
Setting up eduroam: generic instructions

The information given here may help configure eduroam on wireless devices, operating systems and client software not listed in the main eduroam documentation.  It also gives some technical information about how it's provided at the University of Cambridge.

Note that the user and server authentication details are also used for SSIDs provided on the University Wireless Service using WPA2 Enterprise with Lookup security.


Wireless settings

These are the details of the wireless network itself:

Network Name (SSID): eduroam
Security Type: WPA2 Enterprise
Data Encryption: AES

User authentication settings

These specify the method and details required to prove your identity to the network:

EAP Authentication Type or Outer Authentication Protocol: PEAP or PEAPv0
Authentication Method/Protocol or Inner Authentication Protocol: MS-CHAPv2
Username: Your CRSid followed by "@cam.ac.uk", e.g. xyz789@cam.ac.uk
Password: Your Network Access Token. Note that this is NOT your University (Raven) password.
Outer/Roaming/Anonymous Identity: See server authentication settings below

Alternative EAP methods

The recommended authentication protocols to use (EAP-PEAP with MS-CHAPv2) are given above; there are many other available combinations:

  • EAP-TTLS with CHAP, MS-CHAP and MS-CHAPv2 will work but are unsupported.
  • EAP-TTLS with PAP will work but is unsupported and strongly advised against: if used, the server must be authenticated (by certificate and name), else it can reveal your Network Access Token to third party sites.
  • EAP-LEAP is not supported and will not work.
  • EAP-FAST is not supported and will not work.

Combinations other than those listed above must not be used and are unlikely to work.

Server authentication settings

These are used so your device can confirm that it is securely talking to the University of Cambridge systems, before your username and password are handed over.  These settings can often be omitted, but if you omit them you may be giving your credentials to a third party system.

There are two ways this can be accomplished, each using server certificates signed by a different Root Certification Authority (CA): one a local (University) CA and the other using a well-known public CA.  Which method you use is a matter of preference but will be influenced by the operating system your device is running.  The following table summarises the differences:

Signing root Certificate Authority (CA)
  Local CA: University of Cambridge Wireless Service CA
  Public CA: well known public CA

Certificate installation
  Local CA: Requires installation of a special root CA certificate.
  Public CA: Usually, no need to install a special root CA.

Security risk
  Local CA: On some operating systems (e.g. Windows), installing a new root CA trusts it for all activities (including general web browsing): you could be open to security threats if the UIS root CA certificate were compromised.  Other platforms can restrict the use of a local root CA to just a particular function (e.g. Android and iOS will, by default, limit a certificate to being used for WiFi connections only).
  Public CA: You are trusting the public root CA.  You are open to the same type of threats, but a CA's business is based around securing their certificates, so the security tends to be greater.

Interval between reconfigurations
  Local CA: The root CA certificate has a long lifespan and devices should not require reconfiguring during their lifetime (>10 years).
  Public CA: The device may need reconfiguring every 1-3 years, as the certificate is updated.

Validation support
  Local CA: Some platforms can only validate against a non-public CA (e.g. Android).
  Public CA: Most platforms can validate against both local and public CAs.

Recommended for
  Local CA: Android, iOS, Linux, macOS
  Public CA: Windows, Windows Phone

The separate instructions provided for each platform by the UIS use the recommended certificate for that particular platform.  However, at the present time, Windows (desktop) will use the local CA — this will likely be changed at some point.

Certificate selection by outer identity

The University of Cambridge service allows you to select which certificate is desired by using the outer identity (also known as the roaming or anonymous identity):

Outer identity: Signing root Certificate Authority (CA) selected

_token@cam.ac.uk (note the leading underscore): Local (University of Cambridge Wireless Service) CA

_public@cam.ac.uk (note the leading underscore), @cam.ac.uk or username@cam.ac.uk: Public (well known) CA

The outer ID cannot be any other value; if the username portion is specified before the "@" symbol, it MUST match that used in the username field (e.g. CRSid@cam.ac.uk).

If your system does not have the ability to specify the outer identity, it will usually use the username itself, forcing you to use the public CA-signed certificate.  Also note that some operating systems (e.g. Windows) only require you to enter the portion before the "@" symbol in the outer identity field and will automatically append the "@cam.ac.uk" from the username field. 

Local (University of Cambridge) CA

To use this certificate, you must download and install the University of Cambridge Wireless Service Root CA on your device.  The certificate presented by the service will be signed by this root CA.

When installing the root certificate, you are strongly advised to verify its fingerprint against one of the values shown below.  Note that these are the fingerprints of the certificate and NOT those of the downloaded file.

Algorithm: Fingerprint
SHA-1: 02:61:03:C0:D8:36:C9:EF:01:87:F2:94:34:75:9E:C3:06:2E:28:DA
SHA-256: 8D:E6:D1:30:F1:32:B3:D7:05:84:56:58:22:7F:53:78:56:0B:70:E8:CB:0B:F0:E8:62:94:4C:14:BB:AE:E5:CF

If your operating system supports it, we strongly advise you to restrict the use of this certificate to connecting to wireless networks (and eduroam in particular, if possible), rather than using it as a general root CA.  This root CA is not intended to be used for any purpose other than authenticating wireless SSIDs on the University Wireless Service, or other services federated to it (e.g. other eduroam sites).

To use this certificate, you should configure the following authentication settings:

Outer/roaming/anonymous identity: _token@cam.ac.uk
Issuer / trusted certification authority: University of Cambridge Wireless Service Root CA
Server name / CN (Common Name): token.wireless.cam.ac.uk

The actual certificate used by the wireless service will change over time, but it will continue to be signed by the above certificate authority and use the same server name. 

Public (well known) CA

Some of the information below will change as the certificate is updated (usually to be signed by a new CA, or re-signed by the same CA with a later expiry date).  There will usually be a period of parallel running, allowing devices to be updated, before the hard switchover.

To use this certificate, you should configure the following authentication settings:

Outer/roaming/anonymous identity: _public@cam.ac.uk (recommended), @cam.ac.uk or username@cam.ac.uk
Issuer / trusted certification authority: QuoVadis Root CA 2 G3
Server name / CN (Common Name): token-public.wireless.cam.ac.uk

When a new certificate is introduced the changeover process will be as follows:

  1. The new certificate will be introduced, selected with a new outer identity, e.g. "_newpublic@cam.ac.uk".  The UIS will notify users of this and advise them to reconfigure their devices.  Users will not experience an outage in service as long as they complete reconfiguration before the expiry of the old certificate.
  2. Close to the expiry of the old certificate, the 'plain' outer identities of "@cam.ac.uk" and "username@cam.ac.uk" will be switched over to the new certificate.  Users making use of these identities will most likely receive a warning that the certificate has been changed, at this point.
  3. The old certificate, selected by the old outer identity, will continue to work until it expires.  After that point, users who have not reconfigured their devices will most likely fail to connect.  Any devices which are ignoring the expiry date may continue to work for a short while after this, until the old certificate is completely removed.

When connecting, you may be asked to verify that the certificate presented by the server is the correct one.  The details you may be asked to check are shown below:

Field: Expected value
Issuer / trusted certification authority: QuoVadis Global SSL ICA G3 (this is an intermediate CA between the root and the certificate)
Server name / CN (Common Name): See above
Serial number: 02:4B:F8:95:B4:DF:28:08:BA:E9:04:2D:3D:7D:06:E4:C8:90:19:A2
SHA-1 fingerprint: 39:1B:6C:29:61:2C:99:76:33:C5:C4:9F:49:83:34:87:95:D0:A7:EE
SHA-256 fingerprint: B2:BD:47:FC:AD:8D:D3:BB:F7:0A:78:8A:A1:B8:99:B2:4C:63:63:E2:DF:93:E5:54:86:95:36:E3:4E:A7:66:D7

You are strongly advised to check this information and reject the connection if different information is displayed; otherwise you may be handing over your credentials to a third party.  If this happens, please report it to the Service Desk, especially if you are on University or College premises.
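The fingerprint checks above (for the downloaded root CA certificate, and for a server certificate you have exported from your supplicant) hash the certificate's DER bytes, not the file as downloaded. The following script is an added example, not UIS code: it unwraps a PEM file to DER, prints the colon-separated fingerprints in the form used on this page, compares them with the expected values, and shows that a plain hash of the file would not match. The sample certificate bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Expected fingerprints of the University of Cambridge Wireless Service
# Root CA certificate, copied from the table on this page.
EXPECTED_ROOT_CA = {
    "sha1": "02:61:03:C0:D8:36:C9:EF:01:87:F2:94:34:75:9E:C3:06:2E:28:DA",
    "sha256": "8D:E6:D1:30:F1:32:B3:D7:05:84:56:58:22:7F:53:78:56:0B:70:E8:"
              "CB:0B:F0:E8:62:94:4C:14:BB:AE:E5:CF",
}

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def certificate_der(data: bytes) -> bytes:
    """DER bytes of the first certificate in `data` (PEM or DER input).
    PEM is base64 text around the DER, so hashing the file itself gives a
    different value from the certificate fingerprint."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data  # no PEM armour: assume the file is already DER

def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex fingerprint, as shown on this page."""
    digest = hashlib.new(algorithm, certificate_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _normalise(fp: str) -> str:
    # Accept lower case and missing colons, as some platforms display them.
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def matches_expected(data: bytes, expected: dict) -> bool:
    """True only if the fingerprint matches for every listed algorithm."""
    return all(_normalise(fingerprint(data, alg)) == _normalise(fp)
               for alg, fp in expected.items())

def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of the raw file, for comparison: NOT the certificate fingerprint."""
    return hashlib.new(algorithm, data).hexdigest().upper()

# Constructed sample (not a real certificate): arbitrary bytes wrapped in PEM
# armour so the PEM/DER distinction can be exercised offline.
SAMPLE_DER = bytes(range(0x30, 0x60))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(alg, fingerprint(SAMPLE_PEM, alg))
    print("matches UIS root CA:", matches_expected(SAMPLE_PEM, EXPECTED_ROOT_CA))
```

Run it on the real downloaded file (e.g. `open("root-ca.pem","rb").read()` in place of `SAMPLE_PEM`) and accept the certificate only when `matches_expected` returns True.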

Last modified: 9th April 2019