Securing Campus Guest Access with eduroam
June 19, 2015
Campus wireless networks are secured by strong encryption and driven by identity solutions for their constituents. Wireless networking on campus would simply not be possible without this security and access control. Campus guest networks, by contrast, are not secured with ANY encryption, and access is only minimally controlled by a guest portal. IT departments are doing their best for their own constituents on campus, but what happens when those users travel to a remote campus? Fortunately eduroam offers a simple solution that protects your own community as they travel, by providing the same 802.1X-based encryption and identity-based access control on other campuses' networks without the need for time-consuming guest registrations.
Securing Campus Networks
We live in a mobile generation where the absence of wireless connectivity simply cannot be tolerated. The rise of well-designed cloud-based data services gives us access to every piece of critical data regardless of platform or location. As these services become part of our work and academic processes, a campus without wireless networking is nearly inconceivable. None of this would be possible or permissible without the wireless security built into campus networks. This security is driven by identity management solutions and tied into the wireless network through RADIUS servers and 802.1X authentication, which is what gives each user an individually keyed, encrypted session on the secure SSID.
Guest access is generally provided by an open network and a guest access portal that requires users to self-identify or, sometimes, to request guest sponsorship. While these solutions are necessary and provide a reasonable level of identity, they provide no encryption or protection: the network itself is NOT encrypted, so everything a guest sends that is not already protected by TLS is readable by anyone within radio range.
When campus users travel to other campuses they must connect to that remote network through its guest access solution. This exposes them, and their unencrypted data, to snooping on an open network. VPN solutions can minimize the risk, but they only protect the traffic that actually goes through the tunnel, and only once the user has remembered to turn the VPN on. Users are also inconvenienced by having to identify themselves to the remote guest portal on every device they carry.
Eduroam Global WiFi Roaming for Academia
Driven by a desire to provide secure roaming amongst five European institutions in the Netherlands, Finland, Portugal, Croatia and the UK, the TERENA task force on mobility created the eduroam network of connected institutions in 2003. The technology behind eduroam is based on 802.1X and a hierarchy of RADIUS proxy servers that pass authentication requests from one institution to another based on the realm in the user's identity (the part after the @ in user@institution.edu). No new technology needed to be developed to enable eduroam; only a policy agreement and a centralized hierarchy of RADIUS servers with trust relationships between them had to be established. The base technology protects the user's credentials end to end: the tunneled EAP methods used by eduroam (PEAP and EAP-TTLS) build a TLS tunnel from the user's device to the home institution's RADIUS server, authenticated by that server's certificate.
That TLS tunnel is carried inside RADIUS, but it is the EAP method, not RADIUS itself, that provides the protection. The user's real username and password travel only inside the tunnel, and the tunnel terminates at the home RADIUS server, which then checks the credentials against the home identity store (often Active Directory). As a result the credentials are never exposed to the visited institution or to the eduroam proxy servers; the outer RADIUS request carries only an anonymous or bare outer identity plus the realm needed for routing. One caveat matters in practice: this protection only holds if the device actually validates the home server's certificate (the issuing CA and the server name). A supplicant configured to skip that check will happily build its tunnel to a rogue access point advertising the eduroam SSID and hand over its credentials, which is why the on-boarding tools discussed below are more than a convenience.
Participating institutions advertise the eduroam SSID on their campus WiFi network. Home campus users connect to the eduroam SSID and enter their credentials using their fully qualified username (email@example.com). The credentials are processed locally, the same as on a traditional 802.1X SSID, and users are granted access to the network. When those users travel to a remote campus that participates in eduroam, their devices automatically connect to the eduroam SSID and the authentication request arrives at that campus's RADIUS server. Because the realm in the username is not one of its own, the local RADIUS server proxies the request to its national eduroam proxy. The proxy hierarchy looks up which institution is the home identity provider for that realm and forwards the request there, and the home RADIUS server completes the authentication. To the user they are simply connected to the network and have instant access. By using the eduroam network, remote users get the same encryption and identity-based access as local campus users.
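The realm-based routing described above is, in practice, a decision the visited campus's RADIUS server makes on every Access-Request before it ever looks at a password: handle the realm locally, forward it to the national proxy, or reject it outright. The following Python is an added example of that decision logic, written for this page; it is not eduroam's code, nor a snippet from any RADIUS product (in FreeRADIUS the same policy is expressed declaratively through realm definitions in proxy.conf). It assumes a hypothetical home realm example.edu and a hypothetical national proxy hostname, and it also produces the per-session record that answers the log-retention question raised in the checklist below. The sample identities at the bottom are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Realms this campus is the identity provider (IdP) for. "example.edu" is an
# assumed placeholder, not a real eduroam realm.
HOME_REALMS = {"example.edu"}

# Hostname of the national eduroam proxy this campus forwards foreign realms to.
# Hypothetical value; the real address comes from the national operator.
NATIONAL_PROXY = "tlrs.eduroam.example"

# A routable realm must look like a DNS name with at least one dot. Anything
# else is rejected locally rather than forwarded, so malformed or single-label
# realms never consume the proxy hierarchy's time.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


@dataclass(frozen=True)
class Decision:
    action: str            # "local", "proxy" or "reject"
    realm: Optional[str]   # normalized realm, if one could be extracted
    target: Optional[str]  # where the request goes, if anywhere
    reason: str


def route(outer_identity: str, sp_only: bool = False) -> Decision:
    """Decide what the visited campus's RADIUS server does with an Access-Request.

    outer_identity is the User-Name visible to the visited campus. With PEAP or
    EAP-TTLS this is usually 'anonymous@realm'; the real username is inside the
    TLS tunnel and is never seen here. sp_only=True models a service-provider-
    only site (museum, coffee shop) that has no home realms of its own.
    """
    if outer_identity.count("@") != 1:
        return Decision("reject", None, None, "User-Name must contain exactly one '@'")
    _, realm = outer_identity.split("@")
    realm = realm.strip().lower()          # realms are case-insensitive
    if not REALM_RE.match(realm):
        return Decision("reject", realm or None, None, "realm is not a valid domain name")
    if not sp_only and realm in HOME_REALMS:
        return Decision("local", realm, "local-eap", "home realm, terminate EAP locally")
    return Decision("proxy", realm, NATIONAL_PROXY,
                    "foreign realm, forward to the national eduroam proxy")


def log_record(outer_identity: str, calling_station_id: str, nas_id: str,
               decision: Decision, result: str,
               when: Optional[datetime] = None) -> str:
    """One tab-separated line per roaming attempt, in the form a visited campus keeps.

    These are the fields that let an abuse report be traced back through the
    home institution: when, which outer identity and realm, which client MAC
    (Calling-Station-Id), which access point (NAS-Identifier), what we did with
    the request and how it was answered. The visited campus never has the real
    username; it has to ask the home institution for that.
    """
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return "\t".join([ts, outer_identity, decision.realm or "-", calling_station_id,
                      nas_id, decision.action, decision.target or "-", result])


if __name__ == "__main__":
    # Constructed sample identities (not real users or captured requests).
    samples = [
        "anonymous@example.edu",      # home user on our own eduroam SSID
        "anonymous@uni.example.org",  # visitor from another campus
        "jdoe",                       # no realm: cannot be routed anywhere
        "anonymous@eduroam",          # single-label realm: reject locally
        "a@b@example.edu",            # malformed User-Name
    ]
    fixed_time = datetime(2015, 6, 19, 12, 0, tzinfo=timezone.utc)
    for identity in samples:
        d = route(identity)
        outcome = "Access-Reject" if d.action == "reject" else "awaiting-" + d.action
        print(log_record(identity, "00-11-22-33-44-55", "ap-library-3", d, outcome, fixed_time))
```

Two design points are worth noting. First, the routing decision never needs the password: a service-provider site can safely run this logic with no identity store at all, which is exactly what makes free SP-only membership workable. Second, rejecting realm-less and single-label identities at the edge is a small courtesy to the proxy hierarchy and a useful hygiene check, since a home user who types a bare username on the eduroam SSID will otherwise generate a stream of undeliverable requests upstream.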
By participating in the eduroam network, campuses not only provide their own users with access, but ensure those same users are protected when they travel around the globe to remote participating institutions. At the time of writing there are more than 74 countries participating in the eduroam network with more than 3000 institutions connected, and the number is growing daily.
In the US eduroam is provided by ANYROAM LLC, funded by Internet2 (I2) and participating institutions. Members of I2 can connect to the eduroam network as part of their I2 dues; non-members can join eduroam for a nominal annual fee based on enrollment ($0.10 per enrolled student, with a minimum of $400/yr). Eduroam covers not only students but also all faculty and staff as they travel to remote campuses.
Institutions, and other organizations, can join eduroam as a service provider (SP) where they advertise the eduroam SSID but do not act as an identity provider (IdP). SPs are free to join and are a great way to add locations where eduroam can provide service. An example might be a museum or coffee shop.
For more information on how to get connected to eduroam in the US go to www.eduroam.us.
The process of connecting to eduroam is easy, but there are a number of questions each campus should answer before connecting.
- Is your RADIUS infrastructure capable of RADIUS proxy?
- What kind of access policies will you create for local and remote users?
- Can you report on remote eduroam users and provide 6 months of logs for those users?
- How will you integrate local machine authentication into your eduroam network?
- What are the best practices that other institutions have found using eduroam?
- Will you still advertise your local secure SSID?
- How can you effectively advertise the eduroam service to your community?
- Can eduroam take advantage of modern 802.1X on-boarding software?