Eduroam wireless network at the Observatoire de Paris

(This documentation is also available in French.)

Connect to Eduroam (Observatoire de Paris members)

If you are a member of the Observatoire de Paris, configure Eduroam before you arrive, with one of the following methods (each is detailed below):

  • assisted with CAT (Windows, MacOS, Android, iOS, GNU/Linux)
  • manual (GNU/Linux, FreeBSD, Android)

Most methods ask for your fully qualified login. It is your LDAP login at the Observatoire (the login of your e-mail account) followed by @obspm.fr.

The fully qualified login is not the e-mail address

For instance, if you are John Doe with the jdoe login and the John.Doe@obspm.fr e-mail address, you must provide:

jdoe@obspm.fr

and not your e-mail John.Doe@obspm.fr.

The associated password is the e-mail password (Observatoire LDAP account).

Connect to Eduroam (non Observatoire de Paris members)

Before coming to the Observatoire de Paris, while still at your home institution, configure Eduroam following the method recommended by your own IT support (CAT or any other). Then test Eduroam on your home institution's network: if it works there, it should work at the Observatoire de Paris without any modification.

You can also have a look at this documentation (only for sites in France).

How to configure Eduroam?

At the time of this writing, here are the available methods and the ones recommended by the Observatoire IT department (each method is detailed below):

System             Recommended method
Windows ≥ 7        CAT
Windows ≤ Vista    none (use Eduspot)
MacOS ≥ 10.7       CAT
MacOS 10.6         manual
Linux              manual
FreeBSD            manual
Android ≥ 4.3      CAT
Android ≤ 4.2      manual
iOS                CAT (see details below)
Other              none (use Eduspot)

CAT (assisted configuration)

The simplest method is to use the Configuration Assistant Tool (CAT).

For the Observatoire de Paris members:

  • go to the CAT homepage
  • click on « download your eduroam installer »
  • select « Observatoire de Paris »
  • select your operating system, with the right version
  • run the downloaded installer (directly or after saving it)
  • follow the program instructions

The user name asked for is the fully qualified login and the password is the e-mail password (Observatoire LDAP account).

For Windows users, the antivirus program may display alerts. If so, please have a look at the section "CAT and the antivirus (Windows)" below.

Once the installation is finished, select the eduroam network in the list of available networks.

iOS: details for CAT

(Sorry, screenshots are in French)

iOS: CAT download

  • Step 2: select « Observatoire de Paris » then « iOS »

iOS: CAT download iOS

  • Step 3: download the module

iOS: CAT download iOS CAT

  • Step 4: install certificate by selecting « install »

iOS: CAT download iOS CAT (2)

  • Step 5: in the confirmation window, select again « install »

iOS: CAT check certificate

  • Step 6: the program asks for a code: use the one that unlocks the phone

iOS: CAT check certificate code

  • Step 7: go to Settings, then Wi-Fi, then select eduroam

iOS: select network

  • Step 8: in the authentication window, type your fully qualified login and your e-mail password (Observatoire LDAP account)

iOS: network selection

After a little while (usually just a few seconds), the connection should be established.

Android ≤ 4.2: manual configuration

(Sorry, the screenshots are in French)

This configuration has been tested with Android 4.1 on a Samsung Galaxy S2 smartphone. With some minor adaptations, it should work on all versions. Icons and labels may vary from one vendor to another.

Step 1: open Settings

Android: Setup

Step 2: select Wi-Fi

Android: Wi-Fi

Step 3: at the end of the network list, select Add a Wi-Fi network

Android: Add a Wi-Fi network

Step 4: enter the first parameters:

  • SSID: eduroam
  • Security: 802.1X EAP
  • EAP method: TTLS (Tunneled TLS)
  • Phase 2 authentication: PAP
  • CA certificate: leave Unspecified; the TERENA certification authority should already be known to the Android system. Note that with no CA certificate selected the phone does not verify which RADIUS server it is talking to, and PAP sends the password in clear text inside the TLS tunnel; if your Android version lets you select the CA certificate, do so.

Android: profile parameters (1)

Step 5: enter the other parameters:

  • User certificate: leave the default Unspecified
  • Identity: enter your fully qualified login
  • Anonymous identity: enter anonymous@obspm.fr
  • Password: enter your e-mail password (Observatoire LDAP account); check Show password only temporarily, just to verify what you typed

Then save the profile.

Android: profile parameters (2)

After a little while (usually just a few seconds), the connection should be established.

GNU/Linux: manual configuration

This section covers Network Manager, which is the most widespread tool, and Wicd. For another tool, adapting these instructions should be quite straightforward.

Network Manager

(Sorry, the screenshots are in French)

This configuration has been tested on a Debian 9 (Stretch) system with Network Manager version 1.6. With some minor tweaks, it should work on all distributions. Icons and labels may slightly vary from one distribution to another.

Step 1: right click on Network Manager icon and select Edit connections

Network Manager: Edit connections

Step 2: click the Add button

Network Manager : Add

Step 3: select Wi-Fi type

Network Manager: Wi-Fi

Step 4: create the eduroam wireless profile:

  • for connection name, enter eduroam
  • check Connect automatically

Network Manager: Wi-Fi: General tab

Step 5: select Wi-Fi tab:

  • as SSID name, enter eduroam

Network Manager: Wi-Fi: Wi-Fi tab

Step 6: select Wireless security tab to provide security settings:

  • Security: select WPA & WPA2 Enterprise
  • Authentication: select Tunneled TLS
  • Anonymous identity: enter anonymous@obspm.fr
  • CA certificate: the chain of the Observatoire RADIUS servers is issued under DigiCert and is normally already in the system store, so checking No CA certificate required will work. With that box checked, however, the client does not verify which RADIUS server it is talking to, and PAP sends the password in clear text inside the TLS tunnel; prefer selecting the system CA bundle (/etc/ssl/certs/ca-certificates.crt on Debian) as CA certificate instead.
  • Inner authentication: select PAP
  • Username: enter your fully qualified login
  • Password: enter your e-mail password (Observatoire de Paris LDAP account); check Show password only temporarily, just to verify what you typed

And save the profile.

Network Manager: Wi-Fi: Wi-Fi security tab

Then select this wireless network from the Network Manager icon; the connection should be established.
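The same profile can be created from the command line with nmcli, which avoids the GUI clicks and makes the settings easy to review. The script below is an added example written for this page, not the DIO's own instructions: it builds the nmcli command as a dry run (print it, then pipe it to sh to apply). It assumes the Wi-Fi interface is wlan0, that the Debian CA bundle is at /etc/ssl/certs/ca-certificates.crt, and uses RADIUS_SERVER_NAME as a placeholder for the name in the Observatoire RADIUS server certificate, which you must obtain from the IT department; the page does not give it.

```shell
#!/bin/sh
# Added example (not from the DIO page): the Network Manager eduroam profile
# described in the GUI steps above, expressed as one nmcli command.
#
# Assumptions (not from the page): Wi-Fi interface wlan0, Debian CA bundle
# /etc/ssl/certs/ca-certificates.crt, and RADIUS_SERVER_NAME as a placeholder
# for the RADIUS server name (ask the IT department for the real value).

# eduroam_nmcli LOGIN [CA_BUNDLE] [SERVER_NAME]
#   Prints the nmcli command creating the profile. The password is never put
#   on the command line (it would end up in shell history and in `ps`):
#   802-1x.password-flags 1 makes Network Manager prompt for it and store it
#   in the user's keyring.
eduroam_nmcli() {
    login=$1
    ca_bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    server_name=${3:-RADIUS_SERVER_NAME}   # hypothetical placeholder

    case $login in
        *@obspm.fr) ;;    # fully qualified login, as the page requires
        *) echo "error: use the fully qualified login, e.g. jdoe@obspm.fr" >&2
           return 1 ;;
    esac

    printf 'nmcli connection add type wifi con-name eduroam ifname wlan0 ssid eduroam --'
    printf ' connection.autoconnect yes'
    printf ' wifi-sec.key-mgmt wpa-eap'
    printf ' 802-1x.eap ttls 802-1x.phase2-auth pap'
    printf ' 802-1x.identity %s' "$login"
    printf ' 802-1x.anonymous-identity anonymous@obspm.fr'
    # Unlike "No CA certificate required" in the GUI, the two settings below
    # make the client verify the RADIUS server certificate and its name before
    # the PAP password is sent through the TLS tunnel.
    printf ' 802-1x.ca-cert %s' "$ca_bundle"
    printf ' 802-1x.domain-suffix-match %s' "$server_name"
    printf ' 802-1x.password-flags 1\n'
}

# Usage:
#   eduroam_nmcli jdoe@obspm.fr          # print the command and check it
#   eduroam_nmcli jdoe@obspm.fr | sh     # create the profile
#   nmcli connection up eduroam          # connect; Network Manager asks for the password
```

The `--` separator between the connection identifiers and the property list is accepted by all Network Manager versions, including the 1.6 release the page was tested with.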

Wicd

Create a /etc/wicd/encryption/templates/eduroam file with the following content:

name = Eduroam
author =
version = 1
require anonymous_identity *Anonymous_Identity identity *Identity password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
   ssid="$_ESSID"
   # accept both WPA and WPA2 (RSN); "proto=WPA" alone would only allow WPA1
   proto=WPA RSN
   key_mgmt=WPA-EAP
   eap=TTLS
   anonymous_identity="$_ANONYMOUS_IDENTITY"
   phase2="auth=PAP"
   identity="$_IDENTITY"
   password="$_PASSWORD"
}

Then add the following line to the /etc/wicd/encryption/templates/active file:

eduroam

When selecting this new wireless network, a pop-up window will ask for the fully qualified login and the e-mail password (Observatoire LDAP account).

FreeBSD: manual configuration

Method with password storage

This method has the drawback of storing the password in clear text in a file; make sure the file is readable by root only (see the chmod below).

Create a /etc/wpa_supplicant-eduroam.conf file with the following content:

# needed for wpa_cli to talk to the supplicant
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@obspm.fr"
    identity="your_login@obspm.fr"
    password="your_password"
}

Protect the file (it is a configuration file, so it does not need to be executable):

chmod 0600 /etc/wpa_supplicant-eduroam.conf

Then, create a virtual network interface:

ifconfig wlan0 create wlandev PHYSICAL_INTERFACE

The name of the physical wireless device (PHYSICAL_INTERFACE) is found with:

ifconfig -a

or, on recent FreeBSD versions, with sysctl net.wlan.devices.

Finally, launch the 802.1X (supplicant) and DHCP clients:

wpa_supplicant -B -c /etc/wpa_supplicant-eduroam.conf -i wlan0
dhclient wlan0

to establish the connection.

Variant without password storage

Create a /etc/wpa_supplicant-eduroam.conf file with the following content:

# needed for wpa_cli to talk to the supplicant
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@obspm.fr"
    identity="your_login@obspm.fr"
    # no password line: it is supplied at run time with wpa_cli
}

Protect the file:

chmod 0600 /etc/wpa_supplicant-eduroam.conf

Then, create a virtual network interface:

ifconfig wlan0 create wlandev PHYSICAL_INTERFACE

The name of the physical wireless device (PHYSICAL_INTERFACE) is found with:

ifconfig -a

or, on recent FreeBSD versions, with sysctl net.wlan.devices.

Launch the 802.1X (supplicant) client:

wpa_supplicant -B -c /etc/wpa_supplicant-eduroam.conf -i wlan0

Then launch wpa_cli, which gives an interactive prompt, and type the password command (0 is the network id of the eduroam block in the configuration file):

wpa_cli -i wlan0
password 0 your_password

Do not put quotes around the password.

In another terminal, launch the DHCP client:

dhclient wlan0

to establish the connection.
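Both FreeBSD procedures above, with and without password storage, are the same sequence apart from the password line, and they are easy to get wrong by hand (file written before its mode is restricted, dhclient started before 802.1X has completed). The script below is an added example written for this page, not the DIO's own code: write_eduroam_conf writes the configuration file with mode 0600 from the start, with or without the stored password, and connect_eduroam creates the wlan interface, starts wpa_supplicant, prompts for the password through wpa_cli when none is stored, waits for the handshake to complete and only then runs dhclient. Two things in it are assumptions, not from the page: the CA bundle path /usr/local/share/certs/ca-root-nss.crt (installed by the FreeBSD security/ca_root_nss package), and the RADIUS_SERVER_NAME placeholder for the domain_suffix_match line, to be replaced by the name given by the IT department. The page's phase1="peaplabel=0" line is left out, as it is a PEAP option that has no effect with TTLS.

```shell
#!/bin/sh
# Added example (not from the DIO page): the FreeBSD eduroam procedure as one
# script. Assumptions (not from the page): CA bundle path below and the
# RADIUS_SERVER_NAME placeholder for the server name check.

# write_eduroam_conf CONF_FILE LOGIN [PASSWORD]
#   With PASSWORD, the password is stored in the file ("method with password
#   storage"); without it, the password line is omitted and given later with
#   wpa_cli. The file is created under umask 077, so it is 0600 from the first
#   byte written, instead of being chmod'ed after the password is already on disk.
write_eduroam_conf() {
    conf=$1 login=$2 password=$3
    ca_bundle=${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}   # assumption
    case $login in
        *@obspm.fr) ;;
        *) echo "error: use the fully qualified login, e.g. jdoe@obspm.fr" >&2; return 1 ;;
    esac
    (
        umask 077
        {
            echo 'ctrl_interface=/var/run/wpa_supplicant'   # needed by wpa_cli
            echo 'network={'
            echo '    ssid="eduroam"'
            echo '    key_mgmt=WPA-EAP'
            echo '    eap=TTLS'
            echo '    phase2="auth=PAP"'
            echo '    anonymous_identity="anonymous@obspm.fr"'
            echo "    identity=\"$login\""
            # PAP sends the password in clear text inside the TLS tunnel, so the
            # RADIUS server certificate must be verified, or a rogue access point
            # broadcasting "eduroam" receives the password. ca_cert alone accepts
            # any certificate from any public CA; domain_suffix_match pins the name.
            echo "    ca_cert=\"$ca_bundle\""
            echo '    # domain_suffix_match="RADIUS_SERVER_NAME"   # placeholder: set the real name'
            [ -n "$password" ] && echo "    password=\"$password\""
            echo '}'
        } > "$conf"
    )
}

# connect_eduroam PHYSICAL_INTERFACE CONF_FILE
#   PHYSICAL_INTERFACE is the device shown by `ifconfig -a` or `sysctl net.wlan.devices`.
connect_eduroam() {
    phy=$1 conf=$2
    ifconfig wlan0 create wlandev "$phy"
    ifconfig wlan0 up
    wpa_supplicant -B -c "$conf" -i wlan0
    # Without a stored password, hand it to the supplicant for network id 0.
    # The shell quotes are removed before wpa_cli sees the value, so wpa_cli
    # receives the bare password, as the page requires.
    if ! grep -q '^ *password=' "$conf"; then
        printf 'eduroam password for %s: ' "$(sed -n 's/^ *identity="\(.*\)"/\1/p' "$conf")"
        stty -echo; read -r pw; stty echo; echo
        wpa_cli -i wlan0 password 0 "$pw"
    fi
    # Ask for an address only once 802.1X has succeeded (30 s timeout).
    i=0
    until wpa_cli -i wlan0 status | grep -q '^wpa_state=COMPLETED'; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "eduroam: authentication timed out" >&2; return 1; }
        sleep 1
    done
    dhclient wlan0
}

# Usage (as root):
#   write_eduroam_conf /etc/wpa_supplicant-eduroam.conf jdoe@obspm.fr          # no stored password
#   write_eduroam_conf /etc/wpa_supplicant-eduroam.conf jdoe@obspm.fr s3cret   # stored password
#   connect_eduroam iwn0 /etc/wpa_supplicant-eduroam.conf
```

If authentication times out, `wpa_cli -i wlan0 status` shows where it stopped, and running wpa_supplicant without -B and with -d prints the TLS handshake, including certificate verification failures, which is the first thing to check when the server certificate has been replaced.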

MacOS 10.6 (Snow Leopard): manual configuration

(Sorry, the screenshots are in French)

CAT does not work with this old MacOS version, so the Eduroam profile has to be configured manually.

Step 1: open System Preferences

MacOS 10.6: System Preferences

Step 2: select Network

MacOS 10.6: Network

Step 3: select Advanced

MacOS 10.6: Advanced

Step 4: select 802.1X tab then + button then Add user profile

MacOS 10.6: 802.1X : Add user profile

Step 5: enter security parameters:

  • User name: enter your e-mail login (LDAP login)

In this particular case, do not enter your fully qualified login but only your e-mail login, without the @obspm.fr suffix.

  • Password: enter your e-mail password (LDAP account) or check Always ask for password
  • Authentication: select TTLS and uncheck all others
  • Wireless network: select eduroam
  • Security: select WPA2 Enterprise

MacOS 10.6: 802.1X parameters

Step 6: select the TTLS line and click on Configure button:

  • Internal TTLS Authentication: select PAP
  • External identity: enter @obspm.fr

then validate these parameters with OK.

Validate the new profile with OK then Apply

MacOS 10.6: TTLS parameters

Step 7: select Connect to use this newly created profile.

MacOS 10.6: connection

FAQ and known problems

Eduroam has not worked on my device since 4 April 2017

The X.509 certificate of the Observatoire de Paris authentication RADIUS servers was about to expire and has been replaced. A correctly configured client refuses to send credentials to a server whose certificate it does not recognise, so you have to redo your configuration. The simplest way is to download the CAT installer again, which has been updated, and run it.

CAT and the antivirus (Windows)

We cannot test every antivirus product on the market. We will complete this documentation as we gather information.

Norton

Norton may display the following message:

Our information about this file is inconclusive

and offer either to delete the file or to allow it to run. Provided you downloaded the installer yourself from the CAT site, allow it to run.

At the end of the installation, a reboot will probably be required.

Unable to use Eduroam with Windows at the Observatoire since 15 April 2015

In short

Windows versions before 7 (XP, Vista) configured with CAT after 15 April 2015 no longer work for Observatoire de Paris members.

In details

The following explanation reflects our understanding of a rather complicated field, in which clear, complete and reliable documentation is hard to find. If you find errors or approximations, please do not hesitate to tell us.

Eduroam uses 802.1X network access control, based on the EAP protocol, which offers several methods (EAP-TLS, EAP-TTLS, etc.) to authenticate the client against a RADIUS server. We call this authentication stage 1. The RADIUS server then checks the credentials against an authentication directory (typically an LDAP directory) with a second method, which we call authentication stage 2. In the directory, passwords are stored in some specific hashed format.

For stage 1, EAP-TTLS (RFC 5281) is an open IETF standard that provides a good level of security: the inner authentication is carried inside a TLS tunnel to the RADIUS server. It is widely supported (Apple MacOS and iOS, Linux, Android, etc.), but Microsoft implemented it rather late; Microsoft and Cisco had chosen instead to develop another method close to EAP-TTLS: PEAP.

For stage 2, in the Windows world, PEAP is used with the MS-CHAPv2 method. MS-CHAPv2 is a challenge-response scheme that can only be verified against the NT hash of the password (the MD4 of the UTF-16 password, the Windows-specific format also used by NTLM): the server never sees the password itself, so it must hold that hash.

Historically, the LDAP directory of the Observatoire de Paris was designed solely for the Unix e-mail server and does not store NT hashes. PAP, on the other hand, transmits the password itself (protected by the TTLS tunnel), which the RADIUS server can check against any stored hash format. Thus, for the moment, the only possible method combination for Eduroam for Observatoire de Paris members is EAP-TTLS-PAP.

Here is a table summing up the typical situations:

                   typical Observatoire    typical Windows
stage 1 (EAP)      TTLS                    PEAP
stage 2 (inner)    PAP                     MS-CHAPv2
password format    SHA-512, etc.           NTLM (NT hash)

Unfortunately, Windows XP and Vista do not support EAP-TTLS-PAP. Windows 7, 8 and 10 configured with CAT do (Windows itself only gained native EAP-TTLS support with Windows 8; on Windows 7 the support comes with what the CAT installer sets up).

Stage  Method     Observatoire  Windows XP, Vista       Windows 7, 8, 10
0      EAP        OK            OK                      OK
1      TTLS       OK            No (OK with SecureW2)   OK
1      PEAP       No            OK                      OK
2      PAP        OK            No (OK with SecureW2)   OK
2      MS-CHAPv2  No            OK                      OK

For Windows XP and Vista, Eduroam can only work for Observatoire de Paris members with added support for EAP-TTLS-PAP. This used to be provided by the SecureW2 software, which was bundled in CAT. Unfortunately, the company behind SecureW2 decided that its software would no longer be free software, hence no longer freely distributable, and asked TERENA to remove it from CAT, which was done on 15 April 2015.

The only solution is to upgrade to a later, supported version of Windows: 7, 8 or 10.

We unfortunately do not have any easy solution for the Observatoire de Paris members that use a Windows XP or Vista system.

Nevertheless, there is a workaround: at the Observatoire de Paris and wherever it is available, use Eduspot (with your LDAP account, aka e-mail account).

How to configure a BlackBerry ?

CAT does not support BlackBerry OS and we do not have such a device at hand to run tests. If you own a BlackBerry and are willing to help with tests, ask us for an appointment. In the meantime, you can try to adapt the Cambridge documentation to the Observatoire de Paris parameters.

Filtering policy for Eduroam at the Observatoire de Paris

When connected to the Eduroam network at the Observatoire de Paris, the following filtering policy is applied:

  • outbound: everything is allowed, except TCP port 25 (SMTP), to prevent spam emission (mail can still be sent to the Observatoire servers, see below)

  • inbound: nothing is allowed towards Eduroam clients, except the return traffic of established TCP sessions

  • an Eduroam client is considered in the outside of the Observatoire de Paris network

    As a result: an Observatoire de Paris member connected to Eduroam at the Observatoire faces the same filtering policy towards the Observatoire as if she was at home

  • Nevertheless, besides the traffic allowed from the Internet, the following (TCP) protocols are allowed from Eduroam to the Observatoire, if the target machine is accepting them:

    • web at large: HTTP, HTTPS (ports 80, 443, 8000, 8080-8090, 8443)
    • mail: SMTP (ports 25, 465, 587)
    • remote connection: SSH, telnet, RDP, VNC
    • file transfer: FTP, AFP
    • Microsoft protocols
    • printing (LPR, IPP, HP JetDirect)
    • DIO licence tokens
    • Version control (Subversion, Git, CVS)
    • XMPP

To get further information