Eduroam is a great Wi-Fi login system for students and researchers that uses certificate-based 802.1X/EAP authentication for secure access to on-campus Wi-Fi networks, with the added benefit that Eduroam users can connect to any other Eduroam network around the globe without changing their Wi-Fi configuration. That's the theory, and paper is patient. So when I was recently at the University of Utrecht in the Netherlands I tested whether the theory holds up with an Eduroam setup from the University of Vienna.
And indeed it just worked as promised! As soon as my notebook saw the Eduroam SSID it connected to the network and I was online within seconds. No extra passwords, no reconfiguration, nothing. Perfect!
The Roaming Technology Explained
The core of Eduroam's roaming ability is that the RADIUS authentication servers of all universities participating in Eduroam can forward authentication requests from visitors to the RADIUS server of the visitor's home institution. The forwarding decision is based on the realm part of the user name the device presents to the network (the domain after the @ in user@home-university): the visited RADIUS server does not recognise the realm as its own and proxies the request up the Eduroam hierarchy (visited institution, national federation servers, home institution) until it reaches the home RADIUS server. The home RADIUS server then presents its certificate at the start of the WPA2-Enterprise EAP-PEAP authentication that the Wi-Fi hotspot uses. With this certificate the notebook (or smartphone or any other Wi-Fi device) builds a TLS tunnel end-to-end between itself and the RADIUS server of the home university and sends its real user name and password only inside that tunnel, so neither the hotspot nor the RADIUS proxies in between can see them. If the authentication succeeds, the home RADIUS server returns an Access-Accept through the proxy chain to the local RADIUS server; the keying material derived from the TLS exchange travels with that reply to the hotspot and is used to set up the individual Wi-Fi air-interface encryption for this client. The flip side is that the client has to verify that the certificate really belongs to its home RADIUS server (issued by the expected CA and carrying the expected server name), because that certificate arrives through whatever network announces the Eduroam SSID; a supplicant that skips this check would start the inner password exchange with any server that answers.
In essence this means that local students get the certificate of their local RADIUS server while visitors get the certificate of their home university when connecting to the network. I made a trace to confirm this particular piece of the theory and sure enough I received the certificate from the University of Vienna and not the one from the University of Utrecht. The screenshot on the left shows a part of the certificate delivered in Utrecht compared to the same part of the certificate that was previously delivered in Vienna. As can be seen, the certificate really was delivered from Vienna. Very cool!
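What the trace shows by hand is a check the supplicant should enforce automatically on every connection. The following wpa_supplicant network blocks are an added example, not part of the original post and not the University of Vienna's published client settings: the first is the kind of hand-written configuration that accepts any server certificate, the second pins the trust anchor and the expected server name so that a certificate from anyone other than the home RADIUS server is rejected before the password exchange starts. The realm univie.ac.at, the user name jdoe, the password, the server host name radius.univie.ac.at and the CA bundle path are assumptions for illustration; a real configuration uses the values the home institution publishes.

```ini
# --- weak: the tunnel is built to whatever server answers ---
# Without ca_cert and domain_match the supplicant accepts any server
# certificate, so the MSCHAPv2 exchange inside the tunnel could be run
# against a rogue RADIUS server behind a look-alike "eduroam" hotspot.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@univie.ac.at"
    password="secret"
    phase2="auth=MSCHAPV2"
}

# --- hardened: pin the trust anchor and the expected server name ---
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity: only the realm after the @ is visible to the visited
    # network and the proxy chain, and it is what routes the request to the
    # home RADIUS server (assumed realm).
    anonymous_identity="anonymous@univie.ac.at"
    # Real user name, sent only inside the TLS tunnel to the home server.
    identity="jdoe@univie.ac.at"
    password="secret"
    phase2="auth=MSCHAPV2"
    # CA that issued the home RADIUS server certificate
    # (assumed path; use the CA the home institution publishes).
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # Host name the server certificate must carry (assumed name).
    # A certificate for any other name fails the TLS handshake and the
    # inner password exchange never starts.
    domain_match="radius.univie.ac.at"
}
```

On platforms without a hand-edited wpa_supplicant.conf the same three settings (trusted CA, expected server name, anonymous outer identity) are what the eduroam CAT installers from cat.eduroam.org configure for each institution; if a profile leaves the server name unset, the Wireshark check from the post is the only thing standing between the user and a rogue hotspot.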