Information for Participating Institutions/Administrators




How does eduroam work?


eduroam leaves the administration of user accounts with the institution a user comes from (their home institution).
All sites participating in eduroam around the world are linked by a hierarchy of RADIUS servers, which forwards each authentication request from the site being visited to the user's home institution.

If one of your users visits a participating eduroam site, that site asks your RADIUS server to authenticate the visiting user. If your RADIUS server accepts the user, the visited site lets your user use its Internet connection. No VPN is involved: the user's traffic leaves through the visited site's network.

If your campus gets a visitor from another participating eduroam site, e.g. from the CSIR, your RADIUS server asks the CSIR's RADIUS server to authenticate the visitor. If the CSIR's RADIUS server accepts that user, you allow them to use your Internet connection (usually from a visitor network placed just outside your firewall).

For more information see: www.eduroam.org


What technology does eduroam use?


In eduroam, access between the user's device and the access point is based on the IEEE 802.1X standard. 802.1X carries the Extensible Authentication Protocol (EAP), which allows for different authentication methods. The access point does not verify the credentials itself: it relays the EAP conversation inside RADIUS, through the proxy hierarchy, to the RADIUS server of the user's home institution.



The two most popular EAP methods used in eduroam are EAP-TTLS and PEAP. Both first establish a TLS tunnel from the user's device to the home institution's RADIUS server and only then carry the actual authentication information (username/password etc.) inside that tunnel. The intermediate RADIUS servers therefore see only the outer identity, whose realm (the part after the @) is used for routing, and an opaque EAP payload; the inner credentials are visible to the home institution alone.
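As an added example (Python; not code from this page, from eduroam or from FreeRADIUS), the following builds the first RADIUS Access-Request a visited site's server would forward upstream when a client starts EAP, and performs the checks the next hop applies to it. It shows the two things the proxy hierarchy works with: the outer User-Name (only its realm matters for routing) and the Message-Authenticator attribute that binds the packet to the RADIUS shared secret of that hop (RFC 3579: HMAC-MD5 over the whole packet with the attribute zeroed). The shared secret MySharedSecret, the outer identity anonymous@abc.ac.za and the NAS-Identifier are assumed values; the inner username and password never appear at this layer because they travel inside the TLS tunnel set up in later round trips.

```python
"""RADIUS Access-Request carrying EAP, with Message-Authenticator (RFC 3579).
Added example, not code from eduroam or FreeRADIUS; secret and identities are assumed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("value too long for one attribute")
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity (RFC 3748 section 4.1): Code, Identifier, Length, Type, data."""
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 5 + len(identity)) + bytes([EAP_TYPE_IDENTITY]) + identity


def build_access_request(secret: bytes, outer_identity: str, nas_id: str,
                         pkt_id: int = 1, request_authenticator: bytes = b"") -> bytes:
    """Assemble the Access-Request the SP's RADIUS server forwards upstream."""
    authenticator = request_authenticator or os.urandom(16)
    body = (attribute(ATTR_USER_NAME, outer_identity.encode())
            + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode())
            + attribute(ATTR_EAP_MESSAGE, eap_identity_response(outer_identity.encode())))
    # Message-Authenticator is mandatory whenever EAP-Message is present. The HMAC is
    # computed over the whole packet with the attribute in place but filled with zeros.
    with_placeholder = body + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(with_placeholder)) + authenticator
    mac = hmac.new(secret, header + with_placeholder, hashlib.md5).digest()
    return header + body + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs that follow the 20-byte header."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """The check the receiving proxy performs with the secret from its clients.conf."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # an Access-Request carrying EAP without Message-Authenticator must be dropped


def routing_realm(packet: bytes) -> Optional[str]:
    """All the proxy hierarchy looks at: the realm after the last '@' of the outer User-Name."""
    for attr_type, value in attributes(packet):
        if attr_type == ATTR_USER_NAME:
            name = value.decode()
            return name.rsplit("@", 1)[1] if "@" in name else None
    return None


def eap_identity(packet: bytes) -> str:
    """Reassemble EAP-Message fragments and read the identity out of the EAP-Response."""
    eap = b"".join(v for t, v in attributes(packet) if t == ATTR_EAP_MESSAGE)
    code, _eap_id, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_CODE_RESPONSE or length != len(eap) or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return eap[5:].decode()


if __name__ == "__main__":
    secret = b"MySharedSecret"  # assumed; the RO issues the real one
    pkt = build_access_request(secret, "anonymous@abc.ac.za", "ap-01.abc.ac.za")
    print("routing realm:", routing_realm(pkt))
    print("valid with our secret:", verify_message_authenticator(pkt, secret))
    print("valid with wrong secret:", verify_message_authenticator(pkt, b"WrongSecret"))
```

The same packet verifies under the configured secret and fails under any other, and flipping a single byte of the User-Name fails the check too. RFC 3579 requires a receiver to silently discard such packets, which is why a wrong or stale shared secret shows up as the national servers not answering your requests rather than rejecting them.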


Is eduroam safe to use?


eduroam is built on the standard enterprise wireless security stack: WPA2-Enterprise with 802.1X, and EAP methods that tunnel the user's credentials over TLS to the home institution. Its security, by far, exceeds that of typical commercial hotspots, which rely on open or shared-key networks and web portals. Be aware though that when your users are using the general Internet at an eduroam hotspot, the local site security measures at that hotspot apply to them as well. For example, the firewall settings at the visited site may differ from those they are used to at home, and as a guest of the visited institution they may have access to fewer services on the Internet than they have at home.


Can eduroam use a captive portal?


No. A web portal, captive portal or splash-screen based authentication mechanism is not a secure way of accepting eduroam credentials, even if the website is protected by an HTTPS connection. The distributed nature of eduroam would mean that many different pages, languages and layouts would be presented to eduroam users, making it impossible for them to distinguish between legitimate and bogus sites (even a consistent layout can be mimicked by an adversary).

eduroam requires the use of 802.1X, which provides end-to-end encryption of the credentials so that they are available only to your home institution. The certificate of your home institution is the only thing you need to trust, regardless of who operates the intermediate infrastructure; this holds only if the device is configured to verify that certificate (trusted CA and expected server name), which is why the client configuration matters as much as the server side. Web portals require you to trust the hotspot's infrastructure, because they receive your password in clear text; this breaks the end-to-end encryption principle of eduroam.


Does eduroam work on different platforms?


eduroam uses open standards (802.1X, EAP, WPA2-Enterprise), so any platform with an 802.1X supplicant can use it. This means that eduroam works on Windows, Linux, BSD, macOS, Android, and even Windows CE.


Are there any prerequisites for eduroam?


To enable your users to access eduroam on your campus, you need to maintain an Identity Management System (IdM) in which your users' electronic identities are stored.

You also need a RADIUS server connected to your IdM, capable of authenticating those identities with an EAP method (e.g. PEAP or EAP-TTLS).

Your Wi-Fi network must be configured for WPA2 in enterprise mode (802.1X authentication).


How do I get started with eduroam?


1) Read through the National Policy for eduroam South Africa

2) To participate as an eduroam service provider (SP) and/or identity provider (IdP), subscribe and send an email to the eduroam mailing list for South Africa:

http://lists.tenet.ac.za/mailman/listinfo/eduroam

The National eduroam Roaming Operator (RO) will contact you. The RO role for South Africa is in the process of moving from the CSIR's SANReN to TENET.

3) Set up a wireless network and a RADIUS server with WPA2 enterprise mode authentication.

4) Create DNS entries for your RADIUS server(s), e.g. eduroam0.abc.ac.za and eduroam1.abc.ac.za. A Canonical Name (CNAME) record that points to your existing RADIUS server(s) is also acceptable.

5) Let the RO know when your DNS entries resolve so that they can add your realm to the national eduroam servers and issue you a shared secret.

6) Make sure your firewall allows UDP port 1812 (authentication) inbound from eduroam0.sanren.ac.za and eduroam1.sanren.ac.za to your RADIUS server(s); if you exchange accounting as well, also allow UDP port 1813. Your server must also be able to reach the same ports on the national servers outbound, since it forwards your visitors' requests to them.

7) If you are using FreeRADIUS, add the following to clients.conf on your RADIUS server. These entries allow the national servers to send requests to you; replace MySharedSecret with the secret issued by the RO (it must match on both sides).

*********************************************
# The national eduroam servers as RADIUS clients of our server.
# With no ipaddr given, FreeRADIUS resolves the client name via DNS at startup.
client eduroam0.sanren.ac.za {
   shortname = eduroam0
   # secret issued by the RO; the same secret is used for both servers
   secret = MySharedSecret
}

client eduroam1.sanren.ac.za {
   shortname = eduroam1
   secret = MySharedSecret
}
*********************************************

In proxy.conf you need a realm entry that keeps requests for abc.ac.za local and a DEFAULT realm entry that forwards requests for every other realm to the national eduroam servers. Note that a plain realm entry matches that exact realm string only: if you also issue identities under sub-domains (e.g. student.abc.ac.za), add a regex realm entry for them without a pool, in the same form as the 3gppnetwork.org entry below, or those requests will be proxied out to the national servers instead of being authenticated locally.

proxy.conf should look something like this (merge it with your current one if you have special realm rules):

*********************************************
proxy server {
        default_fallback = no
}

# realms
# LOCAL and NULL (a User-Name without an @realm) are authenticated here.
realm LOCAL {
}
realm NULL {
}
# Our own realm: no pool, so requests are authenticated locally. This matches
# the exact string only; sub-domains need their own (regex) realm entry.
realm abc.ac.za {
}
# Everything else goes to the national eduroam servers. nostrip keeps the full
# user@realm in User-Name, which the eduroam hierarchy needs to route it.
realm DEFAULT {
        pool = eduroam
        nostrip
}

# blackhole routing: realms that must never be proxied out. With no pool
# they are handled locally and, having no such users, rejected.
realm myabc.com {
        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}

# home server definitions: the national eduroam servers. Use either ipaddr
# or ipv6addr for a home_server; keep the one your firewall rules allow.
home_server eduroam0 {
     type = auth+acct
     ipaddr = 155.232.195.20
     # ipv6addr = 2001:4200:ffff:14:5054:9aff:fed5:97cb
     port = 1812
     secret = MySharedSecret
}
home_server eduroam1 {
     type = auth+acct
     ipaddr = 155.232.195.21
     # ipv6addr = 2001:4200:ffff:14:5054:17ff:fe36:5d3d
     port = 1812
     secret = MySharedSecret
}

# the pool that realm DEFAULT refers to; without it FreeRADIUS will not start
home_server_pool eduroam {
     type = fail-over
     home_server = eduroam0
     home_server = eduroam1
}
*********************************************


8) Create a test user called nren_radius_test@abc.ac.za on your server so that your IdP can be tested from another site.

9) Configure an AP with the SSID "eduroam" and test a Wi-Fi client against your setup. You can also exercise the RADIUS server with radtest (it usually comes with FreeRADIUS); note that radtest sends plain PAP/CHAP requests, so it confirms reachability and the shared secret but not the EAP path a real client uses. eapol_test from the wpa_supplicant project performs a full EAP authentication against a RADIUS server and is the closer test.

10) Contact the RO to supply you with some eduroam test accounts to test your SP side.

11) You can ask the RO to test your IdP from another eduroam site. The RO has access to the national eduroam server logs and can also assist you with debugging.
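The proxy.conf fragment in step 7 is the part of this procedure that most often goes wrong, and FreeRADIUS reports some of the mistakes only at start-up. The following Python is an added example, not code from this page or from the FreeRADIUS project: a small linter that parses the subset of the FreeRADIUS configuration grammar proxy.conf uses and flags a realm whose pool has no home_server_pool definition, a pool naming an undefined home_server, a proxying DEFAULT realm without nostrip, and a home_server still carrying a placeholder secret; it also points out that a local realm entry matches exactly that realm string. The two fragments inside it are constructed for the demonstration (the server and pool names are the ones used above, the replacement secret is made up): the first omits the pool definition, the second is the corrected version.

```python
"""Linter for the eduroam-related parts of a FreeRADIUS proxy.conf.
Added example, not from this page or the FreeRADIUS project; handles only the
config grammar used in proxy.conf (named sections, key = value, bare flags, # comments)."""
import re
from typing import Dict, List, Tuple

Section = Dict[str, object]
SECTION_OPEN = re.compile(r'^(\w[\w\-]*)(?:\s+("[^"]*"|[^\s{]+))?\s*\{$')
PLACEHOLDER_SECRETS = {"", "MySharedSecret", "testing123"}   # testing123 is FreeRADIUS's sample secret


def parse(text: str) -> List[Section]:
    """Return the top-level sections as {kind, name, items, flags}; items keep duplicates in order."""
    sections, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            done = stack.pop()
            if not stack:                          # only top-level sections are returned
                sections.append(done)
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            name = (opened.group(2) or "").strip('"')
            stack.append({"kind": opened.group(1), "name": name, "items": [], "flags": set()})
            continue
        if not stack:
            raise ValueError("statement outside any section: %r" % line)
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1]["items"].append((key, value.strip('"')))
        else:
            stack[-1]["flags"].add(line)           # e.g. nostrip
    if stack:
        raise ValueError("unbalanced braces: section %r never closed" % stack[-1]["kind"])
    return sections


def values(section: Section, key: str) -> List[str]:
    return [v for k, v in section["items"] if k == key]


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is error, warn or info."""
    sections = parse(text)
    servers = {s["name"] for s in sections if s["kind"] == "home_server"}
    pools = {s["name"] for s in sections if s["kind"] == "home_server_pool"}
    findings = []
    for s in sections:
        kind, name = s["kind"], s["name"]
        if kind == "home_server":
            if all(secret in PLACEHOLDER_SECRETS for secret in (values(s, "secret") or [""])):
                findings.append(("warn", "home_server %s has a missing or placeholder secret" % name))
        elif kind == "home_server_pool":
            members = values(s, "home_server")
            if not members:
                findings.append(("error", "home_server_pool %s has no home_server members" % name))
            for member in members:
                if member not in servers:
                    findings.append(("error", "home_server_pool %s names undefined home_server %s" % (name, member)))
        elif kind == "realm":
            refs = values(s, "pool") + values(s, "auth_pool") + values(s, "acct_pool")
            for pool in refs:
                if pool not in pools:
                    findings.append(("error", "realm %s references pool '%s' but no home_server_pool '%s' is defined" % (name, pool, pool)))
            if name == "DEFAULT" and refs and "nostrip" not in s["flags"]:
                findings.append(("error", "realm DEFAULT proxies without nostrip, so the realm would be stripped from User-Name"))
            if not refs and name not in ("DEFAULT", "LOCAL", "NULL") and not name.startswith("~"):
                findings.append(("info", "realm %s is authenticated locally and matches exactly that realm string; "
                                         "sub-domains fall through to DEFAULT unless a regex realm is added" % name))
    return findings


# Constructed fragments: BROKEN forgets the pool that realm DEFAULT points at, FIXED adds it.
BROKEN = r'''
realm abc.ac.za {
}
realm DEFAULT {
        pool = eduroam
        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}
home_server eduroam0 {
     type = auth+acct
     ipaddr = 155.232.195.20
     port = 1812
     secret = MySharedSecret
}
home_server eduroam1 {
     type = auth+acct
     ipaddr = 155.232.195.21
     port = 1812
     secret = MySharedSecret
}
'''
FIXED = BROKEN.replace("MySharedSecret", "Ex4mpleSecretFromRO") + '''
home_server_pool eduroam {
        type = fail-over
        home_server = eduroam0
        home_server = eduroam1
}
'''

if __name__ == "__main__":
    for label, fragment in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for severity, message in lint(fragment):
            print("%s: %-5s %s" % (label, severity, message))
```

lint(BROKEN) returns the error for the undefined pool and a placeholder-secret warning for each home_server; lint(FIXED) returns only the informational note about abc.ac.za. Run it against your own proxy.conf before restarting the server.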




Managing eduroam services - IdP and SP


IdP (Identity Provider)


To become an eduroam IdP you also have to provide an eduroam SP service. As an eduroam IdP you are responsible for your own users: you provide all the information and support they need to get connected to eduroam. Advise your users to test eduroam on your own campus before they visit other eduroam-enabled sites.


If a user can use eduroam on your own campus, the same configuration should also work at any eduroam-enabled site. To avoid configuration issues, and in particular devices that do not verify your RADIUS server's certificate, make use of the eduroam Configuration Assistance Tool (CAT), which installs the correct EAP settings, CA certificate and server name on the user's device. See: https://cat.eduroam.org/


CAT gets the information about institutions from the Roaming Operators (ROs) of the different NRENs. The South African RO submits all the institutions that are registered on the SA eduroam web site. As an administrator you need to register and manage your institution on the SA eduroam web site, under the Manage tab.


An IdP should keep authentication logs for a recommended period of at least 3 months. If one of your own users experiences problems at another site, they should contact you for help. You should then do the following:


1) Verify the user's configuration and find out whether eduroam worked before they left.


2) Analyse your own logs first. Your RADIUS server should receive an authentication request for the user from the national eduroam servers. Remember that a mistyped realm, e.g. koos@cba.ac.za instead of koos@abc.ac.za, causes the request to be dropped along the way, because no server is registered for that realm.


3) If you do not receive the requests, contact the RO to assist with the debugging. The following information will help the RO:


- The login name of the user, e.g. koos@abc.ac.za


- The name of the remote institution being visited and the realm it uses, e.g. uct.ac.za


- Whether eduroam is working for other users at the remote site, and the IP address of one of those users.


4) If the RO does not see the requests on the national eduroam servers either, the RADIUS logs of the remote site's administrator may help to track down the problem. The contact details of the other eduroam administrators are visible once you log in as an administrator on the eduroam web site.
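Step 2 above, the analysis of your own logs, can be scripted. The following Python is an added example, not code from this page or from FreeRADIUS: it parses lines in the shape FreeRADIUS writes to radius.log ("Auth: Login OK" / "Auth: Login incorrect"), separates attempts that arrived via the national servers (the clients eduroam0/eduroam1 from clients.conf) from on-campus ones, and returns which troubleshooting step applies: a realm that is not yours (dropped en route), requests that never reached you (verify the client, then ask the RO), or requests that reached you and failed (a credential or configuration problem on your side). The log lines, the on-campus client name ap-library and the user names are constructed for the example.

```python
"""Triage a home IdP's FreeRADIUS radius.log for a roaming user's complaint.
Added example, not from this page or FreeRADIUS; log lines and names are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List

LOCAL_REALM = "abc.ac.za"
NATIONAL_CLIENTS = {"eduroam0", "eduroam1"}      # shortnames from clients.conf

# Matches "Auth: Login OK: [...]" and "Auth: Login incorrect (reason): [...]",
# with or without the "(N)" request number newer FreeRADIUS versions print.
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?:\(\d+\) )?Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]/]+)(?:/[^\]]*)?\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)

# Constructed lines in radius.log shape: ap-library is an on-campus AP, eduroam0/1 the national servers.
SAMPLE_LOG = """\
Mon Mar  2 09:14:03 2015 : Auth: Login OK: [koos@abc.ac.za/<via Auth-Type = EAP>] (from client ap-library port 3 cli 00-11-22-33-44-55)
Mon Mar  2 11:02:11 2015 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [koos@abc.ac.za/<via Auth-Type = EAP>] (from client eduroam0 port 0 cli 00-11-22-33-44-55)
Mon Mar  2 11:02:40 2015 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [koos@abc.ac.za/<via Auth-Type = EAP>] (from client eduroam1 port 0 cli 00-11-22-33-44-55)
Mon Mar  2 11:05:09 2015 : Auth: (17) Login OK: [anna@abc.ac.za/<via Auth-Type = EAP>] (from client eduroam0 port 0 cli aa-bb-cc-dd-ee-ff)
Mon Mar  2 11:07:30 2015 : Auth: Login OK: [sipho@abc.ac.za/<via Auth-Type = EAP>] (from client ap-library port 3 cli 11-22-33-44-55-66)
Mon Mar  2 11:08:00 2015 : Info: Ready to process requests.
"""


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep the Auth lines; Info/Error lines do not match and are skipped."""
    entries = []
    for line in lines:
        matched = AUTH_LINE.match(line.rstrip("\n"))
        if matched:
            entries.append(matched.groupdict())
    return entries


def triage(entries: List[Dict[str, str]], reported_login: str) -> Dict[str, str]:
    """Decide which troubleshooting step applies to the login the user says they used."""
    _local_part, _, realm = reported_login.rpartition("@")
    if not realm:
        return {"stage": "realm", "detail": "login has no @realm; the visited site cannot route it"}
    if realm.lower() != LOCAL_REALM:
        return {"stage": "realm", "detail": "realm %s is not %s; such requests are dropped en route and never reach us"
                % (realm, LOCAL_REALM)}
    mine = [e for e in entries if e["user"].lower() == reported_login.lower()]
    roaming = [e for e in mine if e["client"] in NATIONAL_CLIENTS]
    if roaming:
        outcome = Counter(e["result"] for e in roaming)
        reasons = sorted({e["reason"] for e in roaming if e["reason"]})
        via = ", ".join(sorted({e["client"] for e in roaming}))
        detail = "%d roaming attempt(s) via %s: %d OK, %d incorrect" % (len(roaming), via, outcome["OK"], outcome["incorrect"])
        if reasons:
            detail += "; reasons: " + "; ".join(reasons)
        return {"stage": "ok" if outcome["incorrect"] == 0 else "credentials", "detail": detail}
    return {"stage": "not_reached",
            "detail": "no requests via the national servers for %s (%d on-campus attempt(s) seen); "
                      "verify the user's configuration, then ask the RO to check the national logs"
                      % (reported_login, len(mine))}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG.splitlines())
    for login in ("koos@abc.ac.za", "anna@abc.ac.za", "sipho@abc.ac.za", "koos@cba.ac.za"):
        result = triage(log, login)
        print("%-16s %-12s %s" % (login, result["stage"], result["detail"]))
```

On real data, feed it the lines of radius.log (or the output of grep for the user) instead of SAMPLE_LOG; the "credentials" outcome with an MS-CHAP reason points at a wrong password or a device that silently fell back to a cached one, while "not_reached" is the case where the RO's national logs are the next place to look.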


SP (Service Provider)


Any entity with an Internet connection can become an eduroam SP, and every IdP must also be an SP. An SP must be configured with an SSID called "eduroam" using WPA2 enterprise user authentication, with its RADIUS server connected to the RO's national eduroam servers. It is normal practice to separate the traffic of your own users from that of eduroam visitors. With FreeRADIUS you can place users and visitors in different VLANs by adding the following section to your virtual server configuration file (sites-enabled/eduroam). Use the ":=" operator so that your values override any Tunnel-* attributes a remote IdP may have placed in its Access-Accept; with "=" those attributes would be kept and a visitor could end up in your own users' VLAN.


        post-auth {
                # reply_log

                Post-Auth-Type REJECT {
                        reply_log
                        attr_filter.access_reject
                }

                # ':=' replaces any Tunnel-* attributes already in the reply
                # (e.g. returned by the remote IdP); '=' would only add if absent.
                switch "%{Realm}" {
                        # our own users
                        case "abc.ac.za" {
                                update reply {
                                        Tunnel-Type := "VLAN"
                                        Tunnel-Medium-Type := "IEEE-802"
                                        Tunnel-Private-Group-Id := "2505"
                                }
                        }
                        # everyone else: eduroam visitors
                        case {
                                update reply {
                                        Tunnel-Type := "VLAN"
                                        Tunnel-Medium-Type := "IEEE-802"
                                        Tunnel-Private-Group-Id := "2506"
                                }
                        }
                }
        }
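As an added example (Python; not code from this page or from FreeRADIUS), the following models the switch/case policy above together with the two unlang update operators it can be written with: "=" adds an attribute only if none of that name is already in the reply, ":=" replaces whatever is there. The constructed Access-Accept is one a visitor's home IdP might return with its own Tunnel-* attributes; the example shows that with "=" the visitor inherits that VLAN (here the SP's own-users VLAN 2505), that ":=" forces the visitor VLAN 2506, and that stripping Tunnel-* attributes from proxied replies before post-auth has the same effect. The realm xyz.ac.za and the attribute values are assumed.

```python
"""Model of the SP post-auth VLAN policy and of the unlang '=' and ':=' operators.
Added example, not from this page or FreeRADIUS; realms and replies are constructed."""
from typing import List, Optional, Tuple

Reply = List[Tuple[str, str]]        # ordered attribute/value pairs, duplicates allowed

LOCAL_REALM = "abc.ac.za"
OWN_USERS_VLAN, VISITOR_VLAN = "2505", "2506"
TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def update(reply: Reply, op: str, attr: str, value: str) -> None:
    """Apply one 'update reply { attr <op> value }' line in place."""
    existing = [i for i, (a, _) in enumerate(reply) if a == attr]
    if op == "=":                       # add only if no attribute of that name is present
        if not existing:
            reply.append((attr, value))
    elif op == ":=":                    # replace whatever is present
        for i in reversed(existing):
            del reply[i]
        reply.append((attr, value))
    else:
        raise ValueError("operator not modelled: %s" % op)


def vlan_for_realm(realm: str) -> str:
    """The switch/case: our own realm gets the users' VLAN, everyone else the visitor VLAN."""
    return OWN_USERS_VLAN if realm == LOCAL_REALM else VISITOR_VLAN


def post_auth(realm: str, proxied_reply: Reply, op: str) -> Reply:
    """Run the Access-Accept through the SP policy before it is returned to the AP."""
    reply = list(proxied_reply)
    update(reply, op, "Tunnel-Type", "VLAN")
    update(reply, op, "Tunnel-Medium-Type", "IEEE-802")
    update(reply, op, "Tunnel-Private-Group-Id", vlan_for_realm(realm))
    return reply


def strip_tunnel_attributes(reply: Reply) -> Reply:
    """Alternative defence: drop Tunnel-* from a proxied reply (what an attr_filter rule would do)."""
    return [(a, v) for a, v in reply if a not in TUNNEL_ATTRS]


def assigned_vlan(reply: Reply) -> Optional[str]:
    """VLAN the AP would apply; this model takes the first Tunnel-Private-Group-Id it finds."""
    for attr, value in reply:
        if attr == "Tunnel-Private-Group-Id":
            return value
    return None


# Constructed Access-Accept from a visitor's home IdP that carries its own VLAN attributes.
VISITOR_REPLY_WITH_VLAN: Reply = [
    ("MS-MPPE-Recv-Key", "<keying material>"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "2505"),      # happens to be this SP's own-users VLAN
]

if __name__ == "__main__":
    for op in ("=", ":="):
        vlan = assigned_vlan(post_auth("xyz.ac.za", VISITOR_REPLY_WITH_VLAN, op))
        print("operator %-2s -> visitor from xyz.ac.za lands in VLAN %s" % (op, vlan))
```

Whichever of the two defences you choose, the keying material (MS-MPPE-*) from the home IdP must survive untouched, since the AP needs it to finish the WPA2 handshake; the model keeps it and only rewrites the Tunnel-* attributes.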


Please read through the national eduroam policy documents to see which rules an SP must comply with, e.g. no portals, a minimum set of services for visitors, etc. The best way to ensure your SP is up and running is to let your own users use eduroam as well.


Contact your RO for some test accounts to test your SP for visitors.


Additional information


The eduroam cookbook