eduroam - Technical FAQ

How do I access the management interface?
How do I create a password and how do I reset it?
How do I monitor the service?
Where can I find more technical information and useful links about eduroam?
How do I implement the service in a few clicks with the eduroam CAT?
Do you want more information on the eduroam CAT?
How does the RADIUS hierarchy protocol work?
What is RadSec?
RADIUS Hierarchy Protocol or RadSec Protocol?
I try to connect with my login and password but it is asking me for a CA certificate, what should I do?

How do I access the management interface?

You can log in on https://register.eduroam.be/ with your Belnet personal login. You can find the user manual of the interface here in English.

How do I create a password and how do I reset it?

When you have signed your contract, Belnet will create and send out your username and password. You can reset your password on https://changepassword.belnet.be/.

How do I monitor the service?

The status of the top-level and national RADIUS servers can be found here. Details of requests can be found here.

How do I implement the service in a few clicks with the eduroam CAT?

CAT (Configuration Assistant Tool) is built as a cooperation platform and is available within the Belnet R&E Federation. Members of the Federation who want to implement eduroam can use CAT to simplify the implementation process. The platform is also available for users of the member organisations and is helpful when they are installing the connection profile of their organisation.

eduroam CAT is compatible with all major operating systems, smartphones and tablets.

Mail: servicedesk@belnet.be
Telephone: 02/790.33.00

Do you want more information on the eduroam CAT?

Visit the eduroam CAT official website.

How does the RADIUS hierarchy protocol work?

  • National level:

The eduroam service makes use of the RADIUS protocol to enable the easy exchange of data. Organisation A receives a user from organisation B and this user logs into organisation A's wireless network.

At this point, organisation A's RADIUS server will send the user's details (username and password) on to organisation B's RADIUS server for verification. This takes place via Belnet's RADIUS server, which receives a request from organisation A's RADIUS servers. The Belnet server then immediately sends a request to organisation B's RADIUS server.

Thanks to the creation of a Transport Layer Security tunnel between the user and their organisation, organisation B's server can identify its own user in a secure manner. Following verification, organisation A's RADIUS server receives a message that the user is known within organisation B. The user therefore gains access to organisation A's wireless network.


  • International level:

If organisation B is an international organisation, the same principle is followed. However, Belnet's RADIUS server now also sends a request to the European RADIUS server, which in turn sends a request to organisation B's national interchange. Organisation B's national RADIUS server then sends a request to the RADIUS server for the organisation itself. A reverse tunnel is created between the user and their institution, at which point organisation B's RADIUS server sends the necessary information to organisation A.

The user's home organisation therefore remains responsible for maintaining and verifying the username and password, even if the user is located at a guest organisation. This data is not shared with other affiliated institutions.
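The hop sequence described above, as an added example that is not part of the original FAQ. The realm names, the visited organisation `org-a.be` and the generic-TLD realm table are constructed placeholders; only the realm of the outer identity is used for routing, since the credentials travel inside the TLS tunnel to the home organisation.

```python
import re

VISITED_REALM = "org-a.be"               # hypothetical organisation A (where the user roams)
NATIONAL_TLD = "be"                      # country code served by the national proxy
GENERIC_TLDS = {"net", "org", "edu", "eu"}   # non-national TLDs named in this FAQ
GENERIC_REALMS = {"institute.org": "nl"}     # constructed realm table: realm -> country

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
REALM_RE = re.compile(rf"^(?:{LABEL}\.)+[a-z]{{2,}}$")

def realm_of(outer_identity):
    """Extract and validate the realm of user@realm; reject anything unroutable."""
    user, sep, realm = outer_identity.rpartition("@")
    realm = realm.lower()
    if not sep or not user or not REALM_RE.match(realm):
        raise ValueError(f"no routable realm in {outer_identity!r}")
    return realm

def proxy_path(outer_identity):
    """Return the RADIUS servers a request crosses, visited side first."""
    realm = realm_of(outer_identity)
    path = [f"visited:{VISITED_REALM}"]
    if realm == VISITED_REALM:           # own user: authenticated locally, no proxying
        return path
    path.append(f"national:{NATIONAL_TLD}")
    tld = realm.rsplit(".", 1)[1]
    # Generic TLDs carry no country, so they need an explicit realm table entry.
    country = GENERIC_REALMS.get(realm) if tld in GENERIC_TLDS else tld
    if country is None:
        raise LookupError(f"no realm table entry for {realm!r}")
    if country != NATIONAL_TLD:          # international: via the European server
        path += ["european-top-level", f"national:{country}"]
    path.append(f"home:{realm}")
    return path

if __name__ == "__main__":
    for ident in ("anonymous@org-b.be", "anonymous@uni-c.nl", "anonymous@institute.org"):
        print(ident, "->", " -> ".join(proxy_path(ident)))
```

Each extra entry in the returned path is one more proxy whose processing time and timeouts add up, which is the cumulative cost the RadSec comparison later in this FAQ refers to.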

What is RadSec?

RadSec stands for Secure RADIUS protocol. It implements the RADIUS protocol on top of a TLS transport layer, as defined in the IETF draft “draft-ietf-radext-radSec-12”. You can only use RadSec if your organisation is a member of the Belnet R&E Federation. Only research and education organisations can become a member of the R&E Federation. You also need to subscribe to the Belnet personal certificate service.

Trust as a basis

RadSec as a hierarchical model provides a good trust relationship between the participants. With RadSec you need to exchange certificates between RADIUS servers. The certificates must conform to a certificate policy. The use of this policy and the related certificates ensures the trust relationship between all participants. Currently Belnet uses the eduPKI public key infrastructure to obtain the certificates for the top-level .be RADIUS servers.

RADIUS Hierarchy Protocol or RadSec Protocol?

The current implementation of eduroam (RADIUS hierarchy protocol) is working very well. However, due to the growing number of users and organisations around the world, certain issues related to the timing and reliability of communication have started to appear. The goal of RadSec is to resolve these issues and add some useful features and more flexibility.

RADIUS hierarchy protocol

  • Usage of UDP
  • RADIUS server hierarchy
    A connection through the RADIUS server hierarchy implies cumulative communication flows and process times between each level of the hierarchy.
  • Realm management
    Non-national top-level domains, such as .net, .org, .edu, .eu, demand realm management.

RadSec protocol

  • Usage of TCP
    The use of this protocol is more reliable between RADIUS servers. Timeout and reliability issues are diminished.
  • MTU
    RadSec has better MTU (maximum transmission unit) discovery and fragmentation management.
  • Trust relationship
    Each RADIUS server must authenticate itself with special server certificates which allow the discovery of the home institution through a DNS query.
  • DNS discovery use
    Using DNS discovery helps to avoid a point-to-point connection. This way of working removes cumulative communication flows and process times.
  • Realm management
    With DNS discovery, you can configure your own DNS with domains other than the national top-level one. This is just a matter of adding SRV and NAPTR records.
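How a RadSec server could turn the NAPTR and SRV records mentioned above into a next hop, as an added example that is not Belnet's code. All realms, hostnames and records are constructed; the NAPTR service tag `x-eduroam:radius.tls` and TCP port 2083 are the values commonly used for eduroam discovery and RadSec, and the fallback proxy name is hypothetical.

```python
EDUROAM_TAG = "x-eduroam:radius.tls"                # NAPTR service tag for eduroam discovery
FALLBACK = ("radsec.national.example", 2083)        # hypothetical national proxy

# Constructed NAPTR records: realm -> (order, preference, flags, service, replacement)
NAPTR = {
    "org-b.example": [
        (50, 10, "s", "sip+d2u", "_sip._udp.org-b.example"),   # other service: ignored
        (100, 10, "s", EDUROAM_TAG, "_radsec._tcp.eduroam.org-b.example"),
    ],
    "closed.example": [(100, 10, "s", EDUROAM_TAG, "_radsec._tcp.closed.example")],
}
# Constructed SRV records: name -> (priority, weight, port, target)
SRV = {
    "_radsec._tcp.eduroam.org-b.example": [
        (10, 0, 2083, "radsec2.org-b.example."),
        (0, 0, 2083, "radsec1.org-b.example."),
    ],
    "_radsec._tcp.closed.example": [(0, 0, 0, ".")],  # target "." = service not offered
}

def discover(realm):
    """Return [(host, port)] for a realm, best candidate first; [] if none."""
    realm = realm.lower().rstrip(".")
    naptrs = sorted(r for r in NAPTR.get(realm, [])
                    if r[2].lower() == "s" and r[3].lower() == EDUROAM_TAG)
    servers = []
    for _order, _pref, _flags, _service, srv_name in naptrs:
        # Lowest SRV priority first; weight is simplified to a fixed ordering here.
        for _prio, _weight, port, target in sorted(SRV.get(srv_name, []),
                                                    key=lambda s: (s[0], -s[1])):
            if target != ".":
                servers.append((target.rstrip("."), port))
    return servers

def next_hop(outer_identity):
    """Direct RadSec peer if the realm publishes one, else the national proxy."""
    found = discover(outer_identity.rpartition("@")[2])
    # The discovered peer must still present a certificate that conforms to the
    # certificate policy before any request is sent to it.
    return found[0] if found else FALLBACK

if __name__ == "__main__":
    for ident in ("anonymous@org-b.example", "anonymous@closed.example"):
        print(ident, "->", next_hop(ident))
```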

I try to connect with my login and password but it is asking me for a CA certificate, what should I do?

You must check that the certificate matches your institution's certificate and that the correct CA has been used. Please contact your institution's ICT department to find out how to proceed.

 

 

Copyright © 2021 Belnet.