Introduction

This information is meant for eduroam Identity Providers (IdPs) and assumes familiarity with eduroam in general and a working IdP RADIUS server. For general information about both topics, please visit the eduroam in a nutshell and eduroam on-site page; in particular the chapter "eduroam IdP".

Helpdesk Principles

As an eduroam Identity Provider, you are the first point of contact for your end users, regardless whether they are using eduroam at your own campus or whether they are roaming nationally or internationally with an account issued by you.

It is your duty to inform your users about the applicable Terms of Use / Acceptable Use Policy (AUP) when connecting to an eduroam network (both your own AUP and that of the visited hotspot apply).

You are also responsible for providing enough technical information so that users can set up their device securely.

Parameters for Secure Device Configuration

The security of your end-users' credentials (which often means: their institutional username and password) depends on the question whether they verify that they are revealing their password only to their own IdP's RADIUS server or whether they tell it to any random other server. Failure to verify the identity of the RADIUS server means that anyone can set up a fake RADIUS server, wait until your users connect to it, and log the passwords they used for this login.

eduroam Operations sometimes observes practices of eduroam IdPs who actively instruct their users to turn off server identity validation for "ease of use" sake. Such practices include "Uncheck the 'Verify Server Certificate' checkbox" or "when you are shown a certificate warning, just click Accept". We would like to note that such behaviour of IdPs is a breach of the eduroam policy; the instructions MUST include the proper verification of the server identity. In practice, this means:

The security-related public details of your RADIUS infrastructure must be readily available to to end users, including at least:

  • the Certification Authority (CA) that issued the EAP Server Certificate of your RADIUS Installation
  • the Common Name (CN) of the server certificate of the EAP Server Certificate of your RADIUS Installation (this detail is mandatory in most cases; it is optional ONLY if the Certification Authority exclusively issues server certificates to your own eduroam EAP servers)
  • the EAP type(s) you support
  • information regarding which credential users need to use when logging in

Using eduroam CAT for popular operating system support

For many common operating systems, the above information can be configured automatically on your end user devices; either by pushing a configuration file to the device, or by executing a configuration program which installs certificates and makes all required settings on the device.

eduroam Operations has created a tool which allows you to upload the information above, and in return generates custom installers for your IdP, for immediate consumption by your end users. The tool is called the "eduroam Configuration Assistant Tool" (eduroam CAT website; IdP Administrator manual). For the operating systems supported by CAT, helpdesk instructions can be limited to "go to this website, use the installer". Please see the section on compatible devices further down on this page.

Manual configuration instructions for other operating systems

For other operating systems, you need to create installation instructions (screenshots, click-through videos, ...) yourself. Be aware though that the security model of eduroam depends heavily on the validation of the EAP server certificate; due to that, your end-user instructions for all devices MUST include

  • the installation of the CA certificate of your EAP server certificate
  • the configuration of the name (CN) of the EAP server certificate (verification of this detail can be omitted ONLY if the Certification Authority exclusively issues server certificates to your own eduroam EAP servers)
  • the EAP type to use

(warning) We understand that there is a temptation to use some devices with half-baked support for IEEE 802.1X and EAP, where half-baked means they either don't support server certificate validation at all or only in a suboptimal way (e.g. only CA check, no server name validation; or only validation of a certificate fingerprint without certificate chain check). Due to its popularity, we explicitly name Android at this point - it does not allow to configure the expected server name. You may want to support such devices as best as you can, but be aware that you may be putting your own users and their credentials at risk when doing so. In Android's case, a secure configuration is only possible if you deploy a private CA which issues server certificates exclusively to your own eduroam EAP servers.

In the compatibility matrix, devices with known deficiencies are marked as such.

You can also comment on this page if you have found a nifty way to ease eduroam configuration on devices not currently supported by CAT.

Devices that are compatible with eduroam

The following list is sorted alphabetically by vendors. The table notes which EAP methods are supported. Legend:

CAT - this device/EAP type combination is supported by eduroam CAT; can probably also be configured securely manually

Yes - the device can be configured securely manually for this EAP type

Deficient - the device lacks important security features, but workarounds exist which can make its use safe

Insecure - the device can be configured manually for this EAP type, but not all security parameters can be set up

No - device is known not to support IEEE 802.1X/EAP

? - Unknown

TPS - supported with Third-Party Software (possibly commercial)


Compatibility Matrix

Device/OS Vendor

Device/OS

Version

TTLS-PAP

PEAPTTLS-MSCHAPv2TLSPWDTTLS-GTC

FAST

Android

tested on:

Samsung Galaxy S2

Huawei Sonic u8650

2.3Deficient[1]Deficient[1]Deficient[1]Deficient[1]?Deficient[1]?
Android

tested on:

Motorola Xoom2

4.0+Deficient[1]Deficient[1]Deficient[1]Deficient[1]?Deficient[1]?

Apple

iPhone

iOS 4.0+

CAT

CATCATYesNoYes

Yes

Apple

iPad

iOS 4.0+

CAT

CATCAT YesNoYes

Yes

Apple

iPod touch

iOS 4.0+

CAT

CATCATYesNoYes

Yes

AppleMac OS X10.7+CATCATCATYesNo?Yes
AppleMac OS X10.4-10.6Yes[4]Yes[4]Yes[4]Yes[4]No?Yes[4]
BlackberryPlaybook OS2Yes?????

?

LinuxNetworkManager
CATCATCATCATNo??
Linuxwpa_supplicant
CATCATCATCATYes[2]YesYes

Microsoft

Windows

XP SP3

TPSYesTPSYesNoTPS

TPS

Microsoft

Windows

Vista

TPSCATTPSCATCATTPS

TPS

Microsoft

Windows

7

TPSCATTPSCATCATTPS

TPS

MicrosoftWindows8 / 8.1CATCATCATCATCAT?

?

MicrosoftWindows10CATCATCATCATCAT??
MicrosoftWindows Phone7.xNoInsecure[3]?No???
MicrosoftWindows Phone8.xNoDeficient[1]?????
MicrosoftXboxallNoNoNoNoNoNoNo
MicrosoftXBoxONEallNoNoNoNoNoNoNo

Nokia

Symbian OS

Series 6

No

Yes?Yes?Yes

No

NokiaSymbian OS9.xYesYes?Yes?YesNo
SonyPlaystation3 (PS3)allNoNoNoNoNoNo

No

SonyPlaystation4 (PS4)allNoNoNoNoNoNo

No

JollaSailfish OS2YesYes Yes Yes???

[1] Installation and pinpointing of CA possible; verification of expected server name (CN) not possible. A secure configuration is only possible if the Identity Provider deploys a private CA which issues exclusively server certificates for his own eduroam EAP servers. All other Identity Provider deployments are INSECURE.

[2] Version 1.0 or higher required

[3] Verifying that the server is signed by the proper CA is not possible; this means users will not be able to detect fake hotspots and might send their username/password to an unauthorised third party.

[4] Only with 10.6.x (Snow Leopard) and later does OSX allow the configuration of of CA/server trust settings (Pinning 802.1X to specific CA and RADIUS server CommonName)

Reporting a new device

Please let us know in the "Comments" field what device you have, and what EAP method(s) you have found working. We will update the list periodically.

  • No labels