
Using eduroam - for end users
Any member of a participating organisation who has a network logon account can use eduroam. You do not need to individually join the service. Individuals wanting to use eduroam should consult their own organisation's eduroam information web page - follow links on 'eduroam sites listing - where you can use eduroam' in the box below.
This page is intended as a guide to the key things you need to do in order to use the service. It is not intended to replace the full user guide which you are encouraged to read and to keep for reference.
By your use of the service you agree to abide by the acceptable use policies of your home organisation and of the visited organisation and accept the UK eduroam Policy and you undertake to remove the eduroam profile from all devices that you use with the service when your network account at your authenticating organisation expires.
eduroam sites listing and locations map - where you can use eduroam
- first time user
- every time pre-visit checklist
- FAQs, documentation, conditions
- Checklist 1 - one-off operations to enable your use of service
- Checklist 2 - each time before you go
- Conditions of use
- Published user guides / documentation / setting up laptop to use eduroam
- Concepts
- How to determine WPA/WPA2, TKIP/AES setting and IPv6 and no-NAT availability
- What applications will work at all Visited sites
- FAQs
- Reference
- Glossary
- Advisories
- Support
eduroam is a very useful service, but if you are an eduroam user planning to visit another eduroam participant site, it does require a little preparation BEFORE arriving at the site at which you want to use the service. This involves general preparation for using eduroam (CHECKLIST 1) and specific steps you need to take each time before going to a site (CHECKLIST 2).
Test - if your organisation is both a Home and Visited site, the key is to test the operation of eduroam authentication on your own site - if you take your own laptop, using the service is then simply a matter of connecting to the visited site's wireless LAN when you arrive.
The following checklist 1 is quite long, but once you have been through it once, on subsequent visits you'll only need to check the key parameters detailed in checklist 2.
EDUROAM CHECKLIST 1 - one-off operations to enable your use of the service
EDUROAM CHECKLIST 2 - each time before you go!
Conditions of Use
Use of eduroam on JANET is subject to the JANET Acceptable Use Policy, the JANET Security Policy and the JANET eduroam Policy.
By using the service users are deemed to have read the JANET eduroam Policy and agree that they will abide by the terms of the policy.
Published User Guides
UNINETT website "How to connect to an eduroam site" - useful configuration guide and technical information for users
Windows XP built-in 802.1x supplicant configuration (Word) - extract from eduroam User Guide details setup of the client in Windows XP.
Setting up Windows XP to use eduroam - animated slide show by Stefan Winter
Setting up the Intel PRO wireless supplicant - animated slide show by Stefan Winter
Setting up the SecureW2 supplicant - animated slide show by Stefan Winter
Support
Users experiencing any technical problems with the eduroam service or with remote access facilities provided by their Home Organisation should in the first instance consult their Home Organisation IT Support dept.
Concepts
Organisations may offer eduroam as either a 'Home' or a 'Visited' service or both. Most organisations endeavour to provide a full Home and Visited service.
With a Home service, users can gain authentication at other eduroam sites they might visit (ie the Home site acts as an identity provider). Visited service sites provide an eduroam guest network that supports users visiting from organisations that provide a Home service. The idea of such a flexible approach is to be as inclusive as possible and to allow organisations to implement the type of service that suits their policies and local infrastructure/technical expertise.
eduroam can be used from users' own laptops over wireless networks or via hardwired desktop PCs and Macs (for example in IT suites or libraries) that have been suitably configured. eduroam can be used at Visited organisations and in many cases at Home organisations too.
End-users at customer organisations which have deployed eduroam should consult their IT Support dept. for one-off setup of their laptops prior to travelling to Visited sites providing the eduroam service. They will also be able to learn what facilities at the Home Organisation site are offered for remote access from Visited Organisations (e.g. e-mail, VPN). This information should be available on the eduroam pages of the Home Organisation web site, which can be found on the Participating Organisations Map by clicking on your eduroam radio mast icon.
Users MUST also check the Participating Organisations Map to check that their laptop setup is compatible with the authentication method offered by the Visited Organisation and to learn the SSID which they must input into their laptop.
Once at Visited eduroam sites, end-users will be able to log on to the guest network by using their unique credentials (the same for all sites they might visit) - these are their own home organisation username and the organisation realm name in the form: username@foo.ac.uk. (NB: this is NOT necessarily the user's e-mail address.) Users will be able to do this at eduroam enabled hotspots at the Visited sites, which should be marked "JANET Roaming", "JRS" or "eduroam".

FAQs
Link to End-user FAQs on main FAQs page
What's the difference between JANET Roaming and eduroam?
JANET Roaming was the old name for the eduroam service offered over JANET. eduroam is a confederation of national research and education network providers (NRENs). JANET (as the UK NREN) has been a member of the federation since its inception. The eduroam confederation has established a trust relationship between members and an infrastructure of RADIUS servers so that authentication requests can be exchanged between the national RADIUS infrastructures of participating NRENs.
Essentially JANET Roaming enables the eduroam service to be provided in the UK by managing the federation of participating UK organisations. JANET Roaming provides the infrastructure, support framework and technical authority for the academic and research community to offer eduroam. JANET Roaming is a member of the international eduroam confederation - enabling worldwide roaming.
JANET Roaming has its own independent Technical Specification designed specifically for the UK community, to which all participating organisations in the UK must comply. This has enabled the service to be tailored to suit the unique demands of the UK community over time - and enables the UK eduroam service to be the most application-open there is. The eduroam service is fully compliant with the eduroam SA specification and has adopted "eduroam" as its SSID to make it identifiable to visitors from overseas and to enable UK based users to recognise similar guest network access services overseas.
Throughout the eduroam confederation, the eduroam service is advertised through the eduroam SSID. Users from UK organisations that participate as compliant eduroam Home sites (IdPs) can gain guest access on networks at any eduroam organisation, worldwide.
Why is connecting to a network so complicated?
Why can't I just switch my machine on and get onto the network?
It is quite useful to understand the basic steps that are involved in getting out onto any network. The key thing to remember is that unlike domestic and cyber cafe networks (which are of low security and are extremely vulnerable to being compromised), the networks at academic institutions are vastly larger, supporting thousands of users and are far more secure and provide much better JANET-backed performance. The security mechanisms are there for your benefit and protection. The result of this is that the steps that you need to take to get onto the network are slightly more involved.
To get onto any academic network:
a) you have to connect to the medium, wireless or via wired wall socket
b) then to get any further you need to have a user account and have to be granted permissions to use certain facilities
c) next you need to be authenticated to ensure that only legitimate users can access the network
d) finally you are connected onto an appropriate VLAN and can use the network
The result of this is that you need a unique set of user credentials - username and password. For eduroam you have a specific form of username consisting of your own network username and the realm name of your organisation; this will work at any eduroam site. Your user account may also have to be included in a particular "roaming users" group.
To connect to a wireless medium (more properly to "associate with a wireless access point") you need to select the appropriate wireless network service - in any one area there may be several wireless networks sharing the airwaves. These are differentiated by the SSIDs that they advertise. Of course with a wired connection to an Ethernet wall socket, this association phase does not take place.
Having associated to a wireless network your logon attempt has to be authenticated. This involves the exchange of user name and password information with the authentication server, which compares the credentials supplied with those registered on the home organisation user database.
After a successful authentication, the access point or switch connects you to the appropriate secure network to enable you to access your desired resources. The other users sharing your particular part of the network and the resources available to you are governed by the VLAN that you are connected to.
The above applies to any academic network. There are various ways of implementing the above, with varying levels of security. When it comes to providing a service for mobile users (using laptops or connecting at wired wall sockets) the mechanism becomes more complicated. "Web redirection" is a common method but has considerable security vulnerabilities; we recommend against this method. The 802.1x standard provides a far more robust solution, although it does involve a degree of initial set up complexity. That's why you can't just plug in and go!
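The four steps above, worked through from the Visited site's side as an added example (not JANET's or eduroam's own code): the Visited site's RADIUS proxy routes on the realm part of the outer identity and never checks the password itself, the home organisation verifies the credentials carried inside the EAP tunnel and its "roaming users" group, and only an accepted user is placed on the guest VLAN. The federation table, user records, passwords and VLAN number are all constructed.

```python
"""Realm-based routing of an eduroam 802.1X logon (constructed example)."""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed federation table: realm -> home organisation's RADIUS server.
FEDERATION = {
    "foo.ac.uk": "radius.foo.ac.uk",
    "bar.ac.uk": "radius.bar.ac.uk",
}

# Constructed home-organisation user databases (passwords are dummy values).
HOME_USERS = {
    "radius.foo.ac.uk": {
        "alice": {"password": "pw-alice", "roaming": True},
        "bob": {"password": "pw-bob", "roaming": False},   # not in roaming group
    },
    "radius.bar.ac.uk": {
        "carol": {"password": "pw-carol", "roaming": True},
    },
}

GUEST_VLAN = 300  # constructed: the Visited site's guest VLAN id


@dataclass
class AuthResult:
    accepted: bool
    vlan: Optional[int]
    reason: str


def split_identity(identity: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'user@realm' into (user, realm); the realm is lower-cased.

    Returns (None, None) when there is no single '@' with text on both
    sides: a Visited proxy cannot route a bare username anywhere."""
    if identity.count("@") != 1:
        return None, None
    user, realm = identity.split("@")
    if not user or not realm:
        return None, None
    return user, realm.lower()


def home_server_check(home: str, user: str, password: str) -> AuthResult:
    """What the home organisation's RADIUS server does with the inner
    credentials once the request has been forwarded to it."""
    record = HOME_USERS[home].get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return AuthResult(False, None, "home organisation rejected credentials")
    if not record["roaming"]:
        return AuthResult(False, None, "user is not in the roaming users group")
    return AuthResult(True, None, "accepted by home organisation")


def visited_site_logon(outer_identity: str, inner_identity: str, password: str) -> AuthResult:
    """Step through one logon at a Visited site.

    outer_identity: the EAP-Response/Identity the Visited site sees in the
                    clear (e.g. anonymous@foo.ac.uk with PEAP or EAP-TTLS).
    inner_identity: the real username@realm sent inside the TLS tunnel.
    password:       the inner credential, opaque to the Visited site.
    """
    _, realm = split_identity(outer_identity)
    if realm is None:
        return AuthResult(False, None, "outer identity has no realm: cannot route")
    home = FEDERATION.get(realm)
    if home is None:
        return AuthResult(False, None, f"realm {realm} unknown to the federation")
    # Forwarded to the home server, which unwraps the inner identity.
    user, inner_realm = split_identity(inner_identity)
    if user is None or inner_realm != realm:
        return AuthResult(False, None, "inner identity missing or realm mismatch")
    result = home_server_check(home, user, password)
    if not result.accepted:
        return result
    # Access-Accept: the Visited site connects the client to its guest VLAN.
    return AuthResult(True, GUEST_VLAN, "accepted: connected to guest VLAN")


if __name__ == "__main__":
    print(visited_site_logon("anonymous@foo.ac.uk", "alice@foo.ac.uk", "pw-alice"))
    print(visited_site_logon("alice", "alice", "pw-alice"))
```

The two identities are kept separate on purpose: with the tunnelled EAP types the page names (PEAP, EAP-TTLS), the Visited site only needs the realm to forward the request, which is why the username@realm form matters more than the e-mail address.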
How can I get my Palm TX handheld to work with eduroam?
Palmtops need 802.1x supplicant software to work at the vast majority of eduroam sites (excepting those providing web redirect authentication JRS1) - the supplicant software must support the authentication protocols in use on your home network (EAP-TLS, EAP-TTLS, EAP-PEAP(v0 or v1)). The Palm TX uses Palm OS Garnet 5.4 which supports wireless connection, but unlike XP and Vista does not include an 802.1x supplicant. This software is however available in the Wi-Fi Enterprise Security Update (ESU) package which costs $5.99 from www.palm.com/us/software/esu.
Reference
eduroam tiers
eduroam consists of participating organisations that have agreed to a common set of standards. eduroam does however accommodate diversity through a small range of permissible 802.1X implementations to allow participants to deploy their own selection of equipment from various vendors and to implement technological nuances consistent with their own technology and security policies. JANET has created 'service tiers' in order to promote inter-operability between participants, help the user prepare their devices for operation at the various sites and to assure the quality of the user experience.
There are currently two service tiers defined within the eduroam service on JANET: JRS2 and JRS3. The differences between the tiers are shown below.
| Service Tier | Authentication Method | NAT | IPv4 | IPv6 | WPA | WPA2 | SSIDs |
| --- | --- | --- | --- | --- | --- | --- | --- |
| JRS2 | IEEE 802.1x | May | Must | May | May | May | eduroam |
| JRS3 | IEEE 802.1x | Must not | Must | Must | Should | Must | eduroam |

Table 1 - Tier requirements for Visited organisations
IP protocols guaranteed on eduroam guest networks
Visited organisations must permit egress and established forwarding of the protocols listed in Table 2 below. This may not be the case at eduroam organisations overseas where more limited services may be available.
| Category | Protocol | Port / IP protocol | Forwarding |
| --- | --- | --- | --- |
| | IMSP | TCP/406 | egress and established |
| | IMAP4 | TCP/143 | egress and established |
| | IMAP3 | TCP/220 | egress and established |
| | IMAPS | TCP/993 | egress and established |
| | POP | TCP/110 | egress and established |
| | POP3S | TCP/995 | egress and established |
| | SMTPS | TCP/465 | egress and established |
| | Message submission | TCP/587 | egress and established |
| Web | HTTP | TCP/80 | egress and established |
| | HTTPS | TCP/443 | egress and established |
| VPN | Standard IPSec VPN | IP protocols 50 (ESP) and 51 (AH) | egress and ingress |
| | Standard IPSec VPN | UDP/500 (IKE) | egress only |
| | IPSec NAT traversal | UDP/4500 | egress and established |
| | Cisco IPSec NAT traversal | UDP/10000 and TCP/10000 | egress and established |
| | PPTP | IP protocol 47 (GRE) and TCP/1723 | egress and established |
| | OpenVPN | UDP/1194 and TCP/1194 | egress and established |
| | IPv6 Tunnel Broker NAT traversal | UDP/3653 and TCP/3653 | egress and established |
| Remote Desktop | RDP | TCP/3389 | egress and established |
| | VNC | TCP/5900 | egress and established |
| | Citrix | TCP/1494 | egress and established |
| | AFS | UDP/7000 - UDP/7007 | egress and established |
| Directory Services | LDAP | TCP/389 | egress and established |
| | LDAPS | TCP/636 | egress and established |
| Secure Shell | SSH | TCP/22 | egress and established |
| File Transfer | Passive (S)FTP | TCP/21 | egress and established |
| Network Services | NTP | UDP/123 | egress and established |

Table 2 - Minimum requirements for egress and established forwarding of protocols
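One way a Visited site could check its guest-network firewall policy against Table 2, added here as an example rather than any JANET tooling: REQUIRED transcribes the table (protocol, port or IP protocol number, and whether inbound forwarding is needed as well as egress), and SAMPLE_POLICY is a constructed, deliberately incomplete rule set whose gaps the check reports.

```python
"""Compare a guest-network firewall policy with the Table 2 minimum list."""
from typing import Dict, List, Tuple, Union

# A rule permits one protocol over an inclusive port span in one direction.
# 'egress' is taken to include the established return traffic, as in Table 2.
Rule = Dict[str, object]


def permit(proto: str, ports: Union[int, Tuple[int, int]], direction: str = "egress") -> Rule:
    """Build a rule; ports is a single port/IP protocol number or (low, high)."""
    low, high = (ports, ports) if isinstance(ports, int) else ports
    return {"proto": proto, "ports": (low, high), "direction": direction}


# Transcribed from Table 2: (name, protocol, (low, high), needs_ingress).
REQUIRED = [
    ("IMSP", "tcp", (406, 406), False),
    ("IMAP4", "tcp", (143, 143), False),
    ("IMAP3", "tcp", (220, 220), False),
    ("IMAPS", "tcp", (993, 993), False),
    ("POP", "tcp", (110, 110), False),
    ("POP3S", "tcp", (995, 995), False),
    ("SMTPS", "tcp", (465, 465), False),
    ("Message submission", "tcp", (587, 587), False),
    ("HTTP", "tcp", (80, 80), False),
    ("HTTPS", "tcp", (443, 443), False),
    ("IPSec ESP", "ip", (50, 50), True),     # egress and ingress
    ("IPSec AH", "ip", (51, 51), True),      # egress and ingress
    ("IKE", "udp", (500, 500), False),       # egress only
    ("IPSec NAT traversal", "udp", (4500, 4500), False),
    ("Cisco IPSec NAT traversal (UDP)", "udp", (10000, 10000), False),
    ("Cisco IPSec NAT traversal (TCP)", "tcp", (10000, 10000), False),
    ("PPTP GRE", "ip", (47, 47), False),
    ("PPTP control", "tcp", (1723, 1723), False),
    ("OpenVPN (UDP)", "udp", (1194, 1194), False),
    ("OpenVPN (TCP)", "tcp", (1194, 1194), False),
    ("IPv6 tunnel broker (UDP)", "udp", (3653, 3653), False),
    ("IPv6 tunnel broker (TCP)", "tcp", (3653, 3653), False),
    ("RDP", "tcp", (3389, 3389), False),
    ("VNC", "tcp", (5900, 5900), False),
    ("Citrix", "tcp", (1494, 1494), False),
    ("AFS", "udp", (7000, 7007), False),
    ("LDAP", "tcp", (389, 389), False),
    ("LDAPS", "tcp", (636, 636), False),
    ("SSH", "tcp", (22, 22), False),
    ("Passive (S)FTP", "tcp", (21, 21), False),
    ("NTP", "udp", (123, 123), False),
]


def rule_covers(rule: Rule, proto: str, span: Tuple[int, int], direction: str) -> bool:
    """True if the rule permits the whole required span for that protocol and direction."""
    low, high = rule["ports"]
    return (rule["proto"] == proto and rule["direction"] == direction
            and low <= span[0] and span[1] <= high)


def missing_requirements(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Return (requirement name, direction) pairs the policy does not cover."""
    missing = []
    for name, proto, span, needs_ingress in REQUIRED:
        directions = ["egress", "ingress"] if needs_ingress else ["egress"]
        for direction in directions:
            if not any(rule_covers(r, proto, span, direction) for r in policy):
                missing.append((name, direction))
    return missing


# Constructed "web and mail only" guest policy; it permits ESP/AH outbound
# but forgets the inbound leg, and has no VPN, remote desktop or AFS rules.
SAMPLE_POLICY = [
    permit("tcp", 80), permit("tcp", 443), permit("tcp", 22),
    permit("tcp", 143), permit("tcp", 993), permit("tcp", 587),
    permit("udp", 123),
    permit("ip", 50), permit("ip", 51),
    permit("udp", 500), permit("udp", 4500),
]

if __name__ == "__main__":
    for name, direction in missing_requirements(SAMPLE_POLICY):
        print(f"missing: {name} ({direction})")
```

The check is written for the UK list only; as the text above notes, overseas eduroam sites may offer less, so a user-side expectation should not assume the full table holds abroad.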
Glossary
Supplicant - configuration of this software will be necessary, WLAN settings vary site-site
The 802.1x supplicant is the software entity on the client workstation/laptop that enables the user to submit credentials to connect the computer to a secure network. Supplicant software is built in to Windows and Mac OS, but third party 802.1x supplicant software is available, notably Xsupplicant (being developed by Open SEA in association with JANET(UK)), wpa_supplicant and SecureW2.
Your organisation's choice of EAP type (mechanism for exchanging authentication messages) may require the use of specific supplicant software, but in many cases the supplicant software built in to the operating system will support the required EAP type. Your IT Support team should supply/install/configure any third party or the built-in supplicant software for use with eduroam.
Supplicant software usually includes settings for the encryption method used on the WLAN. These settings vary from site to site, so you'll need to check the encryption in use at the site you intend to visit on the site's eduroam info web page before you go. The WPA, WPA2, WEP settings can then be configured on your supplicant. The supplicant may include functionality to enable the selection of DHCP for IP address and DNS; if it does not, then these settings must be configured in the network adaptor/WLAN card settings section of the operating system.
EAP type - the type used by your organisation configured first time you set up your laptop
EAP - Extensible Authentication Protocol is a framework for transporting authentication messages and provides for the negotiation of the authentication mechanism (EAP type) to be utilised. There are a number of different EAP types in existence. With eduroam, the EAP types that organisations have implemented are PEAP, EAP-TTLS and EAP-TLS. With PEAP and EAP-TTLS there are also stage 2 methods that must be correctly configured.
In Microsoft network environments, PEAP is most commonly encountered, with a stage 2 method usually MSCHAPv2.
In other environments you will commonly find EAP-TTLS, with a stage 2 method of MSCHAPv2 or MD5 or PAP.
The final common method, EAP-TLS is a single stage protocol.
Certificates - enable mutual trust between client and authentication server and used in encryption of the message exchange.
The main EAP types in use utilise server certificates to verify the authenticity of the remote server that will authenticate your credentials, and some EAP types also require client machines to have client certificates. In the latter case, the client certificate must be acquired from your IT Support team. (Installation may have been carried out by your organisation's IT Support team if third party supplicant software is used by your organisation.)
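To make the supplicant, EAP-type and certificate points above concrete, here is an added example (not code from JANET or the eduroam project) that checks a wpa_supplicant-style network={...} profile for the settings the glossary calls out: an EAP type of PEAP, TTLS or TLS, a stage 2 method for the tunnelled types, a client certificate for EAP-TLS, the username@realm identity form, and server certificate validation (a pinned CA plus a server name match), which is what stops a look-alike "eduroam" network from collecting the password. ca_cert, domain_suffix_match, phase2 and the other keys are real wpa_supplicant options; the two profiles, the realm foo.ac.uk and the CA path /etc/ssl/certs/foo-ca.pem are constructed.

```python
"""Check an eduroam 802.1X supplicant profile for the glossary's settings."""
import re
from typing import Dict, List

TUNNELLED = {"PEAP", "TTLS"}            # need a stage 2 (phase2) method
CERT_BASED = {"TLS"}                    # need a client certificate
STAGE2_OK = {"MSCHAPV2", "PAP", "MD5"}  # stage 2 methods named on the page
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_network_block(text: str) -> Dict[str, str]:
    """Extract key=value pairs from the first network={ ... } block.
    Double quotes around values are stripped; '#' starts a comment."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def stage2_method(phase2: str) -> str:
    """phase2 looks like 'auth=MSCHAPV2' (PEAP) or 'auth=PAP' / 'autheap=...' (TTLS)."""
    parts = dict(p.split("=", 1) for p in phase2.split() if "=" in p)
    return (parts.get("auth") or parts.get("autheap") or "").upper()


def check_profile(text: str) -> List[str]:
    """Return a list of findings; an empty list means the profile passes."""
    s = parse_network_block(text)
    findings = []
    if s.get("ssid") != "eduroam":
        findings.append("ssid is not 'eduroam'")
    if "WPA-EAP" not in s.get("key_mgmt", "").split():
        findings.append("key_mgmt must include WPA-EAP (802.1X), not PSK or open")
    eap = s.get("eap", "").upper()
    if eap not in TUNNELLED | CERT_BASED:
        findings.append(f"eap type {eap or '<unset>'} is not PEAP, TTLS or TLS")
    # The identity must carry the realm so the request can be routed home.
    ident = s.get("identity", "")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", ident):
        findings.append("identity must be username@realm")
    # Server certificate validation: CA pinned and the server name matched.
    if not s.get("ca_cert"):
        findings.append("ca_cert not set: server certificate is not validated")
    if not any(s.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server name check (domain_suffix_match or similar)")
    if eap in TUNNELLED:
        method = stage2_method(s.get("phase2", ""))
        if method not in STAGE2_OK:
            findings.append(f"stage 2 method {method or '<unset>'} not configured for {eap}")
        anon = s.get("anonymous_identity", "")
        if anon and anon.split("@")[-1] != ident.split("@")[-1]:
            findings.append("anonymous_identity realm differs from identity realm")
    if eap in CERT_BASED and not (s.get("client_cert") and s.get("private_key")):
        findings.append("EAP-TLS needs client_cert and private_key")
    return findings


# Constructed profiles. WEAK_PROFILE is the kind of minimal setup that
# authenticates but validates nothing; GOOD_PROFILE pins the CA and server name.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed-example"
}
"""

GOOD_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@foo.ac.uk"
    anonymous_identity="anonymous@foo.ac.uk"   # outer identity: realm only
    password="constructed-example"
    ca_cert="/etc/ssl/certs/foo-ca.pem"        # constructed path
    domain_suffix_match="radius.foo.ac.uk"     # constructed server name
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("good", GOOD_PROFILE)):
        print(name, check_profile(profile) or "OK")
```

The server name and CA values to use are the ones your IT Support team publishes for your Home organisation, not the Visited site's: the certificate being checked belongs to the home authentication server that the request is forwarded to.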
SSID - select the appropriate eduroam SSID from the popup list to connect to the WLAN
Service Set Identifier - the ‘name’ of a wireless network. Modern wireless access points enable a number of different wireless network services to co-exist in the same physical area. Multiple wireless network services are useful in an enterprise environment because different functions and policies can be enabled on each service and these can be tailored to match the different user types who may wish to connect. So you can have a service for staff, a service for students and another service for guests. These different services can be associated with different VLANs, so providing access to different resources on the network as appropriate to the type of user.
Usually SSIDs are broadcast by the wireless network access points, although in some deployments hidden SSIDs may be encountered. In the normal scenario, the wireless client scans for broadcast SSIDs and displays a list of those available. Alternatively the client can probe for a specific SSID or can probe for 'any'. By whatever means, in modern operating systems a list of the available SSIDs will be displayed whenever the wireless LAN card is enabled. From this list you will be able to pick the required service. For access via eduroam, the relevant SSIDs are:
'eduroam', 'eduroam-wep' and 'eduroam-web'.
VLAN (virtual local area network) - when visiting you'll be connected to the guest VLAN
A VLAN is a sub-network that exists within the physical network infrastructure of an organisation. It is dynamically created by the network software and links together users, servers, resources and Internet / Intranet facilities regardless of physical location within the organisation's network. A number of VLANs can co-exist on the network at the same time, spanning multiple network switches, wireless access points and routers. VLANs are used to securely provide access to different resources on the network as appropriate to the different types of user. So you can for example have a VLAN for staff, a VLAN for students and another VLAN for guests.
Security vulnerabilities
“Web redirect” systems have been disallowed for eduroam for some time now and so you should never encounter an eduroam login web page. If you do then you should not use your eduroam credentials (i.e. username and password) to connect to the network. (Your credentials should only ever be used with your 802.1X supplicant - wireless connection software). And never try to use your valuable eduroam credentials (i.e. username and password) to connect to ANY other web site. Eduroam is for authentication to a network via 802.1X only!
Security vulnerabilities of web redirect systems - do not use web logins for eduroam
We would welcome comments and feedback about this page.
Please bring any errors or omissions to the attention of the eduroam service manager.