We took Anders Nilsson away from a party during Cisco Live and asked him to talk about Eduroam.
Eduroam
Anders Nilsson joins us on the show to discuss the basics of eduroam, how it works, and why higher education institutions decide to deploy the eduroam SSID on their campus. Anders is from Sweden and you may know him through the Wi-Fi Moose.
Hälge the Swedish WiFi Moose waving goodbye to all of you at this year's #CLUS. Hopefully we'll meet again next year. 😊 pic.twitter.com/OhFpguxzVk
— Herr Nilsson (@HerrNilsson2) June 15, 2018
Anders does work for the Swedish education network and is technically responsible for eduroam in Sweden. That makes him today’s subject matter expert for this topic.
If you’re from a higher education institute you may be familiar with eduroam already. Or maybe you’re thinking about deploying eduroam or you don’t fully understand how it works. Anders provides a thorough introduction to eduroam which was started around 2003 in the Netherlands.
The goal was to provide a better way for guest students at a visiting university to access Wi-Fi. In it’s early days, eduroam was implemented as an Open SSID with an access list that allowed VPN only. They quickly realized this method wouldn’t scale very well and went for the 802.1X solution instead.
eduroam is WPA2 Enterprise based with a federation of RADIUS servers. This means an institution will peer its RADIUS server(s) to the eduroam federation RADIUS servers. When a visiting user wants to join the eduroam SSID but authenticate back to the home RADIUS servers, the local institution will forward the authentication requests up the eduroam chain.
This allows for a seamless, convenient connection for the global academic community by using a single SSID, eduroam, at any participating institution. In the old days, a visiting user had to get ahold of the local IT department in order to gain access or use a visitor SSID.
Since eduroam is implemented using WPA2 Enterprise, it is strongly suggested to start with using EAP-TLS. Although, other EAP methods are allowed to be used, the table below features the common EAP types deployed with eduroam.
EAP-Type | Native Supplicant Support | Pros | Cons |
EAP-TLS | Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) | • Validates client as well as infrastructure • Reduced risk of being Phished • Blocking user access is via certificate revocation | • PKI infrastructure is required • Users must configure supplicant to use certificate* • Identity may be exposed in TLS exchange depending on contents of certificate |
EAP-TTLS | Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) | • No native supplicant support on Microsoft Windows XP or 7 • Potential for Man-in-the-Middle attacks* | |
EAP-PEAP | Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) | • Works on many platforms | • Potential for Man-in-the-Middle attacks* • Identity may be exposed during Phase-1 of exchange |
Links and Resources
Follow Anders on Twitter – @HerrNilsson2
Learn more about eduroam
Read the eduroam FAQ
