Integrating Eduroam Into the Existing Network
In 2018, the university networking team was urged by their CIO to set up an eduroam network on campus. They quickly realized that implementing eduroam would be no simple task. Android devices were already having issues getting configured for their Wi-Fi, creating a poor user experience and putting the network at risk for credential theft.
The team also knew that all their devices would need to be reconfigured if they were going to support eduroam, prompting Norman, the Senior Support Engineer, and his team to investigate a solution that could help configure all of those devices.
Results
- Supports a Wi-Fi security environment that combines both device and user authentication.
- Now students and staff can easily self-configure their devices for secure eduroam network access.
- Implemented AD Domain and SCEP Certificate Distribution Gateways for managed device security.
- Students no longer experience disconnects, or need to reconfigure their devices, due to password change policies.
Android-Eduroam Difficulties and Configuring Users for Eduroam
Android 8 and newer devices were particularly difficult as students and staff were having trouble configuring their devices. The configuration had too many steps and the IT team discovered that students were often blindly trusting certificate prompts. This posed a huge security risk because these devices put the network at high risk for over-the-air credential theft.
The IT team also discovered that in order to use eduroam, all the end-users would have to reconfigure their devices. This was because eduroam required all the usernames to be configured for network access in a university email format (name@.edu).
Their existing configuration was not in this format, meaning each device would need to be manually reconfigured for network access. This was a concern for the university because they weren’t using any onboarding software, so every end-user would need to reconfigure all their devices (the average college student has 7 internet-connected devices).
Implementing Eduroam with EAP-TLS
After initial discussions, Norman realized that SecureW2 could solve the issues that were affecting the university network. Through research and word of mouth from other universities, the school connected with SecureW2 to solve the growing issues. “You all came highly recommended,” Norman said.
SecureW2 introduced the idea of switching from their existing PEAP-MSCHAPv2 network to EAP-TLS. “Once we started talking to you all, it became apparent that you all had a pretty good solution for EAP-TLS,” Norman said. The overarching project of implementing eduroam was the perfect opportunity to also improve their network authentication protocol.
The school used SecureW2’s PKI and found the process to be surprisingly simple. “As far as setting up the infrastructure, it was Plug-and-Play,” Norman said. “The fact that you all run the CA is fantastic. We don’t have to stand up something on campus to do, that is great.”
The university also used SecureW2’s Managed Device Gateways to automatically enroll their AD-Domain and Jamf managed devices for certificates. Previously, they had issues in which postal workers would experience network disconnects due to password-change policies and the use of managed devices, causing interruptions to the mail service. Certificate-based authentication fixed all the password-related disconnects while also improving network security.
Successful Deployment of Eduroam on Campus
With the new system set in place, the school was ready for the new semester. During the move-in weekend, about 5600 student devices were connected to the eduroam SSID. This was a security system completely new to the IT faculty and students, but the onboarding proved successful. With the help of SecureW2, the university accomplished the objective of implementing eduroam and improved the network’s security and user experience.
The university wanted to keep its PEAP network running for returning students, but every freshman and new user would be onboarded using EAP-TLS.
Because deploying with SecureW2 was so easy, the most involved process for Norman and his team was customizing the page design where users downloaded SecureW2’s onboarding client.
The school had two problems: configuring Android devices for WPA2-Enterprise access and the transition to eduroam. They solved both issues by using SecureW2’s #1 rated device onboarding solution to configure their devices for secure network access. They improved their network security and user experience by implementing certificate-based authentication, eliminating the risk of over-the-air credential theft and password-related disconnects.