Introduction

This information is meant for eduroam Identity Providers (IdPs) and assumes familiarity with eduroam in general and a working IdP RADIUS server. For general information about both topics, please visit the eduroam in a nutshell and eduroam on site pages; in particular the chapters "eduroam in a nutshell" and "eduroam IdP".

Helpdesk Principles

As an eduroam Identity Provider, you are the first point of contact for your end users, regardless of whether they are using eduroam at your own campus or roaming nationally or internationally with an account issued by you.

...

You are also responsible for providing enough technical information so that users can set up their device securely.

Parameters for Secure Device Configuration

The security of your end users' credentials (which often means their institutional username and password) depends on whether they verify that they are revealing their password only to their own IdP's RADIUS server, or whether they reveal it to any random other server. Failure to verify the identity of the RADIUS server means that anyone can set up a fake RADIUS server, wait until your users connect to it, and log the passwords they used for this login.

...

  • the Certification Authority (CA) that issued the EAP Server Certificate of your RADIUS Installation
  • the Common Name (CN) of the EAP Server Certificate of your RADIUS Installation (this detail is mandatory in most cases; it is optional ONLY if the Certification Authority exclusively issues server certificates to your own eduroam EAP servers)
  • the EAP type(s) you support
  • information regarding which credential users need to use when logging in
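
As an added example (not part of the original page or of eduroam's own tooling), the script below audits a client profile for the first three parameters in the list above. It assumes the device uses wpa_supplicant; the realm example.org, the file path and the server name are constructed placeholders.

```python
import re

# Constructed sample: two wpa_supplicant network blocks for the placeholder
# realm example.org; paths and host names are assumptions, not from the page.
SAMPLE = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="alice@example.org"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/example-org-ca.pem"
    domain_match="radius.example.org"
    identity="alice@example.org"
}
'''

# Finding -> wpa_supplicant options, any one of which satisfies the check.
CHECKS = {
    # No CA configured: wpa_supplicant does not verify the server certificate.
    "ca": ("ca_cert", "ca_path"),
    # No name check: every certificate issued by that CA is accepted.
    "server_name": ("domain_match", "domain_suffix_match",
                    "altsubject_match", "subject_match"),
    # No EAP restriction: all compiled-in EAP methods are allowed.
    "eap_type": ("eap",),
}

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit(net):
    """Return the names of the CHECKS that one parsed block fails."""
    return [name for name, keys in CHECKS.items() if not any(net.get(k) for k in keys)]

if __name__ == "__main__":
    for number, net in enumerate(parse_networks(SAMPLE), 1):
        print(f"network {number}:", ", ".join(audit(net)) or "server validation configured")
```

A `server_name` finding on its own is acceptable only in the case named in the list: a CA that exclusively issues server certificates to your own eduroam EAP servers.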

Using eduroam CAT for popular operating system support

For many common operating systems, the above information can be configured automatically on your end user devices; either by pushing a configuration file to the device, or by executing a configuration program which installs certificates and makes all required settings on the device.

eduroam Operations has created a tool which allows you to upload the information above, and in return generates custom installers for your IdP, for immediate consumption by your end users. The tool is called the "eduroam Configuration Assistant Tool" (eduroam CAT website; IdP Administrator manual). For the operating systems supported by CAT, helpdesk instructions can be limited to "go to this website, use the installer". Please see the section on compatible devices further down on this page.

Manual configuration instructions for other operating systems

For other operating systems, you need to create installation instructions (screenshots, click-through videos, ...) yourself. Be aware though that the security model of eduroam depends heavily on the validation of the EAP server certificate; due to that, your end-user instructions for all devices MUST include

...