Protection of eduroam credentials

Question

Recently my educational institution officially switched over from the their own wireless network to eduroam.

If I understand correctly from the FAQ, credential authentication is performed on the servers at my educational institution no matter where I log in from:

When a user tries to log on to the wireless network of a visited eduroam-enabled institution, the user's authentication request is sent to the user's home institution. This is done via a hierarchical system of RADIUS servers. The user's home institution verifies the user's credentials and sends to the visited institution (via the RADIUS servers) the result of such a verification.

In addition, it states that:

In eduroam, communication between the access point and the user's home institution is based on IEEE 802.1X standard; 802.1X encompasses the use of EAP, the Extensible Authentication Protocol, which allows for different authentication methods. Depending on the type of EAP method used, either a secure tunnel will be established from the user’s computer to his home institution through which the actual authentication information (username/password etc.) will be carried (EAP-TTLS or PEAP), or mutual authentication by public X.509 certificates, which is not vulnerable to eavesdropping, will be used (EAP-TLS).

Some questions that I have are:

1. How is eduroam different from a VPN in terms of security?
2. Is it any less secure to connect to eduroam somewhere other than my home institution?
3. How do I know that my credentials are encrypted between my device, the access point I'm connected to, and the authentication servers?
4. Is there a centralized database of domains and authentication servers (i.e. how does it know which server to check for user@uottawa.ca and user@ucalgary.ca)?

Answer 1

1. How is eduroam different from a VPN in terms of security?

Eduroam is only an infrastructure for authentication, it allows your institution's servers to prove that you're indeed the person that you claim to be. It only authenticates you, but doesn't tunnel your traffic or similar - your traffic is still at the mercy of whatever network you're connecting to, so you have to trust that network and its administrators to not be malicious or only use secure protocols such as HTTPS.

2. Is it any less secure to connect to eduroam somewhere other than my home institution?

Your Eduroam credentials are safe and only your home institution can see them. Your traffic is less safe and you have to trust the network and its administrators, though EAP uses a different key per user so someone else on the network wouldn't be able to eavesdrop on your traffic like they can with open or PSK-protected networks.

I'll leave the last two questions to someone else as I'm not 100% sure.

Answer 2

eduroam is based on 802.1X and WPA-Enterprise / WPA-EAP standards.

1. It is different from VPN in that your home institution is only performing the authentication; your data is secured with WPA in-air, but is then subject to whatever internet your local physical location is willing to provide you with.

2. Yes, it's less safe to use eduroam outside of your local campus, because, apart from the authentication performed by your home institution, all internet traffic will be originating through a local network where you're physically located (without being tunnelled through your home). E.g., you'll have a different IP address on a different network, which will also affect online access to academic subscriptions like IEEE Xplore.

3. This is the best question! Apparently, according to Obtain credentials by spoofing WPA/WPA2 Enterprise network? and Certificate validation with 802.1x PEAP, it's unclear whether any automatic protections are implemented in popular devices. According to UWaterloo's IST, there appears to be a web-site called eduroam Configuration Assistant Tool, located at https://cat.eduroam.org/, where you can download the settings for your institution and operating system combination, and these appear to include some sort of a root certificate (however, it appears to be a CA unrelated to the institution in question, so, it doesn't appear that any sort of real pinning is there (e.g., the eduroam CAT settings for Waterloo simply have a couple of GlobalSign root certs from Belgium, and it does match up the official instructions for Ubuntu, too -- go figure; I guess the idea is that a CA is to be trusted to always continue re-issuing the certificates to the institution annually or as needed, and to never issue certificates for the institution to an unrelated entity)).

4. Yes, at cat.eduroam.org as per above, and Ottawa is listed. However, a brief glance leads me to believe that it is not updated too frequently, as the U.S.A. is missing newer members such as University of Houston, Rice University and UTSA, for example.

Answer 3

Subquestions 1 and 2 are already answered, so I take the other two:

3. How do I know that my credentials are encrypted between my device, the access point I'm connected to, and the authentication servers?

Make sure that you use an encrypted WLAN connection (otherwise your credentials can be sniffed from the air) and secure protocols like https. Then you needn't worry about security of eduroam.

4. Is there a centralized database of domains and authentication servers (i.e. how does it know which server to check for user@uottawa.ca and user@ucalgary.ca)?

No there isn't. eduroam knows from the right-hand side of the @ sign which institution to contact.