Skip to Content.

geteduroam - Re: getting started with geteduroam

Subject: An open discussion list for topics related to the geteduroam service

List archive

Re: getting started with geteduroam

Chronological Thread 
  • From: Gheorghiță Butnaru <gheorghita.butnaru AT>
  • To: Paul Dekkers <paul.dekkers AT>
  • Cc: geteduroam AT
  • Subject: Re: getting started with geteduroam
  • Date: Mon, 1 Mar 2021 17:15:44 +0200

Thanks for your fast response.

On Mon, Mar 1, 2021 at 4:15 PM Paul Dekkers <paul.dekkers AT> wrote:
We bring all eduroam CAT profiles into the list of institutions and profiles. If you're not listed, drop me a note. It's most likely stale cache (and our caching is a bit too aggressive now ;-) we need to work on that).

These are both the profiles that you use with your regular RADIUS accounts, as well as profiles that may use a specific "geteduroam-only" approach:

We are not listed, at least not on the android app.

So my previous answer is more or less in case you want to use "normal" CAT profiles.

If you want to create eduroam pseudo-accounts based on your federated eduGAIN SAML-authentication, that's indeed also part of geteduroam. You can use this as a service from GEANT, if your NRO agrees. (You'd get eg. as a realm.)

You also need to create a profile for this in CAT, so you can be discovered from both CAT and geteduroam. (CAT will however redirect you from the website. It works quite well actually.)

We are part of the eduGAIN, so this should be possible. Do we need to contact our NRO and ask them to confirm? Is there anything else that they need to do? From what I know, they are short on human resources.

If we are going to do these, it means that we will be geteduroam-only?
From what I know, right now, GEANT talks in every documentation for eduroam about CAT and not about geteduroam. Wouldn't that be puzzling for users?
Also, what changes do we need to make to our infrastructure? And at what level (radius, wireless access controllers)?

If you want to host your own pseudo-accounts, that's definitely possible! There is documentation.

However, this server part is the part of the concept that is still a bit "in flux". We're likely to make changes that will require database migrations and what not. Of course we implement this ourselves in the centralized infrastructure, so that will continue to work well. We may not be able to offer a lot of support on this if you host it yourself (considered "for the experts") but it is documented, with a reference implementation for Debian. And if you follow the commits and notes and have a test-implementation, you're problably fine.

Are there any advantages for the self-hosted server? Can you point me to some documentation?

In all this puzzle, where do the client certificates fit? Right now, we are using EAP-PEAP and EAP-TTLS for our eduroam infrastructure. I am interested in the EAP-TLS if it's not too complex to implement and does not become harder for our users.

Sorry if my questions sound dumb. I could not found more documentation besides

Also, if it's worth mentioning, we have around 18k users.

Gheorghita BUTNARU,
Gheorghe Asachi Technical University of Iaşi

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Archive powered by MHonArc 2.6.19.

Top of Page