the same realm, authentication proces begins. His credentials are checked against the values stored in institution's LDAP directory.
3.a. Ana's credentials don't match University Computing Centre's RADIUS server realm so they are forwarded to top-level RADIUS server for .hr domain which forwards them to RADIUS server of Faculty of Chemical Engineering and Technology.
3.b. RADIUS server on Faculty of Chemical Engineering and Technology checks her credentials against values stored in institution's LDAP directory and sends authentication results back to University Computing Centre's RADIUS server.
4. Authentication result is sent back to access point.
5. Starting device recieves authentication result.
6. If the authentication result is positive, user can access the Internet and other network resources.
What technology does eduroam use?
In eduroam, communication between the access point and the user's home institution is based on IEEE 802.1X standard; 802.1X encompasses the use of EAP, the Extensible Authentication Protocol, which allows for different authentication methods. Depending on the type of EAP method used, either a secure tunnel will be established from the user’s computer to his home institution through which the actual authentication information (username/password etc.) will be carried (EAP-TTLS or PEAP), or mutual authentication by public X.509 certificates, which is not vulnerable to eavesdropping, will be used (EAP-TLS).
Is eduroam safe to use?
eduroam is based on the most secure encryption and authentication standards in existence today. Its security by far exceeds typical commercial hotspots. Be aware though that when using the general Internet at an eduroam hotspot, the local site security measures at that hotspot will apply to you as well. For example, the firewall settings at the visited place may be different from those you are used to at home, and as a guest you may have access to fewer services on the Internet than you have at home.
Does eduroam use a captive portal for authentication?
No. Web Portal, Captive Portal or Splash-Screen based authentication mechanisms are not a secure way of accepting eduroam credentials, even if the website is protected by an HTTPS secure connection. The distributed nature of eduroam would mean that many different pages, languages and layouts would be presented to eduroam users making it impossible to distinguish between legitimate and bogus sites (even a consistent layout can be mimicked by an adversary).
eduroam requires the use of 802.1x which provides end-to-end encryption to ensure that your private user credentials are only available to your home institution. The certificate of your home institution is the only point you need to trust regardless of who operates any intermediate infrastructure. Web portals require you to trust their infrastructure as they receive your password in clear text, this breaks the end-to-end encryption tenets of eduroam.
Does eduroam work on different platforms?
eduroam uses open standards to enable cross platform uniform access. This means that eduroam works on Windows, Linux, MacOS, iOS and Android operating systems.
Who is responsible for end user support?
Each institution's IT department is responsible for their eduroam end users. eduroam configuration is simplified by eduroam installer service provided by Srce so the IT deparment shouldn't have much work with giving support to end users.
What certificates does eduroam use?
eduroam uses server certificates to ensure that client credentials are transfered in a secure tunnel. Diagram below explains steps of creating such a secure tunnel. Each identity provider's RADIUS server has two certificates:
- Root CA self-signed (SS) certificate - it serves as a common point of trust for both the RADIUS server and users it authenticates. Note: Self signed root CA certificates are used because of Android OS is lacking a feature to support chains of certificates leading to the root CA.
- RADIUS certificate - it is signed by root CA certificate.
- Presumption is that the user's tablet is properly configured for eduroam. That means it already has the public key of root CA certificate from the identity provider.
- User sends Request authentication message to the access point.
- Access point responds with Request identity message.
- User sends his/her outer identity (eg srce.hr) which is used for routing the request to the correct RADIUS server.
- Server sends his RADIUS certificate that is signed with root CA private key.
- User receives the server's RADIUS certificate and validates the signature using root CA public key. If the signature checks out, user knows he can trust recieved certificate.
- User uses public key received in server's RADIUS certificate to encrypt data needed to establish the secured tunnel (pre shared secret).
- Server decrypts received data with his RADIUS certificate's private key.
- Based on pre shared secret, RADIUS server generates necessary data for establishing encrypted TLS tunnel.
- User sends his credentials through the encrypted TLS tunnel.
It can be concluded from the steps above that changing the RADIUS certificate has no effect on the end user as long as it is signed by the same root CA. This enables eduroam administrators to regenerate RADIUS certificates if they suspect it was compromised in some way or it has expired.
Users need to reconfigure their devices only in the case where the root CA certificate was changed.
Detailed instructions for certificate handling for eduroam administrators can be found on this link.
Windows 8 won't connect to eduroam even after proper package was installed from installer service
Problem is caused by server certificate not having a part of information that instructs Windows 8 to use it for EAP-TLS encryption, so it silently fails. Detailed description of the problem can be found http://support.microsoft.com/kb/814394/.
This problem can be corrected by generating new server certificate. Note: your rootCA certificate will remain unchanged so your users won't have to reconfigure their devices.
Detailed instructions for generating new server certificate can be found on this link.