You can usually connect at any eduroam organisation without re-configuring your computer because the actual network access points you are connecting to are configured similarly. The reason that the initial setup is specific to the organisation that provides your username is because, wherever you are, it is that ‘home’ organisation that verifies your username and password are correct.

If I’m already at Rose Bruford College, can you help me find my home organisation’s instructions?

Unfortunately there isn’t a directory of each organisation’s instructions, so this can be difficult, but the IT Helpdesk should be able to do a quick search for you unless they are very busy.

More information – A simplified example:

Alice comes from Wonderland University and she has been told her username for eduroam is alice@wonderland.ac.uk. When Alice wants to connect to eduroam at RBC, this is roughly what happens:

  1. Alice’s computer says “Hello eduroam. I am a user from wonderland.ac.uk and I would like to connect. Please prove it is safe for me to send my password!”
  2. RBC's eduroam forwards the message to Alice’s home organisation wonderland.ac.uk
  3. wonderland.ac.uk replies with a ‘certificate’ that Alice’s computer has been configured to trust. RBC's eduroam forwards the certificate to Alice’s computer.
  4. If Alice’s computer is happy with the certificate, it says “Now I know I can trust you, here is my username and password, please let me connect [alice@wonderland.ac.uk, ReallySecretPassword]”
  5. RBC eduroam then forwards the message containing Alice’s username and password to wonderland.ac.uk
  6. If Alice typed the username and password correctly, wonderland.ac.uk will reply to RBC eduroam “The username and password are correct, let Alice connect please”
  7. RBC eduroam then forwards the reply to Alice’s computer and then activates Alice’s connection.

All of the above conversation is encrypted so no one else can see the messages. Even RBC eduroam cannot see Alice’s real username and password: the messages in steps 4 and 5 are like a letter sealed in an envelope that can only be opened by the addressee, and RBC eduroam is just the postman.

So if I use a different organisation’s instructions why won’t it work?

  • To protect users’ passwords, each organisation’s instructions should configure the computer to only accept that organisation’s certificate (step 4 above). This prevents the computer sending your password to anyone except your home organisation. Without this check your computer would happily send your password to anyone – PasswordThief.ac.uk for example, which would be really bad. In the example above, if Alice had used RBC's instructions her computer would receive the certificate from wonderland.ac.uk. Her computer would think “If I send the password it will go to wonderland.ac.uk – that isn’t RBC – I’m refusing to send the password”. This is the first reason why using the wrong organisation’s instructions won’t work.
  • The second reason is more difficult to explain, but it is to do with the type of each message. Suppose wonderland.ac.uk only understands messages that are written on green paper, and fairyland.ac.uk only understands messages that are written on blue paper. The Fairyland instructions would make sure the computer was configured to send its messages on blue paper, so that they can be understood by the fairyland.ac.uk system. If Alice used the Fairyland instructions her computer would be writing on blue paper, but Alice’s home organisation wonderland.ac.uk can only understand messages on green paper. This is the second reason that the wrong set of instructions won’t work. (The organisation where Alice is trying to connect, RBC, doesn’t know or care about the paper colour because it’s just the postman – that’s why connecting works at any organisation if you use the right instructions initially.)
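As an added illustration (not part of the original RBC page or any organisation’s official instructions), here is what the two reasons above look like in a wpa_supplicant configuration: a weak network block that sends the password to whoever answers, beside a hardened block that only talks to the home organisation. The SSID, CA file path, server name and password are assumed values for illustration.

```conf
# WEAK: no ca_cert and no domain_match, so the supplicant has no way to tell
# wonderland.ac.uk from PasswordThief.ac.uk. Any server that presents a
# certificate gets the inner username and password (step 4 without the check).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@wonderland.ac.uk"
    identity="alice@wonderland.ac.uk"
    password="ReallySecretPassword"
}

# HARDENED: the server certificate must chain to the home organisation's CA
# and carry the expected server name, otherwise the password is never sent.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    # eap and phase2 are the "paper colour": they must match what the
    # wonderland.ac.uk authentication server is set up to speak.
    eap=TTLS
    phase2="auth=MSCHAPV2"
    # Outer identity, seen by RBC as the postman: only the realm after the @
    # leaves the encrypted tunnel, and RBC uses it to route to wonderland.ac.uk.
    anonymous_identity="anonymous@wonderland.ac.uk"
    # Inner identity and password: sent only inside the tunnel, after the
    # certificate checks below have passed.
    identity="alice@wonderland.ac.uk"
    password="ReallySecretPassword"
    # Assumed path to the home organisation's CA certificate (reason 1).
    ca_cert="/etc/ssl/certs/wonderland-root-ca.pem"
    # Assumed name of the home organisation's server, as it appears in the
    # certificate; a certificate for any other name is refused (reason 1).
    domain_match="radius.wonderland.ac.uk"
}
```

Instructions from another organisation would set a different ca_cert and domain_match (so the password is never sent to wonderland.ac.uk) and possibly a different eap/phase2 pair (so even a trusted wonderland.ac.uk server could not understand the messages).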

Enough Alice examples, where can I find a technical explanation?

A starting point would be the Wikipedia article on Extensible Authentication Protocol (EAP). Read the RFCs, e.g. EAP-TTLSv0 (RFC 5281), for a detailed explanation.