Connect to eduroam wifi with other devices

The information given here may help configure eduroam on wireless devices, operating systems and client software not listed in the main eduroam documentation.  It also gives some technical information about how it's provided at the University of Cambridge. It is intended for technical users such as Computer Science students.

The user and server authentication details are also used for SSIDs provided on the University Wireless Service using WPA2 Enterprise with Lookup security.

What this information covers

• Wireless settings
• User authentication settings
• Server authentication settings

Wireless settings

These are the details of the wireless network itself:

• Network name (SSID): eduroam
• Security type: WPA2 Enterprise
• Data encryption: AES

User authentication settings

These specify the method and details required to prove your identity to the network.

EAP Authentication Type or Outer Authentication Protocol

PEAP or PEAPv0

Authentication Method/Protocol or Inner Authentication Protocol

MS-CHAPv2

Username

For new tokens: "CRSid+device@cam.ac.uk", for example, "abc123+laptop@cam.ac.uk".

For legacy tokens: "CRSid@cam.ac.uk", for example, "abc123@cam.ac.uk".

For institutional tokens: "inst-num@cam.ac.uk", for example, "botolphs-100@cam.ac.uk".

Password

The password for the same Network Access Token — note that this is NOT your Raven password.

Outer, Roaming or Anonymous Identity

See server authentication settings below.

Alternative EAP methods

The recommended authentication protocols to use (EAP-PEAP with MS-CHAPv2) are given above, there are many other available combinations:

• EAP-TTLS with CHAP, MS-CHAP and MS-CHAPv2 will work but are unsupported.
• EAP-TTLS with PAP will work but is unsupported and strongly advised against: if used, the server must be authenticated by certificate and name) else it can reveal your Network Access Token to third-party sites.
• EAP-TLS is not supported and will not work, although we plan to offer this in future.
• EAP-LEAP is not supported and will not work.
• EAP-FAST is not supported and will not work.

Combinations other than those listed above must not be used and are unlikely to work.

Server authentication settings

These are used so your device can confirm that it is securely talking to the University of Cambridge systems, before your username and password are handed over.  These settings can often be omitted but you may be giving your credentials to a third-party system.

There are 2 ways this can be accomplished, each using server certificates signed by a different Root Certification Authority (CA): one a local (University) CA and the other using a well-known public CA.  Which method you use is a matter of preference but will be influenced by the operating system your device is running.  The following table summarises the differences:

The separate instructions provided for each platform by UIS use the recommended certificate for that particular platform.  However, at the present time, Windows (desktop) will use the local CA. This will likely be changed at some point.

Certificate selection by outer identity

The University of Cambridge service allows you to select which certificate is desired by using the outer identity (also known as the roaming or anonymous identity):

Outer identity 

• _token@cam.ac.uk (note the leading underscore)

• _public202212@cam.ac.uk (note the leading underscore)
  _publicYYYYMM@cam.ac.uk (note the leading underscore)
  @cam.ac.uk
  username@cam.ac.uk

Signing root Certificate Authority (CA) selected

• Local (University of Cambridge Wireless Service) CA

• Public (well known) CA

The outer ID cannot be any other value. If the username portion is specified before the "@" symbol, it must match that used in the inner ID field (the username).

If your system does not have the ability to specify the outer identity, it will usually use the username itself, forcing you to use the public CA-signed certificate.  Some operating systems, for example Windows, only require you to enter the portion before the "@" symbol in the outer identity field and will automatically append the "@cam.ac.uk" from the username field. 

Local (University of Cambridge) CA

To use this certificate, you must download and install the University of Cambridge Wireless Service Root CA on your device.  The actual certificate which will be provided will be signed by this root CA.

When installing the root certificate, you are strongly advised to verify its fingerprint against one of the values shown below.  Note that they are the fingerprints of the certificate and not those of the downloaded file.

• SHA-1: 02:61:03:C0:D8:36:C9:EF:01:87:F2:94:34:75:9E:C3:06:2E:28:DA
• SHA-256: 8D:E6:D1:30:F1:32:B3:D7:05:84:56:58:22:7F:53:78:56:0B:70:E8:CB:0B:F0:E8:62:94:4C:14:BB:AE:E5:CF

If your operating system supports it, we strongly advise you to restrict the use of this certificate to connecting to wireless networks (and eduroam in particular, if possible), rather than be used as a general root CA.  This root CA is not intended to be used for any purpose other than authenticating wireless SSIDs on the University Wireless Service, or other services federated to it. For example, other eduroam sites.

