Eduroam(UK) (formerly known as JANET roaming) is a system whereby users visiting participating sites can authenticate to the network using the credentials of their home institution. BioSS operates Eduroam(UK) as a "Home Site"; that is, registered BioSS users can authenticate to wireless networks offering the "eduroam" SSID.
Eduroam(UK) is available at a variety of locations worldwide. In the UK, review the map of participating organisations to see where eduroam is available. Click on the "radio mast" icons to see the status of the service.
Fortunately, the University of Edinburgh provides wireless coverage, including eduroam, over the BioSS corridor and in the coffee shop at the end of the corridor.
All BioSS users who use Eduroam(UK) must comply with the conditions of use. These are as follows:
The Eduroam CAT service provides installers for most major operating systems and devices. All you need to enter is your Eduroam ID (in the form USERNAME@bioss.ac.uk) and your normal password. This is now the preferred method for installation on mobile devices, as the Eduroam CAT tool is available in the app store for Android, Apple and Windows Mobile devices.
Users on desktop machines can download the relevant installers here.
BioSS-managed PCs should already have the Eduroam tool installed. Simply search for "Eduroam" in your Windows Start menu.
Otherwise you can download the Windows 7 config tool and follow the instructions below.
For those users with self-managed Windows laptops an automated setup tool based on Cardiff University's SU1X deployment tool has been prepared.
Some troubleshooting hints are given below:
You can also use the SU1X tool to delete the eduroam configuration from your machine. You might want to do this when handing back a shared machine, or if you find eduroam interferes with other wireless networks you have configured on your system. To do this, run the su1x-setup.exe tool again and click button 4, "Remove Eduroam".
Doing this will disconnect you from eduroam if you are currently connected.
Unfortunately, Windows likes to be "helpful" and will cache your credentials in the registry. This is not very good security-wise, so we have provided a script to remove these credentials. It is especially important that you use this on "pool" laptops or non-BioSS machines which you have been loaned. To run the script:
The BioSS implementation of Eduroam(UK) Home support should enable most devices to connect. The configuration options required are given below. Alternatively, you may use the Eduroam CAT configuration utilities; simply search for "BioSS" to download an installer for your platform.
|BioSS CA certificate file||Various devices need certificates in particular formats:||Most devices will use the PEM certificate. This cert is necessary to verify your device is actually talking to BioSS and not an impostor|
|Wireless SSID||eduroam||Ensure you connect to this network if you are trying to use Eduroam. Institutions may offer several networks with differing policies and Windows will connect to them at random|
|Wireless security method||WPA2 or WPA with any cipher||This is the responsibility of the institution you are visiting. WPA2 is the strongest so use that if available.|
|Authentication method||EAP/TTLS-PAP, PEAPv0/MSCHAPV2||You will need PEAPv0/MSCHAPV2 if using the built-in Windows supplicant.|
|Authentication server||radius.bioss.ac.uk||This is the server to which authentication requests will be sent. Having the client know this is useful for detecting "impostor" servers.|
|Validate server||Yes||If possible, you should set this option. This will ensure that your supplicant only talks to the RADIUS server configured by BioSS and not an impostor.|
|Outer identity||firstname.lastname@example.org||If prompted, enter this. This stops the wireless network operator from seeing our usernames. Such information is mildly advantageous to an attacker so it is good practice to hide it if you can.|
|Inner identity||(yourusername)@bioss.ac.uk||This is what you will actually try to authenticate. Windows's default supplicant does not allow you to set outer and inner identity values explicitly. If you are prompted for identity only once, this is the value you should enter|
In due course instructions will be provided for other devices and Linux machines but in the meantime configuring any device other than a Windows XP Service Pack 3 or Windows 7 laptop is left as an exercise for the reader. Most common devices will have good online instructions though: for example see these excellent instructions for iPhones and iPod Touch devices from OUCS.
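For a Linux machine using wpa_supplicant, the settings in the table above map onto a `network` block; the following Python check is an added example (not BioSS's own tooling) that audits such a block against the table's values. The username, outer identity and CA file path in the sample profile are constructed, and the check assumes the server name is pinned with `domain_match` or `domain_suffix_match`.

```python
import re

# Expected values come from the settings table on this page.
SERVER, REALM = "radius.bioss.ac.uk", "@bioss.ac.uk"
METHODS = {("TTLS", "PAP"), ("PEAP", "MSCHAPV2")}

def parse_network(text):
    """Return key -> value for the first network={...} block, quotes stripped."""
    block = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not block:
        raise ValueError("no network block found")
    pairs = (ln.strip().split("=", 1) for ln in block.group(1).splitlines()
             if "=" in ln and not ln.strip().startswith("#"))
    return {k.strip(): v.strip().strip('"') for k, v in pairs}

def audit(text):
    """List departures from the table; an empty list means the profile matches."""
    s, findings = parse_network(text), []
    if s.get("ssid") != "eduroam":
        findings.append("ssid is not eduroam")
    phase2 = s.get("phase2", "").upper().replace("AUTH=", "")
    if (s.get("eap", "").upper(), phase2) not in METHODS:
        findings.append("authentication method is not one the table lists")
    if not s.get("ca_cert"):
        findings.append("no CA certificate, so the server is not validated")
    if SERVER not in (s.get("domain_match"), s.get("domain_suffix_match")):
        findings.append("server name is not pinned to " + SERVER)
    inner, outer = s.get("identity", ""), s.get("anonymous_identity", "")
    if not inner.endswith(REALM):
        findings.append("inner identity lacks the realm " + REALM)
    if not outer or outer == inner:
        findings.append("outer identity reveals the real username")
    return findings

# Constructed profiles: the username, outer identity and CA path are made up.
# WEAK is the same profile with the CA file and the outer identity removed.
HARDENED = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="jbloggs@bioss.ac.uk"
    anonymous_identity="anonymous@bioss.ac.uk"
    ca_cert="/etc/ssl/certs/bioss-ca.pem"
    domain_suffix_match="radius.bioss.ac.uk"
    password="not-a-real-password"
}"""
WEAK = "\n".join(ln for ln in HARDENED.splitlines()
                 if "ca_cert" not in ln and "anonymous_identity" not in ln)
if __name__ == "__main__":
    print(audit(HARDENED), audit(WEAK))
```

A profile without `anonymous_identity` is flagged because wpa_supplicant then sends the inner identity as the outer one, which is what the "Outer identity" row is meant to prevent.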
Once you are connected, you may wish to look at the Thunderbird setup instructions for remote users.
You may also install the client to access licence servers and the like. This is installed by default on BioSS-provided laptops but you can put it on non-BioSS machines too. Clients exist for the following:
There are two installers you can use:
In addition, you may also download the Pulse Secure Installer service. This allows non-administrative users to receive updates to the VPN. Most users will not require this.