eduroam - Technical FAQ

Interface

How do I access the management interface?
How do I create a password and how do I reset it?
How do I monitor the service?
I try to connect with my login and password but it is asking me for a CA certificate, what should I do?

Implementation (eduroam CAT, RadSec, RADIUS Hierarchy)

How to deploy eduroam on-site or on campus?
How do I implement the service in a few clicks with the eduroam CAT?
Do you want more information about the eduroam CAT?
How does the RADIUS server configuration work?
How to configure my RADIUS servers?
Client configuration: what is Open1X?
How does the RADIUS hierarchy protocol work?
What is RadSec?
Radius Hierarchy Protocol or RadSec Protocol?

More documentation (eduroam and Multi-Factor Authentication)

Where can I find more technical information and useful links about eduroam?
What is the Belnet Multi-Factor Authentication (MFA)?
Why is the Belnet Multi-Factor Authentication important?
How to use the Belnet Multi-Factor Authentication for the first time?
How to use the Belnet Multi-Factor Authentication after enrolment?
What to do in case of loss of mobile?
What if my Belnet Personal Login is linked to several organisations?

How do I access the management interface?

You can log in on https://register.eduroam.be/ with your Belnet personal login. You can find the user manual of the interface here in English.

How do I create a password and how do I reset it?

When you have signed your contract, Belnet will create and send out your username and password. You can reset your password on https://changepassword.belnet.be/.

How do I monitor the service?

The status of the top-level and national RADIUS servers can be found here. Details of requests can be found here.

How to deploy eduroam on-site or on campus?

Find all the steps on the GÉANT eduroam wiki.

How do I implement the service in a few clicks with the eduroam CAT?

CAT (Configuration Assistant Tool) is built as a cooperation platform and is available within the Belnet R&E Federation. Members of the Federation who want to implement eduroam can use CAT to simplify the implementation process. The platform is also available for users of the member organisations and is helpful when they are installing the connection profile of their organisation.

eduroam CAT is compatible with all major operating systems, smartphones and tablets.

Mail: servicedesk@belnet.be
Telephone: 02/790.33.00

Do you want more information about the eduroam CAT?

Visit the eduroam CAT official website.

How does the RADIUS server configuration work?

When configuring your RADIUS server, you need to choose the EAP authentication mechanism that you will use. You can use PEAP (Protected EAP) or EAP-TTLS. Both mechanisms have advantages and disadvantages but can be used in the govroam context.

The advantage of PEAP is that you do not need to install third-party software on a Windows-based system. The disadvantage is that you are limited in the choice of "inner" authentication method (the authentication of the user itself) you can use.

EAP-TTLS has the advantage that you have more choice of "inner" authentication method. The disadvantage is that Windows-based clients need third-party software such as SecureW2. However, SecureW2 does provide a mechanism to deploy the software with preconfigured settings. See the SecureW2 support website.

How to configure my RADIUS servers?

See the GÉANT eduroam wiki.

Client configuration: what is Open1X?

Open1X is an open-source implementation of IEEE 802.1X. We advise you to use Open1X to manage the 802.1X protocol on the client. The software is available here (for devices running Windows, Mac OS X or Linux).

Important!

Before configuring the 802.1X protocol, make sure that your wireless adapter supports WPA. All recent cards support it, but some old adapters do not.

How does the RADIUS hierarchy protocol work?

  • National level:

The eduroam service makes use of the RADIUS protocol to enable the easy exchange of data. Organisation A receives a user from organisation B and this user logs into organisation A's wireless network.

At this point, organisation A's RADIUS server will send the user's details (username and password) on to organisation B's RADIUS server for verification. This takes place via Belnet's RADIUS server, which receives a request from organisation A's RADIUS servers. The Belnet server then immediately sends a request to organisation B's RADIUS server.

Thanks to the creation of a Transport Layer Security tunnel between the user and their organisation, organisation B's server can identify its own user in a secure manner. Following verification, organisation A's RADIUS server receives a message that the user is known within organisation B. The user therefore gains access to organisation A's wireless network.

[Figure: schema govroam]

  • International level:

If organisation B is an international organisation, the same principle is followed. However, Belnet's RADIUS server now also sends a request to the European RADIUS server, which in turn sends a request to organisation B's national interchange. Organisation B's national RADIUS server then sends a request to the RADIUS server for the organisation itself. A reverse tunnel is created between the user and their institution, at which point organisation B's RADIUS server sends the necessary information to organisation A.

The user's home organisation therefore remains responsible for maintaining and verifying the username and password, even if the user is located at a guest organisation. This data is not shared with other affiliated institutions.

[Figure: hierarchie radius eduroam]
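The routing described in the two levels above can be made concrete with a small simulation. The example below is added here and is not Belnet's or GÉANT's code: every server name, realm and password is constructed. Each hop looks only at the realm part of the identity (the part after "@") and either verifies the user (home organisation) or forwards to the most specific route it knows, falling back to its upstream server. The home organisation is the only place where the password is checked. The example goes slightly beyond the text by also showing what happens for a realm nobody knows: the request is rejected at the first server that would have to loop back to one it already visited.

```python
"""Simulation of realm-based routing through the eduroam RADIUS hierarchy
(visited institution -> national server -> European top level -> home
institution). Added example, not Belnet's or GÉANT's code; server names,
realms and credentials are constructed for the demonstration."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Decision:
    accepted: bool
    path: List[str]  # servers the request passed through, in order


@dataclass
class RadiusServer:
    name: str
    local_realms: Set[str] = field(default_factory=set)
    users: Dict[str, str] = field(default_factory=dict)  # only at the home org
    routes: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm suffix -> next hop
    upstream: Optional["RadiusServer"] = None  # where unknown realms are sent

    def handle(self, nai: str, password: str, path: List[str]) -> Decision:
        if self.name in path:
            # Loop guard (real proxies use Proxy-State for this): a realm that
            # bounces back to a server it already visited is rejected.
            return Decision(False, path)
        path.append(self.name)
        realm = nai.rpartition("@")[2].lower()
        if realm in self.local_realms:
            # Home organisation: the only place the credentials are verified.
            expected = self.users.get(nai.lower())
            ok = expected is not None and hmac.compare_digest(expected, password)
            return Decision(ok, path)
        # Proxy: pick the most specific route, e.g. "uni-b.be" before "be".
        labels = realm.split(".")
        for i in range(len(labels)):
            next_hop = self.routes.get(".".join(labels[i:]))
            if next_hop is not None:
                return next_hop.handle(nai, password, path)
        if self.upstream is not None:
            return self.upstream.handle(nai, password, path)
        return Decision(False, path)  # no route anywhere: Access-Reject


def build_hierarchy() -> Dict[str, RadiusServer]:
    """Constructed topology: two .be institutions, one .nl institution,
    the national servers (flr.be, flr.nl) and the European top level (etlr)."""
    uni_a = RadiusServer("uni-a.be", {"uni-a.be"}, {"alice@uni-a.be": "pw-a"})
    uni_b = RadiusServer("uni-b.be", {"uni-b.be"}, {"bob@uni-b.be": "pw-b"})
    uni_c = RadiusServer("uni-c.nl", {"uni-c.nl"}, {"carol@uni-c.nl": "pw-c"})
    flr_be = RadiusServer("flr.be", routes={"uni-a.be": uni_a, "uni-b.be": uni_b})
    flr_nl = RadiusServer("flr.nl", routes={"uni-c.nl": uni_c})
    etlr = RadiusServer("etlr", routes={"be": flr_be, "nl": flr_nl})
    flr_be.upstream = etlr
    flr_nl.upstream = etlr
    uni_a.upstream = flr_be
    uni_b.upstream = flr_be
    uni_c.upstream = flr_nl
    return {s.name: s for s in (uni_a, uni_b, uni_c, flr_be, flr_nl, etlr)}


def authenticate(visited: str, nai: str, password: str) -> Decision:
    """Entry point: the visited organisation's RADIUS server receives the request."""
    return build_hierarchy()[visited].handle(nai, password, [])


if __name__ == "__main__":
    for nai, pw in [("bob@uni-b.be", "pw-b"), ("carol@uni-c.nl", "pw-c"),
                    ("bob@uni-b.be", "wrong"), ("nobody@nowhere.be", "x")]:
        d = authenticate("uni-a.be", nai, pw)
        print(f"{nai:20} accepted={str(d.accepted):5} via {' -> '.join(d.path)}")
```

The `path` list is what to look at: a national roaming user takes three hops, an international one five, and the intermediate servers never hold a user database, which is the point of the last paragraph above.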

What is RadSec?

RadSec stands for Secure RADIUS. It is a protocol that carries RADIUS over a TLS transport layer, as defined in the IETF draft “draft-ietf-radext-radSec-12”. You can only use RadSec if your organisation is a member of the Belnet R&E Federation. Only research and education organisations can become a member of the R&E Federation. You also need to subscribe to the Belnet personal certificate service.

Trust as a basis

RadSec, as a hierarchical model, provides a good trust relationship between each participant. With RadSec you need to exchange certificates between RADIUS servers. The certificates must conform to a certificate policy; the use of this policy and the related certificates is what ensures the trust relationship between all participants. Currently Belnet uses the eduPKI public key infrastructure to obtain the certificates for the top-level .be RADIUS servers.

Radius Hierarchy Protocol or RadSec Protocol?

The current implementation of eduroam (RADIUS hierarchy protocol) is working very well. However, due to the growing number of users and organisations around the world, certain issues related to the timing and reliability of communication have started to appear. The goal of RadSec is to resolve these issues and add some useful features and more flexibility.

RADIUS hierarchy protocol

  • Usage of UDP
    UDP gives no delivery guarantee, so the timeout and reliability issues mentioned above appear as the number of users and organisations grows.
  • RADIUS server hierarchy
    A connection through the RADIUS server hierarchy implies cumulative communication flows and processing times between each level of the hierarchy.
  • Realm management
    Non-national top-level domains, such as .net, .org, .edu and .eu, demand realm management.

RadSec protocol

  • Usage of TCP
    The use of this protocol is more reliable between RADIUS servers. Timeout and reliability issues are diminished.
  • MTU
    RadSec has better MTU (maximum transmission unit) discovery and fragmentation management.
  • Trust relationship
    Each RADIUS server must authenticate itself with special server certificates, which allow the discovery of the home institution through a DNS query.
  • DNS discovery
    Using DNS discovery avoids relaying the request hop by hop through the hierarchy. This way of working removes the cumulative communication flows and processing times.
  • Realm management
    With DNS discovery, you can configure your own DNS with domains other than the national top-level one. This is just a matter of adding SRV and NAPTR records.
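The "DNS discovery" and "Realm management" points above can be illustrated with the lookup a RadSec server performs before connecting. The example below is added here and is not Belnet's code. It assumes the lookup order of RFC 7585 (first a NAPTR record for the realm with service tag `aaa+auth:radius.tls.tcp`, then an SRV record under `_radiustls._tcp`, then the host and port) and the RADIUS/TLS default port 2083 from RFC 6614; the DNS records themselves are a constructed in-memory zone, not real eduroam data. It also shows the realm-management point: a realm under .org or .eu is resolved the same way as a .be one, without any national server involved, and a realm that publishes nothing falls back to the static hierarchy.

```python
"""Dynamic discovery of a realm's RadSec server through NAPTR and SRV
records. Added example, not Belnet's code. Lookup order follows RFC 7585;
the records below are a constructed zone used in place of real DNS."""
from typing import Dict, List, Optional, Tuple

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"  # NAPTR service tag, RFC 7585
SRV_LABEL = "_radiustls._tcp"               # SRV owner-name prefix, RFC 7585
RADSEC_PORT = 2083                          # RADIUS/TLS default port, RFC 6614

# Constructed zone, realm -> NAPTR records (order, preference, flags, service, replacement)
NAPTR: Dict[str, List[Tuple[int, int, str, str, str]]] = {
    "uni-b.be": [(10, 10, "S", RADSEC_SERVICE, "_radiustls._tcp.uni-b.be."),
                 (20, 10, "S", "aaa+auth:radius.dtls.udp", "_radiusdtls._udp.uni-b.be.")],
    "research.org": [(10, 10, "S", RADSEC_SERVICE, "_radiustls._tcp.research.org.")],
}
# Constructed zone, owner name -> SRV records (priority, weight, port, target)
SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_radiustls._tcp.uni-b.be.": [(10, 50, RADSEC_PORT, "radsec1.uni-b.be."),
                                  (20, 50, RADSEC_PORT, "radsec2.uni-b.be.")],
    "_radiustls._tcp.research.org.": [(5, 100, RADSEC_PORT, "tls.research.org.")],
    # A realm that publishes only SRV, no NAPTR: still discoverable.
    "_radiustls._tcp.srv-only.eu.": [(1, 1, RADSEC_PORT, "aaa.srv-only.eu.")],
}


def discover(realm: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the realm's RadSec server, or None when the
    realm publishes nothing and the request must use the static hierarchy."""
    realm = realm.lower().rstrip(".")
    # 1. NAPTR: keep only records that offer RADIUS/TLS and point to an SRV name.
    candidates = [r for r in NAPTR.get(realm, [])
                  if r[2].upper() == "S" and r[3] == RADSEC_SERVICE]
    if candidates:
        srv_name = min(candidates)[4]  # lowest order, then lowest preference
    else:
        # 2. No usable NAPTR: try the well-known SRV name directly.
        srv_name = f"{SRV_LABEL}.{realm}."
    records = SRV.get(srv_name)
    if not records:
        return None
    # 3. Lowest priority wins (RFC 2782 weighted choice among equals is skipped here).
    _, _, port, target = min(records)
    return target.rstrip("."), port


def route(nai: str) -> str:
    """Decide, from the identity's realm, where the visited server sends the request."""
    realm = nai.rpartition("@")[2]
    hit = discover(realm)
    if hit is None:
        return f"{realm}: no DNS discovery data, forward to the national RADIUS server"
    host, port = hit
    return f"{realm}: connect directly to {host}:{port} over TLS"


if __name__ == "__main__":
    for nai in ("bob@uni-b.be", "dan@research.org", "eve@srv-only.eu", "x@nowhere.be"):
        print(route(nai))
```

Note that the server certificate presented on the TLS connection must still be checked against the federation's certificate policy (the "Trust relationship" point); DNS only tells a server where to connect, not whom to trust.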

I try to connect with my login and password but it is asking me for a CA certificate, what should I do?

You must check that the certificate matches your institution's certificate and that the correct CA has been used. Please contact your institution's ICT department to find out how to proceed.

What is the Belnet Multi-Factor Authentication (MFA)?

Multi-Factor Authentication is an electronic authentication method where a user is only granted access to an application or website after successfully providing two or more authentication factors, significantly reducing your organisation's risk of falling victim to cybercrime.

Why is the Belnet Multi-Factor Authentication important?

The main benefit of MFA is that it improves the security of your organisation by requiring your users to identify themselves with more than just a username and password. By enforcing the use of an MFA factor such as a TOTP (time-based one-time password) generated by an authenticator app on your users' smartphones, you ensure better protection of user information and sensitive company data.

How to use the Belnet Multi-Factor Authentication for the first time?

Link your username to an authenticator app that supports TOTP, such as Google Authenticator, Microsoft Authenticator or SaasPass:

  1. Install the authenticator of your choice on your mobile device.
  2. Log in to the Belnet application for which you need the Belnet Personal Login, for instance the Belnet Portal.
  3. Initially, you can choose between two authentication methods: with or without MFA. This is only temporary, to allow you to get acquainted with the new method. In the future, only the option with MFA will be available. Select the version with MFA for your institution.
    [Screenshot: MFA choice screen]
  4. Select the organisation with MFA and log in as you did before. After password verification, you will get a new screen:
    [Screenshot: enrol to TOTP]
  5. Since you have not linked an authenticator yet, select “Enroll to TOTP”.
  6. Authenticate once more with LDAP to create your TOTP seed code.
    [Screenshot: select your organisation]
  7. A new screen will show a QR code and a TOTP seed:

    [Screenshot: QR code]
  8. This QR code is unique and is shown only once. As a backup, you may save this QR code (by taking a screenshot or a picture). This is useful if you decide not to link your authenticator app right now.
  9. Open the authenticator app that was installed on your mobile device. Select to add an additional authentication (this depends on the chosen authenticator app, please consult the description of the app) and select the option to scan a QR code to add a new authentication.
  10. You are now ready to use the authenticator to log in with MFA with your Belnet Personal Login. The authenticator app generates codes of 6 to 8 digits that are only valid for a limited amount of time.
  11. Note that it is not possible to use <Back> in your browser to return to the login screen. Just proceed with step 1 under “How to use the Belnet Multi-Factor Authentication after enrolment?”.

How to use the Belnet Multi-Factor Authentication after enrolment?

  1. Log in to the Belnet application for which you need your Belnet Personal Login.
  2. Initially, you can choose between two authentication methods: with or without MFA. This is only temporary, to allow you to get acquainted with the new method. In the future, only the option with MFA will be available. Select the version with MFA for your institution.
  3. After password verification, you will get a new screen asking you to provide a Token Code:
    [Screenshot: enrol to TOTP]
  4. Open the authenticator app, read the Token Code (6 to 8 digits) and enter it on the Belnet website. You are then logged in.
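What the enrolment steps (QR code and seed) and the login steps (6- to 8-digit Token Code) rest on is the TOTP algorithm of RFC 6238. The example below is added here and is not Belnet's code: it shows the seed that the QR code carries, the otpauth URI format that authenticator apps scan, the code the app computes, and the check the server side performs, including the two things a verifier has to get right, namely a small tolerance window for clock drift and a constant-time comparison. The issuer and account names are placeholders; the seed used in `__main__` is the test secret from RFC 6238 (also used in the assertions), not a real one.

```python
"""TOTP (RFC 6238) generation and verification, as used by the authenticator
apps in the enrolment and login procedures above. Added example, not Belnet's
code; issuer/account names are placeholders and the seed is constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30  # seconds per time step, the usual authenticator default

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890"), not a real seed.
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()


def new_seed(nbytes: int = 20) -> str:
    """Fresh random seed, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def otpauth_uri(seed_b32: str, account: str, issuer: str, digits: int = 6) -> str:
    """Content of the enrolment QR code (the otpauth Key URI format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={seed_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={STEP}")


def _key(seed_b32: str) -> bytes:
    """Decode the base32 seed, restoring any padding the app stripped."""
    return base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, digits: int = 6) -> str:
    """Code the app shows for the time step containing `at` (default: now)."""
    t = int(time.time()) if at is None else at
    return hotp(_key(seed_b32), t // STEP, digits)


def verify(seed_b32: str, submitted: str, at: Optional[int] = None,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either
    side to absorb clock drift, compares in constant time, and enforces the
    length so a 6-digit code is never accepted for an 8-digit enrolment."""
    submitted = submitted.strip()
    if not submitted.isdigit() or len(submitted) != digits:
        return False
    t = int(time.time()) if at is None else at
    key = _key(seed_b32)
    step = t // STEP
    ok = False
    for delta in range(-window, window + 1):  # no early exit: constant work
        ok |= hmac.compare_digest(hotp(key, step + delta, digits), submitted)
    return ok


if __name__ == "__main__":
    seed = new_seed()
    print("QR code content:", otpauth_uri(seed, "user@example.org", "ExamplePortal"))
    code = totp(seed)
    print("current code:", code, "verifies:", verify(seed, code))
```

A real deployment would also remember the last accepted time step per user so that a code, even within the window, cannot be replayed; that bookkeeping is left out here to keep the algorithm visible.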

What to do in case of loss of mobile?

If your mobile device has been lost or no longer works, proceed as follows:

  1. Log in to the Belnet application for which you need your Belnet Personal Login.
  2. Initially, you can choose between two authentication methods: with or without MFA. This is only temporary, to allow you to get acquainted with the new method. In the future, only the option with MFA will be available. Select the version with MFA for your institution.
  3. Log in as you did before. After password verification, you will get a new screen asking you to provide a Token Code:
    [Screenshot: enrol to TOTP]
  4. Select “Reset TOTP”. An e-mail will be sent to your e-mail address and you will see the following message on the website:
    [Screenshot: a reset token message]
  5. Open your mailbox. You will have received the following message:
    [Screenshot: mail for request of reset of a TOTP]
  6. Click the URL provided; you will be taken to a website that asks for your username:
    [Screenshot: username login]
  7. After providing your username, you will get the following prompt:
    [Screenshot: message TOTP]
  8. Follow the procedure “How to use the Belnet Multi-Factor Authentication for the first time?” above to re-enrol yourself.

What if my Belnet Personal Login is linked to several organisations?

You’ll then need to set up MFA for each organisation separately in order to obtain a different token per organisation.

Access to the eduroam interface

More technical information about the management interface? Read our manual.

Copyright © 2021 Belnet.