CTS 126: Using Eduroam in Higher Education

We took Anders Nilsson away from a party during Cisco Live and asked him to talk about Eduroam.

Eduroam

Anders Nilsson joins us on the show to discuss the basics of eduroam, how it works, and why higher education institutions decide to deploy the eduroam SSID on their campus. Anders is from Sweden and you may know him through the Wi-Fi Moose.

https://twitter.com/HerrNilsson2/status/1007630629272457216

Anders works for the Swedish education network and is technically responsible for eduroam in Sweden. That makes him today’s subject matter expert for this topic.

If you’re from a higher education institution you may be familiar with eduroam already. Or maybe you’re thinking about deploying eduroam, or you don’t fully understand how it works. Anders provides a thorough introduction to eduroam, which was started around 2003 in the Netherlands.

Figure: How eduroam routes authentication (from https://www.eduroam.us/node/10)

The goal was to provide a better way for guest students visiting another university to access Wi-Fi. In its early days, eduroam was implemented as an open SSID with an access list that allowed VPN traffic only. They quickly realized this method wouldn’t scale very well and went for the 802.1X solution instead.

eduroam is WPA2 Enterprise based, with a federation of RADIUS servers. This means an institution peers its RADIUS server(s) with the eduroam federation RADIUS servers. When a visiting user joins the eduroam SSID, the authentication must still happen against the user’s home RADIUS servers, so the local institution forwards the authentication requests up the eduroam chain based on the realm in the user’s identity.

This allows for a seamless, convenient connection for the global academic community by using a single SSID, eduroam, at any participating institution. In the old days, a visiting user had to get ahold of the local IT department in order to gain access or use a visitor SSID.
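As an added illustration (not code from the show, from eduroam or from any RADIUS product), the following Python sketch models the realm-based decision a participating institution’s RADIUS proxy makes on the outer identity: local realms are authenticated at home, anything else is forwarded up the federation chain, and an identity without a realm is rejected because the federation could not route it. The realm names and server label are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Assumed names: the realms and server labels used here are made up for
# the illustration; real deployments use their own institution realms.


@dataclass(frozen=True)
class RoutingDecision:
    action: str            # "local", "forward" or "reject"
    target: str            # server that handles the request, or the reject reason
    realm: Optional[str]


def split_nai(outer_identity: str) -> Tuple[str, Optional[str]]:
    """Split a Network Access Identifier into (user, realm).

    The realm is the part after the last '@' (RFC 7542) and is matched
    case-insensitively, so it is lowercased here."""
    if "@" not in outer_identity:
        return outer_identity, None
    user, _, realm = outer_identity.rpartition("@")
    return user, realm.lower()


def route_request(outer_identity: str, local_realms: Set[str],
                  federation_server: str) -> RoutingDecision:
    """Decide where the institution's RADIUS proxy sends an Access-Request.

    Local realms are authenticated by the home RADIUS server; any other
    realm is proxied up the eduroam federation chain; a request with no
    realm is dropped here, because the federation cannot route it."""
    _, realm = split_nai(outer_identity)
    if not realm:
        return RoutingDecision("reject", "missing realm", None)
    if realm in {r.lower() for r in local_realms}:
        return RoutingDecision("local", "home RADIUS", realm)
    return RoutingDecision("forward", federation_server, realm)


def outer_identity_reveals_user(outer_identity: str) -> bool:
    """True when the unencrypted outer identity carries a real username.

    With tunnelled methods only the realm is needed for routing; the real
    user is sent inside the TLS tunnel, so the outer user part should be
    empty or a placeholder such as 'anonymous'."""
    user, _ = split_nai(outer_identity)
    return user not in ("", "anonymous")


if __name__ == "__main__":
    for ident in ("alice@home.example", "anonymous@visitor.example", "bob"):
        print(ident, route_request(ident, {"home.example"}, "federation-server"))
```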

Since eduroam is implemented using WPA2 Enterprise, it is strongly suggested to start with EAP-TLS. Other EAP methods are allowed; the table below lists the common EAP types deployed with eduroam.

EAP-Type: EAP-TLS
Native Supplicant Support: Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
Pros:
• Validates client as well as infrastructure
• Reduced risk of being phished
• Blocking user access is via certificate revocation
Cons:
• PKI infrastructure is required
• Users must configure supplicant to use certificate*
• Identity may be exposed in TLS exchange depending on contents of certificate

EAP-Type: EAP-TTLS
Native Supplicant Support: Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
Pros: (none listed)
Cons:
• No native supplicant support on Microsoft Windows XP or 7
• Potential for Man-in-the-Middle attacks*

EAP-Type: EAP-PEAP
Native Supplicant Support: Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
Pros:
• Works on many platforms
Cons:
• Potential for Man-in-the-Middle attacks*
• Identity may be exposed during Phase-1 of exchange

Links and Resources

Follow Anders on Twitter – @HerrNilsson2
Learn more about eduroam
Read the eduroam FAQ

About the Author
Rowell, CWNE #210, is a network engineer in Higher-Ed. He enjoys working with wireless networking technologies and loves to share and engage with the community. You can connect with him on Twitter, LinkedIn, and Facebook.
