Using JANET Roaming eduroam
This page is brand new. We would welcome comments and feedback. Please bring any errors or omissions to the attention of the JRS service manager.
This page is intended as a guide to the key things you need to do in order to use the service. It is not intended to replace the full user guide, which you are encouraged to read and to keep for reference. By using the service you agree to abide by the acceptable use policies of your home organisation, the JANET Roaming Service and the visited organisation.
On this page:
- Checklist 1 - one-off operations to enable your use of service
- Checklist 2 - each time before you go
- Published user guides / documentation
- Support
- Concepts
- FAQs
- Reference
- Glossary
JRS eduroam is a very useful service, but if you are a roaming user planning to visit another JRS participant site, it does require a little preparation BEFORE arriving at the site at which you want to use the service. This involves general preparation for using JRS eduroam (CHECKLIST 1) and specific steps you need to take each time before going to a site (CHECKLIST 2).
Test - if your organisation is both a Home and Visited site, the key is to test the operation of JRS eduroam authentication on your own site. If you take your own laptop, using the service is then simply a matter of connecting to the visited site's wireless LAN when you arrive.
The following checklist 1 is quite long, but once you have been through it once, on subsequent roaming visits you'll only need to check the key parameters detailed in checklist 2.
JRS CHECKLIST 1 - one-off operations to enable your use of the service
JRS CHECKLIST 2 - each time before you go!
JANET Roaming Service User Guide
JANET Roaming Service Connection Guide
UNINETT website "How to connect to an eduroam site" - useful configuration guide and technical information for users
Windows XP built-in 802.1x supplicant configuration (Word) - extract from JRS User Guide details setup of the client in Windows XP.
Users experiencing any technical problems with the Roaming service, or with remote access facilities provided by their Home Organisation, should in the first instance consult their Home Organisation IT Support dept.
JANET Roaming can be used from users' own laptops over wireless networks or via hardwired desktop PCs and Macs (for example in IT suites or libraries) that have been suitably configured. JANET Roaming can be used at Visited organisations and in many cases at Home organisations too.
End-users at customer organisations which have deployed JANET Roaming should consult their IT Support dept. for one-off setup of their laptops prior to travelling to Visited sites providing the JANET Roaming service. They will also be able to learn what facilities at the Home Organisation site are offered for remote access from Visited Organisations (e.g. e-mail, VPN). This information should be available on the JANET Roaming pages of the Home Organisation web site, which can be found on the Participating Organisations Map by hovering over your city blob.
Users MUST also check the Participating Organisations Map to check that their laptop setup is compatible with the authentication method offered by the Visited Organisation and to learn the SSID which they must input into their laptop.
Once at Visited JANET Roaming sites, end-users will be able to log on to the guest network by using their unique credentials (the same for all sites they might visit) - these are their own home organisation username and the organisation realm name in the form: username@foo.ac.uk. (Nb. this is NOT necessarily the user's e-mail address). Users will be able to do this at JANET Roaming enabled hotspots at the Visited sites, which should be marked "JANET Roaming", "JRS" or "eduroam".

What's the difference between JANET Roaming and eduroam?
JANET Roaming is the service designed in the UK appropriate to the organisations comprising the UK academic and research community. JANET Roaming is a member of the eduroam federation.
In order to advertise the service and to make it identifiable to visitors from overseas, the service has selected "eduroam" as its SSID.
eduroam is a federation of national research and education network providers (NRENs). JANET (as the UK NREN) has been a member of the federation since its inception. The eduroam federation has established a trust relationship between members and an infrastructure of RADIUS servers to enable authentication requests to be exchanged between the national RADIUS infrastructures of participating NRENs.
Throughout the eduroam federation, eduroam service is advertised through the eduroam SSID. Users from UK organisations participating with JRS home site compliance can gain guest access on networks at any eduroam organisation, worldwide.
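The following Python script is an added illustration, not JRS's own code or configuration, of why the credentials described above must take the form username@realm: the realm is the only part of the identity a visited site can use to decide where an authentication request should go. The realm table and the proxy host names are constructed placeholders; the two functions model, in simplified form, the decision taken first at the visited site's RADIUS server and then at the national proxy.

```python
"""Realm-based routing of a JRS eduroam login (added illustration).

Not JRS's own code: proxy names and realm tables are constructed placeholders.
A visited site knows only its own realm(s); the national proxy knows which UK
realms belong to which home organisation and passes everything else to the
eduroam international proxy.
"""
import re

LOCAL_REALMS = {"visited.ac.uk"}                     # constructed: the visited site's own realm
UK_HOME_SERVERS = {                                  # constructed: realm -> home RADIUS server
    "foo.ac.uk": "radius.foo.ac.uk",
    "bar.ac.uk": "radius.bar.ac.uk",
}
NATIONAL_PROXY = "nrps.jrs.example"                  # placeholder for the JRS national proxy
INTERNATIONAL_PROXY = "tlr.eduroam.example"          # placeholder for the eduroam top-level proxy

# A realm must look like a DNS domain: dotted labels of letters, digits and hyphens.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def split_identity(identity):
    """Return (username, realm) or None when the identity is not username@realm."""
    if identity.count("@") != 1:
        return None
    user, realm = identity.split("@")
    realm = realm.lower().rstrip(".")
    if not user or not REALM_RE.match(realm):
        return None
    return user, realm


def route_at_visited_site(identity):
    """Decision taken by the visited site's RADIUS server for one login attempt."""
    parts = split_identity(identity)
    if parts is None:
        # A bare username (or anything else without a realm) cannot be routed anywhere.
        return ("reject", "identity must be username@realm")
    _, realm = parts
    if realm in LOCAL_REALMS:
        return ("authenticate-locally", realm)
    # All other realms go up to the national proxy.  The visited site only ever sees
    # the outer identity: with PEAP or EAP-TTLS the password travels inside the TLS
    # tunnel that ends at the home organisation's server.
    return ("forward", NATIONAL_PROXY)


def route_at_national_proxy(identity):
    """Decision taken by the national proxy once the visited site has forwarded the request."""
    parts = split_identity(identity)
    if parts is None:
        return ("reject", "identity must be username@realm")
    _, realm = parts
    if realm in UK_HOME_SERVERS:
        return ("forward", UK_HOME_SERVERS[realm])
    if realm.endswith(".ac.uk"):
        # Constructed policy: a UK realm with no registered home server is dropped here
        # rather than being sent abroad.
        return ("reject", "UK realm not registered with JRS")
    return ("forward", INTERNATIONAL_PROXY)


if __name__ == "__main__":
    for ident in ("jbloggs", "jbloggs@visited.ac.uk", "jbloggs@foo.ac.uk", "jbloggs@uni.nl"):
        print(ident, "->", route_at_visited_site(ident), "/", route_at_national_proxy(ident))
```

The reject branch for a bare username is the point the page makes when it says the JRS username is not necessarily your e-mail address: without the realm suffix there is nothing for the visited site or the proxy to route on, so the attempt fails before any password is checked.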
Why is connecting to a network so complicated?
Why can't I just switch my machine on and get onto the network?
It is quite useful to understand the basic steps that are involved in getting out onto any network. The key thing to remember is that unlike domestic and cyber cafe networks (which are of low security and are extremely vulnerable to being compromised), the networks at academic institutions are vastly larger, supporting thousands of users and are far more secure and provide much better JANET-backed performance. The security mechanisms are there for your benefit and protection. The result of this is that the steps that you need to take to get onto the network are slightly more involved.
To get onto any academic network:
a) you have to connect to the medium, wireless or via wired wall socket
b) then to get any further you need to have a user account and have to be granted permissions to use certain facilities
c) next you need to be authenticated to ensure that only legitimate users can access the network
d) finally you are connected onto an appropriate VLAN and can use the network
The result of this is that you need a unique set of user credentials: a username and password. For JRS eduroam you have a specific form of username consisting of your own network username and the realm name of your organisation, which will work at any JRS eduroam site. Your user account may also have to be included in a particular "roaming users" group.
To connect to a wireless medium (more properly to "associate with a wireless access point") you need to select the appropriate wireless network service - in any one area there may be several wireless networks sharing the airwaves. These are differentiated by the SSIDs that they advertise. Of course with a wired connection to an Ethernet wall socket, this association phase does not take place.
Having associated to a wireless network your logon attempt has to be authenticated. This involves the exchange of user name and password information with the authentication server, which compares the credentials supplied with those registered on the home organisation user database.
After a successful authentication, the access point or switch connects you to the appropriate secure network to enable you to access your desired resources. The other users sharing your particular part of the network and the resources available to you are governed by the VLAN that you are connected to.
The above applies to any academic network. There are various ways of implementing the above, with varying levels of security. When it comes to providing a service for mobile users (using laptops or connecting at wired wall sockets) the mechanism becomes more complicated. "Web redirection" is a common method but has considerable security vulnerabilities; we recommend against this method. The 802.1x standard provides a far more robust solution, although it does involve a degree of initial set up complexity. That's why you can't just plug in and go!
How can I get my Palm TX handheld to work with JANET Roaming?
Palmtops need 802.1x supplicant software to work at the vast majority of JANET Roaming sites (excepting those providing web redirect authentication JRS1) - the supplicant software must support the authentication protocols in use on your home network (EAP-TLS, EAP-TTLS, EAP-PEAP(v0 or v1)). The Palm TX uses Palm OS Garnet 5.4 which supports wireless connection, but unlike XP and Vista does not include an 802.1x supplicant. This software is however available in the Wi-Fi Enterprise Security Update (ESU) package which costs $5.99 from www.palm.com/us/software/esu.
JANET Roaming tiers
There are three service tiers defined within the JANET Roaming service: JRS1, JRS2 and JRS3. These were defined in order to accommodate the wide range of guest network and wireless implementations at the time that JRS was set up. The differences between the tiers are shown below.
| Service Tier | Authentication Method | NAT | IPv6 | WEP | WPA | WPA2 | SSIDs |
|---|---|---|---|---|---|---|---|
| JRS1 | Web redirect | May | May | Not applicable | Not applicable | Not applicable | eduroam or eduroam-web¹ |
| JRS2 | IEEE 802.1x | May | May | Must (either WEP or WPA) | Must (either WEP or WPA) | May | eduroam or eduroam-wep² |
| JRS3 | IEEE 802.1x | Must not | Must | Must not | May | Must | eduroam |

¹ Applicable where JRS2 or JRS3 is offered as well as JRS1, to enable the services to be differentiated
² Applicable where a service using WPA or WPA2 is offered as well as WEP
Table 1 - Tier requirements for Visited organisations
IP protocols guaranteed on JRS guest networks
Visited organisations must permit egress and established forwarding of the protocols listed in Table 2 below. This may not be the case at eduroam organisations overseas where more limited services may be available.
| Service | Protocol / port | Forwarding |
|---|---|---|
| E-mail | | |
| IMSP | TCP/406 | egress and established |
| IMAP4 | TCP/143 | egress and established |
| IMAP3 | TCP/220 | egress and established |
| IMAPS | TCP/993 | egress and established |
| POP | TCP/110 | egress and established |
| POP3S | TCP/995 | egress and established |
| SMTPS | TCP/465 | egress and established |
| Message submission | TCP/587 | egress and established |
| Web | | |
| HTTP | TCP/80 | egress and established |
| HTTPS | TCP/443 | egress and established |
| VPN | | |
| Standard IPSec VPN | IP protocols 50 (ESP) and 51 (AH) | egress and ingress |
| Standard IPSec VPN | TCP/500 (IKE) | egress only |
| IPSec NAT traversal | UDP/4500 | egress and established |
| Cisco IPSec NAT traversal | TCP/10000 | egress and established |
| PPTP | IP protocol 47 (GRE) and TCP/1723 | egress and established |
| OpenVPN | TCP/5000 | egress and established |
| IPv6 Tunnel Broker NAT traversal | UDP/3653 and TCP/3653 | egress and established |
| Remote Desktop | | |
| RDP | TCP/3389 | egress and established |
| VNC | TCP/5900 | egress and established |
| Citrix | TCP/1494 | |
| Directory Services | | |
| LDAP | TCP/389 | egress and established |
| LDAPS | TCP/636 | egress and established |
| Secure Shell | | |
| SSH | TCP/22 | egress and established |
| File Transfer | | |
| Passive (S)FTP | TCP/21 | egress and established |

Table 2 - Minimum requirements for egress and established forwarding of protocols
Supplicant - configuration of this software will be necessary, WLAN settings vary site-site
The 802.1x supplicant is the software entity on the client workstation/laptop that enables the user to submit credentials to connect the computer to a secure network. Supplicant software is built in to Windows and Mac OS, but third party 802.1x supplicant software is available, notably Xsupplicant (being developed by Open SEA in association with JANET(UK)), wpa_supplicant and SecureW2.
Your organisation's choice of EAP type (mechanism for exchanging authentication messages) may require the use of specific supplicant software, but in many cases the supplicant software built in to the operating system will support the required EAP type. Your IT Support team should supply/install/configure any third party or built-in supplicant software for use with JRS eduroam.
Supplicant software usually includes settings for the encryption method used on the WLAN. These settings vary from site to site, so you'll need to check the encryption in use at the site you intend to visit on that site's JRS info web page before you go. The WPA, WPA2 or WEP settings can then be configured on your supplicant. The supplicant may include functionality to enable the selection of DHCP for IP address and DNS; if it does not, then these settings must be configured in the network adaptor/WLAN card settings section of the operating system.
EAP type - the type used by your organisation configured first time you set up your laptop
EAP - Extensible Authentication Protocol is a framework for transporting authentication messages and provides for the negotiation of the authentication mechanism (EAP type) to be utilised. There are a number of different EAP types in existence. With JANET Roaming eduroam, the EAP types that organisations have implemented are PEAP, EAP-TTLS and EAP-TLS. With PEAP and EAP-TTLS there are also stage 2 (inner) methods that must be correctly configured.
In Microsoft network environments, PEAP is most commonly encountered, with a stage 2 method usually MSCHAPv2.
In other environments you will commonly find EAP-TTLS, with a stage 2 method of MSCHAPv2 or MD5 or PAP.
The final common method, EAP-TLS is a single stage protocol.
Certificates - enable mutual trust between client and authentication server and used in encryption of the message exchange.
The main EAP types in use utilise server certificates to verify the authenticity of the remote server that will authenticate your credentials, and some EAP types also require client machines to have client certificates. In the latter case, the client certificate must be acquired from your IT Support team. (Installation may have been carried out by your organisation's IT Support team if third party supplicant software is used by your organisation.)
SSID - select the appropriate eduroam SSID from the popup list to connect to the WLAN
Service Set Identifier - the ‘name’ of a wireless network. Modern wireless access points enable a number of different wireless network services to co-exist in the same physical area. Multiple wireless network services are useful in an enterprise environment because different functions and policies can be enabled on each service and these can be tailored to match the different user types who may wish to connect. So you can have a service for staff, a service for students and another service for guests. These different services can be associated with different VLANs, so providing access to different resources on the network as appropriate to the type of user.
Usually SSIDs are broadcast by the wireless network access points, although in some deployments hidden SSIDs may be encountered. In the normal scenario, the wireless client scans for broadcast SSIDs and displays a list of those available. Alternatively the client can probe for a specific SSID or can probe for 'any'. By whatever means, in modern operating systems a list of the available SSIDs will be displayed whenever the wireless LAN card is enabled. From this list you will be able to pick the required service. For access via JRS eduroam, the relevant SSIDs are: 'eduroam', 'eduroam-wep' and 'eduroam-web'.
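The supplicant, EAP type, certificate and SSID sections above list the settings a user must get right before travelling. As an added example (not from the JRS page and not part of wpa_supplicant or any other supplicant named here), the following Python script lints wpa_supplicant `network={...}` blocks against those points: an eduroam SSID, 802.1x key management, a supported EAP type with its stage 2 method, server certificate validation, and a username@realm identity. The embedded configuration is constructed: the first block omits the server certificate check and uses a bare username, the second is the corrected form; the CA path, realm and server name are placeholders.

```python
"""Lint wpa_supplicant network blocks intended for JRS eduroam (added example).

Not part of the JRS page or of wpa_supplicant.  The sample configuration below is
constructed: block 1 is the weak form, block 2 the corrected form.
"""
import re

EDUROAM_SSIDS = {"eduroam", "eduroam-wep", "eduroam-web"}
SUPPORTED_EAP = {"PEAP", "TTLS", "TLS"}
STAGE2_REQUIRED = {"PEAP", "TTLS"}      # EAP-TLS is a single-stage method

SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jbloggs"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@foo.ac.uk"
    identity="jbloggs@foo.ac.uk"
    password="hunter2"
    ca_cert="/etc/ssl/certs/home-org-ca.pem"
    domain_match="radius.foo.ac.uk"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(text):
    """Return one dict (key -> unquoted value) per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks


def lint_network(net):
    """Return the list of problems found in one network block (empty means OK)."""
    problems = []
    if net.get("ssid") not in EDUROAM_SSIDS:
        problems.append("ssid is not one of the JRS eduroam SSIDs")
    if net.get("key_mgmt") != "WPA-EAP":
        problems.append("key_mgmt must be WPA-EAP for an 802.1x network")
    eap = net.get("eap", "")
    if eap not in SUPPORTED_EAP:
        problems.append("eap must be PEAP, TTLS or TLS")
    if eap in STAGE2_REQUIRED and not net.get("phase2"):
        problems.append("stage 2 method (phase2=...) missing")
    if eap == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        problems.append("EAP-TLS needs client_cert and private_key")
    # Server certificate validation.  Without a trusted CA *and* a name check the
    # supplicant will start the stage 2 exchange with any RADIUS server that
    # presents a certificate, so the home organisation's server is never verified.
    if not net.get("ca_cert"):
        problems.append("ca_cert missing: server certificate is not verified")
    if not (net.get("domain_match") or net.get("domain_suffix_match") or net.get("subject_match")):
        problems.append("no domain_match/subject_match: any certificate from the CA is accepted")
    identity = net.get("identity", "")
    if not re.fullmatch(r"[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", identity):
        problems.append("identity must be username@realm (e.g. user@foo.ac.uk)")
    return problems


def lint_conf(text):
    """Lint every network block in a wpa_supplicant configuration string."""
    return [lint_network(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for i, probs in enumerate(lint_conf(SAMPLE_CONF), 1):
        print(f"network {i}: " + ("OK" if not probs else "; ".join(probs)))
```

Running the script reports three problems for the first block (no `ca_cert`, no name match, bare username) and none for the second. The name check matters as much as the CA: a supplicant that trusts a public CA without `domain_match` accepts any server holding a certificate from that CA, not only the home organisation's.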
VLAN (virtual local area network) - when visiting you'll be connected to the guest VLAN
A VLAN is a sub-network that exists within the physical network infrastructure of an organisation. It is dynamically created by the network software and links together users, servers, resources and Internet / Intranet facilities regardless of physical location within the organisation's network. A number of VLANs can co-exist on the network at the same time, spanning multiple network switches, wireless access points and routers. VLANs are used to securely provide access to different resources on the network as appropriate to the different types of user. So you can, for example, have a VLAN for staff, a VLAN for students and another VLAN for guests.
Any problems, comments or suggestions regarding this page, please e-mail the JRS service manager.