CTS 126: Using Eduroam in Higher Education

We took Anders Nilsson away from a party during Cisco Live and asked him to talk about Eduroam. Eduroam Anders Nilsson joins us on the show to discuss the basics of eduroam, how it works, and why higher education institutions decide to deploy the eduroam SSID on their campus. Anders is from Sweden and you may know him through the Wi-Fi Moose. https://twitter.com/HerrNilsson2/status/1007630629272457216 Anders does work for the Swedish education network and is technically responsible for eduroam in Sweden. That makes him today’s subject matter expert for this topic. If you’re from a higher education institute you may be familiar with eduroam already. Or maybe you’re thinking about deploying eduroam or you don’t fully understand how it works. Anders provides a thorough introduction to eduroam which was started around 2003 in the Netherlands. The goal was to provide a better way for guest students at a visiting university to access Wi-Fi. In it’s early days, eduroam was implemented as an Open SSID with an access list that allowed VPN only. They quickly realized this method wouldn’t scale very well and went for the 802.1X solution instead. eduroam is WPA2 Enterprise based with a federation of RADIUS servers. This means an institution will peer its RADIUS server(s) to the eduroam federation RADIUS servers. When a visiting user wants to join the eduroam SSID but authenticate back to the home RADIUS servers, the local institution will forward the authentication requests up the eduroam chain. This allows for a seamless, convenient connection for the global academic community by using a single SSID, eduroam, at any participating institution. In the old days, a visiting user had to get ahold of the local IT department in order to gain access or use a visitor SSID. Since eduroam is implemented using WPA2 Enterprise, it is strongly suggested to start with using EAP-TLS. Although, other EAP methods are allowed to be used, the table below features the common EAP types deployed with eduroam. EAP-Type Native Supplicant Support Pros Cons EAP-TLS Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) • Validates client as well as infrastructure • Reduced risk of being Phished • Blocking user access is via certificate revocation • PKI infrastructure is required • Users must configure supplicant to use certificate* • Identity may be exposed in TLS exchange depending on contents of certificate EAP-TTLS Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) • No native supplicant support on Microsoft Windows XP or 7 • Potential for Man-in-the-Middle attacks* EAP-PEAP Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) • Works on many platforms • Potential for Man-in-the-Middle attacks* • Identity may be exposed during Phase-1 of exchange Links and Resources Follow Anders on Twitter – @HerrNilsson2 Learn more about eduroam Read the eduroam FAQ