Friday, September 11, 2009

EduRoam @ CBS - Mac OS X 10.6 guide

I've often wondered what the eduroam network is all about. The network frequently pops up when I'm at Copenhagen Business School, but since I couldn't connect to it, I ignored it. I guess most students simply ignore it and use the public WiFi with the HTML login (captive portal) provided by CBS.

The eduroam network is an international network which you can access as a student or teacher of a connected university. In addition to being able to connect to the eduroam network at any connected university (or so I'm told), it's also encrypted, which means other users can't eavesdrop on your wireless traffic.
The eduroam network uses an extended authentication standard (802.1X). This additional layer of security makes it slightly more difficult to set up. It also seems that Snow Leopard makes it more difficult to use, since you are now required to manually import the certificate.

There were no guides for Snow Leopard provided by CBS, and most of the guides to other eduroam networks I could find weren't updated for Snow Leopard yet. Having fiddled with the settings for some time before getting it to work, I thought I might as well create a guide and upload it as my first post on this blog, hoping someone will find it useful.

You poor Windows users can find guides for CBS eduroam at e-campus, or generic ones at eduroam.dk (in Danish).

The guide for Snow Leopard follows below.

Step 1: Network preferences

Click-and-hold the apple icon at the upper left corner of the screen, and select "System Preferences" from the dropdown list. From there click the network icon as shown above.

Step 2: Advanced AirPort settings

Select the "AirPort" interface from the list, and click the "Advanced" button.

Step 3: Add 802.1X user profile
Click on the 802.1X tab, then click on the "+" button to add a new profile. Select "Add User Profile" from the list and name it.

Step 4: Enter credentials
Enter your credentials for the eduroam network. My username is hadu08ab@student.cbs.dk. Then select or enter "eduroam" from the "Wireless Network" dropdown.

Step 5: Enable TTLS

Make sure TTLS is enabled and at the top of the list. It should be by default, but if not, click the box and drag it to the top of the list. Disable PEAP. Then click "Configure".

Step 6: Set outer-identity

Select PAP as the inner authentication and enter the outer identity. This could be identical to your username or something else. "@student.cbs.dk" worked for me, but I'm not sure it's necessary.


Step 7: Configure Trust

This part is different from other guides. In most other guides OS X simply imports the correct certificate after prompting you to accept it. It seems this has changed in Snow Leopard, where it is replaced by a "Configure Trust" button, which was missing in some other guides.

Step 8: Add trusted server
First click the "Servers" tab, then click the "+" button to add a new trusted server. For CBS students enter "radiator.cbs.dk", but don't click "OK" yet. Others might try to skip this step.

Step 9: Add certificate
This next step is a bit odd. Either I simply got something wrong, or there is a small blunder in the User Interfaces for this part.
For Snow Leopard, you need to manually add the "Equifax Secure Certificate Authority" certificate to your list of trusted certificates. The above direct link goes to the page https://www.geotrust.com/resources/root-certificates/. You should only add certificates you really trust. You can trust the GeoTrust certificate, but that is really something you should decide yourself.

So download the certificate file linked above (right click and use "Save link as"), and save it somewhere you can find it again. I saved it on my desktop.

Click the "Certificates" tab. Then click the "+" button and select "Select Certificate File" from the list. An open dialog will appear.

Step 10: Select downloaded certificate
Select the downloaded certificate file from the list (step 9), and then click "Open". When you click the "Open" button it might not show up on the trusted certificates list, but hopefully it will be added anyway.

You might also try double clicking the downloaded file to import it into your system.

Step 11: Connect to eduroam via 802.1X
Click OK to the two previous windows, and you should be back at the network settings dialogue. Click the "Connect" button to attempt a connection to the eduroam network. You'll obviously need to be in range of an eduroam hotspot.

Step 12: Complete
If you see a message containing the text "Authenticated via TTLS", you're done. If nothing happens, it's likely due to the certificate missing. Review step 9, and try double clicking the certificate file to import it. If that doesn't work, try clicking "Select Certificate From Keychain" and selecting the "Equifax Secure Certificate Authority" from the Keychain certificate store.

Advanced users can use the "Console" application to view debugging info. Press cmd-spacebar to open Spotlight and type "Console". Select the log "Database Searches" > "All messages" and search for "eapolclient". If you see the message "eapttls_verify_server: server certificate not trusted, status 6 0", the certificate was not imported correctly. Recheck steps 9 and 10.
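
The two checks from steps 9 to 12 can also be scripted. The following is an added example, not part of the original guide: `cert_file_kind` tells a real certificate file (PEM or DER) apart from a web page saved by the browser, and `eapol_trust_failures` counts the eapolclient trust error quoted above in log text read from standard input. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks for steps 9-12.

# Classify a downloaded "certificate" file. Prints: html, pem, der or unknown.
cert_file_kind() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    # A browser may save the web page instead of the certificate itself.
    if head -c 512 "$f" | grep -Eqi '<html|<!doctype'; then
        echo html; return 0
    fi
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo pem; return 0
    fi
    # DER X.509: ASN.1 SEQUENCE tag 0x30 followed by long-form length 0x82.
    magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "3082" ]; then
        echo der; return 0
    fi
    echo unknown
}

# Read log text on stdin; print how many eapolclient lines carry the
# trust failure quoted in the guide (prints 0 when there are none).
eapol_trust_failures() {
    grep 'eapolclient' |
        grep -c 'eapttls_verify_server: server certificate not trusted' || true
}

# Constructed sample log: timestamps, host name and PIDs are made up;
# only the eapolclient message text is taken from the guide.
sample_log() {
    cat <<'EOF'
Sep 11 10:02:11 mac airportd[52]: associated to eduroam
Sep 11 10:02:13 mac eapolclient[311]: eapttls_verify_server: server certificate not trusted, status 6 0
Sep 11 10:02:40 mac eapolclient[311]: eapttls_verify_server: server certificate not trusted, status 6 0
Sep 11 10:05:02 mac mDNSResponder[18]: unrelated line
EOF
}

echo "trust failures in sample: $(sample_log | eapol_trust_failures)"
```

A result of `html` from `cert_file_kind` means the file saved in step 9 is a web page rather than a certificate and will not import; a non-zero count from `eapol_trust_failures` points back to steps 9 and 10.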

I hope this guide will be helpful to the few users with general 802.1X + Snow Leopard problems, to eduroam users, or to CBS students.

If you have any questions or suggestions, please hit me in the comments.

5 comments:

  1. Even though I have never been at CBS, I find this guide absolutely fantastic...
  2. Hmm, those certificates insist on being saved as .html from Safari, refuse to be imported after I remove the .html, and after importing them to my keychain still don't appear in the list of keychain certificates one can explicitly trust. Hmm!
  3. Hey.. thanks a lot for making the guide. I'm currently in Sydney and can't log on.. do you know if it's because you need to have been online at CBS before you can use it elsewhere?
  4. Thanks for this little guide. It is surprising that the system has to be so complicated.

    I do have an addition or two, though. In my case I had to manually select 'WEP X' as the encryption format for the WiFi connection. I also had to specify that I wanted to use the user profile 'CBS' for the eduroam network. That is the user profile created in the guide.

    I also used the .cer file from CBS's own server. It is fetched and integrated into the system automatically if you try to connect to eduroam in the normal way.