
CTS 126: Using Eduroam in Higher Education

We took Anders Nilsson away from a party during Cisco Live and asked him to talk about Eduroam.

Eduroam

Anders Nilsson joins us on the show to discuss the basics of eduroam, how it works, and why higher education institutions decide to deploy the eduroam SSID on their campus. Anders is from Sweden and you may know him through the Wi-Fi Moose.

https://twitter.com/HerrNilsson2/status/1007630629272457216

Anders does work for the Swedish education network and is technically responsible for eduroam in Sweden. That makes him today’s subject matter expert for this topic.

If you’re from a higher education institution you may be familiar with eduroam already. Or maybe you’re thinking about deploying eduroam, or you don’t fully understand how it works. Anders provides a thorough introduction to eduroam, which was started around 2003 in the Netherlands.

How eduroam routes authentication

From https://www.eduroam.us/node/10

The goal was to provide a better way for guest students at a visiting university to access Wi-Fi. In its early days, eduroam was implemented as an open SSID with an access list that allowed VPN traffic only. They quickly realized this method wouldn’t scale very well and went for the 802.1X solution instead.

eduroam is based on WPA2 Enterprise with a federation of RADIUS servers. This means an institution peers its RADIUS server(s) with the eduroam federation RADIUS servers. When a visiting user joins the eduroam SSID and needs to authenticate against their home institution’s RADIUS servers, the local institution forwards the authentication requests up the eduroam chain.

This allows for a seamless, convenient connection for the global academic community by using a single SSID, eduroam, at any participating institution. In the old days, a visiting user had to get ahold of the local IT department in order to gain access or use a visitor SSID.
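
The forwarding chain described above, traced hop by hop as an added example (not code from the episode or from eduroam). The federation table and realms are constructed, and routing on the realm's last label as a country code is a simplifying assumption; malformed realms are rejected at the first hop instead of being forwarded.

```python
import re

# Constructed topology: federation (country code) -> member institution realms.
FEDERATIONS = {
    "se": {"visited.example.se", "other.example.se"},
    "nl": {"home.example.nl"},
}
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def parse_realm(outer_identity):
    """Return the lowercased realm of 'user@realm', or None if unroutable."""
    _user, sep, realm = outer_identity.rpartition("@")
    labels = realm.lower().split(".")
    if not sep or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return ".".join(labels)


def member_for(realm, federation):
    """Longest registered realm that equals or is a parent domain of `realm`."""
    hits = [m for m in FEDERATIONS.get(federation, ())
            if realm == m or realm.endswith("." + m)]
    return max(hits, key=len, default=None)


def trace(outer_identity, visited_realm, visited_fed):
    """List the RADIUS hops an Access-Request takes; last item is the outcome."""
    realm = parse_realm(outer_identity)
    hops = ["institution:" + visited_realm]
    if realm is None:
        return hops + ["reject:malformed-realm"]
    if realm == visited_realm or realm.endswith("." + visited_realm):
        return hops + ["authenticate-locally"]
    hops.append("federation:" + visited_fed)       # always go up one level first
    home_fed = realm.rsplit(".", 1)[1]
    if home_fed != visited_fed:                     # cross-border: via top level
        if home_fed not in FEDERATIONS:
            return hops + ["top-level", "reject:unknown-federation"]
        hops += ["top-level", "federation:" + home_fed]
    home = member_for(realm, home_fed)
    if home is None:
        return hops + ["reject:unknown-realm"]
    return hops + ["institution:" + home, "authenticate-at-home"]
```

Only the realm of the outer identity is used for routing, so `anonymous@home.example.nl` takes the same path as a named user at that realm.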

Since eduroam is implemented using WPA2 Enterprise, it is strongly suggested to start with EAP-TLS, although other EAP methods are allowed. The table below features the common EAP types deployed with eduroam.

EAP-Type: EAP-TLS
Native Supplicant Support: Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
Pros and Cons:
  • Validates client as well as infrastructure
  • Reduced risk of being Phished
  • Blocking user access is via certificate revocation
  • PKI infrastructure is required
  • Users must configure supplicant to use certificate*
  • Identity may be exposed in TLS exchange depending on contents of certificate

EAP-Type: EAP-TTLS
Native Supplicant Support: Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
Pros and Cons:
  • No native supplicant support on Microsoft Windows XP or 7
  • Potential for Man-in-the-Middle attacks*

EAP-Type: EAP-PEAP
Native Supplicant Support: Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
Pros and Cons:
  • Works on many platforms
  • Potential for Man-in-the-Middle attacks*
  • Identity may be exposed during Phase-1 of exchange

Links and Resources

Follow Anders on Twitter – @HerrNilsson2
Learn more about eduroam
Read the eduroam FAQ

CTS 110: The Wi-Fi Connected Classroom

Teaching & learning is taking advantage of Wi-Fi. Are you ready for the connected classroom?

The Highly Connected Classroom

Students are bringing more Wi-Fi capable devices into the classroom. Professors have used the “closed lid” method with students for a while now to prevent distractions from happening during lectures.

Other professors have shifted their teaching to take advantage of technology. They use an interactive teaching method which involves students researching information and presenting their results in the class. With hundreds of students now actively utilizing Wi-Fi during class for teaching and learning purposes, we must ensure Wi-Fi is up to the task.

In this episode, I highlight topics I personally have gone through to create a highly connected classroom.

  • Stakeholder buy-in
  • Blending in with Aesthetics
  • Planning
  • Designing to meet requirements
  • Configuration
  • Monitoring

Navigating around the politics and funding is all part of the process, one we wish to ignore. In this episode I have some tips to get the project going. The most important part of a successful Wi-Fi deployment in a high density classroom environment is planning. Getting as much information as possible leads to a better design. Configuration cannot be left at the defaults for high density classrooms. They need tuning and optimization to handle the capacity. And of course, let’s not forget to monitor our Wi-Fi networks. Be proactive instead of reactive.