Using eduroam as the single primary SSID


Gareth Ayres

Summary

Universities and other organisations commonly offer a large number of wireless networking services and consequently broadcast a multitude of SSIDs (service set identifiers), including eduroam. There are a number of understandable reasons for this but the result has been a bewildering array of options for the user, complexity of management of wireless services and less than optimal technical efficiency of wireless network delivery.

The use of a single primary SSID, namely ‘eduroam’ for both home and visiting guest users has a number of immediate benefits:

  • Less confusion for the user – fewer SSIDs in supplicant.
  • Promotes network connection when roaming – users correctly set up to connect at other eduroam sites without further supplicant configuration.
  • Reduced user stress and IT Services workload since devices are ready-configured to work at remote sites.
  • Reduced WLAN configuration and management workload for IT Services – all authorization/network decisions managed through backend RADIUS infrastructure.
  • More RF space available to users, with fewer SSIDs broadcast by access points.
  • Better battery lifetime for users’ devices – less traffic to ‘wake’ clients.
  • Encourages building of user knowledge base – promoting peer-group self-help.

Since the introduction of the new single SSID eduroam system at Swansea, users have been providing enthusiastic feedback on their success when seamlessly connecting to eduroam wireless networks at other institutions around the world.

Background

In 2009 Swansea University recognised that its wireless network service provision was unduly complex and took the decision to migrate from the multiplicity of SSIDs to a single identifier for its primary network. The aim was to present wireless users with the simplest possible choice of options when attempting to connect to network services, whilst at the same time reducing the burden for IT Services of supporting multiple configurations.

The ‘eduroam’ SSID was selected for three reasons:

  1. Under the terms of membership of Janet’s UK eduroam federation, in order to provide the eduroam service, the ‘eduroam’ SSID must be broadcast regardless of any other SSIDs being advertised.
  2. The technical specifications of the eduroam service matched those of Swansea University’s own requirements.
  3. The eduroam brand is rapidly becoming pervasive, so the benefits of adopting it are considerable. These include user recognition that network services are available wherever they see ‘eduroam’ being broadcast, whether at the Swansea campus or when visiting other sites, leading to a greater level of connection whilst roaming.

Benefits of a single SSID

  1. The single ‘eduroam’ SSID solution results in enhanced user satisfaction.  A single SSID presents the user with the simplest possible choice of options when attempting to connect to network services. In fact in normal circumstances the user need not make a choice at all; supplicant software will usually by default connect automatically using the preferred SSID. Furthermore, since in most cases the eduroam network meets all user requirements, the user will normally only ever need to connect to ‘eduroam’ rather than having to choose from a bewildering list of SSID profiles, each providing access (after user authentication) to different sets of resources for the various user-groups. As the eduroam network is built on 802.1X, the user can be connected automatically to the relevant VLAN/network segment, the decision being made in accordance with policies defined on the RADIUS server/user database. This also allows access to be provided for guests through the same eduroam SSID and enables such guests to be placed on a separate, possibly more restrictive VLAN.
  2. A single SSID network presenting eduroam also promotes roaming connection of users when visiting other institutions, which further improves user satisfaction and return on investment in the eduroam federation. At Swansea, when students and staff first connect their Wi-Fi capable portable devices to the network, the devices go through an automated configuration process which means the user is set up ready to enjoy the benefits of eduroam, often without even being aware eduroam is there. The user’s first appreciation of eduroam’s ability to provide network service at a non-Swansea location is when their device seamlessly authenticates and connects when they visit another institution.
  3. The problem of trying to configure users’ devices at the last minute or whilst they are away is eliminated: having all users’ devices preconfigured, and the users successfully connecting to the home institution eduroam network, means that users are ready for roaming. A single SSID also removes the need to configure multiple profiles when devices are initially set up.
  4. Reducing the complexity of the wireless network clearly has benefits for the IT Services team. Less work is involved in configuring and maintaining the wireless equipment in a simple WLAN than in one utilising multiple SSIDs. Administration is made easy through the use of 802.1X: managing access to network resources on a user group basis is streamlined since all authorization/network access decisions are managed through the backend RADIUS infrastructure.
  5. A single primary network service SSID solution has technical efficiency advantages, besides the benefits to the user and IT Services teams. More bandwidth becomes available for users’ network traffic since limiting the number of SSIDs vastly reduces the service advertising transmissions (beacons) being broadcast from every access point. See: How Many SSIDs are too Many? Users also benefit from increased battery lifetime as reduced beacon transmission means less traffic to ‘wake’ clients.
  6. Having only one wireless profile to configure for both local connection and roaming helps build a knowledge base amongst users, so promoting self-help and peer-group troubleshooting.

Implementation – the Swansea Experience

As with most projects in the academic community, the migration from the old multiple SSID wireless system to the new single eduroam model at Swansea was implemented in the summer period, ready for the start of the new academic year in September.

Development of an eduroam wireless network can at first appear a daunting task, but the support, documentation (including technical specification and case studies) and training courses provided by Janet provided all the information necessary to tackle the project successfully.

A transition period of just over a month allowed the small group of users remaining on campus at Swansea during the summer to migrate gradually to the new system, acting as a test phase for both the new system and the new registration/configuration workflow. This also provided a suitable period of time for support staff to discover any new issues and challenges that users might have faced in using an 802.1X wireless network, before the inevitable chaos that comes with the start of a new term. The use of the SU1X setup tool together with detailed instructions available via Swansea’s open ‘setup’ wireless network (described below) helped to direct users into a registration process that was easy to follow and quick to complete.

Overall the transition to the single eduroam SSID primary wireless network at Swansea went smoothly and the migration from the previous system was readily accepted since users appreciated the benefits that eduroam brings. Having said this, however, a number of issues were encountered as detailed in the following section.

Support issues

Two of the biggest hurdles to overcome in deploying an 802.1X based wireless network such as eduroam are the provision of instructions, tools and support to users, and the task of getting users’ devices correctly set up. This latter problem was overcome at Swansea by the implementation of an open access ‘setup’ network, running alongside the eduroam primary service network. This is designed solely to facilitate the configuration of users’ machines. This restricted ‘setup’ wireless network is a captive portal type and only provides access to local resources to help users get their devices configured for eduroam or to receive support.

Certificates and configurations can easily be deployed to Microsoft Windows clients over the setup network with the SU1X wireless configuration tool. Additional manual instructions and guides are also provided including embedded screen casts to help users follow instructions.

A further problem area is ensuring that users’ devices are protected with up to date anti-virus software and that critical operating system and application patches have been applied. At Swansea, FreeRADIUS has been used to assign VLANs dynamically depending upon the status of the user and the device, so allowing devices to be connected to appropriate restricted network segments for remediation – all under the single eduroam SSID. This is currently achieved by providing a custom web interface to the MySQL backend of FreeRADIUS to IT Services, so users can easily be moved to/from remediation VLANs if necessary. Since all administrative activities necessary to bar or reinstate a device are carried out at the wireless authentication system back end, no client-side configuration changes are required. This makes it easier to deal with infected devices, ban users and resolve issues.
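The per-user and per-device VLAN decision described above, and in the first benefit listed earlier, can be sketched as follows. This is an added example, not Swansea's FreeRADIUS configuration: the home realm, VLAN IDs, group names and the in-memory tables standing in for the SQL backend are all assumptions. The reply attributes are the standard RFC 3580 ones used for dynamic VLAN assignment.

```python
# Added illustration: hypothetical policy logic, not the page's own code.
HOME_REALM = "example.ac.uk"  # assumed home realm
VLANS = {"staff": 110, "student": 120, "guest": 130, "remediation": 666}  # assumed IDs

# Constructed sample state, standing in for the SQL backend the page mentions.
USER_GROUP = {"alice": "staff", "bob": "student"}
DEVICE_STATE = {"02:00:00:aa:bb:01": "remediation", "02:00:00:aa:bb:02": "banned"}

def normalise_mac(mac: str) -> str:
    """Canonicalise Calling-Station-Id forms such as 02-00-00-AA-BB-01."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vlan_reply(vlan_id: int) -> dict:
    """RFC 3580 attributes the access point uses to place the client on a VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}

def authorise(identity: str, calling_station_id: str) -> tuple[str, dict]:
    """Choose the reply once EAP authentication has already succeeded."""
    user, _, realm = identity.partition("@")
    realm = realm.lower()
    if not realm:
        # eduroam identities carry a realm; a bare username cannot be routed.
        return "Access-Reject", {}
    state = DEVICE_STATE.get(normalise_mac(calling_station_id), "ok")
    if state == "banned":
        return "Access-Reject", {}
    if state == "remediation":
        # Flagged devices are isolated regardless of who is logged in.
        return "Access-Accept", vlan_reply(VLANS["remediation"])
    if realm != HOME_REALM:
        # Visitors authenticated by their own institution share the guest VLAN.
        return "Access-Accept", vlan_reply(VLANS["guest"])
    group = USER_GROUP.get(user)
    if group is None:
        return "Access-Reject", {}
    return "Access-Accept", vlan_reply(VLANS[group])
```

Barring or reinstating a device then means changing one row in the device-state table; nothing changes on the client or on the SSID.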

As an aside, it is worth mentioning that future versions of FreeRADIUS will incorporate Network Access Control and Statement of Health with 802.1X. This will allow for the remediation process to be partially automated based on the statement of health sent from a supplicant. This could allow devices that are not properly patched or that have no anti-virus software to be placed in a remediation VLAN.

Another challenge was the lack of support for 802.1X on games consoles. Games consoles are common in student residences but are designed for home wireless networks and not enterprise networks. The 802.1X-based eduroam network at Swansea is the sole network throughout the campus and also in all halls of residence. There is no alternative wired network available by which non-802.1X devices could be connected.

Swansea’s solution to this problem is the deployment of a gaming specific SSID in the halls of residence that is used only for games consoles with wireless support. This SSID is a traditional PSK network but has restrictions on registration to allow only gaming device MAC addresses to register and connect. A number of other security measures and traffic restrictions limit this network to gaming functionality only.

Conclusion

Migration to eduroam as the single primary network SSID can appear a daunting task when an existing system may already provide a wireless access service that users are familiar with and for which their devices are already configured. However, the benefits of adopting a single primary SSID system and eduroam are substantial.

Swansea wanted to implement eduroam so staff could easily make use of wireless networks at other institutions around the world. There is a long established recommendation that before people travel to an institution where they intend to use eduroam, the user’s device should be configured and tested to ensure that it works at the home institution. This of course can only be achieved if eduroam is available at the home institution as a user service. With this in mind, along with the additional benefits of reducing RF noise and increasing a user knowledge base for self-support, it was apparent that for Swansea, implementing eduroam as the single primary SSID was a sensible decision.

In the summer of 2009 Swansea made the transition to a primary eduroam SSID and moved all users from the old system to eduroam. A number of support issues were identified and addressed, such as configuring client devices and providing access to gaming devices that do not support 802.1X authentication.

The transition went smoothly through the use of the SU1X setup tool and the provision of detailed instructions through a restricted ‘open’ setup wireless network. Since the introduction of the new single SSID eduroam system, users have been providing enthusiastic feedback on their success when seamlessly connecting to eduroam wireless networks at other institutions around the world.