
eduroam FAQ

General Questions

Our institution already has great wireless. Why do I need eduroam?

What technology do I need to run eduroam?

Why 802.1X (WPA2-enterprise)? How is 802.1X better than other network access control systems?

How long does it take to connect my institution to eduroam?

What is ANYROAM and what is its relationship with eduroam?

How does the local institution support visitors?

Do I need to join InCommon or Internet2 to subscribe to eduroam?

What steps are required before eduroaming?

What happens when an eduroamer joins the network and contacts their home institution?

Who can use the eduroam SSID?

How is abuse handled?

Connector Agreement and Subscription Fees

Do Internet2 Higher Education members pay for eduroam?

I already run eduroam on my campus. Why am I being asked to sign a connector agreement?

What is this $700 registration fee for?

I'm not an Internet2 Higher Education member, but am interested in eduroam. What will it cost?

Security

Does the fact that RADIUS relies on a shared secret constitute a security risk?

Our network relies on PAP/CHAP, can we join eduroam securely?

What tools are in place to address local security incidents on the eduroam network?

How does eduroam-US address SSL/TLS man-in-the-middle attacks against 802.1x and RADIUS proxies?


General FAQs

Our institution already has great wireless. Why do I need eduroam?

eduroam is not a replacement for your guest network; it is a complement that makes your guest network and your community compatible with other eduroam participants.

Enabling eduroam on your campus provides four main features:

  1. It allows your campus to welcome eduroam enabled visitors in a strongly authenticated way (the strong authentication also provides a way to authorize users to different resources)
  2. It allows your own users to travel to eduroam enabled locations around the world (some places only have eduroam as a guest Wi-Fi)
  3. It saves provisioning time for your institution and for your visitors since eduroam authentication is automatic and access is immediate
  4. It improves security since your visitors use a standard protocol (WPA2-enterprise, 802.1X) that encrypts traffic between their devices and the Wi-Fi infrastructure

What technology do I need to run eduroam?

WPA2-Enterprise (also known as 802.1X) is required to join eduroam. The RADIUS server that the joining institution already uses to operate WPA2-Enterprise locally is connected to the national infrastructure.

Why 802.1X (WPA2-enterprise)? How is 802.1X better than other network access control systems?

A perfect use case for eduroam is the smartphone. Joining a traditional, web-based visitor wireless network from a phone can be a trying endeavor. First you have to determine the visitor network's SSID. Then, after associating to the network, you may or may not be able to access email or the web. Opening a web browser, then zooming and moving around the web interface to read the user agreement and provide some form of credentials, is tedious enough on a mobile device. Add the different configuration at each visited institution and the problem is greatly magnified.

With eduroam, configuration of any device is simplified. The user credentials can be stored locally, the eduroam SSID is broadcast, and joining is automatic.

How long does it take to connect my institution to eduroam?

The connection of the institution's RADIUS server to the national infrastructure takes an average of two hours. This step will allow users of that institution to visit other eduroam campuses. Making the local campus an eduroam hotspot takes more time since it involves the broadcasting of the network name across campus and some backend network engineering (subnets and firewall configurations). You will also want to allow for time to inform your community about the new offering and its local support.

What is ANYROAM and what is its relationship with eduroam?

ANYROAM, LLC, is the contractor that operates the technical infrastructure of eduroam in the United States, under contract with Internet2. You can find out more about ANYROAM at the company's website.

How does the local institution support visitors?

One of the main rules of eduroam is that visitors have to first contact their home institution to seek support. This said, many places elect to support eduroam visitors locally since in many cases it doesn't add much burden to the local help desk.

How is abuse handled?

All eduroam users are authenticated in the form user@realm (e.g. username@institution.edu). In case of abuse, the local institution can block users the same way it is done locally (MAC address and username/realm filtering). For DMCA complaints, the request can be forwarded to the institution of the offending user either directly or by contacting ANYROAM.

Do I need to join InCommon or Internet2 to subscribe to eduroam?

No. Neither InCommon participation nor Internet2 membership is required for eduroam subscribers. InCommon and eduroam are complementary federations satisfying different needs in the academic communities. InCommon uses SAML and Web-based authentication and authorization and eduroam uses EAP and RADIUS. The InCommon Federation is intended for access to applications and services; eduroam facilitates access to wireless networks.

What steps are required before eduroaming?

For the individual, joining eduroam should appear no different from joining any other encrypted (WPA/WPA2) wireless network. Behind the scenes, the device will need to verify a certificate provided by the home institution via the encrypted tunnel. Details are in the administrative guide.

What happens when an eduroamer joins the network and contacts their home institution?

The supplicant (authentication client) on the eduroamer's device creates an encrypted tunnel from her device all the way back to her home institution's RADIUS server, whether it is in the next room or across an ocean. The only parties privy to the contents of that tunnel are the eduroamer and the home institution.

The home institution attempts to authenticate the eduroamer's credentials and replies, with either accept or reject, to the site from which the eduroamer is attempting to gain access. If the provided credentials are accepted by the eduroamer's home institution, the local institution grants access to the eduroamer, who can now use the network the same as local users.
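The first thing the visited site's RADIUS server does with a request is decide, from the realm in the outer identity alone, whether it is the home institution or whether the request must travel on toward the home server. The following is an added example and not code from this page, eduroam, ANYROAM or InCommon; the realm names and the proxy address are constructed placeholders.

```python
"""Realm-based routing for an eduroam RADIUS proxy.

Added example, not code from the page or from eduroam/ANYROAM/InCommon: it
models the decision a campus RADIUS server makes when an Access-Request
arrives with an outer identity of the form user@realm (an NAI, RFC 7542):
authenticate locally, forward the whole EAP conversation toward the national
top-level proxy, or reject because the identity cannot be routed. The realm
names and proxy address below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed configuration for a hypothetical campus.
LOCAL_REALMS = {"example.edu", "students.example.edu"}
FEDERATION_PROXY = "tlr.eduroam.example.invalid"  # placeholder for the national top-level server

# Conservative shape check for a realm: dotted labels of letters, digits and hyphens.
REALM_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


@dataclass(frozen=True)
class RoutingDecision:
    action: str             # "local", "proxy" or "reject"
    realm: Optional[str]    # realm the decision was based on (None if absent)
    reason: str


def parse_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split an outer identity into (user, realm).

    The realm is everything after the LAST '@' (a user part may itself contain
    '@'), lower-cased because domain-style realms are case-insensitive.
    Returns realm None when the identity has no '@' at all.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def route(identity: str) -> RoutingDecision:
    """Decide where the authentication for this outer identity goes.

    Only the realm drives the decision: the user part may be "anonymous",
    which is the privacy property eduroam relies on (the visited site never
    needs the real inner username, only the realm to forward to).
    """
    _user, realm = parse_identity(identity)
    if realm is None:
        return RoutingDecision("reject", None, "identity carries no realm; eduroam cannot route it")
    if not REALM_RE.fullmatch(realm):
        return RoutingDecision("reject", realm, "malformed realm")
    if realm in LOCAL_REALMS:
        return RoutingDecision("local", realm, "realm is served by this institution")
    # Every other realm belongs to some other eduroam institution: hand the
    # conversation to the federation proxy and let it find the home server.
    return RoutingDecision("proxy", realm, f"forward EAP conversation to {FEDERATION_PROXY}")


if __name__ == "__main__":
    for ident in ["anonymous@example.edu", "alice@Other.Edu", "bob",
                  "a@b@students.example.edu", "x@bad..realm", "alice@"]:
        d = route(ident)
        print(f"{ident:26} -> {d.action:6} realm={d.realm} ({d.reason})")
```

Note that the decision never looks at the user part: an outer identity of `anonymous@example.edu` routes exactly like `alice@example.edu`, which is why the visited site learns only the realm while the real username stays inside the TLS tunnel to the home server.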

Who can use the eduroam SSID?

Anyone from a participating institution. This facilitates productivity for visiting faculty, students, and employees while away from home, without any additional configuration to their computers or mobile devices.


Connector Agreement and Subscription Fees

Do Internet2 Higher Education members pay for eduroam?

Internet2 Higher Education members do not pay the eduroam annual subscription fees; it is a benefit of Internet2 Higher Education membership. However, if you require changes to the legal agreement that are not state mandated, you will be charged the $700 registration fee. If there are no changes to the legal agreement, the $700 charge is waived. We may also waive the fee for changes that are mandated by state law, as determined by Internet2.

I already run eduroam on my campus. Why am I being asked to sign the Connector Agreement?

The Connector Agreement specifies the terms of service and clarifies the roles of the connectors and Internet2 as the operator of eduroam in the U.S. With hundreds of subscribers, a more formal approach is needed to ensure there are no misunderstandings.

What is this $700 registration fee for?

The registration fee covers the administrative work related to onboarding an eduroam subscriber. However, Internet2 will waive the registration fee for organizations that do not ask for changes in the Connector Agreement. When a change is requested by any subscriber, Internet2 incurs legal costs for reviewing the request. We may also waive the fee for changes that are mandated by state law, as determined by Internet2.

I'm not an Internet2 Higher Education member, but am interested in eduroam. What will it cost?

The cost is based on the total student enrollment at your campus, based on the U.S. Department of Education IPEDS data (http://nces.ed.gov/ipeds). There is a $400 minimum charge. If your organization is not listed in IPEDS, or you want more detail, see the eduroam fees page.


Security FAQs

Does the fact that RADIUS relies on a shared secret constitute a security risk?

The security of RADIUS does not rest on the shared secret alone; it also rests on the IP addresses of the servers configured to use that secret. A RADIUS server should not accept an authentication attempt from an IP address that is not configured as a client, even when the request uses the correct RADIUS secret (please see the eduroam-US Best Practices document in the Administrator's Guide for more details).

It is possible to spoof the source address of a UDP packet, but this should be mitigated by properly configured border and upstream routers that drop packets whose source addresses do not belong to the network they arrive from. Moreover, each institution must take further local steps to prevent "rogue" users from impersonating the local RADIUS server(s).

The use of RadSec mitigates the risk posed by shared secrets by using SSL/TLS certificates in place of RADIUS shared secrets, and by using TCP as the transport, which makes spoofing more difficult. For more information on RadSec, please see that section of the Administrator's Handbook.
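The two layers described above, the client table keyed by source address and the shared secret, can be seen in a small server-side check. This is an added example, not code from the page or from any RADIUS implementation: it gates on the configured client address first and only then uses the secret to verify the Message-Authenticator attribute (RFC 2869, mandatory for EAP traffic per RFC 3579: HMAC-MD5 over the packet with the attribute's own value zeroed). The client address, secret and sample packet are constructed.

```python
"""Source-address gate plus Message-Authenticator check for a RADIUS server.

Added example, not code from the page, eduroam or any RADIUS implementation.
A request is first matched against the table of configured clients by source
IP; only then is the shared secret used, here to verify the
Message-Authenticator attribute (RFC 2869 / RFC 3579: HMAC-MD5 over the
packet with the attribute value set to 16 zero octets). A packet built with
the correct secret is still refused when it arrives from an address that is
not a configured client. Client addresses and the secret are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed client table: source IP -> shared secret.
CLIENTS: Dict[str, bytes] = {"192.0.2.10": b"constructed-shared-secret"}


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Encode an Access-Request and append a correctly computed Message-Authenticator."""
    assert len(request_authenticator) == 16
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zero placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # computed while the placeholder is zero
    return packet[:-16] + mac


def verify_access_request(packet: bytes, src_ip: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The source-IP gate runs before any use of the secret."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return False, "source address is not a configured RADIUS client"
    if len(packet) < 20:
        return False, "packet shorter than RADIUS header"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad code or length"
    # Walk the attribute list to locate the Message-Authenticator value.
    pos, ma_offset = 20, None
    while pos < length:
        if pos + 2 > length:
            return False, "truncated attribute header"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False, "bad attribute length"
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False, "bad Message-Authenticator length"
            ma_offset = pos + 2
        pos += attr_len
    if ma_offset is None:
        return False, "Message-Authenticator missing (required for EAP requests)"
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16]):
        return False, "Message-Authenticator mismatch (wrong secret or tampered packet)"
    return True, "accepted"


# Constructed sample: a request signed with the real secret of the configured client.
SAMPLE = build_access_request(7, bytes(range(16)),
                              [(ATTR_USER_NAME, b"anonymous@example.edu")],
                              CLIENTS["192.0.2.10"])

if __name__ == "__main__":
    print(verify_access_request(SAMPLE, "192.0.2.10"))    # configured client, valid MAC
    print(verify_access_request(SAMPLE, "198.51.100.7"))  # correct secret, unconfigured source
    tampered = SAMPLE[:22] + bytes([SAMPLE[22] ^ 1]) + SAMPLE[23:]
    print(verify_access_request(tampered, "192.0.2.10"))  # one bit flipped inside User-Name
```

The second call is the case the FAQ is making: the packet is cryptographically valid for the secret, yet it is refused because 198.51.100.7 is not in the client table, so knowledge of the secret alone buys nothing without also sending from a configured address. Border filtering of spoofed source addresses is what keeps that second condition meaningful.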

Our network relies on PAP/CHAP, can we join eduroam securely?

While PAP passwords remain in plain text inside the "inner tunnel," the 802.1X SSL/TLS tunnel, in either TTLS or PEAP, extends from the user's supplicant all the way back to the home RADIUS server. All EAP authentication traffic, including the plain-text password, is encrypted within that tunnel, which terminates on the RADIUS server itself. At that point the only users who should have access to the unencrypted traffic are local administrators/users on the RADIUS server itself. From there, the transit to and from the directory service (IdP) must be secured according to local policy.

With CHAP, the security challenge lies in the secure storage of unencrypted passwords at rest rather than in the transit of credentials over the network. This must be addressed by institution-specific security policy.

What tools are in place to address local security incidents on the eduroam network?

Many of the same tools you use to address local users and security incidents are still available; blacklisting the user's MAC address is a common approach. One may be inclined to simply stop allowing any eduroamer from an entire realm to join in order to address a single user abusing the local network. In extreme circumstances this may be necessary; it is a control applied at the RADIUS server itself.

In addition to the traditional wireless access control mechanisms described above, we are pursuing implementation of the Chargeable User Identity (CUI). This unique identifier allows an administrator to correlate a specific remote user with that user's login attempts at home. An eduroam administrator who is dealing with such a problem can block the CUI locally and report the CUI back to the home institution. The home institution may then block the user's account locally, seek to remediate the problem if it is caused by malware, and if necessary pursue disciplinary procedures.

The same community trust fabric that makes eduroam responsive to brute-force attempts against eduroam institutions makes it responsive to other security incidents within the network.
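The controls named in this answer and in the abuse-handling answer above (MAC filtering, username/realm filtering, CUI blocking and reporting back to the home institution) fit together as a short policy check at the visited site. This is an added example and not code from the page or from any eduroam deployment; the MAC addresses, CUI values, realms and block lists are constructed.

```python
"""Local incident controls for an eduroam visited site.

Added example, not code from the page or from any eduroam deployment: given
the attributes a visited-site RADIUS server sees in an Access-Request, apply
the controls the FAQ lists in order of increasing blast radius: block a
Chargeable-User-Identity (RFC 4372, attribute 89) previously returned by the
home realm, block a client MAC taken from Calling-Station-Id, and as a last
resort refuse a whole remote realm. It also builds the report a visited site
can send to the home institution, which carries the CUI rather than an inner
username the visited site never learned. All values are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class AccessRequest:
    user_name: str              # outer identity, user@realm
    calling_station_id: str     # client MAC as the access point formats it (varies by vendor)
    cui: Optional[str] = None   # Chargeable-User-Identity the home realm issued earlier


@dataclass
class BlockLists:
    cuis: Set[str] = field(default_factory=set)
    macs: Set[str] = field(default_factory=set)     # canonical form, see normalize_mac
    realms: Set[str] = field(default_factory=set)   # emergency control only


def normalize_mac(raw: str) -> str:
    """Canonicalize 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 001A2B3C4D5E to 00:1a:2b:3c:4d:5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def realm_of(identity: str) -> Optional[str]:
    """Realm after the last '@', lower-cased; None when the identity has no realm."""
    return identity.rpartition("@")[2].lower() if "@" in identity else None


def evaluate(req: AccessRequest, lists: BlockLists) -> Tuple[str, str]:
    """Return ("reject", why) if a local control applies, else ("continue", why)."""
    if req.cui and req.cui in lists.cuis:          # most specific: survives MAC changes
        return "reject", "CUI blocked locally"
    try:
        mac = normalize_mac(req.calling_station_id)
    except ValueError:
        return "reject", "unparseable Calling-Station-Id"
    if mac in lists.macs:
        return "reject", "MAC blocked locally"
    if realm_of(req.user_name) in lists.realms:    # least specific: affects every visitor from that realm
        return "reject", "entire realm blocked (emergency control)"
    return "continue", "no local block applies; proceed with authentication"


def incident_report(req: AccessRequest, summary: str) -> Dict[str, str]:
    """What the visited site hands to the home realm: CUI, realm, MAC and a summary, no inner username."""
    return {
        "home_realm": realm_of(req.user_name) or "unknown",
        "cui": req.cui or "not issued",
        "client_mac": normalize_mac(req.calling_station_id),
        "summary": summary,
    }


# Constructed sample traffic and block lists.
LISTS = BlockLists(cuis={"cui-0f3a9c"},
                   macs={normalize_mac("00-1A-2B-3C-4D-5E")},
                   realms={"blocked.example.org"})
REQUESTS = [
    AccessRequest("anonymous@other.edu", "001A.2B3C.4D5E"),                       # blocked MAC, other formatting
    AccessRequest("anonymous@other.edu", "AA:BB:CC:DD:EE:01", cui="cui-0f3a9c"),  # new MAC, same CUI
    AccessRequest("anonymous@blocked.example.org", "AA:BB:CC:DD:EE:02"),          # realm under emergency block
    AccessRequest("anonymous@other.edu", "AA:BB:CC:DD:EE:03"),                    # clean request
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.user_name, r.calling_station_id, "->", evaluate(r, LISTS))
    print(incident_report(REQUESTS[1], "repeated abuse complaints against this client"))
```

The ordering is deliberate: a CUI block is the narrowest control and keeps working when the device changes its MAC, while a realm block is the blunt instrument the FAQ reserves for extreme circumstances. Normalizing the MAC matters in practice because access points from different vendors format Calling-Station-Id differently, and a block list that only matches one spelling is easy to miss.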

How does eduroam-US address SSL/TLS man-in-the-middle attacks against 802.1x and RADIUS proxies?

Certificate Authority certificates must be stored in users' local certificate stores. This allows the user's supplicant to verify the authenticity of the certificate presented to it at association/authentication time. It is very helpful if the user first connects to eduroam at the home institution, both for testing and debugging and so that the device is presented with the home RADIUS server certificate. This helps to mitigate the risk of man-in-the-middle attacks.
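What "verify the authenticity of the certificate" means in a concrete client profile is that the supplicant is told which CA to trust and which server name to expect; a profile lacking either will accept a certificate from an impostor RADIUS server. The following added example (not code from the page or from wpa_supplicant) parses the `network={...}` block of a wpa_supplicant.conf profile and reports those gaps. The two profiles, the CA path and the server name are constructed; the option names (`ca_cert`, `domain_match`, `domain_suffix_match`, `subject_match`, `altsubject_match`, `anonymous_identity`) are real wpa_supplicant options.

```python
"""Checking a supplicant profile for server-certificate validation.

Added example, not code from the page or from wpa_supplicant: it parses the
network={...} block of a wpa_supplicant.conf profile and reports settings that
leave a client unable to verify the home RADIUS server: no trusted CA pinned
(ca_cert), no check that the certificate names the expected server
(domain_match / domain_suffix_match / subject_match / altsubject_match), and
no anonymous outer identity. The profiles, CA path and server name are
constructed; the option names are real wpa_supplicant options.
"""
import re
from typing import Dict, List

NAME_CHECK_OPTIONS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")
TUNNELED_OR_CERT_METHODS = ("PEAP", "TTLS", "TLS")


def parse_network_block(conf: str) -> Dict[str, str]:
    """Return key -> value for the first network={...} block; quotes are stripped.

    Simplified parser: a '#' starts a comment even inside a quoted value.
    """
    m = re.search(r"network=\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no network block found")
    settings: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def check_profile(settings: Dict[str, str]) -> List[str]:
    """List the weaknesses that make the profile accept an impostor server or leak the username."""
    findings: List[str] = []
    if settings.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt is not WPA-EAP: this is not an 802.1X profile")
        return findings
    if settings.get("eap") not in TUNNELED_OR_CERT_METHODS:
        findings.append("eap is not PEAP/TTLS/TLS: credentials are not protected by a TLS tunnel")
    if "ca_cert" not in settings:
        findings.append("no ca_cert: the server certificate is not chained to a trusted CA, so any certificate is accepted")
    if not any(opt in settings for opt in NAME_CHECK_OPTIONS):
        findings.append("no server-name check (domain_match etc.): any certificate issued by the trusted CA is accepted")
    identity = settings.get("identity", "")
    anon = settings.get("anonymous_identity")
    if anon is None:
        findings.append("no anonymous_identity: the inner username is exposed to every visited network")
    elif anon.rpartition("@")[2].lower() != identity.rpartition("@")[2].lower():
        findings.append("anonymous_identity realm differs from identity realm: request is routed to the wrong home server")
    return findings


# Constructed profiles (credentials and paths are placeholders).
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"   # CA that issued the home RADIUS server certificate
    domain_match="radius.example.edu"                     # name the server certificate must carry
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_profile(parse_network_block(profile)) or ["ok"])
```

The weak profile is exactly the shape a user ends up with when they type credentials into a generic Wi-Fi dialog without installing the home institution's CA certificate first; the hardened one is what a first connection at home, with the server certificate in hand, lets you pin. The realm comparison catches a subtler misconfiguration: an anonymous outer identity with the wrong realm sends the tunnel to the wrong institution's server.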

Copyright 2004-2017 InCommon LLC. All rights reserved. admin@incommon.org. InCommon is operated by Internet2.