
If you authenticated with your eduroam credentials at a participating institution, your home institution is the one doing the authentication of the credentials, and the host institution is only providing the internet access.

What 802.1X authentication information will the host eduroam institution be able to see?

I assume they won't see your password, but will likely see your domain name (in order to route your auth correctly, or is it somehow done centrally by some other authority?). Will they see your username in full?

cnst

2 Answers

1

Eduroam's RADIUS configuration creates a TLS-secured tunnel between your device and your home RADIUS server for the RADIUS Access Challenge.

While the local institution's RADIUS server will see who you are (i.e. your username) (they have to, in order to know whether to authenticate you locally or send you out to the Eduroam network), the actual authentication using the password is done completely inside the tunnel.

Here is a sequence diagram from the documentation:

Eduroam authentication sequence diagram

See the Eduroam US Technical Overview for System Administrators for more details.


NOTE: The RADIUS standard does allow you to specify a separate "outer identity" that the local server sees which is different from the one that you actually use for authentication. However, that is typically left unset by default. If you want to anonymize your username, Eduroam allows you to change the outer identity to anonymous@realm where realm is your university's domain.

If you set an outer identity, the local institution's RADIUS server uses the realm portion to determine where to send the request. While the local institution may be able to log the user portion of the outer identity, they do not use it for the authentication. Therefore, it is technically possible for someone else to pretend to be you to the local institution while still authenticating as themselves to their home institution. However, if the two institutions compare their RADIUS server logs, they will easily discover that the other person is pretending to be you. There is no way to hide such things as malicious or criminal activity as long as both institutions are logging access to their servers (which I know that at least some Eduroam institutions are doing). Additionally, the realm of the outer identity must be the correct one for your institution in order for the authentication to succeed, so there is no way to pretend that you are from a different institution.

For more information about this process, consult the paragraph above Figure 3 and Figure 3 itself on the page linked above.

Moshe Katz
  • Oh, so, this is what the outer identity field is? Doesn't it mean that anyone can pretend to be me by supplying the outer identity of myself? Does the outer identity get checked by the Home RADIUS? How would the Access Point institution go about finding the actual identity of the user, then? – cnst Feb 23 '16 at 23:39
  • @cnst See update to answer. – Moshe Katz Feb 24 '16 at 00:18
0

Not quite correct.

The local site you are visiting can see your OuterID - this can be anonymised such that if e.g. your userid is fred123@site.ac.uk then you can just have @site.ac.uk - thus the request will get back to your home organisation (if they support anonymous outerids) but the local site won't know exactly who you are.

The local site will see the MAC address of your device.

Also, the local site may have all kinds of traffic analysers present so could, for example, view what sites you are going to and, if you use insecure protocols, they could read data being transmitted to/from your client (so always use secure TLS methods and use a VPN for privacy/security).

  • are you saying that the outer ID goes as part of the encrypted request in addition to being exchanged in the original non-encrypted request? – cnst Feb 24 '16 at 21:39
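The two answers above describe the same mechanism from two sides: the visited site routes purely on the realm of the outer identity (so `fred123@site.ac.uk`, `anonymous@site.ac.uk` and `@site.ac.uk` all reach the same home server), it can log the MAC address and whatever user part the client put in the outer identity, and only the home server learns the inner identity inside the TLS tunnel. The following Python is an added example written for this page, not code from eduroam or from either answerer. It simulates the visited-site proxy's routing decision and then shows how a visited site and a home site could join their own logs afterwards, which is the "compare their RADIUS server logs" step from the first answer. The federation, realms, user names, MAC addresses and log lines are all constructed, and the national top-level proxies that sit between the two sites in real eduroam are left out.

```python
"""Added example (not from the original Q&A): eduroam-style realm routing on
the outer identity, plus offline correlation of visited-site and home-site
RADIUS logs. All realms, users, MACs and log entries are constructed."""

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed federation: the visited site serves one realm locally and
# proxies the others. Real eduroam routes via national top-level servers.
LOCAL_REALM = "visited.example.edu"
FEDERATION_REALMS = {"visited.example.edu", "home.example.ac.uk"}

# RFC 7542 NAI shape "user@realm"; the user part may be empty ("@realm").
NAI_RE = re.compile(r"^(?P<user>[^@]*)@(?P<realm>[A-Za-z0-9.-]+)$")


def parse_outer_identity(nai):
    """Split an EAP-Response/Identity value into (user, realm).

    Returns None when no realm is present; a proxy then has nothing to route on."""
    m = NAI_RE.match(nai.strip())
    if not m:
        return None
    return m.group("user"), m.group("realm").lower()


def route_request(outer_identity):
    """Visited-site proxy decision based on the realm only.

    The user part of the outer identity is never consulted: the visited site
    may log it, but it does not verify it (the home server does, in-tunnel)."""
    parsed = parse_outer_identity(outer_identity)
    if parsed is None:
        return "reject: no realm"
    _user, realm = parsed
    if realm == LOCAL_REALM:
        return "authenticate locally"
    if realm in FEDERATION_REALMS:
        return "proxy to " + realm
    return "reject: unknown realm"


@dataclass(frozen=True)
class VisitedLog:
    ts: str                  # ISO 8601 timestamp (constructed)
    calling_station_id: str  # client MAC; visible to the visited site
    outer_identity: str      # User-Name as received from the client
    result: str


@dataclass(frozen=True)
class HomeLog:
    ts: str
    calling_station_id: str
    outer_identity: str
    inner_identity: str      # learned only inside the TLS tunnel
    result: str


def _user_part(nai):
    return nai.split("@", 1)[0]


def correlate(visited_entries, home_entries, window_seconds=5):
    """Join both sites' logs on MAC + outer identity + timestamps within a window.

    Each match reports the inner identity the home server actually
    authenticated and flags an outer user part that names a different account
    from the inner one (the 'pretend to be you' case in the first answer)."""
    window = timedelta(seconds=window_seconds)
    matches = []
    for v in visited_entries:
        v_time = datetime.fromisoformat(v.ts)
        for h in home_entries:
            if (h.calling_station_id.lower() != v.calling_station_id.lower()
                    or h.outer_identity.lower() != v.outer_identity.lower()):
                continue
            if abs(datetime.fromisoformat(h.ts) - v_time) > window:
                continue
            outer_user = _user_part(v.outer_identity)
            spoofed = (outer_user not in ("", "anonymous")
                       and outer_user != _user_part(h.inner_identity))
            matches.append({"mac": v.calling_station_id,
                            "outer": v.outer_identity,
                            "inner": h.inner_identity,
                            "outer_user_spoofed": spoofed})
    return matches


# Constructed logs: one anonymised roaming session, one session whose outer
# identity names fred123 but was authenticated by a different account, and
# one purely local session that the home site never sees.
VISITED_LOG = [
    VisitedLog("2016-02-24T00:10:01", "aa:bb:cc:11:22:33",
               "anonymous@home.example.ac.uk", "Access-Accept"),
    VisitedLog("2016-02-24T00:12:40", "aa:bb:cc:44:55:66",
               "fred123@home.example.ac.uk", "Access-Accept"),
    VisitedLog("2016-02-24T00:15:00", "aa:bb:cc:77:88:99",
               "alice@visited.example.edu", "Access-Accept"),
]
HOME_LOG = [
    HomeLog("2016-02-24T00:10:02", "aa:bb:cc:11:22:33",
            "anonymous@home.example.ac.uk", "fred123@home.example.ac.uk", "Access-Accept"),
    HomeLog("2016-02-24T00:12:41", "aa:bb:cc:44:55:66",
            "fred123@home.example.ac.uk", "mallory@home.example.ac.uk", "Access-Accept"),
]

if __name__ == "__main__":
    for ident in ("fred123@home.example.ac.uk", "@home.example.ac.uk",
                  "anonymous@home.example.ac.uk", "alice@visited.example.edu",
                  "bob@unknown.example", "nobody"):
        print(f"{ident:30} -> {route_request(ident)}")
    for m in correlate(VISITED_LOG, HOME_LOG):
        print(m)
```

Running it prints the same routing decision for the three forms of the home-realm identity and then two correlated sessions: the anonymised one resolves to `fred123@home.example.ac.uk` with no flag, while the one whose outer identity claimed `fred123` resolves to `mallory@home.example.ac.uk` and is flagged, which is exactly why the first answer says the outer user part buys no cover once both sites keep logs. The local `alice` session has no home-side counterpart and is not reported.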