FAQ: Why must I refer to my home organisation for eduroam instructions?
You can usually connect at any eduroam organisation without re-configuring your computer because the actual network access points you are connecting to are configured similarly. The reason that the initial setup is specific to the organisation that provides your username is that, wherever you are, it is that ‘home’ organisation that verifies your username and password are correct.
If I’m already in Bristol, can you help me find my home organisation’s instructions?
Unfortunately there isn’t a directory of each organisation’s instructions, so this can be difficult, but the Bristol IT Service Desk should be able to do a quick search for you unless they are very busy.
More information – A simplified example:
Alice comes from Wonderland University and has been told that her username for eduroam is firstname.lastname@example.org. When Alice wants to connect to eduroam at Bristol, this is roughly what happens:
- Alice’s computer says “Hello eduroam. I am a user from wonderland.ac.uk and I would like to connect. Please prove it is safe for me to send my password!”
- Bristol eduroam forwards the message to Alice’s home organisation wonderland.ac.uk
- wonderland.ac.uk replies with a ‘certificate’ that Alice’s computer has been configured to trust. Bristol eduroam forwards the certificate to Alice’s computer.
- If Alice’s computer is happy with the certificate, it says “Now I know I can trust you, here is my username and password, please let me connect [email@example.com, ReallySecretPassword]”
- Bristol eduroam then forwards the message containing Alice’s username and password to wonderland.ac.uk
- If Alice typed the username and password correctly, wonderland.ac.uk will reply to Bristol eduroam “The username and password are correct, let Alice connect please”
- Bristol eduroam then forwards the reply to Alice’s computer and then activates Alice’s connection.
All of the above conversation is encrypted so no one else can see the messages. Even Bristol eduroam cannot see Alice’s real username and password: the messages in steps 4 and 5 are like a letter sealed in an envelope that can only be opened by the addressee, and Bristol eduroam is just the postman.
So if I use a different organisation’s instructions why won’t it work?
- To protect users’ passwords, each organisation’s instructions should configure the computer to only accept that organisation’s certificate (step 4 above). This prevents the computer from sending your password to anyone except your home organisation. Without this, your computer would happily send your password to anyone, PasswordThief.ac.uk for example, which would be really bad. In the example above, if Alice had used Bristol’s instructions her computer would still receive the certificate from wonderland.ac.uk. Her computer would think “If I send the password it will go to wonderland.ac.uk – that isn’t Bristol – I’m refusing to send the password”. This is the first reason why using the wrong organisation’s instructions won’t work.
- The second reason is harder to explain, but it is to do with the type of each message. Suppose wonderland.ac.uk only understands messages written on green paper, and fairyland.ac.uk only understands messages written on blue paper. The Fairyland instructions would configure the computer to send its messages on blue paper, so that the fairyland.ac.uk system can understand them. If Alice used the Fairyland instructions her computer would be writing on blue paper, but her home organisation wonderland.ac.uk can only understand messages on green paper. This is the second reason that the wrong set of instructions won’t work. (The organisation where Alice is trying to connect, Bristol, doesn’t know or care about the paper colour because it is just the postman; that is why connecting works at any organisation if you use the right instructions initially.)
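The numbered steps above and the two reasons a wrong set of instructions fails, modelled as a small added Python example. This is not code from the FAQ or from the University of Bristol; the organisation names, certificate and CA names, the `radius.*` server names, the EAP method labels, the username alice@wonderland.ac.uk and the sealed-envelope class are all constructed for the illustration. The visited site routes on the realm in the username and forwards an envelope it cannot open; the computer refuses to hand over the password unless the certificate matches what its instructions configured, and a home server that speaks a different EAP method rejects the inner exchange.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    subject: str  # server name presented in step 3, e.g. "radius.wonderland.ac.uk"
    issuer: str   # the CA that signed it; the setup instructions say which CA to trust


@dataclass
class HomeOrganisation:
    realm: str
    certificate: Certificate
    eap_method: str                            # the "paper colour": the EAP method the server speaks
    users: dict = field(default_factory=dict)  # username -> password (constructed sample data)

    def verify(self, eap_method, username, password):
        """Steps 6 and 7: only the home organisation checks the credentials."""
        if eap_method != self.eap_method:
            return "reject: home server does not speak this EAP method"
        if self.users.get(username) != password:
            return "reject: wrong username or password"
        return "accept"


@dataclass
class SealedEnvelope:
    """Stand-in for the TLS tunnel of steps 4 and 5: only the addressee can read it."""
    addressee: str
    contents: tuple = field(repr=False)

    def open(self, reader):
        if reader != self.addressee:
            raise PermissionError(f"{reader} cannot open mail addressed to {self.addressee}")
        return self.contents


class VisitedSite:
    """The 'postman': routes on the realm and forwards envelopes it cannot open."""

    def __init__(self, name, homes):
        self.name = name
        self.routes = {h.realm: h for h in homes}

    def authenticate(self, instructions, username, password):
        # Steps 1 and 2: the outer identity reveals only the realm, which is all routing needs.
        realm = username.rsplit("@", 1)[-1]
        home = self.routes.get(realm)
        if home is None:
            return f"refused: no route for realm {realm}"
        # Step 3: the home organisation's certificate is relayed back to the computer.
        cert = home.certificate
        # Step 4: the computer only continues if the certificate matches its instructions.
        if cert.issuer != instructions["trusted_ca"] or cert.subject != instructions["expected_server"]:
            return f"refused by computer: {cert.subject} is not {instructions['expected_server']}"
        envelope = SealedEnvelope(home.realm, (instructions["eap_method"], username, password))
        # Step 5: the visited site forwards the envelope; it cannot read the password itself.
        try:
            envelope.open(self.name)
            return "error: the visited site could read the credentials"
        except PermissionError:
            pass
        return home.verify(*envelope.open(home.realm))


# Constructed sample organisation and setup instructions (not real eduroam data).
WONDERLAND = HomeOrganisation("wonderland.ac.uk", Certificate("radius.wonderland.ac.uk", "Wonderland CA"),
                              "EAP-TTLS/PAP", {"alice@wonderland.ac.uk": "ReallySecretPassword"})
BRISTOL = VisitedSite("bristol.ac.uk", [WONDERLAND])

INSTRUCTIONS = {
    "wonderland": {"trusted_ca": "Wonderland CA", "expected_server": "radius.wonderland.ac.uk",
                   "eap_method": "EAP-TTLS/PAP"},
    "bristol": {"trusted_ca": "Bristol CA", "expected_server": "radius.bristol.ac.uk",
                "eap_method": "PEAP/MSCHAPv2"},
    # A guide that trusts the right certificate but uses Fairyland's method isolates the second reason.
    "wonderland_cert_fairyland_method": {"trusted_ca": "Wonderland CA",
                                         "expected_server": "radius.wonderland.ac.uk",
                                         "eap_method": "PEAP/MSCHAPv2"},
}


def run_scenarios():
    alice, pw = "alice@wonderland.ac.uk", "ReallySecretPassword"
    return {
        "right instructions": BRISTOL.authenticate(INSTRUCTIONS["wonderland"], alice, pw),
        "right instructions, typo in password": BRISTOL.authenticate(INSTRUCTIONS["wonderland"], alice, "wrong"),
        "Bristol instructions (reason 1)": BRISTOL.authenticate(INSTRUCTIONS["bristol"], alice, pw),
        "wrong EAP method (reason 2)": BRISTOL.authenticate(
            INSTRUCTIONS["wonderland_cert_fairyland_method"], alice, pw),
        "unknown realm": BRISTOL.authenticate(INSTRUCTIONS["wonderland"], "alice@nowhere.ac.uk", pw),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:40} -> {outcome}")
```

The order of the checks is the point: the certificate is checked by Alice’s computer before anything secret leaves it, so a mismatch stops the exchange at step 4, while an EAP method mismatch is only discovered by the home server after the sealed envelope arrives.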
Enough Alice examples, where can I find a technical explanation?
A starting point would be the Wikipedia article on the Extensible Authentication Protocol (EAP). Read the RFCs, e.g. RFC 5281 for EAP-TTLSv0, for a detailed explanation.