govroam - Technical FAQ

How does govroam work?
Is govroam secure?
Can we limit bandwidth to visitors?
Can visitors access our intranet?
How can I access the management interface?
How do I create a password and how do I reset it?
Need more technical information and useful links about govroam?

Configuration

How does the RADIUS server configuration work?
How to configure my RADIUS servers?
Client configuration: what is Open1X?

Belnet Multi-Factor Authentication (MFA)

What is the Belnet Multi-Factor Authentication (MFA)?
Why is the Belnet Multi-Factor Authentication important?
How to use the Belnet Multi-Factor Authentication for the first time?
How to use the Belnet Multi-Factor Authentication after enrolment?
What to do in case of loss of mobile?
What if my Belnet Personal Login is linked to several organisations?

 

 

 

How does govroam work?

The govroam service makes use of the RADIUS protocol, which facilitates the sharing of data. Suppose organization A hosts a user from organization B, and this user logs on to the wireless network of organization A. At that moment, the RADIUS server of organization A will forward the user's data (user name and password) to the RADIUS server of organization B for verification.

This is done via the Belnet RADIUS server, which receives a request from the RADIUS server of organization A. The Belnet server then immediately sends a request to the RADIUS server of organization B. Because a Transport Layer Security tunnel is created between the user and their own organization, the server of organization B can securely verify this data.

After verification, the RADIUS server of organization A receives a message that the user is known within organization B. As a result, the user gains access to the wireless network of organization A.
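The forwarding chain described above, sketched as an added example (not Belnet's configuration or code). It assumes routing on the realm part of a user@realm user name, as in the eduroam model; every realm and server name is constructed for illustration.

```python
import re

# All realm and server names below are constructed for illustration.
LOCAL_REALM = "org-a.example"
# Routing table held by the national proxy (the Belnet RADIUS server's role).
MEMBER_REALMS = {"org-a.example": "radius.org-a.example",
                 "org-b.example": "radius.org-b.example"}
REALM_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def split_realm(user_name):
    """Return the lower-cased realm of 'user@realm', or None if malformed."""
    local, sep, realm = user_name.rpartition("@")
    realm = realm.lower()
    if not sep or not local or not REALM_RE.match(realm):
        return None
    return realm

def visited_server(user_name):
    """Decision at organization A: answer locally, forward, or reject."""
    realm = split_realm(user_name)
    if realm is None:
        return "reject"          # never send malformed names upstream
    return "local" if realm == LOCAL_REALM else "forward"

def national_proxy(user_name):
    """Decision at the national proxy: home server name, or 'reject'."""
    realm = split_realm(user_name)
    return MEMBER_REALMS.get(realm, "reject") if realm else "reject"

def route(user_name):
    """Hops an Access-Request takes, ending at the server that verifies it."""
    hops = ["radius.org-a.example"]
    step = visited_server(user_name)
    if step == "reject":
        return hops + ["Access-Reject"]
    if step == "local":
        return hops
    hops.append("national-proxy")
    home = national_proxy(user_name)
    return hops + [home if home != "reject" else "Access-Reject"]

if __name__ == "__main__":
    for name in ("alice@org-b.example", "bob@org-a.example", "carol"):
        print(name, "->", route(name))
```

Only the realm is needed to pick the next hop; the credentials themselves are checked at the last server in the list.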

[Figure: govroam schema]

Is govroam secure?

The authentication is secure and uses the 802.1X protocol. Once connected, you are on the Internet, which by definition is open.

Can we limit bandwidth to visitors?

Yes, you can, although be sure to give them enough bandwidth to work comfortably.

Can visitors access our intranet?

Govroam was created to allow a secure authentication via Wi-Fi for Internet access. What you allow users to connect to is up to your configuration.

How can I access the management interface?

When the enrolment is completed you can fill in all your data on the govroam register interface.

You can log in at https://register.govroam.be/ with your Belnet personal login. You can find the user manual of the interface here in English, French and Dutch.

How do I create a password and how do I reset it?

When you have signed your contract, Belnet will create and send out your username and password. You can reset your password at https://changepassword.belnet.be/.

How does the RADIUS server configuration work?

We will provide you with the RADIUS server configuration for different RADIUS implementations. If you want to share your experience on an implementation not yet described in this section, contact us and we will certainly add it. Within our links section you can find further useful information.

When configuring your RADIUS server, you need to choose the EAP authentication mechanism that you will use.
You can use PEAP (Protected EAP) or EAP-TTLS. Both mechanisms have advantages and disadvantages but can be used in the govroam context.

The advantage of using PEAP is that you don't need to install third party software on a Windows based system. The disadvantage is that you are limited in the choice of "inner" authentication (or the user authentication itself) you can use.

Using EAP-TTLS has the advantage that you have more choice concerning the "inner" authentication method.

How to configure my RADIUS servers?

You can find the GÉANT eduroam wiki here. Even though this documentation is related to eduroam, the same principles apply to govroam. Normally you should only need to replace the SSID eduroam with the SSID govroam where needed.

Client configuration: what is Open1X?

Open1X is an open source implementation of IEEE 802.1X. We advise you to use Open1X as the software to manage the 802.1X protocol. This software is available here (for devices based on Windows, Mac OS X or Linux).

Important!

Before configuring the 802.1X protocol be sure that your wireless adapter can support WPA. All recent cards should support it, but this is not the case for some old adapters.

Need more technical information and useful links about govroam?

If you want to share your experience on an implementation not yet described in this section, contact us and we will certainly add it.

What is the Belnet Multi-Factor Authentication (MFA)?

Multi-Factor Authentication is an electronic authentication method where a user is only granted access to an application or website after successfully providing two or more authentication factors, significantly reducing your organisation's risk of falling victim to cybercrime.

Why is the Belnet Multi-Factor Authentication important?

The main benefit of MFA is that it improves the security of your organisation by requiring your users to identify themselves with more than just a username and password.
By enforcing the use of an MFA factor such as a TOTP that your users have received on their smartphones, you can ensure better protection of user information and sensitive company data.

How to use the Belnet Multi-Factor Authentication for the first time?

Connect your username to an “Authenticator” that supports TOTP, such as Google Authenticator, Microsoft Authenticator or SaasPass.

  1. Install the authenticator of your choice on your mobile device.
  2. Log in to the Belnet application for which you need the Belnet Personal Login, for instance the Belnet Portal.
  3. In the beginning, you will be able to choose between two authentication methods: with or without MFA. This is only temporary, to allow you to get acquainted with the new methodology. In the future, only one option (the one with MFA) will be available. Select the version with MFA for your institution.
    [Screenshot: Personal Login with MFA]
  4. Select the organisation with MFA and log in as you did before. After password verification, you will get a new screen:
    [Screenshot: enrol to TOTP]
  5. As you have not made the connection yet, select “Enroll to TOTP”.
  6. Authenticate once more with LDAP to create your TOTP seed code.
    [Screenshot: select your organisation]
  7. A new screen will show a QR code and a TOTP seed:
    [Screenshot: QR code]
  8. This QR code is unique and is offered just once. As a backup, you may opt to save this QR code (by taking a screenshot or a picture). This may be relevant in case you decide not to make the connection with your authenticator app right now.
  9. Open the authenticator app that was installed on your mobile device. Choose to add an additional authentication (how depends on the chosen authenticator app; please consult the description of the app) and select the option to scan a QR code to add a new authentication.
  10. You are now ready to use the authenticator to log in with MFA with your Belnet Personal Login. The authenticator app will generate codes of 6 to 8 digits that are only valid for a limited amount of time.
  11. Note that it is not possible to use <Back> in your browser to go back to the login screen. Just proceed with step 1 under “Use of MFA after enrolment”.

How to use the Belnet Multi-Factor Authentication after enrolment?

  1. Log in to the Belnet application for which you need your Belnet Personal Login.
  2. In the beginning, you will be able to choose between 2 authentication methods: with or without MFA. This is only temporary, to allow you to get acquainted with the new methodology. In future, only one option (the one with MFA) will be available. Select the version with MFA for your institution.
  3. After password verification, you will get a new screen asking you to provide a Token Code:
    [Screenshot: enrol to TOTP]
  4. Open the authenticator app, read the Token Code (6 to 8 digits) and enter it on the Belnet website. You are then logged in.

What to do in case of loss of mobile?

If your mobile device has been lost or no longer works, proceed as follows:

  1. Log in to the Belnet application for which you need your Belnet Personal Login.
  2. In the beginning, you will be able to choose between 2 authentication methods: with or without MFA. This is only temporary, to allow you to get acquainted with the new methodology. In future, only one option (the one with MFA) will be available. Select the version with MFA for your institution.
  3. Log in as you did before. After password verification, you will get a new screen asking you to provide a Token Code:
    [Screenshot: enrol to TOTP]
  4. Select “Reset TOTP”. An e-mail will be sent to your mail address, and you will see the following message on the website:
    [Screenshot: reset token message]
  5. Open your mailbox. You will have received the following message:
    [Screenshot: mail for request of reset of a TOTP]
    Click on the URL provided. You will be guided to a website that asks you to provide your username:
    [Screenshot: username login]
  6. After providing your username, you will get the following prompt:
    [Screenshot: TOTP message]
  7. Follow the procedure “First use of MFA” of this document to re-enrol yourself.

What if my Belnet Personal Login is linked to several organisations?

You’ll then need to set up MFA for each organisation separately in order to obtain a different token per organisation.

 

 

Access to the govroam interface

More technical information about the management interface? Read our manual


Copyright © 2021 Belnet.