eduroam

Education Roaming (eduroam) is an initiative that allows the staff and students of participating universities and organizations to obtain Internet access at the sites of all participating organizations over a Wireless Local Area Network (WLAN) or Local Area Network (LAN), using their own user name and password or a personal X.509 user certificate issued by a valid PKI.

Target

Staff and students who attend guest lectures, spend semesters abroad, travel to a foreign university on business, and the like no longer need a guest account, but can log in directly with their familiar credentials. Meanwhile, nearly all European countries are represented in eduroam, and more and more universities in the respective countries are joining through their national research networks. Outside Europe, the first supporters can now be found in the Asia-Pacific region (e.g. Singapore) and North America (USA, Canada).

Technical implementation

Each organization provides its own wireless infrastructure. Authentication is performed by the user's home organization via the RADIUS protocol. TERENA, founder and owner of the eduroam brand, operates the root servers; the research networks of the participating countries operate the country-specific servers; and each participating organization operates the server holding the actual user IDs. The federation of servers thus forms a hierarchical tree structure, similar to the Domain Name System. No organization has to hand its user credentials to anyone else, as all data remains on its own server. User IDs are distinguished by specifying a realm: outside the home organization, the form [email protected] is used instead of the bare username. The request is then automatically routed to the correct server.
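As an added illustration (not code from the original article or from the eduroam project), the following Python models the realm-based forwarding described above: the federation is a tree of RADIUS proxies, and an Access-Request climbs toward the root until a branch responsible for the realm is found, then descends to the home server. All server names and realms are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusServer:
    """One node in the proxy tree: home (organization), national, or root server."""
    name: str
    realm: Optional[str] = None                 # realm this server authenticates itself
    parent: Optional["RadiusServer"] = None
    children: dict = field(default_factory=dict)  # realm suffix (no leading dot) -> child

    def add_child(self, suffix: str, child: "RadiusServer") -> "RadiusServer":
        self.children[suffix] = child
        child.parent = self
        return child


def route(visited: RadiusServer, outer_identity: str) -> list:
    """Return the server names an Access-Request passes through, in order.

    The last entry is the home server that authenticates the user, or 'REJECT'
    when no server in the tree is responsible for the realm. Only the outer
    identity is inspected; the inner EAP exchange is relayed untouched.
    """
    path = [visited.name]
    if "@" not in outer_identity:               # bare username: local user only
        return path if visited.realm else path + ["REJECT"]
    realm = outer_identity.rsplit("@", 1)[1].lower()
    node, descending = visited, False
    while node is not None:
        if node.realm == realm:
            return path                         # reached the home organization
        # longest-suffix match among children, e.g. 'uni-a.de' matches 'de'
        match = max((s for s in node.children if realm == s or realm.endswith("." + s)),
                    key=len, default=None)
        if match is not None:
            node, descending = node.children[match], True
        elif descending:
            break                               # responsible branch has no such realm
        else:
            node = node.parent                  # unknown here: hand up to the parent
        if node is not None:
            path.append(node.name)
    return path + ["REJECT"]


def build_demo_tree() -> dict:
    """Constructed federation: one root, two national proxies, two home servers."""
    root = RadiusServer("root.example")         # the federation's root (TERENA's role)
    nat_de = root.add_child("de", RadiusServer("nat-de.example"))
    nat_nl = root.add_child("nl", RadiusServer("nat-nl.example"))
    uni_a = nat_de.add_child("uni-a.de", RadiusServer("radius.uni-a.de", realm="uni-a.de"))
    uni_b = nat_nl.add_child("uni-b.nl", RadiusServer("radius.uni-b.nl", realm="uni-b.nl"))
    return {"root": root, "uni_a": uni_a, "uni_b": uni_b}
```

A guest from uni-a.de visiting uni-b.nl is routed up through the Dutch national proxy to the root and down through the German one, so the visited organization never has to hold the guest's credentials.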

The access technology used locally is always IEEE 802.1X. This ensures that user data and passwords are encrypted all the way to the home organization. Because of this end-to-end encryption, eduroam is the safest and most trusted WLAN roaming network in the world.

Safety concerns

At the time of the first prototype, login via a web portal was operated alongside 802.1X. On this channel, end-to-end encryption of user data is conceptually very difficult; encryption of user data on the wireless medium is only possible with higher-level protocols such as IPsec or TLS VPNs. The use of web login portals was therefore prohibited in the operating conditions of 2005.

With IEEE 802.1X login, users can make sure that they are actually connected to their own home organization before revealing personal information (the password). This security check takes place on the user's device itself. It is therefore the user's own responsibility to configure the 802.1X supplicant properly. With a user-side misconfiguration (such as disabled verification of the server certificate or of the server name), the confidentiality of the login is not guaranteed.
