Scholars and students often visit different campuses for internships, seminars, conferences, and other events. Accessing secure Wi-Fi at foreign campuses has always been a challenge for these individuals who require guest access or temporary credentials. Eduroam is the solution—an international federation of organizations that provides network access to roaming members on partner campuses using the same credentials they use at home.
Many network admins have a misconception that implementing eduroam requires complex network configurations. It’s not any more complicated than the average university network setup. Here’s a story about an institute that successfully deployed eduroam hassle-free using the top-rated BYOD onboarding solution.
Read on to learn more about eduroam and how to best deploy it for your organization’s safe and secure network.
What Is Eduroam
Eduroam (education roaming) is a secure Wi-Fi roaming service developed and used exclusively by international education and research organizations. It uses 802.1X authentication and encryption, considered the standard for Wi-Fi protocols today.
Eduroam lets users use credentials from their home university to access Wi-Fi at any partner university. If the visited university is part of the eduroam federation, a user simply enters their usual credentials. These credentials are verified against the home university, which confirms them and thereby grants Wi-Fi access at the host university. The eduroam infrastructure acts as a proxy between the RADIUS servers of the two universities.
Basic Steps To Configure Eduroam Wireless Network In A WLAN
For eduroam RADIUS configuration, you need to make sure the following things are set up correctly:
- Wi-Fi network with good coverage
- Sufficient bandwidth
- A DHCP address pool large enough for all clients
The main requirement for an eduroam-capable wireless access point is that the WLAN supports 802.1X authentication, WPA encryption, and multiple SSIDs. If your organization needs to keep eduroam traffic away from regular traffic, you will need separate VLANs to segregate eduroam users on the network.
If you want to deploy eduroam on your network, you start by adding the RADIUS authentication server to the WLAN controller or the standalone access point. As an eduroam SP, the RADIUS server you point to is the national federation’s; as an eduroam IdP, it is your own RADIUS server.
Next, add the RADIUS server’s IP address and the shared secret agreed upon with the service provider. Add the ports you will use, and create the eduroam SSID. The network broadcasting the eduroam SSID must support WPA2/AES.
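As an added example (not from the original post or the vendor), here are the settings just described expressed as a hostapd configuration for a standalone access point: 802.1X with WPA2/AES (CCMP), the eduroam SSID, and the RADIUS server address, ports and shared secret. The interface, RADIUS address, NAS identifier and secret are placeholders to replace with your own.

```ini
# Radio and SSID (interface and channel are placeholders)
interface=wlan0
driver=nl80211
ssid=eduroam
hw_mode=g
channel=6

# 802.1X / WPA2-Enterprise with AES-CCMP only; TKIP is deliberately not listed
ieee8021x=1
eapol_version=2
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP

# RADIUS authentication and accounting servers (placeholder address,
# standard ports 1812/1813; the shared secret is agreed with your SP/IdP)
nas_identifier=ap1.university.example
auth_server_addr=198.51.100.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_SHARED_SECRET
acct_server_addr=198.51.100.10
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_SHARED_SECRET
```

On an IdP campus the RADIUS address is your own server; on an SP-only campus it is the one the national federation gives you.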
If the eduroam network is misconfigured, it will be vulnerable to MITM attacks and put the whole campus’s data at risk. Onboarding software helps configure devices for eduroam access without errors, for smooth and safe network access.
Best Practices To Follow For Eduroam Deployment
Eduroam uses the WPA2-Enterprise (IEEE 802.1X) protocol and authenticates every user’s credentials against a RADIUS server. Universities generally have an eduroam-specific onboarding SSID. As a user, you connect to that network first and then enroll for eduroam. Upon connection, you will be redirected to the secure eduroam SSID. However, misconfigured devices can leave the whole network vulnerable to attacks and security risks. Follow these four best practices for a safe eduroam browsing experience:
- Retire Your Existing SSID and Use Only the Eduroam SSID
- Select a Secure Protocol, and Format the Email as UPN
- Replace Passwords with Digital Certificates
- Use Onboarding Software to Enroll Users for Eduroam
Retire Your Existing SSID and Use Only the Eduroam SSID
Many of our customers have chosen to do away with their existing SSIDs and rely totally on the eduroam network for network access on campus. While that might sound like an extreme option, it’s been pretty effective in our experience.
Eliminating extraneous network options makes onboarding (and even routine connections) much more straightforward. Fewer options mean fewer chances to fall off the flow for the less tech-savvy folks. It has a secondary benefit in that some types of credential harvesting are much harder to obscure if there’s only one legitimate SSID.
Using only eduroam does not necessarily limit your own network customization options. eduroam can easily distinguish visitors from your own users, allowing for normal policy enforcement options. Furthermore, it’s a built-in guest network, alleviating the need to configure your own.
However, there are some technical hurdles in implementation, primarily if your organization uses machine identity for login credentials instead of user identity. Also, your identity provider needs to be compatible with eduroam for deploying eduroam as your primary SSID.
Select a Secure Protocol, and Format the Email as UPN
While using eduroam, users need to share their credentials over multiple intermediate servers, and it is of utmost importance to secure these credentials against any possible security threats. For robust Wi-Fi authentication, eduroam relies on 802.1X, an IEEE standard for Port-Based Network Access Control (PNAC).
The standard authentication protocol used on 802.1X networks is the Extensible Authentication Protocol (EAP). EAP is a point-to-point authentication framework; the EAP methods used on secure Wi-Fi protect the exchange with the authentication server inside an encrypted TLS tunnel.
Currently, there are over 40 methods for authentication under the EAP protocol, but the most common methods used in modern wireless networking are:
- EAP-TLS
- PEAP-MSCHAPV2
- EAP-TTLS/PAP
EAP-TTLS/PAP is an outdated protocol that does not use encryption for user authentication and transmits credentials as plain text. Similarly, the PEAP-MSCHAPv2 protocol relies on outdated credentials and requires the sAMAccountName attribute (e.g. john.hopkins) to authenticate network users, which is incompatible with eduroam authentication.
Eduroam requires a user’s credentials in the UserPrincipalName (UPN) format (e.g. john.hopkins@university.com). Since identifying the user’s home network is crucial to the eduroam authentication flow, sAMAccountName is not a sufficient substitute. Many recent eduroam connection issues stem from this misalignment of expectations.
To eliminate the risk of compromising the user’s identity in transit, EAP-TLS is the preferred choice of network admins.
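The realm requirement above is what makes roaming work: the part after the @ tells every RADIUS server in the path where the request belongs. The following added example (not from the original post or the vendor) models that routing decision as a visited institution’s RADIUS server would make it, and shows how an anonymous outer identity keeps only the realm while the real UPN stays inside the tunnel. The realm and server names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders for this institution (the IdP for its own users)
# and for the national federation proxy that reaches every other IdP.
LOCAL_REALM = "university.example"
LOCAL_IDP = "radius.university.example"
FEDERATION_PROXY = "flr.eduroam.example"

@dataclass
class Decision:
    action: str            # "local", "forward" or "reject"
    realm: Optional[str]   # realm taken from the outer identity, if any
    target: Optional[str]  # RADIUS server that handles the request next

def realm_of(identity: str) -> Optional[str]:
    """Return the realm of a UPN-style identity (user@realm), else None.

    A sAMAccountName such as 'john.hopkins' has no '@', so it yields None:
    nothing in the RADIUS path can tell which institution owns the user.
    """
    if identity.count("@") != 1:
        return None
    _, realm = identity.split("@")
    if not realm:
        return None
    return realm.lower()

def route(outer_identity: str) -> Decision:
    """Decide where a visited institution's RADIUS sends the request."""
    realm = realm_of(outer_identity)
    if realm is None:
        return Decision("reject", None, None)
    if realm == LOCAL_REALM:
        return Decision("local", realm, LOCAL_IDP)
    return Decision("forward", realm, FEDERATION_PROXY)

def eap_identities(upn: str) -> Optional[Tuple[str, str]]:
    """Split a UPN into (outer, inner) EAP identities.

    The outer identity is what the visited campus and every proxy see; it
    keeps only the realm needed for routing.  The real UPN travels as the
    inner identity, inside the TLS tunnel, and is read only by the home IdP.
    """
    realm = realm_of(upn)
    if realm is None:
        return None
    return f"anonymous@{realm}", upn
```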
Replace Passwords with Digital Certificates
One UPN-compliant solution is to use a different authentication protocol, EAP-TLS. EAP-TLS does not depend on credentials and is considered the most secure authentication protocol for 802.1X networks. It is usually deployed on WPA2-Enterprise networks to enable X.509 digital certificates for authentication. It also provides the best user experience by eliminating the need to remember complex passwords.
Understandably, some organizations might consider reconfiguring their existing credentials to be compatible with the eduroam UPN format as a simpler and cheaper way forward. The PEAP authentication protocol needs to be reconfigured with UPN and FQDN (Fully Qualified Domain Name) for proper compatibility with eduroam. While this is a viable option in the short term, it still doesn’t address the inherent issues with using user credentials for authentication.
A future-proof solution is to deploy X.509 certificates using a reliable onboarding solution that can give them a longer life cycle. Certificate templates, in combination with the right onboarding client, can encode any attribute and value needed, such as the user’s UPN or FQDN. It is also advisable to choose a Certificate Authority (CA) that clearly states its expiry date, so you are better positioned to switch CAs if the need arises.
Digital certificates eliminate the need for credentials and provide a more secure authentication method. They use public-private key cryptography for the exchange over the air, giving the connection to the server a degree of cryptographic protection strong enough to withstand over-the-air attacks.
Use Onboarding Software to Enroll Users for Eduroam
One significant challenge for network administrators is facilitating eduroam deployment without compromising the organization’s existing infrastructure. Most organizations already have aging on-premises directories, which are difficult to replace with new, cloud-based alternatives. Most vendors that promise a smooth eduroam deployment require you to duplicate these existing directories, which is a cumbersome task and doesn’t even solve the underlying issue of antiquated architecture.
Why is EAP-TLS Better Than PEAP-MSCHAPv2 For Eduroam?
PEAP-MSCHAPv2 is commonly used for 802.1X authentication in eduroam, allowing users to present their credentials to the eduroam RADIUS client. However, PEAP uses credentials to authenticate a user to the network. In an eduroam network, the user credentials are sent to a RADIUS server, where they are validated with the identity provider. Eduroam requires credentials to be entered in a specific UPN (UserPrincipalName) format, failing which users cannot connect to the network.
PEAP credentials are also vulnerable to over-the-air attacks, as eduroam uses a common SSID for all its users and devices. Misconfiguring devices could also leave the campus network vulnerable to data leaks and attacks. A robust form of security, like digital certificates with EAP-TLS, protects a network against hacking and over-the-air attacks.
EAP-TLS uses digital certificates for mutual authentication: both the client and the server prove their identity by presenting certificates issued by the same certificate authority, which each side verifies.
Use Digital Certificates With EAP-TLS For Secure Eduroam
Eduroam provides organizations, especially educational institutions, a dynamic roaming service for students and personnel traveling across campuses. It is imperative that you adopt best practices such as EAP-TLS and X.509 certificates to ensure they can roam safely. Another necessity is a comprehensive onboarding solution like JoinNow MultiOS that prevents misconfigurations that could serve as a vector of attack for your network.
SecureW2 offers ultra-simple onboarding software that allows you to use your existing directories without duplicating them. It’s a plug-and-play solution to enrolling BYOD devices for certificate-based authentication that guides users through a foolproof automatic configuration. It integrates with existing infrastructure from all major vendors and more or less handles the entire onboarding process for unmanaged devices (and managed, too!). It also provides an anonymous identity that prevents the guest institutions from snooping on roaming traffic.
Our JoinNow solution allows institutions to leverage existing SAML identity providers (e.g. Azure, Google, Okta) for simple, secure onboarding with the user’s existing credentials. Once the device is enrolled and the certificate distributed, it can be configured to access not just Wi-Fi but a plethora of other applications, such as desktop login, VPN, and other web apps. Most importantly, users will never have to remember or reset another password again. Their devices will connect to the correct network whenever it is in range.