Connect to eduroam wifi with other devices

The information given here may help configure eduroam on wireless devices, operating systems and client software not listed in the main eduroam documentation.  It also gives some technical information about how it's provided at the University of Cambridge. It is intended for technical users such as Computer Science students.

The user and server authentication details are also used for SSIDs provided on the University Wireless Service using WPA2/WPA3 Enterprise with Lookup security.

What this information covers

• Wireless settings
• User authentication settings
• Server authentication settings

Wireless settings

These are the details of the wireless network itself:

• Network name (SSID): eduroam
• Security type: WPA2 Enterprise
• Data encryption: AES

User authentication settings

These specify the method and details required to prove your identity to the network.

EAP Authentication Type or Outer Authentication Protocol

PEAP or PEAPv0

Authentication Method/Protocol or Inner Authentication Protocol

MS-CHAPv2

Username

For new tokens: "CRSid+device@cam.ac.uk", for example, "abc123+laptop@cam.ac.uk".

For legacy tokens: "CRSid@cam.ac.uk", for example, "abc123@cam.ac.uk".

For institutional tokens: "inst-num@cam.ac.uk", for example, "botolphs-100@cam.ac.uk".

Password

The password for the same Network Access Token. Please note that this is not your University password.

Outer, Roaming or Anonymous Identity

See server authentication settings below.

Alternative EAP methods

The recommended authentication protocols to use (EAP-PEAP with MS-CHAPv2) are given above, there are many other available combinations:

• EAP-TTLS with MS-CHAPv2 will work but is unsupported.
• EAP-TTLS with PAP will work but is unsupported and strongly advised against: if used, the server must be authenticated by certificate and name) else it can reveal your Network Access Token to third-party sites.
• EAP-TTLS with CHAP and MS-CHAP will not work.
• EAP-LEAP will not work.
• EAP-FAST will not work.
• EAP-TLS is not supported and will not work, although we plan to offer this in future.

Combinations other than those listed above must not be used and are unlikely to work.

Server authentication settings

These are used so your device can confirm that it is securely talking to the University of Cambridge systems, before your username and password are handed over.  These settings can often be omitted but you may be giving your credentials to a third-party system. It may also result in frequent prompts to re-validate the certificate.

The University systems authenticate themselves using a certificate which is signed by a well-known public CA.

Certificate selection by outer identity

The EAP outer identity must be one of a number of known values:

• _token-public@cam.ac.uk (note the leading underscore) — recommended for manual configurations

• _public@cam.ac.uk (note the leading underscore)

• _publicYYYYMM@cam.ac.uk (note the leading underscore) — the YYYYMM portion will be the year and month the certificate was introduced (see below for the current date)

• @cam.ac.uk

• username@cam.ac.uk (not recommended as it will reveal your user identity to visited networks)

​​​​​​The outer identity cannot be any other value. If the username portion is specified before the "@" symbol, it must match that used in the inner ID field (the username).

If your system does not have the ability to specify the outer identity, it will usually use the username itself.  Some operating systems, for example Windows, only require you to enter the portion before the "@" symbol in the outer identity field and will automatically append the "@cam.ac.uk" from the username field. 

Certificate details

There are 2 ways to configure the use of the public certificate. Which method you use is selected by the outer identity and depends on whether you wish to manage the rollover to a new certificate automatically or manually.

The information below provides full details of the certificates and configuration but, it is recommended that you only configure the following settings:

• Outer identity: _token-public@cam.ac.uk
• Issuer / trusted certification authority: USERTrust RSA Certification Authority [root]
  The server will present to the connecting device a certificate, along with any chain certificates required to validate it back to this root.
• Server name / CN (Common Name): token-public.wireless.cam.ac.uk

The other details (such as the serial number and fingerprints) will change over time, but the above details should remain constant and avoid the need to frequently update the configuration or revalidate the server certificate.  Note that the serial number and fingerprints are those of the current certificate presented to the connecting device and NOT those of the root certificate authenticate authorities nor chain certificate(s).

