Eduroam via Easyroam

With the service "easyroam" of the German Research Network (DFN) you can create up to five profiles for your devices (e.g. laptop, smartphone, tablet). The profiles (certificates) are each valid for 6 months and can easily be renewed on the site (https://www.easyroam.de/). The service uses EAP-TLS, so no eduroam password is stored on your devices any more. With this method, only client/user certificates are used for login. These certificates are individual for each device and do not contain any name or other personal data. Via the easyroam website you can manage your profiles individually and also revoke the profile of a device in case it gets lost.

There are apps for Windows, Android and iOS that automatically perform the configuration for you.

DFN's instructions (in German) for easyroam at a glance can be found here.
An installation guide for a variety of operating systems can be found further down on this wiki page.

For iOS, macOS and Android, please make sure that you are NOT connected to BayernWLAN during the configuration (you need another Internet connection instead).

For Android, any existing eduroam WLAN profile must also be removed first.

easyroam is a further development of the eduroam service. It is aimed mainly at small institutions in the DFN, but can also be used by large institutions in the DFN.

The idea of merging eduroam and the DFN-AAI is not new, but for a long time it was not possible because the DFN-AAI did not yet cover this area. This has changed, so it is now possible to make the eduroam service more secure and simpler by combining eduroam with the DFN-AAI. The heart of easyroam is the easyroam portal, https://www.easyroam.de, a service provider in the DFN-AAI-Basic that issues eduroam profiles for the common operating systems: Windows 10, macOS/iOS, Android and Linux derivatives. The easyroam portal can also be reached from the configuration wizard on https://cat.eduroam.org by selecting the eduroam IdP (Identity Provider) entry of the institution.


In eduroam, the authentication method EAP-TLS is available alongside other login methods. With EAP-TLS, only client/user certificates are used for login. eduroam users can generate these certificates on www.easyroam.de only if they hold a valid DFN-AAI IdP account whose institution has opted in. The eduroam client and server certificates belong to a private ("self-signed") PKI and can only be used in eduroam.

The easyroam server stores only the pairwise ID (pseudonym) of the DFN-AAI IdP account and the serial number of the client/user certificate. The serial number is also part of the roaming identity. In contrast to other current EAP-TLS offerings, eduroam users are no longer identifiable by name in the certificate: a visited network sees only a per-device pseudonym, which makes it much harder to build movement profiles of identifiable users. However, the easyroam operator can link the pairwise ID to the certificate serial number and thus associate an eduroam user with a person. So, as before, you are not anonymous in eduroam.

The server software is a .NET application written in C#. PHP was deliberately not used, because it did not provide the server security required of the software. The server currently supports three languages: German, English and Chinese (currently being revised).



Easyroam on Windows 10

Make sure you have an Internet connection.

If the geteduroam app is installed, remove the app and the saved eduroam Wi-Fi profile.

1. Download the easyroam app from https://www.easyroam.de/winapp/easyroam.msix and install it.

(If you don't have the Microsoft Store on your machine, follow these instructions.)

2. Start the easyroam app. A browser window is normally opened.

3. In the WAYF (Where Are You From), locate Ostbayerische Technische Hochschule Amberg-Weiden and log in with your OTH-AW account.

 


4. After a successful login, the main menu „Home“ will be visible. After clicking on „Install new profile“, a new easyroam profile will be installed.



5. The new profile will be shown as „valid“ in the main menu.

6. Wait a few minutes for the configuration to finish.




Easyroam on Android


The easyroam app for Android is available from the Google Play Store: Easyroam

Make sure that you have an existing internet connection other than eduroam during the following configuration.

1. Delete the geteduroam app and any existing eduroam profile. Download the easyroam app from the Google Play Store and install it.

2. Start the easyroam app.

3. There are two ways to log in: „Login through Website“ or „Login using QR code“. With „Login through Website“ you have to log in via the WAYF (Where Are You From), see step 4. If you have a laptop or desktop at hand, you can instead log in to the portal at www.easyroam.de and generate a QR code (valid for 5 minutes), which you then scan with the easyroam app on your Android device. In this case you can skip step 4 and install the profile as described in step 5.

4. In the search bar, locate the DFN-AAI IdP Ostbayerische Technische Hochschule Amberg-Weiden and log in with your OTH-AW account.

5. Click on „Install new profile“ to start the installation process for the new profile.

6. Click on „Confirm“.

7. Click on „Allow“.

8. The validity period of the certificate is shown in green.

Logging on to eduroam

Should the easyroam connection not work at some point, please restart your device's Wi-Fi by turning it off and on again.

Managing the pseudo-profiles

As long as there is a valid pseudo-certificate on the device, the device will log in to easyroam regardless of whether it runs Android or iOS. A login via the DFN-AAI IdP account is no longer necessary. In the main menu, by pressing „Manage“ you can renew, install or revoke a certificate.

Through the button „Other profiles“ you can revoke profiles on other devices.

Settings

Through Settings it is possible to enable fingerprint verification, which prevents unauthorized use of eduroam from your device. You can also configure the app to warn you when your certificate is about to expire. Using „Reset this App“ you can revoke the certificate installed on the device; afterwards, follow the steps above again.

My account

In the My account menu, the logo of your organization (OTH-AW) should be displayed. You can also check how many of your profiles are in use and how many can still be issued. The status shows whether your access to easyroam is still active. It is possible that you can no longer issue new certificates while the old ones are still valid. Only the easyroam admins of your organization can remove this restriction.




Easyroam on Linux

Of course, easyroam can also be used on Linux derivatives. Unfortunately, there are no generally valid instructions, since the network managers differ. The following describes how to obtain from the easyroam portal the individual components required for a manual EAP-TLS configuration on Linux devices:
1. Ensure that an Internet connection exists, LAN or WLAN.
2. Log in to the easyroam portal at https://www.easyroam.de: select Ostbayerische Technische Hochschule Amberg-Weiden as IdP and log in with your OTH-AW account.
3. Directly after the successful login to the portal, click on "Manual options" and select PKCS12 in the selection box.
4. Enter a profile name and click on "Generate access".
Please note: the profile name is not the name of the PKCS12 file. The profile name is only used for the internal administration of the easyroam profiles. The name of the downloaded PKCS12 file is formed from the date and time of its generation, with the suffix .p12.
5. The openssl CLI is used to extract the individual components from the .p12 file: the client certificate, the private key and the root CA certificate.
Please note that the import password of the .p12 file is empty: whenever openssl prompts "Enter Import Password:", simply acknowledge with <Return>. Because of the empty password the downloaded .p12 file is an unprotected copy of your eduroam credential, so keep it out of shared directories and delete it once the components have been extracted.
Please also note that the -legacy option is version dependent: OpenSSL 1.1 does not know it and the commands must be run without it, while OpenSSL 3 needs it only when the .p12 file was encrypted with the older RC2/3DES algorithms. If "openssl pkcs12" fails with an "unsupported" error, add -legacy; if it complains about an unknown option, leave it out. The commands below show the option where the DFN instructions use it.
  Client certificate:
openssl pkcs12 -in my_easyroam_cert.p12 -legacy -nokeys > easyroam_client_cert.pem
  Private key:
Please note: the various network managers and wpa_supplicant usually only accept password-protected private keys, so a password must be set during extraction. With the following command, "Enter Import Password" appears first (acknowledge with <Return>), then "Enter PEM pass phrase": enter a new password here and remember it, because it goes into the network configuration later.
openssl pkcs12 -legacy -in my_easyroam_cert.p12 -nodes -nocerts | openssl rsa -aes256 -out easyroam_client_key.pem
  Root CA certificate (-nokeys is required here, otherwise the private key would end up in the CA file as well):
openssl pkcs12 -in my_easyroam_cert.p12 -legacy -cacerts -nokeys > easyroam_root_ca.pem
  The .p12 at a glance:
openssl pkcs12 -info -in my_easyroam_cert.p12 -legacy -nodes
The certificate files can also be assembled by copy/paste from the output of the last command. It should be noted that the private key must still be provided with a password, and that all three files should be readable by root only (e.g. chmod 600), since the key file is the device's eduroam credential.
6. There are various instructions on the net for configuring EAP-TLS in the different network managers from the components above. As an example, the CLI tool netctl on Arch Linux is used here to show how EAP-TLS, and thus easyroam/eduroam, can be configured on a Linux device. The following is required:
  •    netctl
  •    wpa_supplicant
  •    the easyroam .p12 pseudo-certificate (extracted as in step 5)
Place the files generated in step 5 (easyroam_client_cert.pem, easyroam_client_key.pem, easyroam_root_ca.pem) under /etc/netctl/cert, then create the file /etc/netctl/easyroam with the following content and save it:
Description='easyroam connection'
Interface=wlan0
Connection=wireless
Security='wpa-configsection'
IP='dhcp'
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=TLS'
    'proto=WPA RSN'
    # The identity must be the CN (Common Name) from the easyroam pseudo-certificate;
    # "realm_der_einrichtung.tld" stands for the realm of your institution.
    'identity="76673789883214453797@easyroam.realm_der_einrichtung.tld"'
    'client_cert="/etc/netctl/cert/easyroam_client_cert.pem"'
    'private_key="/etc/netctl/cert/easyroam_client_key.pem"'
    # The password you set when extracting the private key in step 5.
    'private_key_passwd="FORYOUREYSEONLY"'
    'ca_cert="/etc/netctl/cert/easyroam_root_ca.pem"'
    'ca_cert2="/etc/netctl/cert/easyroam_root_ca.pem"'
)
Run the following command with root privileges:
netctl start easyroam 

If the easyroam profile is to be started automatically at boot, run the following command:

netctl enable easyroam
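As an added example (not part of the DFN or OTH-AW instructions), the following POSIX shell script automates step 5 together with the checks worth doing before writing the netctl profile: it runs openssl pkcs12 first without and then with -legacy, so it works with OpenSSL 1.1 and 3; it never writes the unencrypted key to disk; it verifies that client certificate, key and root CA belong together; it reads the CN for the identity= line from the certificate instead of leaving you to type it; and it can warn before the 6-month expiry. The output file names are those used above; the function names, the EASYROAM_KEY_PASS variable and the constructed test bundle are our own assumptions.

```shell
#!/bin/sh
# Added example, not from the DFN/OTH-AW instructions: split an easyroam
# PKCS#12 bundle into the three files wpa_supplicant needs without ever
# writing the unencrypted private key to disk, check that the pieces belong
# together, and derive the EAP identity from the client certificate.
# Assumes POSIX sh and an openssl binary (1.1 or 3.x) on PATH. File names
# follow the wiki page; function names and the test bundle are ours.
set -eu

# openssl pkcs12 wrapper. easyroam bundles have an empty import password
# (-passin pass:). OpenSSL 1.1 does not know -legacy and usually does not
# need it; OpenSSL 3 needs it only for bundles encrypted with RC2/3DES.
# Try without the flag first and fall back to it on failure.
pkcs12_extract() {
    p12="$1"; shift
    openssl pkcs12 -in "$p12" -passin pass: "$@" 2>/dev/null \
        || openssl pkcs12 -in "$p12" -passin pass: -legacy "$@"
}

# $1 = bundle, $2 = output directory, $3 = new passphrase for the key file
# (this is the value for private_key_passwd= in the netctl profile).
easyroam_split() {
    p12="$1"; out="$2"; keypass="$3"
    umask 077                       # new files readable by the owner only
    mkdir -p "$out"
    pkcs12_extract "$p12" -nokeys -clcerts > "$out/easyroam_client_cert.pem"
    pkcs12_extract "$p12" -nokeys -cacerts > "$out/easyroam_root_ca.pem"
    # -nodes prints the key unencrypted, but only into the pipe: openssl pkey
    # re-encrypts it with AES-256 before anything reaches the file system.
    pkcs12_extract "$p12" -nocerts -nodes \
        | openssl pkey -aes256 -passout "pass:$keypass" \
                       -out "$out/easyroam_client_key.pem"
}

# Print the CN of the client certificate. easyroam uses exactly this value
# (<serial>@easyroam.<realm>) as the EAP identity, so read it from the
# certificate instead of typing it by hand.
easyroam_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Return 0 if the client certificate chains to the extracted root CA and the
# (passphrase-protected) key matches the certificate's public key.
# $1 = output directory of easyroam_split, $2 = key passphrase.
easyroam_check() {
    d="$1"; keypass="$2"
    openssl verify -CAfile "$d/easyroam_root_ca.pem" \
        "$d/easyroam_client_cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$d/easyroam_client_cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$d/easyroam_client_key.pem" \
                  -passin "pass:$keypass" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid for at least $2 more days.
# easyroam profiles expire after 6 months; run this from cron to get the
# expiry warning the mobile apps give you.
easyroam_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed stand-in for a real bundle so the functions can be exercised
# offline: a throw-away root CA, a client certificate whose CN mimics the
# easyroam form, and a PKCS#12 file with an empty password (like easyroam's).
# A real bundle comes from https://www.easyroam.de, never from this function.
make_sample_bundle() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=easyroam test/CN=easyroam test root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/ca.pem" -passout pass: -out "$dir/sample.p12"
    echo "$dir/sample.p12"
}

# Usage: EASYROAM_KEY_PASS='...' sh easyroam_split.sh bundle.p12 /etc/netctl/cert
if [ "$#" -eq 2 ]; then
    easyroam_split "$1" "$2" "${EASYROAM_KEY_PASS:?set EASYROAM_KEY_PASS}"
    easyroam_check "$2" "$EASYROAM_KEY_PASS" || { echo "cert/key mismatch" >&2; exit 1; }
    echo "identity=\"$(easyroam_identity "$2/easyroam_client_cert.pem")\""
fi
```

The key file is written in PKCS#8 form ("BEGIN ENCRYPTED PRIVATE KEY"), which a wpa_supplicant built against OpenSSL accepts; if your supplicant insists on the traditional format, replace the openssl pkey call with the openssl rsa command from step 5. Run the script as root with /etc/netctl/cert as the output directory and paste the printed identity= value into the WPAConfigSection of the profile.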



Easyroam on iOS

Ensure that an Internet connection exists, e.g. WLAN (not eduroam).

1. Delete the current eduroam profile and, if available, the geteduroam app beforehand. Download and install the easyroam app from the Apple App Store.

2. Start the easyroam app (example: iPad Pro).


3. There are two options for logging in to easyroam: "Login through Website" or "Login using QR code". "Login through Website" requires the login via the WAYF (Where Are You From) with Ostbayerische Technische Hochschule Amberg-Weiden and your OTH-AW account, see step 4. If you have a laptop or desktop at hand, you can instead log in to easyroam on that device via the portal www.easyroam.de in the browser and generate a QR code (valid for 5 minutes), which you then scan in the easyroam app on the iOS device. In this case, skip step 4 and install the profile as described in step 5.


4. Search for the appropriate DFN-AAI IdP in the search window and log in with your DFN-AAI IdP account.


5. Click on "Install new profile" or "Request new profile" to start the installation process of the profile.


6. Click on "Confirm" to continue.


7. A system dialog appears: "Easyroam wants to connect to WLAN eduroam." Selecting "Connect" establishes the connection to eduroam.

In the "Other Profiles" area, profiles on other end devices can be revoked if necessary. However, the profiles on other end devices cannot be renewed.




Easyroam on macOS

Make sure that there is an Internet connection, LAN or WLAN (not eduroam). If old eduroam profiles that were not installed with easyroam are still on the system, be sure to delete them before using easyroam: see "System Preferences/System Settings" and Profiles. Old profiles that were installed with easyroam do not need to be deleted beforehand.

1. Open a browser (usually Safari), go to https://www.easyroam.de and select Ostbayerische Technische Hochschule Amberg-Weiden.


2. After the successful login with your OTH-AW account, click on "Manual options" and select Mobile-Config (Apple).


3. Click on "Generate access" and the download box will appear in the foreground of the browser window.


4. Click on "OK" to continue. Then go to "System Preferences/System Settings" and select Profiles at the bottom right.


5. A menu appears with the user profiles and the downloaded profile (triangle icon with a yellow exclamation mark).


6. Click on the downloaded profile and then on Install; the next menu will appear.


7. Now you can either look into the details of the profile or finish the installation. When the installation is completed, the system asks for the user's password, which grants permission to install the profile on the system. After the installation, the macOS computer will try to connect to the eduroam network. If there is no eduroam network nearby, an error message may appear; the profile is nevertheless installed and, as soon as an eduroam network is found, the device logs in to it automatically.
The external (outer) identity must not be changed, because it is bound to the CN (Common Name) in the client certificate.