The eduroam network lets you use the Internet safely and securely all over the world. How is the user authenticated, and how is the security of using such a network ensured?
What is eduroam? It is a network that offers roaming to users of participating institutions in many countries around the world. We all want to use Wi-Fi. We have LTE, but thanks to the "specifics of the market" we can exhaust the data allowance of the fair use policy (FUP) every twenty minutes. So we want Wi-Fi. In addition, in many places, especially in "concrete cathedrals", mobile coverage is unavailable. All you have to do is connect to a local network, which usually has better coverage.
Wi-Fi networks can be ranked by security: from unencrypted networks, through captive portals, to WPA and 802.1X. Experts have long warned against unencrypted networks without a password, whose traffic can easily be intercepted. Today's devices actively probe for the networks they already know, and there are routers that can impersonate those networks and let users connect to them. Networks with a hidden SSID are probed for by name, because the client cannot discover them any other way. A WiFi Pineapple router can answer such probe requests and create a tailor-made network; an unsuspecting user then sends all of their data over it.
Very problematic, but unfortunately also widespread, is login through a web browser. The worst is the captive portal, which is dangerous for the user and uncomfortable as well. The client connects to an unencrypted network, its HTTP traffic is blocked and "redirected" to the web authentication portal. After the name and password are verified, traffic for the given MAC address is allowed. Captive portals do not work well with HTTPS (the redirect cannot be injected into an encrypted connection without a certificate error), IPv6 or DNSSEC, and they are not standardized. Moreover, they do not solve security at all, because all communication is still transmitted unencrypted.
WPA with a pre-shared key is easy to configure and use, and it is reasonably secure for the user. Traffic cannot be read simply by listening: with WPA2-PSK, even an attacker who knows the shared password must first capture the victim's four-way handshake to derive that session's keys, so the password alone is not enough (the password together with a captured handshake, however, does let the session be decrypted). On the other hand, it prevents simple user authentication, since usually everyone shares one common password. Such a network is usable for a home or small office, but not for a large organization with thousands of users.
The last variant is 802.1X, on which eduroam is built. It is very safe for both operators and users, but it is difficult to operate, and especially to operate properly. User authentication solves the anonymity of Wi-Fi networks, which can otherwise be abused to commit cybercrime. When someone uses your network to steal a large sum of money, the police will come, and that will be at least very uncomfortable for you. Therefore a user on such an "open" network must be well authenticated and traceable if necessary.
Solving all of the aforementioned problems is the task of the eduroam project. It originated in the Netherlands in 2002, at a time when the MAC addresses of Wi-Fi cards had to be registered, so that when travelling between universities it was necessary to borrow cards. This was authentication at the physical level, and it was very impractical. Nowadays users travel with a whole host of devices, and all of them need to be connected to the Internet.
The Czech Republic joined eduroam very quickly, in 2004. Originally it was implemented using three different authentication methods: 802.1X, VPN and captive portals. Captive portals have been disallowed since 2007, and VPN never worked properly anywhere. For almost ten years, only authentication at the second network layer has been used. It is not limited to Wi-Fi; it can be deployed on wired Ethernet in the same way.
Eduroam addresses user authentication but does not care about your home connectivity. When you have eduroam from Prague and you come to America, it does not mean you get a Czech IP address. The visited network only verifies that you may be let in and then connects you to its own infrastructure. It is up to the particular university whether it offers you IPv6, how you get addresses, or which other services it provides.
The principle is simple: when you connect to an 802.1X network, all traffic is blocked in the default state. The authenticator (the AP or switch) prompts the client using EAP over LAN (EAPOL). The client must have a supplicant that speaks EAP through the authenticator to the authentication server. If authentication succeeds, the client is admitted to the network, and suddenly everything works just as before. From the network's point of view you have proven your identity, the trusted authentication server has confirmed it, and the obstacle in the form of the initial block has been removed.
Eduroam adds federation and hierarchy to this scheme. Each organization runs its own authentication server (RADIUS) and its own database of authorized users. If the client connects to its home network, the local server is queried and the access point admits the user. If, however, the user travels and tries to connect to another network in the federation, that network's authentication server detects that the user is not local and forwards the request to the national RADIUS server. If that one does not know the answer either, it sends the request higher still, to the root server, which has the directory of all national servers, and the path then ends at the home organization. The home server verifies the user and the answer travels back the same way, so the user can be admitted to the network. The visited organization only learns that the user has been admitted, and that is where its involvement ends.
EAP communication always runs from the client's supplicant to the home organization's authentication server (the identity provider, IdP). The other servers should not touch the message, only pass it on. The user therefore sees no difference between being on their own network or abroad; everything happens transparently, and the same credentials are used.
Two protocols are used to authenticate users: EAP-TTLS and EAP-PEAP. Both work similarly: a TLS tunnel is built, during which the client verifies the server certificate; inside the tunnel, the server checks the client's password using a second (inner) authentication protocol. In practice this is either the cryptographically broken MSCHAPv2 or plain PAP, which sends the password as is; neither is a concern on its own, because the tunnel protects them, but both stand or fall with the client correctly verifying the server certificate. Another option is EAP-TLS, which uses certificates on both sides. Then it is enough to establish the TLS connection and the user is verified; no messages need to be sent inside the channel.
Communication between individual RADIUS servers runs over UDP, where only the user password attribute is obfuscated using the shared secret; everything else is in the clear. It was decided at the outset that this is not enough, and for greater protection the protocol was transported over IPsec. That has the disadvantages of difficult configuration, incompatibility with address translation, and the need to keep the tunnel alive and renew the keys. These problems are removed by the newer RadSec protocol (RADIUS over TLS), which encapsulates RADIUS messages in an ordinary TLS connection. The vast majority of RADIUS servers now use this method.
Two-tier authentication also gives the user a pair of identities. The outer identity travels through the federation in the clear and is used only to route the authentication request to the user's home organization. For better privacy its user part can be anonymized, because the name of the particular user does not matter for routing; only the realm after the @ does.
The inner identity, by contrast, travels inside the encrypted tunnel to the home organization, which verifies the user on its basis. Nobody but the home organization has access to this identity.
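The realm-based routing of the federation hierarchy and the anonymized outer identity described above, as an added example (illustration code written for this article, not eduroam's or any RADIUS server's software). Every host name, realm and user in it is constructed; the federation directory lives in Python only for the demonstration, whereas a real deployment keeps it in the proxy configuration. Each hop looks at nothing but the realm of the outer identity; the EAP payload with the inner identity stays opaque to the proxies.

```python
from typing import List, Optional, Tuple

# Constructed federation directory (hypothetical names, not real servers).
ORG_RADIUS = {                       # realm -> that organization's RADIUS server
    "uni-a.example.cz": "radius.uni-a.example.cz",
    "uni-b.example.cz": "radius.uni-b.example.cz",
    "uni-c.example.nl": "radius.uni-c.example.nl",
}
NATIONAL_PROXY = {                   # top-level domain -> national proxy
    "cz": "ntlr.example.cz",
    "nl": "ntlr.example.nl",
}
ROOT_PROXY = "root.example.org"      # top-level proxy that knows every national server


def split_identity(outer_identity: str) -> Optional[Tuple[str, str]]:
    """Split a User-Name into (user part, realm); None if it cannot be routed.

    Only the realm is needed for routing, so the user part may be anything,
    including the literal 'anonymous'. Names without exactly one '@', or with
    an empty or malformed realm, are rejected before anything is forwarded.
    """
    if outer_identity.count("@") != 1:
        return None
    user, realm = outer_identity.split("@")
    realm = realm.strip().lower()
    if not realm or realm.startswith(".") or realm.endswith(".") or ".." in realm:
        return None
    return user, realm


def anonymize_outer(inner_identity: str) -> Optional[str]:
    """Derive an outer identity that hides the user part but keeps the realm."""
    parsed = split_identity(inner_identity)
    if parsed is None:
        return None
    return "anonymous@" + parsed[1]


def national_proxy_for(realm: str) -> Optional[str]:
    """Pick the national proxy from the realm's top-level domain."""
    return NATIONAL_PROXY.get(realm.rsplit(".", 1)[-1])


def route(outer_identity: str, visited_realm: str) -> Optional[List[str]]:
    """Return the chain of RADIUS servers an Access-Request traverses.

    None means no server can route the request, which in practice ends in an
    Access-Reject at the first proxy that cannot forward it.
    """
    parsed = split_identity(outer_identity)
    if parsed is None or visited_realm not in ORG_RADIUS:
        return None
    _, home_realm = parsed
    if home_realm not in ORG_RADIUS:
        return None
    path = [ORG_RADIUS[visited_realm]]         # visited organization's own server
    if home_realm == visited_realm:
        return path                            # local user: answered right here
    visited_national = national_proxy_for(visited_realm)
    home_national = national_proxy_for(home_realm)
    if visited_national is None or home_national is None:
        return None
    path.append(visited_national)              # unknown locally: up to the national proxy
    if home_national != visited_national:      # cross-border: via the root and the other country
        path.extend([ROOT_PROXY, home_national])
    path.append(ORG_RADIUS[home_realm])        # the home IdP verifies the inner identity
    return path


if __name__ == "__main__":
    visited = "uni-a.example.cz"
    for ident in ("alice@uni-a.example.cz", "anonymous@uni-b.example.cz",
                  anonymize_outer("bob@uni-c.example.nl"), "alice"):
        print(ident, "->", route(ident, visited))
```

A user of uni-a at home is answered by uni-a's own server; a visitor from uni-b goes up to the Czech national proxy and back down; a Dutch visitor additionally passes through the root and the Dutch national proxy. A name without a realm, or with an unknown realm, is rejected at the first hop, and the anonymized outer identity routes exactly like the full one.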
In practice, network operators have problems mainly with finding the holder of a particular IP address and with blocking a specific user. 802.1X only addresses network access, not address allocation. Only some advanced L2 devices record client IP addresses in accounting data. In addition, if NAT is used, the translation information needs to be stored as well. It is not enough to configure the access points correctly; you need to build infrastructure to store a lot of data from different parts of the network.
If one of the users violates the rules, the network administrator usually wants to prevent them from using the network again. For blocking, however, the administrator has only a MAC address, which can be freely changed, and the outer identity. While the outer identity reveals the user's home organization, it does not have to reveal a specific username, so blocking it can take all the other users of that organization down with it. Reliable blocking of one user therefore requires manual communication with the identity provider.
Identity providers, in turn, deal with problems around user passwords; for example, a university has to decide whether it uses the same password for all systems including eduroam. Czech universities are urged to use separate passwords. But then the question is whether the user chooses the password or the identity provider generates it. Some are firmly for generating secure passwords, but that hurts user convenience, because some clients forget their passwords and ask for them over and over again. I'm talking about Windows: when you have a weak Wi-Fi signal and no response arrives during login, the system evaluates the password as wrong and forgets it. The identity provider also sees the two user identities as one and can decide whether to support anonymized outer identities. Within the Czech federation, admins do not recommend offering an anonymous outer identity; they believe it does more harm than good.
Users often fail at configuring access to eduroam. A regular user is baffled by about the sixth setting the operating system asks for. Moreover, the client must verify the authentication server's certificate correctly, otherwise an attacker can set up their own AP named eduroam and capture passwords. The problem is that the client does not know the server name and cannot recognize the correct certificate. Different platforms approach this differently. By default, Windows trusts any certificate from a trusted CA; Apple uses trust on first use (TOFU) and shows the certificate the first time it connects; other platforms usually perform no verification at all. Without proper configuration, restricted to the specific name of the authentication server or to a particular private certification authority that issues certificates only for that institution's authentication servers, the authentication is not secure and the password can leak. Password theft can be prevented by using a client certificate, if the identity provider supports it, but that is usually very difficult for users who are not technically skilled.
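What "restricted to the specific name of the authentication server or to a particular private CA" looks like in practice, as an added example for a Linux client using wpa_supplicant (not a CAT profile or any institution's real configuration; the SSID is the real eduroam name, but the realm, the server name, the CA file path and the password are all assumed). The first network block is the weak form, the second the hardened one; both use EAP-TTLS with PAP inside the tunnel, as discussed above, and an anonymized outer identity.

```conf
# WEAK: no CA pinned and no server name check. wpa_supplicant does not verify
# the server certificate at all when ca_cert is unset, so any AP broadcasting
# "eduroam" with any certificate receives the password inside the tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@uni-a.example.cz"
    identity="alice@uni-a.example.cz"
    password="s3cret-example"
}

# HARDENED: the server certificate must chain to the institution's own CA
# (assumed path) AND carry exactly the configured server name. A certificate
# from a public CA for some other host name is rejected before PAP runs.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@uni-a.example.cz"
    identity="alice@uni-a.example.cz"
    password="s3cret-example"
    ca_cert="/etc/ssl/certs/uni-a-eduroam-ca.pem"
    domain_match="radius.uni-a.example.cz"
}
```

The two lines that matter are ca_cert and domain_match. Pinning only the CA is not enough when the CA is a public one, because an attacker can buy a certificate for a different name from the same CA; pinning only the name is not enough without a CA, because wpa_supplicant then skips chain validation entirely. The password sits in the file in clear text, so the file must be readable by root only.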
There is the eduroam Configuration Assistant Tool (CAT), which allows easy and secure configuration. It is based on an XML profile published by the identity provider and generates an installer for the given institution and platform. Windows, macOS and Linux are supported, as well as mobile platforms. For Android it is even the only way to restrict the check to a particular certificate name, because the standard system settings cannot configure such a check.
That this is a real threat was shown when the VSE management sent out a warning e-mail saying that an unknown person had set up a fake eduroam network and was capturing the passwords of the users who joined it.
So there is a real risk of abuse, and you need to be careful about securing the connection to the eduroam network, especially if the university uses the same credentials for other systems and services as well.