This information is meant for eduroam Identity Providers (IdPs) and assumes familiarity with eduroam in general and a working IdP RADIUS server. For general information about both topics, please visit the eduroam in a nutshell and eduroam on-site page; in particular the chapter "eduroam IdP".
As an eduroam Identity Provider, you are the first point of contact for your end users, regardless whether they are using eduroam at your own campus or whether they are roaming nationally or internationally with an account issued by you.
You are also responsible for providing enough technical information so that users can set up their device securely.
The security of your end-users' credentials (which often means: their institutional username and password) depends on the question whether they verify that they are revealing their password only to their own IdP's RADIUS server or whether they tell it to any random other server. Failure to verify the identity of the RADIUS server means that anyone can set up a fake RADIUS server, wait until your users connect to it, and log the passwords they used for this login.
eduroam Operations sometimes observes practices of eduroam IdPs who actively instruct their users to turn off server identity validation for "ease of use" sake. Such practices include "Uncheck the 'Verify Server Certificate' checkbox" or "when you are shown a certificate warning, just click Accept". We would like to note that such behaviour of IdPs is a breach of the eduroam policy; the instructions MUST include the proper verification of the server identity. In practice, this means:
The security-related public details of your RADIUS infrastructure must be readily available to to end users, including at least:
For many common operating systems, the above information can be configured automatically on your end user devices; either by pushing a configuration file to the device, or by executing a configuration program which installs certificates and makes all required settings on the device.
eduroam Operations has created a tool which allows you to upload the information above, and in return generates custom installers for your IdP, for immediate consumption by your end users. The tool is called the "eduroam Configuration Assistant Tool" (eduroam CAT website; IdP Administrator manual). For the operating systems supported by CAT, helpdesk instructions can be limited to "go to this website, use the installer". Please see the section on compatible devices further down on this page.
For other operating systems, you need to create installation instructions (screenshots, click-through videos, ...) yourself. Be aware though that the security model of eduroam depends heavily on the validation of the EAP server certificate; due to that, your end-user instructions for all devices MUST include
We understand that there is a temptation to use some devices with half-baked support for IEEE 802.1X and EAP, where half-baked means they either don't support server certificate validation at all or only in a suboptimal way (e.g. only CA check, no server name validation; or only validation of a certificate fingerprint without certificate chain check). Due to its popularity, we explicitly name Android at this point - it does not allow to configure the expected server name. You may want to support such devices as best as you can, but be aware that you may be putting your own users and their credentials at risk when doing so. In Android's case, a secure configuration is only possible if you deploy a private CA which issues server certificates exclusively to your own eduroam EAP servers.
In the compatibility matrix, devices with known deficiencies are marked as such.
You can also comment on this page if you have found a nifty way to ease eduroam configuration on devices not currently supported by CAT.