Joining eduroam AU
- 1. Build your Infrastructure
- 802.1X WPA Authentication
- 2. Choose an Authentication Type
- 3. Certificates
- 4. Determine your IP address allocation
- 5. Traffic Policy
- 6. Apply to join eduroam
- 7. Configure a RADIUS Proxy and get QA'd
- 8. Build your local eduroam Webpage
- 9. eduroam @ Home
- 10. Inform the community
If you don't already have 802.11b or better wireless infrastructure (802.11g, 802.11a or 802.11n), then this is your first task.
You also need to support 802.1X authentication. For this you need a RADIUS server to provide authentication services. Popular choices are:
| EAP type | Supported on eduroam | Inner password method | Notes |
|---|---|---|---|
| PEAP | Yes | MSCHAPv2 | MSCHAPv2 can only be implemented with a reversible or cleartext password store such as NTLM or a database; it cannot be implemented via Kerberos or LDAP authentication. It has the added advantage that it can be implemented on Microsoft Windows clients without a third-party supplicant. |
| TTLS | Yes | PAP, CHAP, MSCHAPv2 | Works with Mac OS X and Linux natively. MS Windows users can use the SecureW2 supplicant. |
It doesn't matter which authentication type your organisation chooses: they are all compatible with eduroam. You are not limited to a single authentication type if your RADIUS service can support several simultaneously. EAP-TTLS is the most widely deployed method, and as a result some organisations have historically not supported proxying EAP-PEAP through their own infrastructure back to your home organisation. The aim of this document and of the QA procedure is to remove this interoperability barrier.
The purpose of certificates is to avert a man-in-the-middle attack that could capture passwords from eduroam users.
Whether you use self-signed or genuine (CA-signed) certificates comes down to user education: your users must understand the chain of trust in a certificate and be able to verify whether the certificate presented to them is legitimate or not.
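The following wpa_supplicant network block is an added example (not from the page or from AARNet) of what "verifying the certificate" means in practice on the client side for the EAP-TTLS and PEAP methods discussed above; the realm example.edu.au, the CA file path and the server name radius.example.edu.au are placeholders.

```conf
# wpa_supplicant.conf network block for eduroam (added example, placeholders marked)
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"                         # inner method; for PEAP use eap=PEAP and phase2="auth=MSCHAPV2"
    identity="jsmith@example.edu.au"          # placeholder: real username@realm, sent only inside the TLS tunnel
    anonymous_identity="anonymous@example.edu.au"  # outer identity still carries the realm so proxies can route it
    password="REDACTED"

    # These two settings are what defeat a rogue access point or RADIUS server:
    # the supplicant releases the password only after the server certificate
    # chains to this CA AND its name matches the institution's RADIUS server.
    # With a self-signed RADIUS certificate, ca_cert points at that certificate
    # itself, which is why users must obtain it from a trusted source.
    ca_cert="/etc/ssl/certs/example-edu-au-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.edu.au"      # placeholder server name
}
```

Omitting ca_cert is the configuration that makes the man-in-the-middle attack above possible, because the client will then build its TLS tunnel to any server that answers.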
Private addressing (10.x.y.z, 192.168.x.y) vs public IP addressing
Private IP addressing can be problematic with VPN services, as NAT must be used. Even with NAT, some VPN services only allow one concurrent user from a particular NAT range.
Public addressing can consume valuable IPv4 address space, and sites need to determine what address block size is appropriate for their projected number of eduroam visitors.
Currently deployment of IPv6 isn't common and isn't mandated. It is an area of future expansion, and for sites developing or renewing their wireless infrastructure it would be wise to include IPv6 as a topic of discussion with vendors.
The eduroam Policy doesn't allow back charging of bandwidth costs to the home institution of eduroam visitors.
This is dependent on your institution's own traffic accounting and charging policy, as some organisations have such a system and others don't.
The eduroam Usability guide is useful in determining what type of access is suggested. The 08 Information for end-users document details the ease of use and coverage of eduroam networking within Australian organisations and could be useful to determine access provision that partners and competitors offer.
For eduroam organisations that have a local traffic accounting policy, it is common to allocate a fixed amount of bandwidth to visiting eduroam connections and to adjust the available bandwidth of the connection so that costs are contained.
It is permissible under the Policy to negotiate local peering agreements or implement bandwidth restrictions for neighbouring organisations or visiting users.
Send this document to email@example.com. Once your application is processed, AARNet will provide you with:
- a shared secret to use in the configuration of your radius proxy
- the password to the AARNet Test Account so that you can test eduroam connectivity
If you haven't completed the necessary requirements for joining eduroam you'll have the opportunity to rectify your application and resubmit.
You'll need to either set up a RADIUS proxy or configure your RADIUS authentication server to talk to the AARNet National RADIUS Proxy Servers.
You'll then be able to authenticate with the AARNet test account. Follow the QA procedure:
| Check | What it proves |
|---|---|
| Can authenticate with AARNet Test Account | Proves that EAP-TTLS works |
| Can authenticate with __________ Test Account | Proves that EAP-PEAP works |
| Can authenticate with __________ Test Account | Proves that EAP-TLS works |
| Can authenticate to a PPTP VPN | |
| Can authenticate to an IPSec VPN | |
| Can authenticate to an L2TP VPN | |
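As an added example of the RADIUS proxy configuration step 7 asks for (not AARNet's or the page's own configuration), the FreeRADIUS fragments below route your own realm locally and every other realm to the national proxies. The realm example.edu.au, the proxy addresses 192.0.2.1 and 192.0.2.2 and the shared secret are placeholders; AARNet supplies the real addresses and the secret once your application is processed.

```conf
# FreeRADIUS proxy.conf fragment (added example; all addresses, the realm and
# the secret are placeholders to be replaced with the values AARNet issues).

home_server aarnet_proxy_1 {
    type         = auth
    ipaddr       = 192.0.2.1                 # placeholder
    port         = 1812
    secret       = CHANGE_ME_AARNET_SECRET   # placeholder
    status_check = status-server             # notice a dead proxy and fail over
}
home_server aarnet_proxy_2 {
    type         = auth
    ipaddr       = 192.0.2.2                 # placeholder
    port         = 1812
    secret       = CHANGE_ME_AARNET_SECRET   # placeholder
    status_check = status-server
}
home_server_pool aarnet_pool {
    type        = fail-over
    home_server = aarnet_proxy_1
    home_server = aarnet_proxy_2
}

# Your own realm has no auth_pool, so user@example.edu.au is authenticated
# here (EAP terminates on this server) instead of being proxied out.
realm example.edu.au {
    nostrip                                  # keep user@realm intact in User-Name
}

# A User-Name with no realm cannot be routed anywhere in eduroam: handle it
# locally (and reject it if it is not one of yours) rather than forwarding it.
realm NULL {
}

# Every other realm is a visitor from another eduroam member: forward to AARNet.
realm DEFAULT {
    auth_pool = aarnet_pool
    nostrip
}

# clients.conf fragment: the same proxies send your own roaming users'
# requests back to you, so each must also be trusted as a client with the
# same secret (repeat for aarnet_proxy_2).
client aarnet_proxy_1 {
    ipaddr = 192.0.2.1                       # placeholder
    secret = CHANGE_ME_AARNET_SECRET         # placeholder
}
```

The AARNet test account from step 6 exercises the DEFAULT realm path, so a failure there usually points at the home_server secret or at the client definition rather than at your local EAP setup.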
Now that you have eduroam working it is worth revising your:
- eduroam website
- documentation for clients
You can always look at the websites of other eduroam members for ideas.
With dynamic VLAN assignment, Australian institutions are increasingly offering eduroam @ Home, that is, eduroam on their own campus for their own staff and students.
From a support point of view, eduroam is often only used by staff and students when they visit another participating site. This can be a problem because support and documentation may be hard to obtain there and diagnosing faults can be difficult; currently helpdesks don't always offer support to visiting eduroam users.
Write up your eduroam deployment experience, revise and update this document, and tell the community via the mailing list.
You can also join the AARNet eduroam Project Group. From time to time the membership of this group is reviewed - you can express your interest in joining by mailing firstname.lastname@example.org