Automatic

• Outer identity:
  • _token-public@cam.ac.uk   [recommended]
  • _public@cam.ac.uk   [deprecated]
  • @cam.ac.uk
  • username@cam.ac.uk   [not recommended]
• Issuer / trusted certification authority chain
  • USERTrust RSA Certification Authority   [root]
  • GEANT OV RSA CA 4
• Root certificate details:
  • Serial number: 01:FD:6D:30:FC:A3:CA:51:A8:1B:BC:64:0E:35:03:2D
  • SHA-1 fingerprint: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
  • SHA-256 fingerprint: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
• Server name / CN (Common Name)
  • token-public.wireless.cam.ac.uk
• Server certificate details:
  • Serial number: 0B:71:CC:54:63:12:B7:61:4B:99:C4:E5:01:7D:DF:0B
  • SHA-1 fingerprint: AB:29:20:2B:C9:BA:5E:21:04:8C:93:F0:60:6D:FB:98:F9:DC:AA:46
  • SHA-256 fingerprint: FC:88:21:08:64:C0:9C:17:28:00:80:8D:04:85:CF:7F:D5:45:5F:82:EE:30:62:27:0B:4B:F9:2A:62:CC:37:92
• Expiry of current certificate
  • Prior to 27 November 2024 at 23:59:59 GMT [rollover will be ahead of this]
• Certificate rollover behaviour:
  • The new certificate and configuration come into effect at an advertised time.
• Advance reconfiguration required
  • None, unless the CA or other aspects of the certificate change.  If this is required, this will be advertised in advance.
• Rollover experience
  • Likely seamless, although devices relying on certificate pinning will likely be prompted to authorise the new certificate.

Manual

• Outer identity:
  • public202409@cam.ac.uk   [includes the year and month of issue]
• Issuer / trusted certification authority chain
  • USERTrust RSA Certification Authority   [root]
  • GEANT OV RSA CA 4
• Root certificate details:
  • Serial number: 01:FD:6D:30:FC:A3:CA:51:A8:1B:BC:64:0E:35:03:2D
  • SHA-1 fingerprint: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
  • SHA-256 fingerprint: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
• Server name / CN (Common Name)
  • token-public.wireless.cam.ac.uk
• Server certificate details:
  • Serial number: 0B:71:CC:54:63:12:B7:61:4B:99:C4:E5:01:7D:DF:0B
  • SHA-1 fingerprint: AB:29:20:2B:C9:BA:5E:21:04:8C:93:F0:60:6D:FB:98:F9:DC:AA:46
  • SHA-256 fingerprint: FC:88:21:08:64:C0:9C:17:28:00:80:8D:04:85:CF:7F:D5:45:5F:82:EE:30:62:27:0B:4B:F9:2A:62:CC:37:92
• Expiry of current certificate
  • 27 November 2024 at 23:59:59 GMT
• Certificate rollover behaviour:
  • The certificate and configuration do not change but must be manually updated in advance of the expiry of the old certificate.
• Advance reconfiguration required
  • Required: the outer identity must be updated and any updated certificate settings made.
• Rollover experience
  • Seamless.

Note: separate serial numbers and fingerprint details for each method will only be shown during an overlap period, as a rollover is being prepared.

Most users will want to use the automatic method.  The manual method is more complicated to administer but some users may prefer it if they wish to perform any reconfiguration activities at a known point in time, although this is likely to become more difficult as the frequency of certificate rollovers increases from early 2025.

If using certificate pinning, users are strongly advised to check the serial numbers and fingerprints and reject the connection (although this can be mitigated significantly by only attempting to connect in a place where University Wireless eduroam is available), if alternative information is displayed. Otherwise you may be handing over your credentials to a third party.  If this happens, please report it to the Service Desk, especially if you are on University or College premises.

When a new certificate is introduced the changeover process will be as follows:

1. The new certificate will be introduced, selected with a new outer identity, "_publicYYYYMM@cam.ac.uk", in parallel with the old one.
2. UIS advertises this, along with the time and date of the rollover, as well as the time and date of for the expiry of the old certificate.  Manual method users will need to reconfigure their devices before the old certificate expires.
3. At the advertised rollover time, the identities selecting the automatic method will be switched over to the new certificate.  Users making use of these identities and using certificate pinning will receive a warning that the new certificate will need to be authorised, at this point.
4. The old certificate, selected by the old outer identity, will continue to work until it expires.  At this point, users who have not reconfigured their devices will most likely fail to connect after this point.  Any devices which are ignoring the expiry date may continue to work for short while after this, until the old certificate is completely removed.

Last modified: 12 February 2024