eduroam

from Wikipedia, the free encyclopedia

Education Roaming (eduroam) is an initiative that aims to give employees and students of participating universities and organizations Internet access at the sites of all participating organizations, over wireless local area network (WLAN) or local area network (LAN), using their own user name and password or a personal X.509 user certificate from a valid PKI.

Purpose

For guest lectures, semesters abroad, business trips and the like at a host university, employees and students do not have to apply for guest access but can log in directly with the credentials they already know. Almost all European countries are now represented in eduroam, and more and more universities in those countries are joining through their national research networks. The initiative now has many supporters around the world, for example in the Asia-Pacific region (e.g. India, Singapore), in North and South America (e.g. USA, Canada, Brazil) and in the African-Arab region (e.g. Saudi Arabia, South Africa).

Technical implementation

Each organization provides its own WLAN infrastructure. Authentication takes place at the user's home organization via the RADIUS protocol. TERENA, founder and owner of the eduroam brand, provides the root server; the research networks of the participating countries provide the country-specific servers; and each participating organization provides the server that holds the actual user IDs. The server network thus forms a hierarchical tree structure, similar to the Domain Name System. No organization has to hand its user database to anyone else, since all credential data stays on its own server. User IDs are distinguished by a realm: outside one's own organization, username@myorganization.tld is used instead of a bare username, and the request is then automatically forwarded along the tree to the correct server.
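The forwarding described above, as an added model that is not eduroam, TERENA or any RADIUS implementation's code: a small tree of servers in which each hop routes on the realm of the outer identity only, going down to a child responsible for that realm suffix and otherwise up to its parent, while the inner identity and password (here an opaque dict standing in for the EAP tunnel) are checked only by the home server. All server names, realms and the user record are constructed for the example.

```python
# Model of eduroam's realm-based RADIUS forwarding tree (added illustration,
# not eduroam/TERENA/RADIUS code). Server names, realms and users are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusServer:
    name: str
    realms: set = field(default_factory=set)       # realms authenticated on this server
    children: dict = field(default_factory=dict)   # realm suffix -> downstream server
    parent: Optional["RadiusServer"] = None
    users: dict = field(default_factory=dict)      # identity -> password (home org only)

    def add_child(self, suffix, child):
        self.children[suffix.lower()] = child
        child.parent = self
        return child


def split_identity(identity):
    """'user@realm' -> (user, realm); the realm is the only part proxies route on."""
    if "@" not in identity:
        raise ValueError("identity must carry a realm (user@realm)")
    user, realm = identity.rsplit("@", 1)
    return user, realm.lower()


def route(start, realm):
    """Walk from the visited organisation's server to the home server: down to a
    child whose suffix covers the realm, otherwise up to the parent (DNS-like).
    Returns (home_server, list of hop names)."""
    current, path, seen = start, [start.name], {start.name}
    while realm not in current.realms:
        nxt = next((c for s, c in current.children.items()
                    if realm == s or realm.endswith("." + s)), current.parent)
        if nxt is None or nxt.name in seen:
            raise LookupError(f"no server responsible for realm {realm!r}")
        seen.add(nxt.name)
        path.append(nxt.name)
        current = nxt
    return current, path


def authenticate(visited, outer_identity, tunneled):
    """Intermediate servers see only outer_identity. The tunneled credentials are
    opened and checked solely by the home server, so they never rest on a foreign one."""
    _, realm = split_identity(outer_identity)
    home, path = route(visited, realm)
    ok = home.users.get(tunneled["identity"]) == tunneled["password"]
    return ok, path


def build_tree():
    """Constructed hierarchy: root -> national proxies -> organisation servers."""
    root = RadiusServer("root")                            # TERENA's root server role
    nl = root.add_child("nl", RadiusServer("nl-proxy"))    # country-specific servers
    de = root.add_child("de", RadiusServer("de-proxy"))
    uni_a = nl.add_child("uni-a.nl", RadiusServer(
        "uni-a", realms={"uni-a.nl"}, users={"alice@uni-a.nl": "s3cret"}))
    uni_b = de.add_child("uni-b.de", RadiusServer("uni-b", realms={"uni-b.de"}))
    return uni_a, uni_b


if __name__ == "__main__":
    uni_a, uni_b = build_tree()
    # alice from uni-a.nl logs in while visiting uni-b.de
    print(authenticate(uni_b, "anonymous@uni-a.nl",
                       {"identity": "alice@uni-a.nl", "password": "s3cret"}))
```

For a user of uni-a.nl logging in at uni-b.de the request climbs to the root, descends through the Dutch proxy and is decided on uni-a's own server; the path returned shows every hop that saw the outer identity, none of which saw the password.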

The local access authentication technology is always IEEE 802.1X. This ensures that user data and passwords are encrypted all the way to the home organization (end-to-end encryption).

Security concerns

At the time of the first eduroam prototype, login was also offered via a web portal in addition to 802.1X. End-to-end encryption of user data is conceptually very difficult on that channel, and encrypting user data on the WLAN medium is then only possible through higher-layer protocols such as IPsec or TLS VPNs. The use of web login portals was therefore prohibited in the 2005 operating conditions.

Login with IEEE 802.1X can be secured to the extent that the user can verify that they are actually connected to their own home organization before revealing personal data (the password). This check takes place on the user's own device. It is therefore the user's own responsibility to configure the 802.1X supplicant correctly. In the event of a misconfiguration on the user's side (for example, a disabled check of the server certificate or of the server name), the confidentiality of the login is not guaranteed.
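As an added example of the check this section leaves to the user, the following script audits wpa_supplicant network stanzas for the two misconfigurations named above (server certificate check off, server name check off) and additionally for a missing anonymous outer identity, which goes slightly beyond the section. It is not eduroam's or wpa_supplicant's own code; the option names (ca_cert, domain_suffix_match, domain_match, subject_match, altsubject_match, anonymous_identity) are real wpa_supplicant options, but the audit rules, the two sample stanzas and the CA path in them are constructed for this example.

```python
# Audit of wpa_supplicant network={...} stanzas for disabled server validation.
# Added illustration, not eduroam or wpa_supplicant code; stanzas are constructed.
import re

STANZA = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)

# Constructed weak stanza: neither the RADIUS server's certificate nor its name
# is checked, so any access point can pose as the home organisation.
WEAK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@uni-a.nl"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened stanza: pinned CA, expected server name, anonymous outer identity.
HARDENED = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@uni-a.nl"
    identity="alice@uni-a.nl"
    password="s3cret"
    ca_cert="/etc/ssl/certs/uni-a-radius-ca.pem"   # constructed path
    domain_suffix_match="radius.uni-a.nl"
    phase2="auth=MSCHAPV2"
}
"""

NAME_CHECK_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block; '#' comments and quotes are stripped."""
    nets = []
    for body in STANZA.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit(net):
    """Findings for one stanza; an empty list means the supplicant verifies both the
    server certificate chain and the server name before releasing the password."""
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return ["not an 802.1X (WPA-EAP) network; nothing to check"]
    findings = []
    if not net.get("ca_cert"):
        findings.append("ca_cert missing: server certificate is not verified")
    if not any(net.get(k) for k in NAME_CHECK_KEYS):
        findings.append("no server name check: any certificate from the CA is accepted")
    if net.get("eap") in ("PEAP", "TTLS") and not net.get("anonymous_identity"):
        findings.append("anonymous_identity missing: real username visible to every proxy")
    return findings


def audit_config(text):
    """Audit every stanza in a config text; returns a list of finding lists."""
    return [audit(net) for net in parse_networks(text)]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_config(cfg))
```

Run against the two stanzas, the weak one yields three findings and the hardened one none; the same parser can be pointed at a real wpa_supplicant.conf to spot networks whose server validation was switched off to "make it connect".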

Web links