eduroam's EAP authentication is secured using X.509 certificates — the same sort of security certificates you use for websites. However, unlike a web server, you shouldn't necessarily rush out and buy a certificate for eduroam…
There are a few ways to obtain a security certificate for your eduroam RADIUS server, each with its own pros and cons. You can use a commercially signed certificate, one signed by an internal CA (e.g. Active Directory Certificate Services), or a long-lived self-signed one. The first of these is probably the easiest to do but comes with some security considerations; the last is generally considered best for security but has the additional problem of on-boarding the certificate onto users' devices.
Our recommendation for new deployments is as follows:
GÉANT (who maintain the global eduroam infrastructure) has published a useful guide on the various options available, and their relative pros and cons as part of their campus best practices project.
You'll note that there are several mentions of eduroam CAT above. This is because eduroam CAT generates customised installers for all major operating systems, allowing your users to configure eduroam correctly by simply running an installer. CAT automatically configures the correct security settings for your users, and is the easiest way to onboard your certificates onto user devices.
It is absolutely critical that your users validate the security certificate used for eduroam. This is typically done automatically by their operating system, and eduroam CAT will set things up correctly without your users having to know anything about the process. Without CAT, users may be prompted to check the certificate the first time they connect, and you should publish details of the correct certificate so your users know what to look for.
We've seen a few institutions recommend disabling certificate validation to work around the problem of onboarding a certificate, or to continue using an expired certificate. This is the wrong approach and puts the security of your users' accounts at risk (and thus all the personal and other information they contain or have access to). Without certificate validation, an attacker can conduct a man-in-the-middle attack against your users and recover their username and password from inside the EAP conversation.
Our monitoring system will let you know if your certificate is about to expire.
From time to time it may be necessary to renew or roll over the certificate you use for eduroam.
Certificate renewals are generally relatively painless — if you've anchored your installation on a CA certificate and you continue to use a certificate signed by the same certification authority with the same common name (as is typical with a commercial certificate renewal), most operating systems will accept the new certificate without any problems. We are aware of at least one, Apple iOS, that will prompt users to reaffirm acceptance of the certificate, but most users will probably not even be aware of the renewal.
If, however, you need to change the certification authority you use or have a self-signed certificate that is expiring, you need to plan a proper certificate rollover. This can take some time to get right, and we recommend planning for it at least six months in advance — you may, for instance, want to time it to coincide with a change in the academic year to minimise the impact on your help desk.
Fortunately, eduroam CAT can also help with this, as it will allow you to embed both an old and a new certificate within the installer. If you update your CAT installers well in advance of the anticipated change, you can greatly reduce the impact of this change.
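To show what "validating the certificate" and "anchoring on a CA certificate" mean on a device, here is an added wpa_supplicant example (not from the original page or from eduroam CAT): the first network block is the unsafe configuration that accepts any server certificate, the second pins the trust anchor and the RADIUS server name. The realm `example.ac.uk`, the server name `radius.example.ac.uk` and the file path are assumed placeholders; the same file can carry both the old and the new CA during a rollover, which is what the CAT installer does for you.

```conf
# WEAK: no ca_cert and no name match, so the supplicant accepts whatever
# server certificate it is shown, including one from a rogue access point.
# Do not deploy this block; it is here only for comparison.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jbloggs@example.ac.uk"
    password="replace-me"
}

# HARDENED: pin the CA(s) that may sign the RADIUS server certificate
# and require the server name to match before any credential is sent.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity sent in the clear; hides the real username in transit.
    anonymous_identity="anonymous@example.ac.uk"
    identity="jbloggs@example.ac.uk"
    password="replace-me"
    # PEM file with one or more trusted CA certificates. For a rollover,
    # concatenate the old and the new CA here so either chain is accepted
    # until the switch-over is complete.
    ca_cert="/etc/wpa_supplicant/eduroam-cas.pem"
    # Only accept a server certificate whose name ends with this suffix
    # (the "same common name" the renewal section relies on).
    domain_suffix_match="radius.example.ac.uk"
}
```

If the old and new certificates carry a different server name, add the new name to the match (or switch it) at the same time you add the new CA, otherwise the name check will reject the new certificate even though its chain is trusted.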