Implementing Eduroam at the College of William and Mary
A Case Study
Integrating Eduroam Into the Existing Network
In 2018, William & Mary’s networking team was urged by their CIO to set up an eduroam network on campus. They quickly realized that implementing eduroam would be no simple task. Android devices were already having issues getting configured for their Wi-Fi, creating a poor user experience and putting the network at risk of credential theft. The team also knew that all their devices would need to be reconfigured if they were going to support eduroam, prompting Norman Elton and his team to investigate a solution that could help configure all of these devices.
Everyone’s got to reconfigure their devices to get on eduroam… we knew that the configuration process for Android devices would be troublesome for our users.
Android-Eduroam Difficulties and Configuring Users for Eduroam
Android 8 and newer devices were particularly difficult as W&M students and staff were having trouble configuring their devices. The configuration had too many steps and W&M discovered that students were often blindly trusting certificate prompts. This posed a huge security risk because these devices put the network at high risk for over-the-air credential theft.
W&M also discovered that in order to use eduroam, all end users would have to reconfigure their devices. This was because eduroam required all usernames to be configured for network access in email format (firstname.lastname@example.org). Their existing configuration was not in this format, meaning each device would need to be manually reconfigured for network access. This was a concern for William & Mary because they weren’t using any onboarding software, so every end user would need to reconfigure all their devices (the average college student has 7 internet-connected devices).
Once we all started talking to you, it became apparent you had a pretty good solution for EAP-TLS.
Implementing Eduroam with EAP-TLS
After initial discussions, Norman realized that SecureW2 could solve the issues that were affecting William & Mary’s network. Through research and word of mouth from other universities, W&M connected with SecureW2 to solve the growing issues. “You all came highly recommended,” Norman said.
SecureW2 introduced the idea of switching from their existing PEAP-MSCHAPv2 network to EAP-TLS. “Once we started talking to you all, it became apparent that you all had a pretty good solution for EAP-TLS,” Norman said. The overarching project of implementing Eduroam was the perfect opportunity to also improve their network authentication protocol.
W&M used SecureW2’s PKI and found the process to be surprisingly simple. “As far as setting up the infrastructure, it was Plug-and-Play,” Norman said. “The fact that you all run the CA is fantastic. We don’t have to stand up something on campus to do, that is great.”
W&M also used SecureW2’s Managed Device Gateways to automatically enroll their AD-Domain and Jamf managed devices for certificates. Previously, they had issues in which postal workers would experience network disconnects due to password-change policies and the use of managed devices, causing interruptions to the mail service. Certificate-based authentication fixed W&M’s password-related disconnects while also improving network security.
Successful Deployment of Eduroam on Campus
With the new system in place, W&M was ready for the new semester. During the move-in weekend, about 5600 student devices connected to the eduroam SSID. This was a security system completely new to W&M faculty and students, but the onboarding proved successful. With the help of SecureW2, William & Mary accomplished the objective of implementing eduroam and improved the network’s security and user experience.
W&M wanted to keep their PEAP network running for returning students, but every freshman and new user would be onboarded using EAP-TLS. Because deploying with SecureW2 was so easy, the most involved process for W&M was customizing the design of the page where users downloaded SecureW2’s onboarding client. “We stumbled through a lot of EAP-TLS questions and your support guys were fantastic,” Norman said.
William & Mary had two problems: configuring Android devices for WPA2-Enterprise access and the transition to eduroam. They solved both issues by using SecureW2’s #1 rated device onboarding solution to configure their devices for secure network access. They improved their network security and user experience by implementing certificate-based authentication, eliminating the risk of over-the-air credential theft and password-related disconnects.