
IT Center Blog

WLAN News – Part 2: eduroam and certificates

June 16th, 2023

The Wi-Fi network eduroam is available on the entire campus of RWTH Aachen University. If you have already configured eduroam on your mobile devices and chosen an automatic connection, your devices will connect to eduroam in the background. This happens as soon as your devices detect a network with the name eduroam in the vicinity.

Behind a secure connection to eduroam lie certificate structures that guarantee this security. But how exactly do these processes work? In the following blog post, we hope to provide answers to these and other questions.

Where does my login information go?

Your eduroam credentials, which you have generated via the eduroam device manager, are transmitted via the WLAN infrastructure to the authentication server of RWTH Aachen University, radius.rz.rwth-aachen.de (RADIUS). This happens every time you log on to the eduroam network. The connection from your device to the RADIUS server is encrypted so that your data is secure during transmission.

But how do you know if your credentials are being sent through a legitimate eduroam access point and to the correct (real) authentication server?

To do this, your device must check the certificate of the RADIUS server. To confirm the identity of this server, you have to validate and trust the SSL certificate (also called TLS certificate) of the RADIUS server once. You do this when you connect for the first time or after a certificate change, by comparing the fingerprint of the presented certificate with the fingerprint we have published in the RWTH intranet. You can read more about this in the first blog post “WLAN News – Part 1: New certificate for the RADIUS server”.

Changing the RADIUS certificate to the GÉANT/TCS certification authority

The RADIUS certificate was previously issued by the DFN-PKI and last replaced on May 23, 2023. A new certificate will be installed on August 1, 2023. This newer RADIUS certificate was issued by the GÉANT/TCS (PKI), as the service provider for certificates was changed at the end of 2022. The SSL certificates of the GÉANT/TCS belong to a new certificate chain which leads to a new root certificate, that of the certification authority Comodo CA Limited.

The new certificate chain has the following structure:

Future RADIUS certificate (from August 1, 2023):

Subject: C = DE, ST = Nordrhein-Westfalen, O = RWTH Aachen University, CN = radius.rz.rwth-aachen.de

Issuer: C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

GÉANT certificate (intermediate):

Subject: C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

Usertrust certificate (intermediate):

Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services

Comodo certificate (root):

Subject: C=GB,ST=Greater Manchester,L=Salford,O=Comodo CA Limited,CN=AAA Certificate Services

Issuer: C=GB,ST=Greater Manchester,L=Salford,O=Comodo CA Limited,CN=AAA Certificate Services

The eduroam CAT (Configuration Assistant Tool)

If you use the eduroam CAT to configure eduroam on your device, the name of the RADIUS server and the certificate chain are installed on your device. With the help of the server name, your device checks whether the correct RADIUS server is being addressed. The operating system then uses the root certificate to check whether this RADIUS server presents a certificate issued by a trusted certification authority. You can always find an overview of RADIUS certificates and certificate chains for the configuration of eduroam on IT Center Help.
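The two checks described above (expected server name, then a chain that ends at the installed root) can be sketched at the level of certificate names. This is an added example, not part of the original post or any IT Center tooling; it uses the Subject/Issuer values listed earlier, the function names are illustrative, and it leaves out the signature, validity and extension checks a real client performs.

```python
# Added example: name-level checks only. A real Wi-Fi client also verifies
# signatures, validity periods and extensions on the certificates themselves.

# Distinguished names copied from the chain listed in the post.
LEAF = "C = DE, ST = Nordrhein-Westfalen, O = RWTH Aachen University, CN = radius.rz.rwth-aachen.de"
GEANT = "C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4"
USERTRUST = ("C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, "
             "CN = USERTrust RSA Certification Authority")
ROOT = "C=GB,ST=Greater Manchester,L=Salford,O=Comodo CA Limited,CN=AAA Certificate Services"
ROOT_SPACED = "C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services"

# (subject, issuer) pairs, leaf first, in the order the post lists them.
CHAIN = [(LEAF, GEANT), (GEANT, USERTRUST), (USERTRUST, ROOT_SPACED), (ROOT, ROOT)]


def parse_dn(text):
    """Normalise 'C = DE, O = X' and 'C=DE,O=X' to the same tuple of pairs.

    Assumes no attribute value contains a comma, which holds for this chain.
    """
    pairs = []
    for part in text.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), " ".join(value.split())))
    return tuple(pairs)


def check_chain(chain, expected_server, trusted_root):
    """Return a list of problems; an empty list means the name checks pass."""
    problems = []
    parsed = [(parse_dn(subject), parse_dn(issuer)) for subject, issuer in chain]
    # Check 1: the leaf certificate must name the configured RADIUS server.
    leaf_cn = dict(parsed[0][0]).get("CN", "")
    if leaf_cn.casefold() != expected_server.casefold():
        problems.append(f"server name mismatch: {leaf_cn!r}")
    # Check 2: each issuer must be the subject of the next certificate.
    for n, ((_, issuer), (next_subject, _)) in enumerate(zip(parsed, parsed[1:])):
        if issuer != next_subject:
            problems.append(f"certificate {n} is not issued by certificate {n + 1}")
    # Check 3: the chain must end at the self-signed root installed on the device.
    root_subject, root_issuer = parsed[-1]
    if root_subject != root_issuer:
        problems.append("last certificate is not self-signed")
    if root_subject != parse_dn(trusted_root):
        problems.append("chain does not end at the configured root")
    return problems
```

A certificate that merely carries the right server name but does not chain to the installed root still fails, which is why both the server name and the root certificate are part of the configuration.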

In the first part of the WLAN News blog series, we reported on the change of the RADIUS server certificate in May 2023. In the third part, we will take a closer look at the root certificate.

 


Responsible for the content of this article is Jelena Ćulum.

4 responses to “WLAN News – Part 2: eduroam and certificates”

  1. console.log("test")hallo says:

    hello

    • Gath, Dunja says:

      Hello,
      thank you very much for your comment! Can we help you with anything, or do you have any remarks on our post?
      Best regards,
      the IT Center Blog Team

  2. Jojo says:

    Test
    Best regards, Bene
