eduroam - Technical FAQ

Interface

How to access the management interface?
How do I enable the MFA layer to strengthen the security of my authentication processes?    
How do I create a password and how do I reset it?    
How to monitor the service?    
I try to connect with my login and password but it is asking me for a CA certificate, what should I do?

Implementation (eduroam CAT, RadSec, RADIUS Hierarchy)

How to deploy eduroam on-site or on campus?    
How do I implement the service in a few clicks with the eduroam CAT?    
Do you want more information about eduroam CAT?
How does the RADIUS server configuration work?    
How to configure my RADIUS servers?    
Client configuration: what is Open1X?    
How does the RADIUS hierarchy protocol work?    
What is RadSec?    
RADIUS Hierarchy Protocol or RadSec Protocol?
 

More documentation 

Where can I find more technical information and useful links about eduroam?     
 

 

How to access the management interface?

You can log in on https://register.eduroam.be/ with your Belnet personal login. You can find the user manual of the interface here in English.

 

How do I enable the MFA layer to strengthen the security of my authentication processes?

Check out our documentation and demo videos on our Multi Factor Authentication (MFA) FAQ page.

 

How do I create a password and how do I reset it?

When you have signed your contract, Belnet will create and send out your username and password. You can reset your password on https://changepassword.belnet.be/.

 

How to monitor the service?

The status of the top-level and national RADIUS servers can be found here. Details of requests can be found here.

 

I try to connect with my login and password but it is asking me for a CA certificate, what should I do?

You must check that the certificate matches your institution's certificate and that the correct CA has been used. Please contact your institution's ICT department to find out how to proceed.

 

How to deploy eduroam on-site or on campus?

Find all the steps on the GÉANT eduroam wiki

 

How do I implement the service in a few clicks with the eduroam CAT?

CAT (Configuration Assistant Tool) is built as a cooperation platform and is available within the Belnet R&E Federation. Members of the Federation who want to implement eduroam can use CAT to simplify the implementation process. The platform is also available for users of the member organisations and is helpful when they are installing the connection profile of their organisation.

eduroam CAT is compatible with all major operating systems, smartphones and tablets.

Mail: servicedesk@belnet.be
Telephone: 02/790.33.00

 

Do you want more information about eduroam CAT?

Visit the eduroam CAT official website.

 

How does the RADIUS server configuration work?

When configuring your RADIUS server, you need to choose the EAP authentication mechanism that you will use. You can use PEAP (Protected EAP) or EAP-TTLS. Both mechanisms have advantages and disadvantages but can be used in the govroam context.

The advantage of using PEAP is that you don't need to install third-party software on a Windows-based system. The disadvantage is that you are limited in the choice of "inner" authentication (the user authentication itself) you can use.

Using EAP-TTLS has the advantage that you have more choice concerning the "inner" authentication method. The disadvantage is that Windows-based clients need third-party software such as SecureW2. However, SecureW2 provides a mechanism to deploy the software with preconfigured settings. See the SecureW2 support website.

 

How to configure my RADIUS servers?

See the GÉANT eduroam wiki.

 

Client configuration: what is Open1X?

Open1X is an open source implementation of IEEE 802.1X. We advise you to use Open1X as the software that manages the 802.1X protocol. This software is available here (for devices based on Windows, Mac OS X or Linux).

Important!

Before configuring the 802.1X protocol, be sure that your wireless adapter supports WPA. All recent cards should support it, but this is not the case for some old adapters.

 

How does the RADIUS hierarchy protocol work?

  • National level:

The eduroam service makes use of the RADIUS protocol to enable the easy exchange of data. Organisation A receives a user from organisation B and this user logs into organisation A's wireless network.

At this point, organisation A's RADIUS server will send the user's details (username and password) on to organisation B's RADIUS server for verification. This takes place via Belnet's RADIUS server, which receives a request from organisation A's RADIUS servers. The Belnet server then immediately sends a request to organisation B's RADIUS server.

Thanks to the creation of a Transport Layer Security tunnel between the user and their organisation, organisation B's server can identify its own user in a secure manner. Following verification, organisation A's RADIUS server receives a message that the user is known within organisation B. The user therefore gains access to organisation A's wireless network.

[Figure: govroam schema]

 

  • International level:

If organisation B is an international organisation, the same principle is followed. However, Belnet's RADIUS server now also sends a request to the European RADIUS server, which in turn sends a request to organisation B's national interchange. Organisation B's national RADIUS server then sends a request to the RADIUS server for the organisation itself. A reverse tunnel is created between the user and their institution, at which point organisation B's RADIUS server sends the necessary information to organisation A.

The user's home organisation therefore remains responsible for maintaining and verifying the username and password, even if the user is located at a guest organisation. This data is not shared with other affiliated institutions.

[Figure: eduroam RADIUS hierarchy]

 

What is RadSec?

RadSec stands for Secure RADIUS protocol. It is a protocol that implements the RADIUS protocol on top of a TLSv3 transport layer, as defined in the IETF draft “draft-ietf-radext-radSec-12”. You can only use RadSec if your organisation is a member of the Belnet R&E Federation. Only research and education organisations can become a member of the R&E Federation. You also need to subscribe to the Belnet personal certificate service.

Trust as a basis

RadSec, as a hierarchical model, provides a good trust relationship between each participant. With RadSec you need to transmit certificates between RADIUS servers. The certificates need to conform to a certificate policy. The use of this policy and the related certificates ensures the trust relationship between all participants. Currently Belnet uses the eduPKI private key infrastructure to get the certificates for the top level .be RADIUS servers.

 

RADIUS Hierarchy Protocol or RadSec Protocol?

The current implementation of eduroam (RADIUS hierarchy protocol) is working very well. However, due to the growing number of users and organisations around the world, certain issues related to the timing and reliability of communication have started to appear. The goal of RadSec is to resolve these issues and add some useful features and more flexibility.

RADIUS hierarchy protocol

  • Usage of UDP
    The use of this protocol is more reliable between RADIUS servers. Timeout and reliability issues are diminished.
  • RADIUS server hierarchy
    A connection through the RADIUS server hierarchy implies cumulative communication flows and process times between each level of the hierarchy.
  • Realm management
    Non-national top level domains, such as .net, .org, .edu, .eu, demand realm management.

RadSec Protocol

  • Usage of TCP
    The use of this protocol is more reliable between RADIUS servers. Timeout and reliability issues are diminished.
  • MTU
    RadSec has a better MTU (maximum transmission unit) discovery and fragmentation management.
  • Trust relationship
    Each RADIUS server must authenticate itself with special server certificates which allow the discovery of the home institution through a DNS query.
  • DNS Discovery use
    Using DNS discovery helps to avoid a point-to-point connection. This way of working removes cumulative communication flows and process times.
  • Realm management
    With DNS discovery, you can configure your own DNS with domains other than the national top-level one. This is just a matter of adding SRV and NAPTR records.
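
Added example (not Belnet or eduroam code): the two routing models compared above, with the NAPTR-to-SRV lookup that DNS discovery performs and the proxy chain used when a realm publishes no such records. The DNS records, the hop labels, the service tag x-eduroam:radius.tls and port 2083 are assumptions made for illustration and are not stated on this page.

```python
# Constructed sample DNS data (not real records).
NAPTR = {  # realm -> (order, preference, flags, service, replacement)
    "example.org": [
        (100, 10, "s", "x-eduroam:radius.tls", "_radsec._tcp.eduroam.example.org"),
        (50, 10, "s", "SIP+D2T", "_sip._tcp.example.org"),  # other service: ignored
    ],
}
SRV = {  # owner name -> (priority, weight, port, target)
    "_radsec._tcp.eduroam.example.org": [
        (10, 0, 2083, "radsec2.example.org"),
        (0, 0, 2083, "radsec1.example.org"),
    ],
}
SERVICE = "x-eduroam:radius.tls"  # assumed service tag, not stated on the page
GENERIC_TLDS = {"net", "org", "edu", "eu"}  # the non-national TLDs the page lists


def discover(realm):
    """Return the realm's RadSec servers as [(host, port), ...], best first."""
    rows = [r for r in NAPTR.get(realm.lower(), [])
            if r[2].lower() == "s" and r[3].lower() == SERVICE]
    for *_, srv_name in sorted(rows):  # lowest order, then preference, first
        # Simplification: lowest priority first, then highest weight
        # (RFC 2782 picks among equal priorities at random, biased by weight).
        targets = sorted(SRV.get(srv_name, []), key=lambda s: (s[0], -s[1]))
        if targets:
            return [(host, port) for _, _, port, host in targets]
    return []


def route(user_id, national_tld="be"):
    """Hops a request takes from the visited organisation to the home server."""
    if "@" not in user_id:
        raise ValueError("no realm in user identity")
    realm = user_id.rsplit("@", 1)[1].lower()
    servers = discover(realm)
    if servers:  # RadSec: one direct TLS connection, no intermediate proxies
        return ["visited-org", "%s:%d" % servers[0]]
    tld = realm.rsplit(".", 1)[-1]
    if tld in GENERIC_TLDS:  # no country level to climb to
        raise LookupError("realm needs a manually managed entry: " + realm)
    hops = ["visited-org", "national-proxy." + national_tld]
    if tld != national_tld:  # foreign realm: up to the European level, then down
        hops += ["european-top-level", "national-proxy." + tld]
    return hops + ["home-server." + realm]
```

A realm with NAPTR and SRV records is reached in one hop whatever its top-level domain, while a realm without them is resolved through the national and European proxies.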

Where can I find more technical information and useful links about eduroam?

GÉANT eduroam wiki     
NPS Configuration     
802.1X Port-Based Authentication HOWTO     
FreeRADIUS     
Open1X (Xsupplicant)     
WPAsupplicant     
GÉANT Documentations     
SecureW2 : open source EAP-TTLS client for Microsoft Windows     
Kismet, 802.11 Wi-Fi sniffer (for un*x)
Netstumbler, 802.11 Wi-Fi sniffer (for Windows)

Access to the eduroam interface 

More technical information about the management interface? Read our manual

Copyright © 2024 Belnet.