Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Don’t Use PEAP Credentials for eduroam Authentication

Eduroam has quickly become the standard for 802.1X implementation among top-tier universities, allowing students and staff to access remote campus wifi networks using their home university credentials. Increasingly, many universities choose to use eduroam as their sole SSID.

However, this also means eduroam is a likely target for attackers to spoof and farm student credentials. Just last year, a large public university in California came to us following a report of hundreds of credentials being stolen as a result of devices needing a manual connection to eduroam. Misconfiguration of authentication credentials was the root of the issue.

In this article, we discuss the configuration issues that cause eduroam login problems and potential solutions.

Drawbacks of Using PEAP Credentials for eduroam

In short, relying on end-users to manually connect to eduroam with their PEAP credentials is a major security concern and subpar user experience. But why?

EDUROAM USERS ARE DISCONNECTED WHEN PASSWORDS EXPIRE

Universities also face issues when implementing eduroam because the format of login credentials can cause, causing disconnects. If the credentials a user enters do not match the format required for eduroam, the only option is to reconfigure and re-provision the user’s device. In that case, this is a time-consuming irritating, and costly side project for IT and users alike.

When users are configured for PEAP-MSCHAPv2 authentication, their credentials are sent to the RADIUS, and it validates the credentials with the Identity Provider (IDP). With an IDP such as Active Directory (AD), usernames are matched against the sAMAccountName.

The eduroam disconnect occurs at this stage in the process of authenticating to an eduroam network. The user’s credentials are forwarded to the home campus’ RADIUS, based on the realm that hasn’t been identified yet. Eduroam requires a user’s credentials to be entered in the format of UserPrinicpalName, or UPN (ex. john.smith@university.com). Without identifying the user’s home campus, eduroam cannot authenticate that they belong to an eduroam-enabled campus.

Considering that PEAP authentication requires the sAMAccountName to authenticate network users, and eduroam requires UPN, it’s obvious that special consideration has to be taken to deliver credentials in the correct format. That’s a task that is unreasonable to expect end-users to handle and there is a high probability that many users will not enter their credentials in the correct format for eduroam. The connection issues that follow will lead to frustrated users and a failure to connect to eduroam.

PEAP CREDENTIALS CAN BE PASSED OVER-THE-AIR TO EVIL-TWIN NETWORKS

The best security practices require little to no end-user interaction because any IT professional will tell you that social engineering is one of the best ways to infiltrate networks. Imitation networks can be set up anywhere with open Wi-Fi. In the case of that California university we mentioned earlier, it was set up in their campus library.

Just posting some documentation on a web page and requiring end-users to manually connect will inevitably lead to students accidentally misconfiguring their devices.  A misconfigured device is a vector for hackers to steal legitimate credentials and gain access to your network.

The best defense against over-the-air attacks like the evil-twin-network is configuring your network for server certificate validation. This authentication security mechanism requires both the client and server to positively identify themselves using X.509 digital certificates.

Benefits of Using Certificates for eduroam Authentication

Understandably, some organizations may consider reconfiguring their credentials to be compatible with the UPN eduroam format as the best route forward. While a viable option, it’s more of a short-term fix that doesn’t address inherent issues while using credentials for authentication, especially in regards to security, user experience, and performance.

Assigning the task of credential reconfiguration to IT isn’t a viable option due to the workload. It would be necessary to reconfigure your credential management system and distribute new credentials to every user. The process would require rerouting significant IT resources to the task, which simply is not feasible for organizations of a given size. If your university allows for users to manually reconfigure, then support tickets for connection issues will skyrocket and further accelerate the slowdown.

A more effective solution is to deploy x.509 certificates using onboarding software to guide users through the reconfiguration process. With an onboarding solution in place, existing users are given self-service software that reconfigures their devices in just a few clicks. Upon completion, devices are configured for eduroam and secure Wi-Fi provisioning. Here are a few reasons why this is the superior option:

THE FQDN CAN BE ENCODED ONTO CERTIFICATES

After talking with dozens of university IT staff, we’ve learned that devices have trouble roaming because PEAP uses the machine’s hostname, which doesn’t contain the FQDN. For roaming to work properly, the remote campus RADIUS needs to know the eduroam federation to properly proxy the end-user the home RADIUS server and their home AD directory.

