Security¶
eduroam is a security-sensitive service and should be operated as critical infrastructure.
Security Principles¶
- use WPA2-Enterprise or WPA3-Enterprise only
- do not deploy captive portals on the `eduroam` SSID
- validate the RADIUS server certificate (issuing CA and server name) on all client devices
- keep authentication, proxying, and logging systems patched and monitored
- restrict administrative access to trusted networks and operators
Certificate Management¶
The RADIUS server certificate is central to EAP security: it is the only thing that lets a client tell the institution's RADIUS server from a rogue one. Institutions should:
- use a server certificate from a publicly trusted CA, or from a private CA whose root is distributed to clients through managed profiles; in both cases the client profile must pin the CA and the expected server name, because with a public CA anyone can obtain a certificate for some other name
- include the full certificate chain (server certificate followed by its intermediates) in the EAP server configuration
- use a certificate whose subject/SAN matches the server name configured in client profiles
- track expiry and renew well before the certificate expires; an expired server certificate makes every correctly configured client fail authentication
- protect private keys with strict filesystem permissions, readable only by root and the RADIUS service account
Recommended practice:
- separate server certificates from any internal CA private key
- automate renewal where possible
- test renewed certificates with eduroam CAT profiles before production rollout
Shared Secret Management¶
- use long, random shared secrets (minimum 32 characters) between RADIUS peers; the secret is what authenticates RADIUS packets and protects the session keys sent to the AP
- rotate shared secrets annually or after any suspected compromise
- never reuse the same shared secret for NRO connections and local AP connections; ideally each peer has its own secret
- store secrets in a password manager or secrets management system, never in plain text
- regularly audit `clients.conf` and remove stale AP client entries
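The checks in this section can be automated. The Python script below is an added example, not FreeRADIUS project code: it parses a `clients.conf`, flags secrets that are missing, placeholder values, shorter than 32 characters or shared between peers (including an NRO peer and local APs), flags client entries whose address is not in a NAS inventory, and generates replacement secrets. The `clients.conf` text, the inventory, and all client names and addresses are constructed for illustration.

```python
"""Audit a FreeRADIUS clients.conf for weak, default, reused and stale shared secrets.

Added example for this page, not FreeRADIUS project code; the clients.conf text
and NAS inventory are constructed for illustration.
"""
import re
import secrets
import string
from collections import defaultdict

MIN_SECRET_LEN = 32
DEFAULT_SECRETS = {"testing123", "secret", "radius", "password"}  # placeholders, never acceptable

# Constructed clients.conf: one controller, two standalone APs, one NRO peer.
SAMPLE_CLIENTS_CONF = """\
# wireless controller for all campus APs
client wlc-main {
    ipaddr = 10.10.0.10
    secret = Zt8wq1Jv0LxpRaH2uN6yKb9FsGd4mC3eV7hQ
}
client ap-lab-legacy {
    ipaddr = 10.10.0.55
    secret = testing123
}
client ap-old-building {
    ipaddr = 10.10.0.60
    secret = "Zt8wq1Jv0LxpRaH2uN6yKb9FsGd4mC3eV7hQ"
}
client flr-nro {
    ipaddr = 192.0.2.10
    secret = Zt8wq1Jv0LxpRaH2uN6yKb9FsGd4mC3eV7hQ
}
"""
# Constructed inventory of the NAS and peer addresses that are supposed to exist.
KNOWN_PEERS = {"10.10.0.10", "10.10.0.55", "192.0.2.10"}

_BLOCK_START = re.compile(r"^\s*client\s+(\S+)\s*\{\s*$")
_KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_clients_conf(text):
    """Return {client_name: {attribute: value}} for each top-level client block.
    Tolerant, not a full config grammar: strips '#' comments (values must not contain
    '#') and quotes, and tracks brace depth so nested sub-blocks do not end a client."""
    clients, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if name is None:
            m = _BLOCK_START.match(line)
            if m:
                name, depth = m.group(1), 1
                clients[name] = {}
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            name = None
            continue
        m = _KEY_VALUE.match(line)
        if m and depth == 1:
            clients[name][m.group(1)] = m.group(2).strip("\"'")
    return clients


def audit_clients(clients, known_peers):
    """Return sorted (client, finding) pairs for every policy violation."""
    findings, by_secret = [], defaultdict(list)
    for cname, attrs in clients.items():
        secret = attrs.get("secret", "")
        addr = attrs.get("ipaddr") or attrs.get("ipv4addr") or attrs.get("ipv6addr")
        by_secret[secret].append(cname)
        if not secret:
            findings.append((cname, "no secret configured"))
        elif secret in DEFAULT_SECRETS:
            findings.append((cname, "default/placeholder secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((cname, f"secret shorter than {MIN_SECRET_LEN} characters"))
        if addr not in known_peers:
            findings.append((cname, f"{addr} not in NAS inventory (stale entry?)"))
    # One secret per peer: a shared secret lets a compromised AP forge packets as
    # every peer using it, and mixing NRO and AP secrets removes their separation.
    for secret, names in by_secret.items():
        if secret and len(names) > 1:
            for cname in names:
                others = ", ".join(sorted(n for n in names if n != cname))
                findings.append((cname, f"secret reused by {others}"))
    return sorted(findings)


def new_shared_secret(length=48):
    """Random alphanumeric secret (62^48, about 285 bits); the alphabet avoids quoting
    trouble in clients.conf and NAS CLIs. Check the NAS's maximum secret length first."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for client, finding in audit_clients(parse_clients_conf(SAMPLE_CLIENTS_CONF), KNOWN_PEERS):
        print(f"{client}: {finding}")
    print("replacement secret:", new_shared_secret())
```

On the constructed input the audit reports the placeholder secret on `ap-lab-legacy`, the entry for `ap-old-building` that no longer matches the inventory, and the one secret shared by the controller, the old AP and the NRO peer. Replace reused secrets one peer at a time, updating the NAS side in the same change window, since a mismatch silently drops every authentication from that peer.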
RADIUS Hardening¶
- allow RADIUS traffic only from known APs, controllers, and federation peers
- use strong shared secrets generated per client or peer
- disable unused virtual servers and modules
- disable EAP types you do not use, in particular EAP-MD5 and EAP-GTC, which offer no server authentication and carry a weak hash or the plaintext password when used outside a TLS tunnel
- set the TLS minimum version in the EAP module's TLS configuration: `tls_min_version = '1.2'`
- use a strong cipher list: `cipher_list = "HIGH:!aNULL:!MD5:!RC4:!3DES"`
- run FreeRADIUS as the packaged, unprivileged service account (`freerad` on Debian/Ubuntu packages, `radiusd` on RHEL-family packages), never as root
- restrict the `listen` sections in `radiusd.conf` (or the site's virtual server) to the interfaces that must receive RADIUS
- use firewall rules to restrict RADIUS ports (UDP 1812/1813) to known peers only
- restrict shell access and use MFA for administrators where possible
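The following fragments show the weak settings next to their hardened form. They are an added example written in FreeRADIUS 3.x configuration syntax, not configuration shipped by the FreeRADIUS project or by eduroam; the certificate file names, the server address `10.10.0.5` and the service account are assumptions for illustration.

```text
# --- mods-available/eap: settings commonly left as shipped ----------------------------
eap {
    default_eap_type = md5          # EAP-MD5 as the default: no server authentication
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem      # key and certificate in one file
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        cipher_list = "DEFAULT"                       # whatever the OpenSSL build allows
        # tls_min_version not set: the floor depends on the FreeRADIUS/OpenSSL build
    }
    md5 { }
    gtc {
        auth_type = PAP                               # password in clear unless tunnelled
    }
    tls { tls = tls-common }
    ttls {
        tls = tls-common
        default_eap_type = md5
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 { }
}

# --- mods-available/eap: hardened (assumed file names) --------------------------------
eap {
    default_eap_type = peap
    tls-config tls-common {
        # key readable only by root and the service account (e.g. 0640 root:freerad);
        # the certificate file holds the server certificate followed by its intermediates
        private_key_file = ${certdir}/radius.example.edu.key
        certificate_file = ${certdir}/radius.example.edu.fullchain.pem
        ca_file = ${cadir}/ca.pem
        tls_min_version = '1.2'
        cipher_list = "HIGH:!aNULL:!MD5:!RC4:!3DES"
    }
    # no md5 { } and no gtc { } section: EAP-MD5 and outer EAP-GTC are not offered
    tls { tls = tls-common }
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 { }
}

# --- radiusd.conf: unprivileged service account, bind only the peer-facing address -----
security {
    user = freerad                  # radiusd on RHEL-family packages
    group = freerad
    allow_core_dumps = no
}
listen {
    type = auth
    ipaddr = 10.10.0.5              # assumed server address; never * or 0.0.0.0
    port = 1812
}
listen {
    type = acct
    ipaddr = 10.10.0.5
    port = 1813
}
```

Two caveats before copying this: `cipher_list` governs TLS 1.2 and older suites only, so the minimum-version setting is what actually removes TLS 1.0/1.1; and removing the `gtc { }` section also removes EAP-GTC as an inner method inside TTLS/PEAP, which deployments using one-time passwords may still need. In 3.x the `listen` sections normally live in `sites-enabled/default` rather than `radiusd.conf`; the setting is the same wherever it sits.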
Network Controls¶
- permit UDP `1812` for authentication and UDP `1813` for accounting as required; do not open the legacy ports `1645`/`1646` unless a peer still needs them
- limit management access with firewalls or ACLs
- separate management, server, and client traffic
- send eduroam users to controlled user VLANs or roles, not infrastructure networks
Rogue AP and MITM Risks¶
- rogue APs broadcasting the `eduroam` SSID can harvest credentials when clients do not validate the server certificate: with PEAP or TTLS the attacker's RADIUS server completes the TLS handshake and receives the inner MSCHAPv2 challenge/response for offline cracking, or the plaintext password if the inner method is PAP or GTC
- misconfigured clients that accept any certificate, or that check only the CA and not the server name, are vulnerable to man-in-the-middle attacks
- always deploy eduroam CAT profiles, which pin the CA and the expected server name, to protect users on unmanaged devices
- monitor for unusual authentication patterns such as brute-force attempts or credential stuffing
- enforce TLS 1.2 as the minimum; disable weak cipher suites
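Detection logic for the monitoring bullet, as an added example rather than code from this page or the FreeRADIUS project. The log lines are constructed in the style of FreeRADIUS 3 `radius.log` `Auth:` entries; the identities, MAC addresses, NAS name and thresholds are illustrative assumptions.

```python
"""Detect brute-force, credential-stuffing and password-spraying patterns in
FreeRADIUS authentication log lines.

Added example for this page, not FreeRADIUS project code. The log lines are
constructed in the radius.log 'Auth:' style; names, MACs and thresholds are
illustrative.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

SAMPLE_LOG = """\
Tue Feb 20 08:00:01 2024 : Auth: (101) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 9C-B6-D0-AA-BB-01)
Tue Feb 20 08:00:09 2024 : Auth: (102) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 9C-B6-D0-AA-BB-01)
Tue Feb 20 08:00:40 2024 : Auth: (103) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 3C-22-FB-AA-BB-02)
Tue Feb 20 08:01:12 2024 : Auth: (104) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 3C-22-FB-AA-BB-02)
Tue Feb 20 08:01:50 2024 : Auth: (105) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 74-E5-F9-AA-BB-03)
Tue Feb 20 08:02:31 2024 : Auth: (106) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 74-E5-F9-AA-BB-03)
Tue Feb 20 08:05:00 2024 : Auth: (107) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli F0-18-98-CC-DD-10)
Tue Feb 20 08:05:20 2024 : Auth: (108) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli F0-18-98-CC-DD-10)
Tue Feb 20 08:05:41 2024 : Auth: (109) Login OK: [bob@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli F0-18-98-CC-DD-10)
Tue Feb 20 08:10:02 2024 : Auth: (110) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [carol@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 00-DE-AD-BE-EF-01)
Tue Feb 20 08:10:15 2024 : Auth: (111) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [dave@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 00-DE-AD-BE-EF-01)
Tue Feb 20 08:10:29 2024 : Auth: (112) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [erin@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 00-DE-AD-BE-EF-01)
Tue Feb 20 08:10:44 2024 : Auth: (113) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [frank@example.edu/<via Auth-Type = eap>] (from client wlc-main port 13 cli 00-DE-AD-BE-EF-01)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^\]/]+)(?:/[^\]]*)?\] "
    r"\(from client (?P<nas>\S+) port \d+(?: cli (?P<mac>[0-9A-Fa-f:-]+))?\)"
)

AuthEvent = namedtuple("AuthEvent", "ts result reason user nas mac")


def parse_radius_log(text):
    """Turn matching 'Auth:' lines into AuthEvent tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        events.append(AuthEvent(ts, m["result"], m["reason"], m["user"], m["nas"], m["mac"]))
    return events


def densest_window(events, window):
    """Largest run of time-sorted events that fits in `window` seconds."""
    events = sorted(events, key=lambda e: e.ts)
    best, lo = [], 0
    for hi in range(len(events)):
        while (events[hi].ts - events[lo].ts).total_seconds() > window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = events[lo:hi + 1]
    return best


def detect_abuse(events, window=600, fail_threshold=6, spray_threshold=4):
    """Return (kind, subject, failures, distinct) alerts.

    - many failures for one identity: from several MACs this looks like credential
      stuffing; from a single MAC it is brute force or, just as often, a device
      retrying a stale saved password
    - many distinct identities failing from one NAS/MAC: password spraying
    """
    failures = [e for e in events if e.result == "incorrect"]
    by_user, by_source = defaultdict(list), defaultdict(list)
    for e in failures:
        by_user[e.user].append(e)
        by_source[(e.nas, e.mac)].append(e)
    alerts = []
    for user, evs in by_user.items():
        burst = densest_window(evs, window)
        if len(burst) >= fail_threshold:
            macs = {e.mac for e in burst}
            kind = "credential stuffing" if len(macs) > 1 else "brute force / stale saved password"
            alerts.append((kind, user, len(burst), len(macs)))
    for (nas, mac), evs in by_source.items():
        burst = densest_window(evs, window)
        users = {e.user for e in burst}
        if len(users) >= spray_threshold:
            alerts.append(("password spraying", f"{nas}/{mac}", len(burst), len(users)))
    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(parse_radius_log(SAMPLE_LOG)):
        print(alert)
```

Two practical notes. A device with an old saved password produces a steady stream of failures from one MAC; the distinct-MAC count is what separates that nuisance from an attacker trying one account from many devices. And in eduroam the outer `User-Name` is often an anonymous identity, so per-user correlation should run against the inner-tunnel virtual server's log, where the real identity appears; the constructed sample uses full identities in the outer log only to keep it short.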
RADIUS Accounting and Logging¶
Logging is mandatory under federation policy and essential for abuse investigation. Required log fields:
| Log field | Purpose |
|---|---|
| `User-Name` | Outer identity, usually `anonymous@realm`; shows which realm authenticated and is required for abuse response |
| `Calling-Station-Id` | MAC address of the connecting device; device tracking |
| `Called-Station-Id` | AP MAC and SSID; locate where the user connected |
| `Acct-Session-Time` | Session duration; billing and capacity planning |
| `Framed-IP-Address` | IP address assigned to the device; required for law enforcement requests |
| Timestamp | Time of the authentication or accounting event; correlate with other logs |
Data Protection and Logging¶
- log enough for incident response, abuse handling, and troubleshooting
- avoid exposing unnecessary personal data in exported logs
- protect SQL and log storage with backup and retention controls
- define retention periods in line with institutional and regulatory requirements
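The detail-file check below serves both the required-fields table above and the data-protection bullets. It is an added example, not FreeRADIUS or federation code: it parses accounting records in the format the FreeRADIUS `detail` module writes, reports required attributes missing from each record type, and produces a minimised export in which the device MAC is replaced by a keyed pseudonym. The records, the per-type field policy and the HMAC key are constructed for illustration.

```python
"""Parse FreeRADIUS accounting 'detail' records, check that each carries the
fields the federation requires, and build a minimised, pseudonymised export.

Added example for this page, not FreeRADIUS project code. The detail text (date
header, tab-indented attributes, blank line between records), the per-type field
policy and the HMAC key are constructed for illustration.
"""
import hashlib
import hmac
import re

SAMPLE_DETAIL = """\
Tue Feb 20 08:05:41 2024
\tAcct-Status-Type = Start
\tUser-Name = "anonymous@example.edu"
\tCalling-Station-Id = "F0-18-98-CC-DD-10"
\tCalled-Station-Id = "AC-DE-48-00-11-22:eduroam"
\tAcct-Session-Id = "5A3B9C01"
\tTimestamp = 1708412741

Tue Feb 20 08:20:41 2024
\tAcct-Status-Type = Interim-Update
\tUser-Name = "anonymous@example.edu"
\tCalling-Station-Id = "F0-18-98-CC-DD-10"
\tCalled-Station-Id = "AC-DE-48-00-11-22:eduroam"
\tAcct-Session-Id = "5A3B9C01"
\tFramed-IP-Address = 10.42.7.23
\tAcct-Session-Time = 900
\tTimestamp = 1708413641

Tue Feb 20 09:05:41 2024
\tAcct-Status-Type = Stop
\tUser-Name = "guest@partner.example.org"
\tCalling-Station-Id = "9C-B6-D0-AA-BB-01"
\tCalled-Station-Id = "AC-DE-48-00-11-23:eduroam"
\tAcct-Session-Id = "5A3B9C77"
\tAcct-Session-Time = 3600
\tTimestamp = 1708416341
"""

# Required attributes per record type. Framed-IP-Address and Acct-Session-Time only
# exist once the session is running, so they are not demanded of Start records.
_BASE = ("User-Name", "Calling-Station-Id", "Called-Station-Id", "Acct-Session-Id")
REQUIRED = {
    "Start": _BASE,
    "Interim-Update": _BASE + ("Framed-IP-Address", "Acct-Session-Time"),
    "Stop": _BASE + ("Framed-IP-Address", "Acct-Session-Time"),
}

_ATTR = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")


def parse_detail(text):
    """Return one {attribute: value} dict per record; values are unquoted strings."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
            current = None
            continue
        m = _ATTR.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif not line[0].isspace():          # unindented date line starts a record
            current = {"_header": line.strip()}
    if current:
        records.append(current)
    return records


def missing_fields(record):
    """Required attributes absent from a record (unknown types use the Stop policy)."""
    status = record.get("Acct-Status-Type", "Stop")
    return [a for a in REQUIRED.get(status, REQUIRED["Stop"]) if a not in record]


def pseudonym(mac, key):
    """Keyed, deterministic token: the same device always maps to the same value,
    but without the key nobody can recover or look up the MAC. 64 bits is ample."""
    return hmac.new(key, mac.upper().replace(":", "-").encode(), hashlib.sha256).hexdigest()[:16]


def export_record(record, key):
    """Record for sharing outside the RADIUS team: realm instead of the full outer
    identity, pseudonymised device MAC, plus what an abuse or law-enforcement
    request needs. The RADIUS team keeps the key and raw logs to re-link a device."""
    user = record.get("User-Name", "")
    ap, _, ssid = record.get("Called-Station-Id", "").partition(":")
    mac = record.get("Calling-Station-Id")
    return {
        "time": record.get("Timestamp"),
        "status": record.get("Acct-Status-Type"),
        "realm": user.rpartition("@")[2] if "@" in user else "",
        "device": pseudonym(mac, key) if mac else None,
        "ap": ap,
        "ssid": ssid,
        "ip": record.get("Framed-IP-Address"),
        "session_time": record.get("Acct-Session-Time"),
    }


if __name__ == "__main__":
    key = b"constructed demo key; in production load it from the secrets store"
    for rec in parse_detail(SAMPLE_DETAIL):
        print(missing_fields(rec) or "complete", export_record(rec, key))
```

On the constructed input the Stop record from the second AP is flagged for a missing `Framed-IP-Address`, which is exactly the gap that makes a later law-enforcement request unanswerable, so it is worth catching at the NAS configuration rather than at the request. The pseudonym key must be protected and retained for as long as the exported data is, or the export can never be linked back to a device by the team that is allowed to do so.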
High Availability¶
Security includes resilience. Production deployments should have:
- at least two RADIUS servers where possible
- redundant uplinks and power
- health monitoring for authentication and accounting
- documented failover and certificate-recovery procedures