- How to configure Eduroam?
- Connect to Eduroam (staff of Observatoire de Paris)
- Connect to Eduroam (visitors to Observatoire de Paris)
- CAT (assisted configuration)
- geteduroam mobile application
- iOS: details for CAT
- Microsoft Windows : manual configuration
- GNU/Linux: manual configuration
- FreeBSD: manual configuration
- Filtering policy for Eduroam at the Observatoire de Paris
- FAQ and known problems
- To get further information
(the reference version of these instructions is in French)
How to configure Eduroam?
At the time of this writing, here are the available methods and the ones recommended by the Observatoire IT department (click on the link for further information):
System | CAT available | recommended method |
---|---|---|
Windows > 7 | ✓ | manual |
MacOS ≥ 10.7 | ✓ | CAT |
Linux | ✓ | manual |
FreeBSD | | manual |
Android ≥ 4.3 | ✓ | geteduroam |
iOS | ✓ | CAT (see details below) |
Other | | none (use Eduspot) |
On recent MacOS versions, you must use CAT and must not try to connect to the Eduroam network before running it. If you did, the CAT installation will not work: first delete every reference to Eduroam in the network settings and in the profile manager, then run CAT again.
On modern Windows, the DIO IT team recommends the manual configuration over CAT, because we feel that typing a login and password is simpler than installing a program. Your mileage may vary, and you can of course use CAT if you prefer. Keep in mind that with the manual method you are the one who checks the RADIUS server certificate at the first connection (see the Windows section below); do not skip that check.
Connect to Eduroam (staff of Observatoire de Paris)
Before your arrival at the Observatoire de Paris, configure Eduroam with one of the following methods, detailed below:
- assisted, with CAT (Windows, MacOS, Android, iOS, GNU/Linux)
- manual (GNU/Linux, FreeBSD)
Most methods ask for your fully qualified login: your LDAP login at the Observatoire (the login of your e-mail account) followed by @obspm.fr.
The fully qualified login is not the e-mail address. For instance, if you are Jane Doe with the login jdoe and the e-mail address Jane.Doe@obspm.fr, you must provide jdoe@obspm.fr and not your e-mail address Jane.Doe@obspm.fr.
The associated password is the e-mail password (Observatoire LDAP account).
Connect to Eduroam (visitors to Observatoire de Paris)
Before coming to the Observatoire de Paris, configure Eduroam at your home institution, following the method recommended by your own IT support (probably CAT). Then test Eduroam on your home institution's network: if it works there, it should work at the Observatoire de Paris without any change.
CAT (assisted configuration)
The simplest and safest method is to use the Configuration Assistant Tool (CAT): besides the eduroam profile, the installer provisions the certificate authority and the expected RADIUS server name, so your device refuses to send your credentials to an access point that merely announces the eduroam network name.
For the Observatoire de Paris members:
- go to the CAT homepage
- click on « Click here to download your eduroam installer »
- select « Observatoire de Paris »
- click on Download your eduroam installer
- run (directly or after saving it) the selected program
- follow the program instructions
The user name asked is the fully qualified login and the password is the e-mail password (Observatoire LDAP account)
Once the installation finished, select the eduroam network in the available networks list.
geteduroam mobile application
Northern European National Research and Education Networks have developed a mobile application named geteduroam. Its goal is to simplify connecting to Eduroam for end users, based on CAT data: it can be seen as an overlay to CAT or, from the end user's point of view, as an alternative to the CAT application. To the best of our knowledge, there is no official position on whether to use geteduroam or CAT.
For the Observatoire de Paris members:
- install geteduroam from your application store (Google Play or the Apple App Store; the publisher of geteduroam is SURF B.V.)
- start the application
- follow the application instructions
The user name asked is the fully qualified login and the password is the e-mail password (Observatoire LDAP account)
Once the installation finished, select the eduroam network in the available networks list.
iOS: details for CAT
(Sorry, screenshots are in French)
- Step 1: go to CAT homepage
- Step 2: select « Observatoire de Paris » then « iOS »
- Step 3: download the module
- Step 4: install certificate by selecting « install »
- Step 5: in the confirmation window, select again « install »
- Step 6: iOS asks for a code: enter the passcode that unlocks the phone
- Step 7: go to Settings, then Wi-Fi, and select eduroam
- Step 8: in the authentication window, type your fully qualified login and your e-mail password (Observatoire LDAP account)
After a little while (usually a few seconds), the connection should be established.
Microsoft Windows : manual configuration
- go to the network menu (the network icon in the taskbar, usually at the bottom of the screen)
- select the eduroam network, then type your fully qualified login and your e-mail password (Observatoire LDAP account)
- Windows shows a warning asking whether you want to keep on connecting: click on Show certificate details and check that you see:
  Issued to: FR, Île-de-France, Observatoire de Paris, radius.obspm.fr
  Issued by: GEANT OV RSA CA 4
  Fingerprint (SHA-256): F4 74 CA 80 BC 6A A4 89 FC 1A 40 06 3E 09 9C 23 25 DB 0B E2 19 F4 7B 43 D7 AE 7F 64 51 49 C2 30
- if the details match, proceed to Connect; if the name or the issuer differ, do not connect, because the network could be a rogue access point announcing the eduroam name, and your login and password would be sent to it. The fingerprint changes whenever the server certificate is renewed, so a fingerprint mismatch alone may only mean that this page has not been updated yet: in that case check with the IT department before connecting.
GNU/Linux: manual configuration
This documentation is about Network Manager, which is widespread.
(Sorry, the screenshots are in French)
This configuration has been tested on a Debian 9 (Stretch) system with Network Manager version 1.6. With minor tweaks, it should work on all distributions; icons and labels may vary slightly from one distribution to another.
Step 0: download on your PC the GEANT TCS Certification Authority certificate, currently operated by Sectigo (right click, then Save link target as)
Step 1: right click on Network Manager icon and select Edit connections
Step 2: select Add button
Step 3: select Wi-Fi type
Step 4: create the eduroam wireless profile:
- for connection name, enter eduroam
- check Connect automatically
Step 5: select Wi-Fi tab:
- as SSID name, enter eduroam
Step 6: select Wireless security tab to provide security settings:
- Security: select WPA & WPA2 Enterprise
- Authentication: select Tunneled TLS
- Anonymous identity: enter anonymous@obspm.fr (this outer identity is sent in clear before the TLS tunnel exists, so it reveals only the realm, not your login)
- CA certificate: search for and select the certificate downloaded at step 0
Do select the right certificate here, and never check No CA Certificate is Needed. With Tunneled TLS and PAP, your password travels in clear inside the TLS tunnel, so the only thing that prevents a rogue access point announcing the eduroam name from receiving your LDAP login and password is the check that the server certificate was issued by this CA.
- Internal authentication: select PAP
- Login: enter your fully qualified login
- Password: enter your e-mail password (Observatoire de Paris LDAP account) ; check Show password only temporarily, just to check if what you just entered is correct
And save the profile.
Then, select this wireless network from the Network Manager icon, the connection should happen.
FreeBSD: manual configuration
Most of the operations described below require root privileges.
Method with password storage
This method has the drawback of storing the password in clear text in a file; do not forget the chmod step below, which makes the file readable by root only.
Create a /etc/wpa_supplicant-eduroam.conf file with the following content:
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=TTLS
phase1="peaplabel=0"
phase2="auth=PAP"
# outer identity, sent in clear before the TLS tunnel is up: give only the realm
anonymous_identity="anonymous@obspm.fr"
identity="your_login@obspm.fr"
password="your_password"
# verify the RADIUS server certificate, otherwise a rogue "eduroam" access point receives the password;
# the path below is an assumption: use the file where you saved the GEANT TCS CA certificate (see step 0 of the GNU/Linux section)
ca_cert="/usr/local/etc/ssl/geant-tcs-ca.pem"
# also check the server name: the CA alone would accept a certificate issued to any other institution
domain_suffix_match="radius.obspm.fr"
}
Protect the file so that only root can read it:
chmod 0600 /etc/wpa_supplicant-eduroam.conf
Then, create a virtual network interface:
ifconfig wlan0 create wlandev PHYSICAL_INTERFACE
The value of PHYSICAL_INTERFACE for the wireless interface is found with:
ifconfig -a
Finally, launch the 802.1X (supplicant) and DHCP clients to establish the connection:
wpa_supplicant -B -c /etc/wpa_supplicant-eduroam.conf -i wlan0
dhclient wlan0
Alternative without password storage
Create a /etc/wpa_supplicant-eduroam.conf file with the following content (the ctrl_interface line is what lets wpa_cli talk to the supplicant):
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=TTLS
phase1="peaplabel=0"
phase2="auth=PAP"
anonymous_identity="anonymous@obspm.fr"
identity="your_login@obspm.fr"
# same server certificate checks as in the previous method (CA file path is an assumption)
ca_cert="/usr/local/etc/ssl/geant-tcs-ca.pem"
domain_suffix_match="radius.obspm.fr"
}
Then, create a virtual network interface:
ifconfig wlan0 create wlandev PHYSICAL_INTERFACE
The value of PHYSICAL_INTERFACE for the wireless interface is found with:
ifconfig -a
Launch the 802.1X (supplicant) client:
wpa_supplicant -B -c /etc/wpa_supplicant-eduroam.conf -i wlan0
Then launch the CLI, which shows a prompt, and type the password command (0 is the id of the first network block of the file, as listed by the list_networks command; no quotes around the password):
wpa_cli
password 0 your_password
The password is kept in the supplicant's memory only and must be typed again after each restart. In another terminal, launch the DHCP client to establish the connection:
dhclient wlan0
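The GNU/Linux and FreeBSD procedures above both end up in a wpa_supplicant configuration (Network Manager drives wpa_supplicant underneath), and both depend on the same two settings to keep the PAP password away from a rogue access point. The following POSIX shell script is an added example, not code from the Observatoire de Paris page: eduroam_block emits a network block that verifies the CA and the RADIUS server name, and lint_eduroam_conf checks an existing file for those settings. The CA file path is whatever the caller passes, the server name radius.obspm.fr is taken from the certificate details shown in the Windows section, and the configuration files used in the demo are constructed here.

```shell
#!/bin/sh
# Added example, not code from the Observatoire de Paris page: emit a
# wpa_supplicant network block for eduroam that verifies both the CA and the
# RADIUS server name, and lint an existing config for the two settings whose
# absence lets a rogue "eduroam" access point collect the PAP password.
# Assumptions: the CA file path passed by the caller, and that the server
# name to match is radius.obspm.fr (the name shown to Windows users on the
# page). The configuration files used in the demo are constructed.

# Print a hardened network block.
# $1 = fully qualified login, $2 = CA certificate file, $3 = RADIUS server name
eduroam_block() {
    login="$1"; ca="$2"; server="$3"
    cat <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    # Outer identity, sent in clear before the TLS tunnel: expose only the realm.
    anonymous_identity="anonymous@${login#*@}"
    identity="${login}"
    # Both lines are needed: with ca_cert alone, a certificate issued by the
    # same CA to another institution would still be accepted.
    ca_cert="${ca}"
    domain_suffix_match="${server}"
}
EOF
}

# The block as given on the page for FreeBSD (no CA, no server name), copied
# here only so that the lint below has something to reject.
unpinned_block() {
    cat <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="your_login@obspm.fr"
    password="your_password"
}
EOF
}

# Lint a wpa_supplicant config file. Returns 0 when the server certificate is
# checked against a CA and a server name, 1 when either check is missing.
lint_eduroam_conf() {
    f="$1"; rc=0
    if ! grep -Eq '^[[:space:]]*ca_cert=' "$f"; then
        echo "$f: no ca_cert= line, the server certificate is not verified at all"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*(domain_suffix_match|domain_match)=' "$f"; then
        echo "$f: no domain_suffix_match= line, any certificate from the CA is accepted"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*password=' "$f"; then
        echo "$f: note: password stored in clear, keep the file mode 0600"
    fi
    return $rc
}

# Demo on constructed files: the page's block fails the lint, the hardened one passes.
tmp=$(mktemp -d)
unpinned_block > "$tmp/page.conf"
eduroam_block "jdoe@obspm.fr" "/usr/local/etc/ssl/geant-tcs-ca.pem" "radius.obspm.fr" > "$tmp/hardened.conf"
lint_eduroam_conf "$tmp/page.conf" || echo "page.conf: would hand the password to a rogue server"
lint_eduroam_conf "$tmp/hardened.conf" && echo "hardened.conf: CA and server name verified"
rm -rf "$tmp"
```

With Network Manager the same two settings are the 802-1x.ca-cert and 802-1x.domain-suffix-match properties of the connection (settable with nmcli when the graphical editor of your version has no server-name field). wpa_supplicant also accepts a pin on the server certificate itself, ca_cert="hash://server/sha256/<hex>", which is where the fingerprint printed in the Windows section would go; it is stricter, but it stops working at every certificate renewal, so the CA plus server name form above is the one to prefer for a long-lived profile.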
Filtering policy for Eduroam at the Observatoire de Paris
When connected to the Eduroam network at the Observatoire de Paris, the following filtering policy is applied:
- everything is allowed from Eduroam to the Internet, except TCP port 25 (SMTP), to prevent spam emission
- nothing is allowed from the Internet towards Eduroam, except return traffic of sessions initiated from Eduroam
- an Eduroam client authenticated with Observatoire credentials is treated as an internal, trusted workstation
- an Eduroam client authenticated with credentials from another organisation is treated as being outside the Observatoire de Paris network
In addition to the traffic normally allowed from the Internet towards the Observatoire, the following protocols are allowed from Eduroam towards the Observatoire, provided the target machine accepts them:
With credentials from another organisation:
- web at large: HTTP, HTTPS (ports 80, 443, 8080-8090, 8443)
- remote connection: SSH, RDP
- printing: LPR, IPP, HP JetDirect
With credentials from Observatoire:
- same as above
- file transfer: FTP, AFP
- Microsoft protocols: file sharing, shared printers
- version control: Git, Subversion, CVS
- databases: MySQL, PostgreSQL, Firebird
- remote connection: VNC
- chat: XMPP
FAQ and known problems
No general problem is known for the moment: all major operating systems in a reasonably recent version should work with CAT.
Geteduroam
If the CAT configuration does not work, geteduroam (described above) is an alternative.