Eduroam(UK) Service: Information for end users

eduroam logo Eduroam(UK) (Formerly known as JANET roaming) is a system whereby users visiting participating sites can authenticate to the network using the credentials of their home institution. BioSS operates Eduroam(UK) as a "Home Site", that is registered BioSS users can authenticate to wireless networks offering the "eduroam" SSID.

Eduroam(UK) is available at a variety of locations worldwide. In the UK, review the map of participating organisations to see where eduroam is available. Click on the "radio mast" icons to see the status of the service

Using Eduroam(UK) at HQ

Fortunately the University of Edinburgh provides wireless coverage including eduroam over the BioSS corridor and in the coffee shop at the end of the corridor

Conditions of use

All BioSS users who use Eduroam(UK) must comply with the conditions of use. These are as follows:

  1. Be a member of staff, a student or a BioSS associate
  2. Comply with the BBSRC Code of practice covering use of computer facilities and communications systems and the relevant BioSS local amendments. These are the computing documents you signed when joining BioSS.
  3. Comply with the Eduroam(UK) conditions of use
  4. Read the Eduroam(UK) end-user documentation

Client Setup: Eduroam CAT

The Eduroam CAT service provides installers for most major operating systems and devices. All you need to enter is your Eduroam ID (in the form USERNAME@bioss.ac.uk) and your normal password. This is now the preferred method for install on mobile devices as the Eduroam CAT tool is available in the app store for both Android, Apple and Windows Mobile devices.

Users on desktop machines can download the relevant installers here

Client Setup: Microsoft Windows 7

BioSS-managed PCs should already have the Eduroam tool installed. Simply search for "Eduroam" in your windows start menu.

Otherwise you can Download the Windows 7 config tool and follow the instructions below.

For those users with self-managed Windows laptops an automated setup tool based on Cardiff University's SU1X deployment tool has been prepared.

  1. Open the folder su1x-bioss and double-click su1x-bioss/su1x-setup.exe. The following window will appear:
    SU1X Initial window
  2. You now need to enter your account details. In the boxed marked 1 in red, enter (yourusername)@bioss.ac.uk. In the screenshot you will see I've used test@bioss.ac.uk as an example. Please note:
    • The @bioss.ac.uk part is important. If not present the remote site will not know where to send authentication requests
    • bioss.sari.ac.uk will not work
  3. In the box marked 2, enter your current BioSS logon password.
  4. Finally, click button 3, "Start Setup"
  5. After a minute or so the progress meter should fill up and the program report that setup is complete
    SU1X Setup complete
  6. The hint window should also appear:
    SU1X hint screen
  7. Follow the hints to ensure you're connected. If you see the second bubble type, when you click on it you should get the following screen:
    Windows Wireless Credentials Entry
   Dialog
  8. Enter your credentials as shown. Don't put anything in the "Logon Domain" box

Some troubleshooting hints are given below:

Deleting eduroam

You can also use the SU1X tool to delete the eduroam configuration from your machine. You might want to do this when handing back a shared machine, or if you find eduroam interferes with other wireless networks you have configured on your system. To do this, run the su1x-setup.exe tool again and click button 4 "Remove Eduroam"

Doing this will disconnect you from eduroam if you are currently connected.

Security concerns

Unfortunately, windows likes to be "helpful" and will cache your credentials in the registry. This is not very good security-wise so we have provided a script to remove these credentials. It is especially important that you use this on "pool" laptops or non-BioSS machines which you have been loaned. To run the script:

  1. Disconnect from Eduroam
  2. Open up the su1x-bioss folder
  3. Double click the credentials-cleanup.bat file
  4. A DOS prompt window will appear and then disappear quickly
  5. The credentials are now gone. You can test this by trying to reconnect to Eduroam, in which case you will be prompted by windows to enter your credentials again

Client Setup: Other Devices

The BioSS implementation of Eduroam(UK) Home support should enable most devices to connect. The configuration options required are given below. Alternatively, you may use the Eduroam CAT configuration utilities; simply search for "BioSS" to download an installer for your platform.

Option name Value Notes
BioSS CA certificate file Various devices need certificates in particular formats:
PEM (Most common)
If your device is not specifically listed below, try this certificate format first
CRT (Android)
Click the link and follow the prompts to install the certificate in your device. Then, when setting up Eduroam make sure you select this certificate as the "CA certificate"
DER (Windows)
Most devices will use the PEM certificate. This cert is necessary to verify your device is actually talking to BioSS and not an impostor
Wireless SSID eduroam Ensure you connect to this network if you are trying to use Eduroam. Institutions may offer several networks with differing policies and Windows will connect to them at random
Wireless security method WPA2 or WPA with any cipher This is the responsibility of the institution you are visiting. WPA2 is the strongest so use that if available.
Authentication method EAP/TTLS-PAP, PEAPv0/MSCHAPV2. You will need the PEAPv0/MSCHAPV2 if using the built-in windows supplicant.
Authentication server radius.bioss.ac.uk This is the server to which authentication requests will be sent. Having the client know this is useful for detecting "impostor" servers.
Validate server Yes If possible, you should set this option. This will ensure that your supplicant only talks to the RADIUS server configured by BioSS and not an impostor.
Outer identity anonymous@bioss.ac.uk If prompted, enter this. This stops the wireless network operator from seeing our usernames. Such information is mildly advantageous to an attacker so it is good practice to hide it if you can.
Inner identity (yourusername)@bioss.ac.uk This is what you will actually try to authenticate. Windows's default supplicant does not allow you to set outer and inner identity values explicitly. If you are prompted for identity only once, this is the value you should enter

In due course instructions will be provided for other devices and Linux machines but in the meantime configuring any device other than a Windows XP Service Pack 3 or Windows 7 laptop is left as an exercise for the reader. Most common devices will have good online instructions though: for example see these excellent instructions for iPhones and iPod Touch devices from OUCS.

Remote Working

Once you are connected, you may wish to look at the thunderbird setup instructions for remote users

JunOS Pulse VPN

You may also install the client to access licence servers and the like. This is installed by default on BioSS-provided laptops but you can put it on non-BioSS machines too. Clients exist for the following:

Windows

There are two installers you can use:

In addition, you may also download the Pulse Secure Installer service. This allows non-administrative users to receive updates to the VPN. Most users will not require this.

MacOS X
MaxOS JunOS installer DMG

Unless explicitly stated otherwise, all material is copyright © Biomathematics and Statistics Scotland. Biomathematics and Statistics Scotland (BioSS) is formally part of the James Hutton Institute, a registered Scottish charity No. SC041796 and a company limited by guarantee No. SC374831, Registered Office: JHI, Invergowrie, Dundee, DD2 5DA, Scotland