
Introduction

The information on this page is meant for eduroam Identity Providers (IdPs) and assumes familiarity with eduroam in general and a working IdP RADIUS server. For general information about both topics, please visit the eduroam on site page; in particular the chapters "eduroam in a nutshell" and "eduroam IdP".

Helpdesk Principles

As an eduroam Identity Provider, you are the first point of contact for your end users, regardless of whether they are using eduroam at your own campus or roaming nationally or internationally with an account issued by you.

It is your duty to inform your users about the applicable Terms of Use / Acceptable Use Policy (AUP) when connecting to an eduroam network (both your own AUP and that of the visited hotspot apply).

You are also responsible for providing enough technical information so that users can set up their device securely. In practice, this means that the public parts of your RADIUS infrastructure are communicated to end users, including at least:

  • the Certification Authority (CA) that issued the EAP Server Certificate of your RADIUS Installation
  • the Common Name (CN) of the EAP Server Certificate of your RADIUS Installation
  • the EAP type(s) you support
  • information regarding which credential users need to use when logging in

Using eduroam CAT for popular operating system support

For many common operating systems, the above information can be configured automatically on your end user devices; either by pushing a configuration file to the device, or by executing a configuration program which installs certificates and makes all required settings on the device.

eduroam Operations has created a tool which allows you to upload the information above, and in return generates custom installers for your IdP, for immediate consumption by your end users. The tool is called the "eduroam Configuration Assistant Tool" (eduroam CAT website; IdP Administrator manual). For the operating systems supported by CAT, helpdesk instructions can be limited to "go to this website, use the installer". Please see the section on compatible devices further down on this page.

Manual configuration instructions for other operating systems

For other operating systems, you need to create installation instructions (screenshots, click-through videos, ...) yourself. Be aware though that the security model of eduroam depends heavily on the validation of the EAP server certificate; because of that, your end-user instructions for all devices MUST include:

  • the installation of the CA certificate of your EAP server certificate
  • the configuration of the name (CN) of the EAP server certificate
  • the EAP type to use
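
An added example, not part of the original page or of any eduroam tooling: a small checker for wpa_supplicant.conf that rates each eduroam network block by whether it sets the three items above. The sample configuration, host names and file paths are constructed placeholders, and reusing the matrix legend's words (Yes, Deficient, Insecure) as ratings is this example's own choice.

```python
import re

# Constructed sample: two eduroam blocks as they could appear in wpa_supplicant.conf.
# Host names, paths and credentials are placeholders, not values from the page.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="placeholder"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/example-idp-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of key -> value for every network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        pairs = re.findall(r"^\s*([a-z0-9_]+)\s*=\s*(.*?)\s*$", body, re.M)
        nets.append({key: value.strip('"') for key, value in pairs})
    return nets

def classify(net):
    """Rate one block: EAP type and CA are mandatory, then a server name check."""
    if not net.get("eap") or not net.get("ca_cert"):
        return "Insecure"   # server certificate is not validated against a pinned CA
    if not any(net.get(key) for key in NAME_CHECKS):
        return "Deficient"  # CA pinned but server name unchecked, as in footnote [1]
    return "Yes"

def audit(text, ssid="eduroam"):
    """Ratings for all blocks of the given SSID, in file order."""
    return [classify(n) for n in parse_networks(text) if n.get("ssid") == ssid]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
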

You can also comment on this page if you have found a nifty way to ease eduroam configuration on devices not currently supported by CAT.

NB: this page used to contain very outdated and obsolete click-through instructions for Windows (SecureW2), Mac OS (version 10.5 only), and Linux (wpa_supplicant command-line only). A superset of these is supported automatically these days by simply using eduroam CAT. These instructions also mentioned Intel PRO/Set Wireless for Windows XP, an operating system which faces obsolescence by 08 Apr 2014. You should not use any of those old instructions any more; they are merely linked to here for completeness.

Devices that are compatible with eduroam

The following list is sorted alphabetically by vendor. The table notes which EAP methods are supported. Legend:

CAT - this device/EAP type combination is supported by eduroam CAT; can probably also be configured securely manually

Yes - the device can be configured securely manually for this EAP type

Deficient - the device lacks important security features, but workarounds exist which can make its use safe

Insecure - the device can be configured manually for this EAP type, but not all security parameters can be set up

No - device is known not to support IEEE 802.1X/EAP

? - Unknown

TPS - supported with Third-Party Software (possibly commercial)


Compatibility Matrix

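| Device/OS Vendor | Device/OS | Version | TTLS-PAP | PEAP | TTLS-MSCHAPv2 | TLS | PWD | TTLS-GTC | FAST |
|---|---|---|---|---|---|---|---|---|---|
| Android | tested on: Samsung Galaxy S2, Huawei Sonic u8650 | 2.3 | Deficient[1] | Deficient[1] | Deficient[1] | Deficient[1] | ? | Deficient[1] | ? |
| Android | tested on: Motorola Xoom2 | 4.0+ | Deficient[1] | Deficient[1] | Deficient[1] | Deficient[1] | ? | Deficient[1] | ? |
| Apple | iPhone | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
| Apple | iPad | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
| Apple | iPod touch | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
| Apple | Mac OS X | 10.7+ | CAT | CAT | CAT | Yes | No | ? | Yes |
| Apple | Mac OS X | 10.4-10.6 | Yes[4] | Yes[4] | Yes[4] | Yes[4] | No | ? | Yes[4] |
| Blackberry | Playbook OS | 2 | Yes | ? | ? | ? | ? | ? | ? |
| Linux | NetworkManager | | CAT | CAT | CAT | CAT | No | ? | ? |
| Linux | wpa_supplicant | | CAT | CAT | CAT | CAT | Yes[2] | Yes | Yes |
| Microsoft | Windows | XP SP3 | TPS | Yes | TPS | Yes | No | TPS | TPS |
| Microsoft | Windows | Vista | TPS | CAT | TPS | CAT | CAT | TPS | TPS |
| Microsoft | Windows | 7 | TPS | CAT | TPS | CAT | CAT | TPS | TPS |
| Microsoft | Windows | 8 / 8.1 | CAT | CAT | CAT | CAT | CAT | ? | ? |
| Microsoft | Windows | 10 | CAT | CAT | CAT | CAT | CAT | ? | ? |
| Microsoft | Windows Phone | 7.x | No | Insecure[3] | ? | No | ? | ? | ? |
| Microsoft | Windows Phone | 8.x | No | Deficient[1] | ? | ? | ? | ? | ? |
| Microsoft | Xbox | all | No | No | No | No | No | No | No |
| Microsoft | XBoxONE | all | No | No | No | No | No | No | No |
| Nokia | Symbian OS | Series 6 | No | Yes | ? | Yes | ? | Yes | No |
| Nokia | Symbian OS | 9.x | Yes | Yes | ? | Yes | ? | Yes | No |
| Sony | Playstation3 (PS3) | all | No | No | No | No | No | No | No |
| Sony | Playstation4 (PS4) | all | No | No | No | No | No | No | No |
| Jolla | Sailfish OS | 2 | Yes | Yes | Yes | Yes | ? | ? | ? |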

[1] Installation and pinning of the CA is possible; verification of the expected server name (CN) is not possible. A secure configuration is only possible if the Identity Provider deploys a private CA which issues exclusively server certificates for its own eduroam EAP servers. All other Identity Provider deployments are INSECURE.

[2] Version 1.0 or higher required

[3] Verifying that the server is signed by the proper CA is not possible; this means users will not be able to detect fake hotspots and might send their username/password to an unauthorised third party.

[4] Only with 10.6.x (Snow Leopard) and later does OS X allow the configuration of CA/server trust settings (pinning 802.1X to a specific CA and RADIUS server Common Name).

Reporting a new device

Please let us know in the "Comments" field what device you have, and what EAP method(s) you have found working. We will update the list periodically.
