govroam - Technical FAQ

How does govroam work?
Is govroam secure?
Can we limit bandwidth to visitors?
Can visitors access our intranet?
How can I access the management interface?
How do I create a password and how do I reset it?
Need more technical information and useful links about govroam?

Configuration

How does the RADIUS server configuration work?
How to configure my RADIUS servers?
Client configuration: what is Open1X?

Belnet Multi-Factor Authentication (MFA)

What is the Belnet Multi-Factor Authentication (MFA)?
Why the Belnet Multi-Factor Authentication is important?
How to activate Belnet Multi-Factor Authentication?
How to login with Belnet MFA?
How do I switch off Belnet Multi-Factor Authentication again?
What if my Belnet Personal Login is linked to several organisations?

 

 

 

How does govroam work?

The govroam service makes use of the RADIUS protocol which facilitates the sharing of data. Organization A is host to a user from organization B and this user logs onto the wireless network of organization A. At that moment, the RADIUS server of organization A will forward the user's data (user name and password) to the RADIUS server of organization B for verification.

This is done via the Belnet RADIUS server, which receives a request from the RADIUS server of Organization A. The Belnet server then immediately sends a request to the RADIUS server of organization B. Thanks to the creation of a Transport Layer Security tunnel between the user and their organization, the server of organization B can securely verify the form.

After verification, the RADIUS server of organization A receives a message that the user is known within Organization B. As result, the user gains access to the wireless network of organization A.

Is govroam secure?

The authentication is secure and uses an 802.1x protocol, once connected, you are connected to Internet, which by definition is open.

Can we limit bandwidth to visitors?

Yes, you can, although be sure to give them enough bandwidth to work comfortably.

Can visitors access our intranet?

Govroam was created to allow a secure authentication via Wi-Fi for Internet access. What you allow users to connect to is up to your configuration.

How can I access the management interface?

When the enrolment is completed you can fill in all your data on the govroam register interface.

You can log in at https://register.govroam.be/ with your Belnet personal login. You can find the user manual of the interface here in English, French and Dutch.

How do I create a password and how do I reset it?

When you have signed your contract, Belnet will create and send out your username and password. You can reset your password at https://changepassword.belnet.be/.

How does the RADIUS server configuration work?

we will provide you the RADIUS server configuration based on different RADIUS implementations. If you want to share your experience on an implementation not yet described in this section, contact us and we will certainly add it. Within our links section you can find further useful information.

When configuring your RADIUS server, you need to choose the EAP authentication mechanism that you will use.
You can use PEAP (Protected EAP) or EAP-TTLS. Both mechanisms have advantages and disadvantages but can be used in the govroam context.

The advantage of using PEAP is that you don't need to install third party software on a Windows based system. The disadvantage is that you are limited in the choice of "inner" authentication (or the user authentication itself) you can use.

Using EAP-TTLS has the advantage that you have more choice concerning the "inner" authentication method.

How to configure my RADIUS servers?

You can find here the GÉANT eduroam wiki. Event this documentation is related to eduroam same principles apply to govroam. You should normaly only change SSDI eduroam by SSID govroam where it is needed.

Client configuration: what is Open1X?

The Open1X is the IEEE 802.1X open source implementation software. We advise you to use Open1X as software in order to manage the 802.1X protocol. This software is available here. (for devices based on Windows, Mac OS X or, Linux).

Important!

Before configuring the 802.1X protocol be sure that your wireless adapter can support WPA. All recent cards should support it, but this is not the case for some old adapters.

Need more technical information and useful links about govroam?

• 'How To' Guide for 802.1X Port-Based Authentication
• More information about FreeRADIUS software. 
• More information about Open1X (Xsupplicant) software. 
• WPAsupplicant 
• IEEE 802.1X RADIUS Usage Guidelines
• RADIUS support for EAP

If you want to share your experience on an implementation not yet described in this section, contact us and we will certainly add it.

What is the Belnet Multi-Factor Authentication (MFA)?

Multi-Factor Authentication is an electronic authentication method where a user is only granted access to an application or website after successfully providing two or more authentication factors, significantly reducing your organisation's risk of falling victim to cybercrime.

Why the Belnet Multi-Factor Authentication is important?

The main benefit of MFA is that it improves the security of your organisation by requiring your users to identify themselves with more than just a username and password.
By enforcing the use of an MFA factor such as a TOTP that your users have received on their smartphones, you can ensure better protection of user information and sensitive company data.

How to activate Belnet Multi-Factor Authentication?

Connect your username to an “Authenticator” that supports TOTP like: Google Authenticator, Microsoft Authenticator or SaasPass.

1. Install the authenticator of your choice on your mobile device.
2. Open your web browser and go to one of the Belnet services, such as govroam, and click on the LOGIN button.
3. Select "Belnet Customers Personal Login with MFA" as identity provider on the webpage you've been redirected to.
4. Click on the button "Enroll to TOTP". 
   
5. Enter your Belnet credentials and click on Login.
   
    
6. Use your installed app to scan the generated QR code containing the TOTP code. This QR code is unique and is offered just once. As a backup, you may opt to save this QR code (taking a screenshot or a picture)
   
   
7. You may now surf back to the service, the login will have the TOTP enabled.

How to login with Belnet MFA?

1. Log in to the Belnet application for which you need your Belnet Personal Login.
2. Select "Belnet Customers Personal Login with MFA" as identity provider.
3. After password verification, you will get a new screen asking you to provide a Token Code:
   
4. Open the Authenticator app, read the Token Code ( 6 to 8 digits) and provide these as an answer on the website of Belnet. Click on login. 
5. Your are now logged in. 

How do I switch off Belnet Multi-Factor Authentication again?

1. Log in to the Belnet application for which you need your Belnet Personal Login.
2. Select "Belnet Customers Personal Login with MFA" as identity provider.
3. Click on “Reset TOTP”.
   
4. You’ll be asked to authenticate with LDAP to reset TOTP.
   
5. An e-mail will be sent to your mail address, you will see following message on the website:
   
6. Open your mailbox. You will have received following message:
   
7. Click on the URL provided, you will be guided to a website that asks you to provide your username, organisation and password:
   
8. After providing your credentials, you will get following prompt:
   
9. You can now log in again without MFA.

What if my Belnet Personal Login is linked to several organisations?

You’ll then need to set up MFA for each organisation separately in order to obtain a different token per organisation.