JANET Roaming Service: Information for end users

JANET roaming is a system whereby users visiting participating sites can authenticate to the network using the credentials of their home institution. BioSS operates JRS as a "Home Site", that is registered BioSS users can authenticate to wireless networks offering the "eduroam" SSID.

JANET roaming and eduroam are available at a variety of locations worldwide. In the UK, review the map of participating organisations to see where eduroam is available. Click on the "radio mast" icons to see the status of the service

Using JANET Roaming at HQ

Fortunately the University of Edinburgh provides wireless coverage including eduroam over the BioSS corridor. The strongest signal can be found at the end of the corridor nearest the coffee-shop area and in the coffee-shop itself.

We are negotiating the installation of access points on the BioSS corridor with the University.

Conditions of use

All BioSS users who use the JANET roaming service must comply with the conditions of use. These are as follows:

Be a member of staff, a student or a BioSS associate
Comply with the BBSRC Code of practice covering use of computer facilities and communications systems and the relevant BioSS local amendments. These are the computing documents you signed when joining BioSS.
Comply with the JANET roaming policy
Read the JANET roaming end-user documentation

Initial setup

Before you can use JANET roaming, you will need to upgrade your user account to include the relevant attributes for JANET roaming usage. To do this:

Log in to the portal
Select "Upgrade your Account" from the list of links. A web form will appear
Enter your username and password.
If the process reports anything other than "Success", contact the helpdesk for assistance

Client Setup: Microsoft Windows

For those users with self-managed Windows laptops an automated setup tool based on Cardiff University's SU1X deployment tool has been prepared.

Download the tool. and unpack it on your laptop.
Open the folder su1x-bioss and double-click su1x-bioss/su1x-setup.exe. The following window will appear:
You now need to enter your account details. In the boxed marked 1 in red, enter (yourusername)@bioss.ac.uk. In the screenshot you will see I've used test@bioss.ac.uk as an example. Please note:
- The @bioss.ac.uk part is important. If not present the remote site will not know where to send authentication requests
- bioss.sari.ac.uk will not work
In the box marked 2, enter your current BioSS logon password.
Finally, click button 3, "Start Setup"
After a minute or so the progress meter should fill up and the program report that setup is complete
The hint window should also appear:
Follow the hints to ensure you're connected. If you see the second bubble type, when you click on it you should get the following screen:
Enter your credentials as shown. Don't put anything in the "Logon Domain" box

Some troubleshooting hints are given below:

The above instructions are only tested on Windows XP Service Pack 3. Other Windows operating systems may behave slightly differently. Please let IT know how you get on
Make sure the site you are visiting actually offers the eduroam service by checking the map of participating organisations and ensuring they are listed as a "Visited" organisation
You may need to change the authentication method to WPA or even WEP depending on what the visited institution supports. See the "Wireless Settings" attribute on the map info bubbles for details.
The IT support at the institution you are visiting may be able to help with troubleshooting issues like that in point 3, but your first line of support is still the BioSS helpdesk.

Deleting eduroam

You can also use the SU1X tool to delete the eduroam configuration from your machine. You might want to do this when handing back a shared machine, or if you find eduroam interferes with other wireless networks you have configured on your system. To do this, run the su1x-setup.exe tool again and click button 4 "Remove Eduroam"

Doing this will disconnect you from eduroam if you are currently connected.

Security concerns

Unfortunately, windows likes to be "helpful" and will cache your credentials in the registry. This is not very good security-wise so we have provided a script to remove these credentials. It is especially important that you use this on "pool" laptops or non-BioSS machines which you have been loaned. To run the script:

Disconnect from Eduroam
Open up the su1x-bioss folder
Double click the credentials-cleanup.bat file
A DOS prompt window will appear and then disappear quickly
The credentials are now gone. You can test this by trying to reconnect to Eduroam, in which case you will be prompted by windows to enter your credentials again

Client Setup: Other Devices

The BioSS implementation of JANET Roaming Home support should enable most devices to connect. The configuration options required are given below.

Option name	Value	Notes
BioSS CA certificate file	PEM and DER (Windows) format	Most devices will use the PEM certificate. This cert is necessary to verify your device is actually talking to BioSS and not an impostor
Wireless SSID	eduroam	Ensure you connect to this network if you are trying to use Eduroam. Institutions may offer several networks with differing policies and Windows will connect to them at random
Wireless security method	WPA2 or WPA with any cipher	This is the responsibility of the institution you are visiting. WPA2 is the strongest so use that if available.
Authentication method	EAP/TTLS-PAP, PEAPv0/MSCHAPV2.	You will need the PEAPv0/MSCHAPV2 if using the built-in windows supplicant.
Authentication server	radius.bioss.ac.uk	This is the server to which authentication requests will be sent. Having the client know this is useful for detecting "impostor" servers.
Validate server	Yes	If possible, you should set this option. This will ensure that your supplicant only talks to the RADIUS server configured by BioSS and not an impostor.
Outer identity	anonymous@bioss.ac.uk	If prompted, enter this. This stops the wireless network operator from seeing our usernames. Such information is mildly advantageous to an attacker so it is good practice to hide it if you can.
Inner identity	(yourusername)@bioss.ac.uk	This is what you will actually try to authenticate. Windows's default supplicant does not allow you to set outer and inner identity values explicitly. If you are prompted for identity only once, this is the value you should enter

In due course instructions will be provided for other devices and Linux machines but in the meantime configuring any device other than a Windows XP Service Pack 3 laptop is left as an exercise for the reader. Most common devices will have good online instructions though: for example see these excellent instructions for iPhones and iPod Touch devices from OUCS.

Remote Working

Once you are connected, you may wish to look at the thunderbird setup instructions for remote users

Unless explicitly stated otherwise, all material is copyright © Biomathematics and Statistics Scotland. Biomathematics and Statistics Scotland (BioSS) is formally part of The James Hutton Institute (JHI), a registered Scottish charity No. SC041796 and a company limited by guarantee No. SC374831, Registered Office: JHI, Invergowrie, Dundee, DD2 5DA, Scotland