Many operating systems support IEEE 802.1X and EAP authentication, but the user interfaces in supplicants differ significantly. For some supplicants, manually clicking through a series of GUI pages is the only option. This is sometimes tedious for end users.
If possible, an IdP administrator should prepare pre-configured packages which contain the necessary information to securely connect to eduroam:
- the SSID: "eduroam"
- the crypto setting: WPA2/AES
- the EAP type setting
- the CA that issued the eduroam IdP server's EAP server certificate
- the Common Name in the eduroam IdP server's EAP server certificate
There are tools that can be used to create such auto-installers. The use of one these windows 10 drivers update is recommended, because it will likely have a positive effect on user uptake, and reduce helpdesk load.
eduroam CAT
eduroam CAT has been created with the sole purpose to ease eduroam installation in many different client platforms through the use of auto-installers. The IdP administrator enters the information listed in the bullets above, after which installers are created for all kinds of platforms for the end users of the IdP. Please see the documentation; or visit the production website at https://cat.eduroam.org.
Others
In addition to eduroam CAT, there are other tools as well, e.g. su1x and XpressConnect (Cloudpath).
Devices that are compatible with eduroam
The following list is sorted alphabetically by vendors. The table notes which EAP methods are supported. Legend:
CAT - this device/EAP type combination is supported by eduroam CAT; can probably also be configured securely manually
Yes - the device can be configured securely manually for this EAP type
Deficient - the device lacks important security features, but workarounds exist which can make its use safe
Insecure - the device can be configured manually for this EAP type, but not all security parameters can be set up
No - device is known not to support IEEE 802.1X/EAP
? - Unknown
TPS - supported with Third-Party Software (possibly commercial)
Compatibility Matrix
Device/OS Vendor | Device/OS | Version | TTLS-PAP | PEAP | TTLS-MSCHAPv2 | TLS | PWD | TTLS-GTC | FAST |
---|---|---|---|---|---|---|---|---|---|
Android | tested on: Samsung Galaxy S2 Huawei Sonic u8650 | 2.3 | Deficient[1] | Deficient[1] | Deficient[1] | Deficient[1] | ? | Deficient[1] | ? |
Android | tested on: Motorola Xoom2 | 4.0+ | Deficient[1] | Deficient[1] | Deficient[1] | Deficient[1] | ? | Deficient[1] | ? |
Apple | iPhone | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
Apple | iPad | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
Apple | iPod touch | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
Apple | Mac OS X | 10.7+ | CAT | CAT | CAT | Yes | No | ? | Yes |
Apple | Mac OS X | 10.4-10.6 | Yes[4] | Yes[4] | Yes[4] | Yes[4] | No | ? | Yes[4] |
Blackberry | Playbook OS | 2 | Yes | ? | ? | ? | ? | ? | ? |
Linux | NetworkManager | CAT | CAT | CAT | CAT | No | ? | ? | |
Linux | wpa_supplicant | CAT | CAT | CAT | CAT | Yes[2] | Yes | Yes | |
Microsoft | Windows | XP SP3 | TPS | Yes | TPS | Yes | No | TPS | TPS |
Microsoft | Windows | Vista | TPS | CAT | TPS | CAT | CAT | TPS | TPS |
Microsoft | Windows | 7 | TPS | CAT | TPS | CAT | CAT | TPS | TPS |
Microsoft | Windows | 8 / 8.1 | CAT | CAT | CAT | CAT | CAT | ? | ? |
Microsoft | Windows | 10 | CAT | CAT | CAT | CAT | CAT | ? | ? |
Microsoft | Windows Phone | 7.x | No | Insecure[3] | ? | No | ? | ? | ? |
Microsoft | Windows Phone | 8.x | No | Deficient[1] | ? | ? | ? | ? | ? |
Microsoft | Xbox | all | No | No | No | No | No | No | No |
Microsoft | XBoxONE | all | No | No | No | No | No | No | No |
Nokia | Symbian OS | Series 6 | No | Yes | ? | Yes | ? | Yes | No |
Nokia | Symbian OS | 9.x | Yes | Yes | ? | Yes | ? | Yes | No |
Sony | Playstation3 (PS3) | all | No | No | No | No | No | No | No |
Sony | Playstation4 (PS4) | all | No | No | No | No | No | No | No |
Jolla | Sailfish OS | 2 | Yes | Yes | Yes | Yes | ? | ? | ? |
[1] Installation and pinpointing of CA possible; verification of expected server name (CN) not possible. A secure configuration is only possible if the Identity Provider deploys a private CA which issues exclusively server certificates for his own eduroam EAP servers. All other Identity Provider deployments are INSECURE.
[2] Version 1.0 or higher required
[3] Verifying that the server is signed by the proper CA is not possible; this means users will not be able to detect fake hotspots and might send their username/password to an unauthorised third party.
[4] Only with 10.6.x (Snow Leopard) and later does OSX allow the configuration of of CA/server trust settings (Pinning 802.1X to specific CA and RADIUS server CommonName)
Reporting a new device
Please let us know in the "Comments" field what device you have, and what EAP method(s) you have found working. We will update the list periodically.