To use this certificate, you should configure the following authentication settings:

• Outer/roaming/anonymous identity: _token@cam.ac.uk
• Issuer / trusted certification authority: University of Cambridge Wireless Service Root CA
• Server name / CN (Common Name): token.wireless.cam.ac.uk

The actual certificate used by the wireless service will change over time, but it will continue to be signed by the above certificate authority and use the same server name. 

Public (well-known) CA

There are 2 ways to configure the use of a public certificate. Which method you use is selected by the outer identity and depends on whether you wish to manage the rollover to a new certificate automatically or manually:

Automatic

• Outer identity:
  • _public@cam.ac.uk [recommended]
  • @cam.ac.uk
  • username@cam.ac.uk
• Issuer / trusted certification authority chain
  • AAA Certificate Services [root]
  • USERTrust RSA Certification Authority
  • GEANT OV RSA CA 4
• Server name / CN (Common Name)
  • token-public.wireless.cam.ac.uk
• Serial number
  • 3A:C3:C9:1C:6B:60:40:2D:2B:90:8E:D4:1D:9C:93:9F
• SHA-1 fingerprint
  • 79:63:B7:EB:D2:57:F8:E1:44:D5:2A:33:C5:96:2B:01:87:7C:C2:96
• SHA-256 fingerprint
  • BA:58:67:93:D7:CB:02:0B:EC:8E:B9:72:12:A5:BD:CD:C6:BE:2C:A2:76:EA:E3:85:21:EC:F1:E3:C3:5B:8A:9D
• Expiry of current certificate
  • Prior to 09 December 2023 at 23:59:59 GMT [rollover will be ahead of this]
• Certificate rollover behaviour:
  • The new certificate and configuration come into effect at an advertised time.
• Advance reconfiguration required
  • None, unless the CA or other aspects of the certificate change.  If this is required, this will be advertised in advance.
• Rollover experience
  • Likely seamless, although devices relying on certificate pinning will likely be prompted to authorise the new certificate.

Manual

• Outer identity:
  • _public202212@cam.ac.uk
  • [includes the year and month of issue]
• Issuer / trusted certification authority chain
  • AAA Certificate Services [root]
  • USERTrust RSA Certification Authority
  • GEANT OV RSA CA 4
• Server name / CN (Common Name)
  • token-public.wireless.cam.ac.uk
• Serial number
  • 3A:C3:C9:1C:6B:60:40:2D:2B:90:8E:D4:1D:9C:93:9F
• SHA-1 fingerprint
  • 79:63:B7:EB:D2:57:F8:E1:44:D5:2A:33:C5:96:2B:01:87:7C:C2:96
• SHA-256 fingerprint
  • BA:58:67:93:D7:CB:02:0B:EC:8E:B9:72:12:A5:BD:CD:C6:BE:2C:A2:76:EA:E3:85:21:EC:F1:E3:C3:5B:8A:9D
• Expiry of current certificate
  • 09 December 2023 at 23:59:59 GMT
• Certificate rollover behaviour:
  • The certificate and configuration do not change but must be manually updated in advance of the expiry of the old certificate.
• Advance reconfiguration required
  • Required:  the outer identity must be updated and any updated certificate settings made.
• Rollover experience
  • Seamless.

Note: separate serial numbers and fingerprint details for each method will only be shown during an overlap period, as a rollover is being prepared.

Most users will want to use the automatic method (if not the local CA method).  The manual method is more complicated to administer but some users may prefer it if they wish to perform any reconfiguration activities at a known point in time.

In both cases, users using the public CA method are strongly advised to check the serial numbers and fingerprints and reject the connection, if alternative information is displayed, otherwise you may be handing over your credentials to a third party.  If this happens, please report it to the Service Desk, especially if you are on University or College premises.

When a new certificate is introduced the changeover process will be as follows:

1. The new certificate will be introduced, selected with a new outer identity, "_publicYYYYMM@cam.ac.uk", in parallel with the old one.
2. UIS advertises this, along with the time and date of the rollover, as well as the time and date of for the expiry of the old certificate.  Manual method users will need to reconfigure their devices before the old certificate expires.
3. At the advertised rollover time, the identities selecting the automatic method will be switched over to the new certificate.  Users making use of these identities and using certificate pinning will receive a warning that the new certificate will need to be authorised, at this point.
4. The old certificate, selected by the old outer identity, will continue to work until it expires.  At this point, users who have not reconfigured their devices will most likely fail to connect after this point.  Any devices which are ignoring the expiry date may continue to work for short while after this, until the old certificate is completely removed.

Last modified: 12th December 2022