Information for Participating Institutions/Administrators


This page is aimed at institutional I.T. managers. If you're trying to work out how to get eduroam enabled on your campus, please refer your I.T. staff to this page.


Still needs to be ported/restructured.



How does eduroam work?


The idea of eduroam is to leave the administration of user accounts to the entity that a user comes from.
All the sites participating in eduroam all over the world are linked by a hierarchy of RADIUS servers.

If one of your users visits a participating eduroam institution site, then that site will ask your RADIUS server to authenticate the visiting user. If your RADIUS server is configured to be OK with the visiting user, then the remote site will also allow your visiting user to use the remote site's Internet connection - (No VPNs are configured).


If your campus gets a visitor from another participating eduroam site, e.g. from the CSIR, then your RADIUS server will ask the CSIR's RADIUS server to authenticate the visitor. If the CSIR's RADIUS server is OK with that user, then you will allow that user to use your Internet connection (usually just outside your firewall). This process is summarised for a student at the hypothetical MyUni university in the animation below:


eduroam Authentication Model


Note that neither the visited institution (the service provider, SP) nor the national roaming operator (NRO) needs to know who the user is, only where they are from. This is because all the routing information (anonymous@example.ac.za above) is carried in the unencrypted outer identity, whereas the authentication information (Bob) need only be carried in the encrypted inner identity. This is good for protecting the privacy of users and reduces the amount of personal information the SP needs to handle (think POPI). However, eduroam is not anonymous — the SP, IdP and NRO can together establish the real identity of a user, and this cooperation is required in certain circumstances (e.g. when requested by a law enforcement agency).


For more information see: www.eduroam.org


What technology does eduroam use?


In eduroam, communication between the access point and the user's home institution is based on the IEEE 802.1X standard. 802.1X uses the Extensible Authentication Protocol (EAP), which allows for different authentication methods.


The two most popular EAP methods used by eduroam are EAP-TTLS and EAP-PEAP. Both establish a secure (TLS) tunnel from the user's computer to their home institution, through which the actual authentication information (username/password etc.) is carried.


What is eduroam South Africa's architecture?


South Africa's eduroam architecture is shown in the diagram below:


eduroam Architecture


As you can see there are four instances of the public-facing FLR RADIUS proxies, of which only two are normally active. These correspond to flr-jnb.eduroam.ac.za and flr-cpt.eduroam.ac.za, the RADIUS servers you configure in your own RADIUS configs. The intent is to create a scalable, resilient architecture capable of handling hundreds of thousands of authentications a day.


If your RADIUS server does not load balance, please choose the FLR server that's geographically closer to you as the primary one.


Is eduroam safe to use?


eduroam is based on the most secure encryption and authentication standards in existence today. Its security by far exceeds typical commercial hotspots. Be aware though that when your users are using the general Internet at an eduroam hotspot, the local site security measures at that hotspot will apply to them as well. For example, the firewall settings at the visited place may be different from those they are used to at home, and as a guest of the visited institution, they may have access to fewer services on the Internet than they are used to having at home.


Can eduroam use a captive portal?


No. A Web Portal, Captive Portal or Splash-Screen based authentication mechanism is not a secure way of accepting eduroam credentials, even if the website is protected by an HTTPS secure connection. The distributed nature of eduroam would mean that many different pages, languages and layouts would be presented to eduroam users making it impossible to distinguish between legitimate and bogus sites (even a consistent layout can be mimicked by an adversary).


eduroam requires the use of 802.1X, which provides end-to-end encryption to ensure that your private user credentials are only available to your home institution. The certificate of your home institution is the only point you need to trust, regardless of who operates any intermediate infrastructure. Web portals require you to trust their infrastructure, as they receive your password in clear text; this breaks the end-to-end encryption policy of eduroam.


Does eduroam work on different platforms?


eduroam uses open standards to enable uniform cross-platform access. This means that eduroam works on Windows, Linux, BSD, macOS, Android, and even Windows CE.


Are there any prerequisites for eduroam?


In order to enable your users to access eduroam on your campus, you need to maintain an Identity Management System (IdMs), where your users' electronic identities are stored. Typically this is a directory system such as LDAP, eDirectory, or Active Directory.


You also need a RADIUS server, which will have to be connected to your identity management system.


Your WiFi network must be configured to use WPA2 security in enterprise mode.


How do I get started with eduroam?


1) Read through the National Policy for eduroam South Africa


2) Read through the info for new participants if you want to join as an eduroam service provider and/or identity provider.


3) Set up a Wireless network + RADIUS server with WPA2 enterprise mode authentication.


4) Create DNS entries for your RADIUS server(s). E.g. eduroam0.example.ac.za and eduroam1.example.ac.za. It can also be a Canonical Name (CNAME) record that points to your own RADIUS server(s).


5) Let the national roaming operator (NRO) know when your DNS is working so that they can add your domain to the eduroam servers and provide you with a shared secret.


6) Make sure your firewall will allow UDP on port 1812 coming in from flr-cpt.eduroam.ac.za and flr-jnb.eduroam.ac.za to your servers.


7a) If you are making use of FreeRADIUS, add the following to clients.conf on your RADIUS server:


# Always list the FLR server that's geographically closer
# to you first in your configs.
client flr-cpt.eduroam.ac.za {
   shortname = flr-cpt
   secret = MySharedSecret
}

client flr-jnb.eduroam.ac.za {
   shortname = flr-jnb
   secret = MySharedSecret
}


In proxy.conf you should have a realm rule that keeps all requests for example.ac.za (and any of its sub-domains) local, and a DEFAULT realm rule that forwards all other requests to the eduroam FLR servers.

proxy.conf should look something like this (merge it with your current one if you already have special realm rules):


proxy server {
        default_fallback = no
}

# home server definitions: the two FLR proxies (see step 6 for the firewall rule)
home_server flr-cpt {
        type = auth+acct
        ipaddr = 155.232.195.20
        port = 1812
        secret = MySharedSecret
}
home_server flr-jnb {
        type = auth+acct
        ipaddr = 155.232.195.21
        port = 1812
        secret = MySharedSecret
}

# fail-over pool referenced by the DEFAULT realm below; list the FLR
# server that is geographically closer to you first
home_server_pool eduroam {
        type = fail-over
        home_server = flr-cpt
        home_server = flr-jnb
}

# your local realms: requests for these are never proxied
realm LOCAL {
}
realm NULL {
}
realm example.ac.za {
}
# add a realm block like the one above for each sub-domain of
# example.ac.za that your users also log in with

# blackhole routing - this is used by faulty Intel cards
realm myabc.com {
        nostrip
}
# blackhole routing - EAP-SIM/MNOs
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}

# the default destination for unknown realms: proxy to the FLR pool
realm DEFAULT {
        pool = eduroam
        nostrip
}
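To make the routing described under "How does eduroam work?" and the realm rules in the proxy.conf above concrete, here is an added Python model (example code, not part of this page, of FreeRADIUS or of eduroam SA) of how an IdP-side proxy decides where an Access-Request goes from the outer identity alone. It goes a little beyond the config above by also keeping sub-domains of example.ac.za local, as the text asks; the fail-over order, the optional flr_up parameter and the sample identities are assumptions.

```python
import re

# Realm rules mirroring the proxy.conf above. Only the realm part of the
# unencrypted outer identity is ever looked at; the user part (typically
# "anonymous") and the inner identity stay inside the TLS tunnel.
LOCAL_REALMS = {"example.ac.za"}                 # realm example.ac.za { }
BLACKHOLE_REALMS = ["myabc.com", re.compile(r"\.3gppnetwork\.org$")]
FLR_POOL = ["flr-cpt", "flr-jnb"]               # closer FLR server first (fail-over order)


def split_identity(outer_identity: str):
    """Split an outer identity into (user, realm); realm is None when there
    is no '@' (FreeRADIUS realm NULL)."""
    if "@" not in outer_identity:
        return outer_identity, None
    user, _, realm = outer_identity.rpartition("@")
    return user, realm.lower()


def is_local(realm: str) -> bool:
    """Exact local realm, or any sub-domain of it (e.g. research.example.ac.za)."""
    return realm in LOCAL_REALMS or any(realm.endswith("." + r) for r in LOCAL_REALMS)


def route(outer_identity: str, flr_up=None) -> str:
    """Return 'local', 'drop' (blackhole / nothing reachable) or the name of
    the FLR home server an Access-Request with this outer identity is
    proxied to. flr_up is the set of FLR servers currently responding
    (assumed parameter; defaults to both)."""
    _, realm = split_identity(outer_identity)
    if realm is None or is_local(realm):
        return "local"                      # realm NULL / local realms: never proxied
    for rule in BLACKHOLE_REALMS:
        matched = rule == realm if isinstance(rule, str) else rule.search(realm)
        if matched:
            return "drop"                   # realm defined without a pool: blackholed
    up = set(FLR_POOL) if flr_up is None else set(flr_up)
    for server in FLR_POOL:                 # realm DEFAULT -> pool eduroam, fail-over
        if server in up:
            return server
    return "drop"                           # both FLR servers down: request is lost
```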


7b) If you're making use of Active Directory, you may be able to make use of the Network Policy Server (NPS) feature. For information on how to configure this, read through GÉANT's documentation on Using Windows NPS as RADIUS in eduroam.


8) Create a test user called nren_RADIUS_test@example.ac.za on your server to test your IdP from another site. This user will ultimately be configured in the eduroam monitoring system so that you can check that your users are able to log in from a remote site.


9) Configure an AP with an SSID of "eduroam" and test a Wi-Fi client with your setup. You can also test it with a utility called radtest (it usually comes with FreeRADIUS).


10) Contact the NRO to supply you with some eduroam test accounts to test your SP side.


11) You can ask the RO to test your IdP from another eduroam site. The NRO has access to the National eduroam server logs and can also assist you with debugging.


12) When everything is working, update your site's details on this website.


Managing eduroam services


IdP (Identity Provider)


In order to become an eduroam IdP, you generally also have to provide an eduroam SP service (there is an expectation of reciprocity). As an eduroam IdP, you are responsible for your own users. You should provide all the information and support for your own users to get connected to eduroam. Advise your users to test eduroam at your own campus before they visit other eduroam enabled sites.


If a user can use eduroam on your own campus then the same configuration should also work at any eduroam enabled site. To avoid configuration issues you should make use of the eduroam Configuration Assistance Tool (CAT). See: https://cat.eduroam.org/


The CAT tool gets the information about institutions from the Roaming Operators (RO) of the different NRENs. The South African RO will submit all the institutions that are registered on the SA eduroam website. As an administrator, you need to register and manage your institution on the SA eduroam website, under the manage tab above. You can then self-provision for CAT.


An IdP should keep authentication logs for a recommended period of at least 3 months. If one of your own users is experiencing problems at another site then they should contact you to help them. You should do the following:



  1. Verify the user's configuration and find out whether eduroam worked for them before they left.

  2. Check on monitor.eduroam.ac.za that your realm is working from outside your network.

  3. Analyse your own logs first. Your RADIUS server should receive an authentication request for the user from the National eduroam servers. Remember that an invalid domain, e.g. koos@cba.ac.za instead of koos@abc.ac.za, will cause the requests to be dropped along the way.

  4. If you don't receive the requests, contact the RO to assist with the debugging. The following info will assist the RO:

    • The login name of the user, e.g. koos@abc.ac.za

    • The name of the remote institution being visited and the domain they are using, e.g. uct.ac.za

    • Whether eduroam is working for other users at the remote site and, if so, the IP address of one of those users.

  5. If the RO does not see the requests on the National eduroam servers, then the RADIUS logs from the remote administrator might be useful to track down the problem. The contact details of the other eduroam administrators are visible after you log in as an administrator on the eduroam website.
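As an added example for step 3 (not code from this page or from eduroam SA), the small Python triage below reads the IdP's own radius.log and reports whether a given user's requests arrived via the FLR proxies at all. The log lines are constructed in the shape of FreeRADIUS 3 "Auth:" entries and are not real records; the client short names flr-cpt and flr-jnb are the ones from clients.conf above, and campus-ap-01 is an assumed on-campus NAS name.

```python
import re
from collections import Counter

# Short names of the FLR proxies as given in clients.conf; an Auth line
# "from client flr-cpt" therefore means the user was roaming, while any
# other client name is one of your own campus access points/controllers.
FLR_CLIENTS = {"flr-cpt", "flr-jnb"}

# Constructed sample lines in the shape of FreeRADIUS 3 radius.log "Auth:"
# entries (not real log records). With EAP-TTLS/PEAP the outer identity
# (anonymous@...) and the inner identity (koos@...) are logged separately.
SAMPLE_LOG = """\
Mon Mar  4 09:12:01 2024 : Auth: (101) Login OK: [anonymous@example.ac.za] (from client flr-cpt port 0 via TLS tunnel)
Mon Mar  4 09:12:01 2024 : Auth: (101) Login OK: [koos@example.ac.za] (from client flr-cpt port 0 via TLS tunnel)
Mon Mar  4 09:15:40 2024 : Auth: (102) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [piet@example.ac.za] (from client flr-jnb port 0 via TLS tunnel)
Mon Mar  4 09:20:05 2024 : Auth: (103) Login OK: [sannie@example.ac.za] (from client campus-ap-01 port 7 cli CC-DD-EE-FF-00-11)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<id>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)"
)


def triage(log_text: str, login: str) -> dict:
    """Summarise what the IdP's own radius.log shows for one roaming user:
    how many attempts arrived via the FLR proxies (roaming) versus via
    on-campus clients, and which troubleshooting step to take next."""
    remote, local = Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["user"].lower() != login.lower():
            continue
        (remote if m["client"] in FLR_CLIENTS else local)[m["result"]] += 1
    if remote["incorrect"]:
        hint = "requests arrive via the FLR but fail: check credentials, IdMS lookup and EAP config"
    elif remote["OK"]:
        hint = "remote logins succeed at your IdP: the problem is on the visited SP side"
    elif local:
        hint = "works on campus but no roaming requests seen: ask the RO to check the national servers"
    else:
        hint = "no requests at all for this login: verify the realm spelling, then ask the RO"
    return {"remote": dict(remote), "local": dict(local), "hint": hint}
```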


SP (Service Provider)


Any entity with an Internet connection can become an eduroam SP, and as a general rule any IdP should also be an SP. A service provider should be configured with an SSID called "eduroam" with "WPA2 Enterprise" user authentication that is connected to the national eduroam servers of the NRO. It is normal practice to separate traffic from your own users and that of eduroam visitors. With FreeRADIUS you can place users and visitors in different VLANs by adding the following section to your virtual server config file (sites-enabled/eduroam):


post-auth {
        # uncomment to write a detail log of every reply sent
        # reply_log

        Post-Auth-Type REJECT {
                reply_log
                attr_filter.access_reject
        }

        switch "%{Realm}" {
                # VLAN settings for your local users
                case "example.ac.za" {
                        update reply {
                                Tunnel-Type = "VLAN"
                                Tunnel-Medium-Type = "IEEE-802"
                                Tunnel-Private-Group-Id = "2505"
                        }
                }
                # VLAN settings for visitors to your campus (any other realm)
                case {
                        update reply {
                                Tunnel-Type = "VLAN"
                                Tunnel-Medium-Type = "IEEE-802"
                                Tunnel-Private-Group-Id = "2506"
                        }
                }
        } # switch realm
}

Please read through the national eduroam policy documents to see what rules an SP should comply with, e.g. no portals, minimum service for visitors, etc. The best way to ensure your SP is up and running is to let your own users use eduroam as well.


Additional information


The eduroam cookbook