By using certificate templates (with the right onboarding client), you can encode any attribute and value needed, such as the user’s UPN or FQDN. Users can even enroll for their certificate and get configured from any existing network prior to coming onto campus to attain a seamless and secure connection.

CERTIFICATES ELIMINATE PASSWORD RESETS

The crux of the argument for reconfiguring the network for certificates instead of updating credentials is the user experience during the initial update. With credentials, users have to manually reset their passwords and possibly experience a more involved process during the reconfiguration process. SecureW2’s certificate onboarding software can be completed in minutes and distributes a certificate that lasts as long as the organization decides (typically at a university they are set to automatically revoke after 4 years).

The use of certificates simplifies their network interactions considerably. To be authenticated to the network, users do not have to interact or enter a password that must be reset every 60 days. For regular, secure network authentication, the certificate is automatically authenticated when in range of the wireless network. And eduroam authentication is just as simple; the user’s device automatically connects to the eduroam network, their certificate is identified, and the user is rapidly authenticated.

FASTER RE-AUTHENTICATION AND ROAMING CONNECTIONS

Standard credential-based EAP methods such as EAP-PEAP MSCHAPv2 require a heavy challenge handshake protocol between RADIUS and Active Directory, which will affect the user connection speed, especially in high-density network environments like student orientation, for example.

Certificate-based authentication is inherently a much lighter approach. A valid certificate issued by a trusted Certificate Authority is intrinsically authorized through the nature of public-private key cryptography. Additional checks, like directory look-ups, can be added to the flow to increase security.

The Benefits of EAP-TLS for eduroam

When faced with the network overhaul that the eduroam scenario requires, forward-thinking organizations may see an opportunity to improve upon their current processes. When this top university faced the eduroam reconfiguration dilemma, they initially sought a credential-based solution to streamline the process of changing their network usernames. After in-depth research, they discovered that an EAP-TLS solution could improve the security and user experience of the entire network.

The college sought out SecureW2 to complete a PEAP reconfiguration to use credentials to connect to eduroam, but they began researching and ultimately implemented an EAP-TLS certificate authentication solution. Instead of users connecting to the secure network or eduroam with credentials, users would validate their identity and be distributed a digital certificate for authentication.

But how is reconfiguring the entire network for certificate authentication a more efficient solution than re-provisioning devices?

Enroll All Devices with the Right Onboarding Software

SecureW2 offers a plug-and-play solution to certificate-based authentication. We provide all the necessary tools to configure your network, and it integrates with existing infrastructure from any major vendor. The configuration is highly customizable for IT and can be completed in hours instead of days.

Our JoinNow solution allows institutions to leverage existing SAML providers (e.g., Azure, Google Apps, Okta, etc.) to be the source of truth for users to enroll for their unique client certificate. These client certificates can also be used for other applications such as wireless/wired 802.1X, VPN, and even web SSO.

The only interaction the user has with their authentication experience is the first few minutes it takes to complete the onboarding software. Once they are successfully onboarded, the device auto-connects when within range of the secure network.

Passwordless Authentication for eduroam

Eduroam is excellent for increasing the connectivity of your campus and users traveling throughout other campuses. Overcoming the obstacle of eduroam configuration can be a deterrent to some, but many see the utility in improving your users’ network experience. Implementing certificate-based authentication not only bypasses the credential disconnect that many organizations experience, but it is also an upgrade to security and vastly improves the user experience.

SecureW2 has affordable options for organizations of all shapes and sizes. It provides a turnkey solution that allows end-users to smoothly and securely configure their devices to use eduroam. Their devices are easily configured to use the Wi-Fi at their main campus and access Wi-Fi safely at other universities in just a few clicks. Click here to see our pricing.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Don’t Use PEAP Credentials for eduroam Authentication