On May 23, 2023, the server certificate of our authentication server “radius.rz.rwth-aachen.de” expired, so a new certificate was installed on the system. We informed you about this in the first post of this blog series.
Now a larger change is coming up: in the future, the new certificate authority GÉANT/TCS will replace DFN-PKI Global. As a consequence, a new RADIUS certificate and certificate chain will be used. This migration will take place on August 1, 2023.
Eduroam will be affected with regard to registration and configuration. In this blog post we explain the background and what you have to do to continue using eduroam.
From DFN to GÉANT/TCS
With the new certificate authority GÉANT/TCS, the RADIUS authentication server receives a new certificate, which in turn chains to a new root certificate. Depending on the eduroam configuration, not only the new RADIUS certificate has to be trusted, but also its root. The migration to the new GÉANT/TCS RADIUS certificate will take place on August 1, 2023.
How Can I Continue to Use Eduroam?
After changing the RADIUS certificate on the server, the operating system of your mobile device (depending on the eduroam configuration) will inform you about the certificate change. This will happen the next time you log in to eduroam. You will be asked to decide whether you want to establish a WiFi connection or not. At this point, the connection to the RADIUS server will no longer be recognized as trusted and your devices will no longer be able to access eduroam.
For Windows devices, the warning will look like the following image:
Click on “Show certificate details” to display the message in full.
The following is listed under certificate details:
- The name of the server for which the certificate was issued, namely “DE, Nordrhein-Westfalen, RWTH Aachen University, radius.rz.rwth-aachen.de”.
- The name of the issuer of the new RADIUS certificate, in this case “GEANT OV RSA CA 4”.
- The SHA256 fingerprint of the RADIUS server’s RSA public key, which is “06:0B:12:1F:9E:C2:36:0C:69:36:8A:04:C6:E5:EB:79:3F:22:DF:48:2A:96:89:B4:47:BC:9E:C2:FE:8C:0A:B2”.
At this point it is important to check the fields displayed. All of them must match. Only then can you trust the connection.
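The check described above can be written down as a small routine. This is an added example, not code from IT Center; the function names and the two sample dialogs are constructed for illustration, while the reference values are the ones listed in this post.

```python
import re

# Reference values as published in this post for the new RADIUS certificate.
EXPECTED = {
    "server": "DE, Nordrhein-Westfalen, RWTH Aachen University, radius.rz.rwth-aachen.de",
    "issuer": "GEANT OV RSA CA 4",
    "sha256": "06:0B:12:1F:9E:C2:36:0C:69:36:8A:04:C6:E5:EB:79:3F:"
              "22:DF:48:2A:96:89:B4:47:BC:9E:C2:FE:8C:0A:B2",
}


def normalize_fingerprint(text):
    """Strip separators and case so only the 32 digest bytes are compared."""
    digits = re.sub(r"[\s:-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return digits


def mismatched_fields(shown, expected=EXPECTED):
    """Return the names of displayed fields that differ; [] means all match."""
    bad = []
    for field in ("server", "issuer"):
        # Collapse whitespace only; the names must otherwise be identical.
        if " ".join(shown[field].split()) != expected[field]:
            bad.append(field)
    try:
        same = (normalize_fingerprint(shown["sha256"])
                == normalize_fingerprint(expected["sha256"]))
    except ValueError:
        same = False  # a truncated or malformed fingerprint never counts as a match
    if not same:
        bad.append("sha256")
    return bad


# Constructed dialog contents (not captured from a real device).
GENUINE = {
    "server": EXPECTED["server"],
    "issuer": "GEANT OV RSA CA 4",
    "sha256": "06 0b 12 1f 9e c2 36 0c 69 36 8a 04 c6 e5 eb 79 "
              "3f 22 df 48 2a 96 89 b4 47 bc 9e c2 fe 8c 0a b2",
}
# Same name and issuer, but the last fingerprint byte differs: do not connect.
LOOKALIKE = dict(GENUINE, sha256=GENUINE["sha256"][:-2] + "b3")

if __name__ == "__main__":
    print("genuine:", mismatched_fields(GENUINE))
    print("lookalike:", mismatched_fields(LOOKALIKE))
```

A certificate that carries the expected server name and issuer but a different fingerprint is still reported as a mismatch, which is why all three fields have to be compared.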
Fingerprints
To support you, the fingerprint and all relevant data of the currently used RADIUS certificate are published on IT Center Help. Compare the information on IT Center Help with the information displayed to you when you connect to eduroam. Since you do not have internet access to IT Center Help at the time when the operating system message is displayed, it is best to learn the next fingerprint by heart now – all joking aside!
If the fingerprint does not match, proceed as follows:
- Assume that eduroam is being offered to you by a WiFi access point that does not belong to the official eduroam infrastructure. In this case, do not trust the certificate; otherwise your eduroam login data will be intercepted by unauthorized persons. This is the case described in the Windows message above: “Otherwise, it may be a different network with the same name”.
- Go to a different location where you know that the “real” university eduroam is offered.
- It makes no difference whether you are at RWTH, at another university or in another part of the city. As an RWTH member, you connect with an “<egm>@rwth.edufi.de” identifier and therefore always with the RADIUS server of RWTH.
Eduroam Access Data
You may have to re-enter your access data when you connect to eduroam after this change. You don’t know your access data anymore? Don’t worry! You can easily generate new ones via the eduroam device manager. Please have a look at our YouTube tutorial and our instructions on IT Center Help.
Are You Using the CAT App?
The profile behind the CAT app now contains both roots. This should allow for a seamless migration if you reconfigure with the CAT app before August 1, 2023. After the deadline, only the new root will be available.
Further help and configuration instructions for the corresponding operating systems can also be found on IT Center Help.
Responsible for the content of this article are Jelena Ćulum and Ekaterini Papachristou.