Author: Edward Wincott, Eduroam service manager
The new academic year has begun, and the return of students to campus means a huge increase in the usage of eduroam.
Connecting to eduroam can be frustrating and fraught with difficulty for some students, and staff too, and since eduroam is the primary Wi-Fi service at most universities and colleges, this can quickly disrupt their day, their studies, and their overall experience.
This need not be the case, however, and with careful preparation and user education, ‘just open your device and connect’ can become a reality.
In this blog, we dive into the most common problems users face connecting to eduroam and how best to tackle them, including:
- Provide clear and easily accessed guidance for users connecting to eduroam – this includes having your support staff well briefed for solving the most common issues.
- Get the device configuration right the first time around. A quick spoiler on this one… the geteduroam app is often the answer. We really can’t recommend this enough, particularly for solving BYOD device configuration.
- Monitor your RADIUS server logs as these can reveal undetected issues and help you to proactively deliver a great service to your users.
- Keep your RADIUS system in good working order. The eduroam support server portal is designed to help you do just that.
- Stay up to date – join the EDUROAM-UK Jiscmail list or a free eduroam live online clinic on the first Tuesday of every month.
We hope the information below will prove useful as you help students new and old get set up with easy, secure Wi-Fi connectivity. And remember, if you have any questions about the eduroam service or need some help, our service desk is on hand. You can e-mail via email@example.com or call on 0300 300 2212.
Educating students and support staff
Although eduroam is long established in the higher and further education community in the UK, it will, in most cases, be completely new to first-year students. Anecdotally we are aware of students, some of several years’ standing, who are not aware that they can use eduroam on multiple devices and at institutions other than their own. Education, education, education is, as the slogan goes, key to a successful experience with eduroam.
I guess the main message is – your username is ‘firstname.lastname@example.org’ (always with the realm component) and ‘use the geteduroam App’ to set up your Android, iOS and Windows devices, and for macOS and Linux devices, ‘use the CAT website’ – or your institution’s alternative onboarding system if it uses one. There’s more about geteduroam and CAT below.
The key elements of eduroam: what it is, how to configure devices and where to find eduroam services can best be conveyed to students through institutions – since it is the universities and colleges which deliver eduroam who have a direct relationship with their students.
There are a number of ways you can achieve this:
- Through e-mailed joining instructions for new students
- Via your eduroam Service Information web page (which is a requirement of the Technical Specification); a guide on content can be found here.
- Posters and messaging around campus and through any social media channels you run
The eduroam Companion App provides a powerful tool to enable users to discover where eduroam is available when roaming away from campus.
Supporting students’ diverse IT needs is a mammoth undertaking, and the challenges presented in helping students connect to eduroam in a constantly evolving device operating system environment are not underestimated. Your IT service desk staff can also be brought up to speed on issues like device configuration and incorrect realms and ways to quickly help students. Our diagnostics help cards, which can be found here, may be of help.
Many users whose experience has been limited to home broadband networks with security based on pre-shared keys (Wi-Fi password) or coffee shop type captive portals understandably face challenges when faced with a WPA2-Enterprise network such as eduroam. Not only are usernames in the form of a userID together with a realm – which must always be used together – but device setup involves selection of the EAP authentication method to use, the option of an ‘anonymous’ outer identity and validation of the authentication server (RADIUS server) certificate.
Certainly, if setting up their devices themselves, users can try to guess the options or use trial and error; less than best security practice may be adopted, such as unticking validate server certificate or clicking to trust the first certificate presented. But there is considerable scope for error even if following written instructions – and user frustration is often the result.
The setup of managed devices owned and issued by the university or college to staff and students is of course controlled by yourselves. For example, by using Group Policy Objects or Intune, Wi-Fi profiles can be created and pushed out to your managed devices. There are also alternative tools which can be used, including SecureW2, Ruckus Clearpath ES, built-in provisioning tools within Wi-Fi management platforms, as well as home brew solutions.
But students’ own BYOD devices would rarely be managed by the above methods, and rather than leave students to face the challenge of configuring their own devices, it has long been recommended to use the eduroam Configuration Assistant Tool (CAT). The days of users hacking with device configuration (and invariably unticking the validate server certificate box) are drawing to a close as operating systems increasingly move towards mandating validation of your RADIUS server’s certificate – which of course needs your server’s CA root certificate to be added into the device trust store. iOS and Android 13 users can ‘trust on first use’ which is not ideal, leaving most folks with the tricky job of importing CA root/inter certificates.
CAT (with geteduroam) to the rescue! This free-of-charge combo solves the problem of BYOD device configuration. There’s information about CAT on this web page and we’ve also published an information page about geteduroam. Essentially the system creates Wi-Fi profiles for all of today’s operating systems. Users can download and install these, thereby ensuring that their devices are fully and correctly configured for use with eduroam. To prime the CAT system you, as system administrator, configure CAT with the essential details of realm name, EAP method, RADIUS server certificate name and issuing CA certificates.
Users of older Android devices (pre-Android 8) should install the classic CAT App and use that. But from Android 8 onwards, the geteduroam App is the one-stop solution for Android, iOS and Windows. It is easy to use, you simply install from the geteduroam website, select your organisation using the discovery tool, and enter your username and password when prompted. geteduroam has the advantage over the classic CAT App in that it adds username checking functionality on all platforms. And, for Windows users, unlike the installer from the CAT website, admin rights are not needed.
geteduroam doesn’t support macOS and Linux, so users still need to visit the CAT website and simply click to download the installer and select their organisation from the organisation list. The correct installer for their operating system will be presented and users can then simply download and run that installer.
I cannot recommend geteduroam more highly – last year the University of Sussex tried the geteduroam app for the first time and found that their support calls dropped significantly, so we strongly recommend all universities and colleges using CAT do promote it to their users.
What if your organisation doesn’t use the CAT tool yet? You can request an administrator account to be created by contacting the eduroam(UK) support team through the eduroam Support Portal or by e-mail to the Jisc Service Desk at email@example.com.
Commonly encountered problems:
Solving the username without realm problem – one of CAT’s features is that it enables you to steer your users to use a username that must contain a realm component and you can even set this to be exactly your organisation’s realm.
CAT installers and geteduroam cannot remove profiles that have previously been manually set up, so to avoid any potential issues it is good practice on devices when in range of the eduroam SSID for the user to remove such previously installed profiles. In the device’s setup menu, under connections or network settings, a previously set up eduroam profile should be ‘forgotten’ before a fresh installation is carried out using CAT/geteduroam.
Mistyped usernames – it is easy to mistype a username! Common errors include not entering the full username complete with correct realm name. We see many instances of users entering @gmail.com or @live.com. And it is so easy to include spaces or other characters inadvertently.
Other things to consider:
What about connecting devices that do not support 802.1X? Students may also wish to bring their own games consoles and other devices. eduroam cannot be used with non-802.1X devices so you would need to consider putting in place a non-eduroam network, particularly in student halls of residence.
Device setup provisioning service – whilst theoretically students could get their devices set up for eduroam before coming to campus e.g. using their home broadband or other service, it is more likely that most will arrive with no connectivity or only cellular connectivity on some of their devices. We mentioned device setup provisioning tools within Wi-Fi management platforms above, but alternatively you could consider creating your own device setup Wi-Fi SSID – the idea being for an open access Wi-Fi network to provide very restricted internet access or only intranet access to provide users with access to device setup resources, such as the geteduroam and CAT Apps and the CAT website.
From your device setup network you could direct users to the CAT website, but equally the profiles that CAT generates (mobileconfig and EAP config files) could be useful within your own provisioning service. You may decide to download the CAT-generated EAP config and mobileconfig files and make these available on the provisioning network.
An open Wi-Fi based device setup provisioning service may be a good option for a number of reasons: there are many Wi-Fi only devices that cannot connect to mobile data services; although mobile data charges are much lower than they used to be, students are still reluctant to use their own data allowance to access the CAT or download geteduroam; your campus may not be in a good mobile data coverage area.
Several years ago we created a guide to building a ‘walled garden’ network service for device setup using commonly available software. You may find this webpage of interest. It is of course not the only solution, and several commercial network management platforms contain device provision systems.
Monitoring logs for issues
Let RADIUS logs be your friend! Whether you look through your own RADIUS server logs or visit the eduroam Support server Troubleshoot page and look in the Grey Logs panel – you can select Radius errors or Radius authlog – the logs can reveal undetected issues and help you to proactively deliver a great service to your users. Of course the Support server logs only reveal issues related to your users roaming to other institutions. For a view of on-campus activity you will need to look into your own RADIUS logs.
A couple of tips:
You can use your own RADIUS authentication logs to discover the identities of students who are omitting the realm name from their username. This can be used proactively to advise them that they must include the realm component otherwise eduroam won’t work for them off campus.
A handy way to find students who are trying to guess their username by using realms like ‘live.’ or ‘student.’ is to look in the eduroam Support server’s Radius authlog, where authentication events which FAIL can quickly be scanned for any attempted use of unregistered realms. Again you may wish to proactively contact the users, if you can identify them from the userID, to advise them of the correct realm component to use.
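Both tips can be automated against your own RADIUS authentication log. The script below is an added example, not part of the original post or of any eduroam(UK) tooling. The log line format, the home realm example.ac.uk, the consumer domain list and the sample lines are all assumptions constructed for illustration, so adapt the pattern to what your server actually writes.

```python
import re
from collections import defaultdict

HOME_REALMS = {"example.ac.uk"}                        # assumption: your registered realm(s)
CONSUMER_DOMAINS = {"gmail.com", "live.com", "outlook.com", "hotmail.com"}

# Assumed format: "... Login OK|incorrect ...: [<username>] (from client ...)"
LINE_RE = re.compile(r"Login (?:OK|incorrect)[^\[]*\[(.*?)\]")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
Mon Sep 18 09:12:01 2023 : Auth: (12) Login OK: [jbloggs] (from client ap-lib-1 port 0)
Mon Sep 18 09:12:07 2023 : Auth: (13) Login incorrect (mschap): [jbloggs@gmail.com] (from client ap-lib-1 port 0)
Mon Sep 18 09:13:40 2023 : Auth: (14) Login incorrect: [asmith@student.example.ac.uk] (from client ap-hall-3 port 0)
Mon Sep 18 09:14:02 2023 : Auth: (15) Login OK: [asmith@example.ac.uk] (from client ap-hall-3 port 0)
Mon Sep 18 09:15:19 2023 : Auth: (16) Login incorrect: [kpatel @example.ac.uk] (from client ap-lab-2 port 0)
Mon Sep 18 09:16:55 2023 : Auth: (17) Login OK: [visitor@elsewhere.example] (from client ap-lab-2 port 0)
Mon Sep 18 09:20:31 2023 : Auth: (18) Login OK: [jbloggs] (from client ap-lib-1 port 0)
"""

def classify(username):
    """Return the problem class for a logged username, or None if it looks fine."""
    if re.search(r"\s", username):
        return "whitespace"                 # stray space typed into the username
    _local, sep, realm = username.rpartition("@")
    if not sep:
        return "no_realm"                   # may work on campus, fails when roaming
    realm = realm.lower()
    if realm in HOME_REALMS:
        return None
    # Guessed realms: consumer mail domains, or unregistered sub-realms of
    # the home realm such as student.<realm> or live.<realm>.
    if realm in CONSUMER_DOMAINS or any(realm.endswith("." + h) for h in HOME_REALMS):
        return "guessed_realm"
    return None                             # other realms are treated as genuine visitors

def report(log_text):
    """Group distinct problem usernames by class across all auth log lines."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match and (problem := classify(match.group(1))):
            found[problem].add(match.group(1))
    return {problem: sorted(users) for problem, users in found.items()}

if __name__ == "__main__":
    for problem, users in report(SAMPLE_LOG).items():
        print(f"{problem}: {users}")
```

Successful logins are included on purpose, because a realm-less username that works on campus is exactly the case that breaks when the user roams. Where devices send an anonymous outer identity, the logged name may not identify the individual user.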
Healthcheck your eduroam deployment
None of the above hints will be entirely successful if your RADIUS system is not in good working order, so we would recommend that you conduct a health check of your system. There are some checklists to help you confirm your system’s compliance with the Technical Specification on this web page.
However, the most effective way to check your service is to visit the eduroam Support server portal. The ‘Status overview’ page gives you an at-a-glance view of the overall performance of your service as seen from the National RADIUS Server Proxies and any errors that Support server has detected. The eduroam(UK) systems cannot see inside your network, but by looking at the ‘Roaming user requests’ chart, you can gauge the experience of users when roaming to other sites and this will mirror the level of performance your users will be experiencing on your own campus.
The Roaming user requests chart allows you to make an immediate assessment of the health of your user device setup, authentication system and RADIUS peering. Conditions that should be investigated include a large fraction of requests having ‘bad_username’ and ‘proxied’ (but rejected by your ORPS). Whilst you will always have some ‘proxied’ errors, if you see more than 50% errors then you should investigate (it is possible to achieve <20% error rate).
The ‘Visiting requests by response’ chart gives you an immediate view of whether or not your service for visitors is working! And an indication of authentication performance for them.
The Status overview page and charts are useful, but extremely important checks can be carried out from the Troubleshoot page. In the blue Tests panel you can check the RADIUS peering of your system. For each of your ORPS in turn and for each of the three NRPS in turn, run the Roaming authentication test. Most member organisations support the PEAP/MSCHAPv2 method, so having selected the source NRPS and the target ORPS, simply click on the [PEAP/MSCHAPv2] button. An ‘OK’ response is good. A ‘No reply’ response requires urgent investigation since this indicates that the performance of your service is degraded.
Whilst on the Troubleshoot page it is worthwhile carrying out a check on the certificate installed on your ORPSs – simply select each ORPS in turn and click on the [Certificate Check] button. Clicking on the response and scrolling to the bottom of the pop out box will provide further information.
And don’t forget the basics – has your RADIUS server got sufficient disk space for your RADIUS logs? It’s easy for the log files to grow in size unnoticed, eventually leading to a server crash – we’ve been guilty of this ourselves!
Join the EDUROAM-UK Jiscmail list
To chat with other institutions who use eduroam, learn about online support clinics, and see service updates the EDUROAM-UK Jiscmail list is a great resource. Signing up is free!
Attend a live online clinic
The eduroam(UK) support team run a free eduroam live online clinic on the first Tuesday of every month. It is open to all and a useful forum to discuss issues or get instant support on any technical or other matter.
For administrators new to eduroam this can be a good forum in which to pick up useful hints and tips.
Contact the Jisc Service Desk
If you have any questions about the eduroam service or need some help, our service desk is on hand. You can e-mail via firstname.lastname@example.org or call on 0300 300 2212.