
Eduroam Deployment Best Practices

Scholars and students often visit different campuses for internships, seminars, conferences, and other events. Accessing secure Wi-Fi at foreign campuses has always been a challenge for these individuals requiring guest access or temporary credentials. Eduroam is the solution – an international federation of organizations that provides network access to roaming members on partner campuses using the same credentials they use at home.

Many network admins have a misconception that implementing eduroam requires complex network configurations. In reality, it’s not any more complicated than the average university network setup. Here’s a story about an institute that successfully deployed eduroam hassle-free using the top-rated BYOD onboarding solution.

Let’s evaluate some of the best practices for eduroam deployment to ensure a smooth experience.

Retire Your Existing SSID and Use Only the Eduroam SSID

Many of our customers have chosen to do away with their existing SSIDs and rely totally on the eduroam network for network access on campus. While that might sound like an extreme option, it’s been pretty effective in our experience.

Eliminating extraneous network options makes onboarding (and even routine connections) much more straightforward. Fewer options mean fewer chances to fall off the flow for the less tech-savvy folks. It has a secondary benefit in that some types of credential harvesting are much harder to obscure if there’s only one legitimate SSID.

Wi-Fi Homepage for UNC-Chapel Hill

Using only eduroam does not necessarily limit your own network customization options. eduroam can easily distinguish visitors from your own users, allowing for normal policy enforcement options. Furthermore, it’s a built-in guest network, alleviating the need to configure your own.

However, there are some technical hurdles in implementation, primarily if your organization uses machine identity for login credentials instead of user identity. Also, your identity provider needs to be compatible with eduroam for deploying eduroam as your primary SSID.

Select a Secure Protocol, and Format Email as UPN

While using eduroam, a user’s credentials pass through multiple intermediate servers, so it is of utmost importance to secure these credentials against any possible security threat. For robust Wi-Fi authentication, eduroam relies on 802.1X, an IEEE standard for Port-Based Network Access Control (PNAC).

The standard authentication protocol used in 802.1X encrypted networks is Extensible Authentication Protocol (EAP). The EAP protocol is a point-to-point (P2P) authentication framework that enhances the security of the network server with its encrypted tunnel.

Currently, there are over 40 methods for authentication under the EAP protocol, but the most common methods used in modern wireless networking are:

  • EAP-TLS
  • PEAP-MSCHAPV2
  • EAP-TTLS/PAP

EAP-TTLS/PAP is an outdated protocol that does not use encryption for user authentication and transmits credentials as plain text. Similarly, the PEAP-MSCHAPV2 protocol relies on outdated credentials and requires the sAMAccountName attribute (ex. john.hopkins) to authenticate network users, which is incompatible with eduroam authentication.

Eduroam requires a user’s credentials in the format of UserPrincipalName, or UPN (ex. john.hopkins@university.com). Since identifying their home network is crucial to the eduroam auth flow, sAMAccountName is not a sufficient substitute. A lot of recent eduroam connection issues are due to this misalignment of expectations.
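To show why the realm part of the UPN matters, here is an added example (not SecureW2’s or eduroam’s own code) of the routing decision an eduroam-style RADIUS proxy makes from the outer identity alone. It goes slightly beyond the paragraph by also showing that an anonymous outer identity routes just as well as a real UPN, and the home-side check that the tunnelled inner identity sits in the same realm; the home realm and federation proxy hostname are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example: the realm this campus serves itself and
# the federation proxy it forwards every other realm to (both placeholders).
HOME_REALMS = {"university.com"}
FEDERATION_PROXY = "flr.example-nren.net"

# eduroam identities are user@realm; the realm must look like a DNS name.
UPN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


@dataclass
class Decision:
    action: str             # "local", "forward" or "reject"
    realm: Optional[str]    # realm extracted from the identity, if any
    target: Optional[str]   # where the request is sent, None when rejected


def route_outer_identity(outer_identity: str) -> Decision:
    """Decide routing purely from the realm, the way an eduroam proxy does.

    The user part is never consulted, so an anonymous outer identity such as
    'anonymous@university.com' is routed exactly like a real UPN.
    """
    m = UPN_RE.match(outer_identity.strip())
    if m is None:
        # A bare sAMAccountName (e.g. 'john.hopkins') carries no realm, so no
        # proxy can tell which home institution should authenticate it.
        return Decision("reject", None, None)
    realm = m.group("realm").lower()
    if realm in HOME_REALMS:
        return Decision("local", realm, "local-idp")
    return Decision("forward", realm, FEDERATION_PROXY)


def inner_identity_ok(outer_identity: str, inner_identity: str) -> bool:
    """Home IdP check: the real (tunnelled) identity must be a UPN in the same
    realm as the outer identity, so a realm-less or mismatched inner username
    is refused instead of being silently authenticated."""
    outer = UPN_RE.match(outer_identity.strip())
    inner = UPN_RE.match(inner_identity.strip())
    if outer is None or inner is None:
        return False
    return outer.group("realm").lower() == inner.group("realm").lower()
```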

To eliminate the risk of compromising the user’s identity over the transport, EAP-TLS is the most preferred choice of network admins.

Replace Passwords with Digital Certificates

One UPN-compliant solution is to use another authentication protocol – EAP-TLS. EAP-TLS is not dependent on credentials and is considered the most secure authentication protocol for 802.1X networks. It is usually deployed on WPA2-Enterprise networks to enable X.509 digital certificates for authentication. It also provides the best user experience by eliminating the need to remember complex passwords.

Understandably, some organizations might consider reconfiguring their existing credentials to be compatible with the UPN eduroam format as a simpler and cheaper way forward. The PEAP authentication protocol needs to be reconfigured with UPN and FQDN (Fully Qualified Domain Name) for proper compatibility with eduroam. While this is a viable option in the short term, it still doesn’t address the inherent issues with using user credentials for authentication.

A future-proof solution is to deploy X.509 certificates using a reliable onboarding solution that can give the certificates a longer life cycle. Certificate templates in combination with the right onboarding client can encode any attribute and value needed, such as the user’s UPN or FQDN. It is also advisable to choose a Certificate Authority (CA) that clearly mentions its expiry date, so that you are better positioned to switch CAs if the need arises.

Digital certificates eliminate the need for credentials and provide a more secure authentication method. They use public-private key encryption for communication over the air, adding a degree of cryptographic protection to the server strong enough to protect from over-the-air attacks.

Use an Onboarding Software to Enroll Users for Eduroam

One of the major challenges for network administrators is facilitating eduroam deployment without compromising the organization’s existing infrastructure. Most organizations already have ancient on-premises directories, which are difficult to replace with new, cloud-based alternatives. Most vendors that promise to deliver a smooth eduroam deployment require you to duplicate these existing directories, which is a cumbersome task and doesn’t even solve the underlying issue of antiquated architecture.

SecureW2 offers ultra-simple onboarding software to use your existing directories without duplicating them. It’s a plug-and-play solution to enrolling BYOD devices for certificate-based authentication that guides users through a foolproof automatic configuration. It integrates with existing infrastructure from all major vendors and more or less handles the entire onboarding process for unmanaged devices (and managed too!). It also provides an anonymous identity that prevents the guest institutions from snooping roaming traffic.

Our JoinNow solution allows institutions to leverage existing SAML identity providers (ex. Azure, Google, Okta, etc.) for simple, secure onboarding with the user’s existing credentials. Once the device is enrolled and the certificate distributed, it can be configured to access not just Wi-Fi but a plethora of other applications – such as desktop login, VPN, and other web apps. Most importantly, users will never have to remember or reset another password ever again. Their devices will simply connect to the correct network whenever it is in range.

Easy Eduroam Deployment

Eduroam provides organizations, especially educational institutions, a dynamic roaming service for students and personnel traveling across campuses. It is imperative that you adopt best practices such as EAP-TLS and X.509 certificates to ensure they can roam safely. Another necessity is a comprehensive onboarding solution like JoinNow MultiOS that prevents misconfigurations that could serve as a vector of attack for your network.

SecureW2 has affordable options for organizations of all shapes and sizes and is vendor-neutral. It provides a turnkey solution that allows end-users to smoothly and securely configure their devices to use eduroam. It enables users to securely access the Wi-Fi at their main campus and other universities. Click here to see our pricing.

Learn about this author

Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.
