eduroam | za : Certificates for eduroam

eduroam's EAP authentication is secured using X.509 certificates — the same sort of security certificates you use for websites. However, unlike a web server, you shouldn't necessarily rush out and buy a certificate for eduroam…

There are a few ways to create a security certificate you can use for your eduroam RADIUS server, each with the relative pros and cons. You can either use a commercially signed certificate, one signed by an internal CA (e.g. by Active Directory Certificate Services), or use a long-lived self-signed one. The first of these is probably the easiest to do but comes with some security considerations; the last is generally considered best for security but has the additional problem of on-boarding a certificate onto users' devices.

Certificate recommendations

Our recommendation for new deployments is as follows:

If you're using Windows NPS and Active Directory, make use of the server certificate that already exists on your RADIUS server. This is signed by AD's enterprise certificatation authority, which is automatically trusted by domain members. You must use a tool like eduroam CAT to onboard the AD CA certificate onto other devices. (See how to export the AD CA cert.)

If you already have your own internal/institutional certification authority, make use of this to sign a certificate. See eduroam's EAP Server Certificate considerations for information on what this certificate should look like. You must use a tool like eduroam CAT to onboard your institutional CA certificate onto devices.

If you do not have any certificate authority, consider making use of a long-lived self-signed certificate and using an onboarding tool like eduroam CAT to onboard this onto devices. (FreeRADIUS has a bootstrap script that will automatically create the correct sort of certificate for you.)

If you're not comfortable with any of the above options, make use of a commercially signed certificate as a last resort. If you do this, it is critically important that you configure devices to validate the certificate subject (eduroam CAT does this by default). Remember that TENET has a certificate service available to ac.za holders.

Note that irrespective of which option you choose, you should not use a wildcard certificate since this is known to be problematic in some versions of Microsoft Windows. Similarly, certificates that use a SHA1 hash do not work with Apple devices.

GÉANT (who maintain the global eduroam infrastructure) has published a useful guide on the various options available, and their relative pros and cons as part of their campus best practices project. You can also use the pre-selection approach described below to support multiple options.

eduroam CAT (geteduroam)

You'll note that there are several mentioned of eduroam CAT above. This is because eduroam CAT generates customised installers for all major operating systems, allowing your users to configure eduroam correctly by simply running an installer and/or installing the geteduroam. CAT automatically configures the correct security settings for your users, and is the easiest way to onboard your certificates onto user devices.

Onboarding tools like eduroam CAT are becoming increasingly important, particularly if the certificate you use is not part of the publicly key infrastructure and is not already trusted by your end users' devices (the first three options above). This is because modern operating systems make it difficult for users to accept an untrusted certificate on first use. CAT is, of course, not the only way to solve this problem. However, it is a freely available tool that is supported by the eduroam community.

You can enrol your institution for CAT via our management interface. You can read about how to use CAT to onboard certificates in the CAT administrator guide.

A note about certificate validation

It is absolutely critical that your users validate the security certificate used for eduroam. This is typically done automatically by their operating system, and eduroam CAT will set things up correctly without your users having to know anything about the process. Without CAT, users may be prompted to check the certificate the first time they connect, and you should publish details of the correct certificate so your users know what to look for. Many operating system vendors are starting to disable the option to trust-on-first use because users blindly accept certificates without adequately checking them.

We've seen a few institutions recommend disabling certificate validation to work around the problem of onboarding a certificate or continuing to use an expired certificate. This is the wrong approach and puts the security of your users' accounts at risk (and thus all the personal and other information they contain or have access to). Without certificate validation, a malicious attacker can conduct a man-in-the-middle attack against your users and decrypt their username and password from inside the EAP conversation. Because of the risks it presents, newer devices also remove the option to disable validation.

Our monitoring system will let you know if your certificate is about to expire.

Certificate renewals and rollovers

From time to time it may be necessary to renew or roll over the certificate you use for eduroam.

Certificate renewals are generally relatively painless — if you've anchored your installation on a CA certificate and you continue to use a certificate signed by the same certification authority with the same common name (as is typical with a commercial certificate renewal), most operating systems will accept the new certificate without any problems. We are aware of at least one, Apple iOS, that will prompt users to reaffirm acceptance of the certificate, but most users will probably not even be aware of the renewal.

If, however, you need to change the certification authority you use, have a self-signed certificate that is expiring, or want to change the certificate subject (server name), you need to plan a proper certificate rollover. This can take some time to get right, and we recommend planning for it at least six months in advance — you may, for instance, want to time it to coincide with a change in the academic year to minimise the impact on your help desk.

Fortunately, eduroam CAT can also help with this, as it will allow you to embed both an old and a new certificate within the installer. If you update your CAT installers well in advance of the anticipated change, you can greatly reduce the impact of this change.

Certificate pre-selection

An advanced approach to certificate roll-over, particularly where the certification authority may change, is to use the outer identity to pre-select a particular certificate. This was an idea first seen at the University of Cambridge and can be implemented in FreeRADIUS by making some relatively minor changes.

1) Create a new named instance of the eap module in mods-enabled/eap. This instance should be identical to your default instance except for changes to the certificate location. What follows assumes the named instance is called "eap.public".

2) Edit your outer tunnel virtual server (sites-available/eduroam) and make the following changes:

a) In the authorize section, find the reference to the eap module and replace it with this stanza:

 ## Preselection of CA certificates based on anonymous user-name
 if ("%{Stripped-User-Name}" =~ /^_public/i) {
     eap.public {
         ok = return
     }
 } else {
     eap {
         ok = return
     }
 }

b) In the authenticate section, replace the reference to the eap module with this stanza:

 # eap
 Auth-Type eap.public {
     eap.public
 }
 Auth-Type EAP {
     eap
 }

Once completed, these changes allow you to use an outer identity of _public@yourrealm to preselect the eap.public named eap instance (and therefore the particular certificate it uses).

You can couple this approach with eduroam CAT's ability to set the anonymous outer identity to create versioned CAT installers that use different certificates. This very gracefully handles the transition from one certificate approach to another.