
Security in the Wifi network eduroam



Deactivate password synchronization

Passing your RZ Account and RZ Password on to a third party is prohibited (see Benutzungsrichtlinien für Informations-Verarbeitungs-Systeme der Universität Regensburg, 5.),
therefore the password may not be stored in the cloud.
On Android and Windows 10, some synchronization functions are activated by default. Please deactivate these functions before configuring eduroam.

Eduroam-CAT Installers

For the secure configuration of your wifi devices, please use the profiles provided by us.

Attention: No software will be installed, only a wifi profile and, if necessary, the certificate T-TeleSec Global Root Class 2.

Windows 'SmartScreen' or 'Internet Explorer' warns me that the installation program has not been downloaded often and may be dangerous. Should I be worried?

Contrary to what is claimed in the product name, 'SmartScreen' is not very smart. The warning simply means that the file has not yet been downloaded by enough users to be considered established; Microsoft concludes from the number of downloads that the program is safe, so this message alone is no reason to worry.

Secure Download Locations for Profiles & Installer

Please download the installers and profiles for eduroam CAT only from the following locations, to make sure you do not get fake profiles:

  • https://eduroam.uni-regensburg.de, https://eduroam.uni-r.de, https://eduroam.ur.de
  • https://cat.eduroam.de/?idp=267
  • https://cat.eduroam.org/?idp=5267
All these locations are served over HTTPS and use valid certificates on their webservers.
How to recognize a secure page is described in the document Digitale Zertifikate (German only).

Suitable devices

Please note that our users (anyone with an RZ Account) must additionally register their device at https://register.uni-regensburg.de to use eduroam on the university campus and hospital grounds. Guests do NOT need to register there.

Unfortunately not all devices are suitable for eduroam, partly because no secure configuration is possible.

We strongly advise against using a device that does not allow a secure configuration, otherwise you run the risk of your RZ Account and RZ Password being spied on!

For some systems, e.g. older Android versions (before 4.3), Jolla (Sailfish OS) and others, there is NO installable wifi profile.
A secure manual configuration on Android (no matter which version) is also not possible, because the CN (Common Name) of the RADIUS server cannot be configured!
We strongly advise you to upgrade Android to a newer version, or to purchase a new device if an upgrade is not possible!

What is a secure configuration?

  1. The wifi encryption of the SSID eduroam must be WPA2.
  2. For secure authentication, the root certificate (here T-TeleSec Global Root Class 2, see also https://pki.uni-regensburg.de/zertifikate) must be specified for the connection and checked during connection setup.
  3. The name (i.e. the CN in the SSL certificate) of the permitted RADIUS server must be checked (here radius.uni-regensburg.de).
    Ideally, if the RADIUS server name is wrong, the device does not merely issue a warning that you can ignore; the connection is not established at all!

With a manual configuration of some operating systems, the correct behavior is difficult to achieve (especially Android systems).

What happens with an insecure configuration?

A "real" wifi network eduroam forwards your login attempt to the responsible servers of your home organization without looking into it.

A "fake" wifi network eduroam does NOT forward your login attempt to the responsible servers of your home organization and thus intercepts your RZ account and your RZ password.

An insecure configuration allows a connection with a "fake" wifi network eduroam.

The secure configuration prevents your RZ account and RZ password from being transmitted to such attackers, because it first verifies that the device is actually communicating with the responsible server(s) of your home organisation.

Configuration parameters for eduroam (overview)

May vary from operating system to operating system.

  • Radio network name / Wifi network name / SSID: eduroam
  • Security Type 802.1X (Windows): WPA2-Enterprise
  • Encryption Type (Windows): AES
  • Specifying authentication mode (Windows): User Authentication
  • PMK Caching (Windows): Activate
  • Certificate Check: always activate
  • CA Certificate / Trusted Root Certification Authorities: T-TeleSec Global Root Class 2 (Get it here: https://pki.uni-regensburg.de)
  • Connect to these servers (Windows only): Activate AND enter server name(s) radius.uni-regensburg.de
  • EAP method / Authentication: PEAP (also called "protected EAP") OR EAP-TTLS
  • External Identity (under Windows: Enable Identity Protection): anonymous@ur.de
  • Authentication Method / Inner Authentication: MSCHAPv2 (for PEAP) OR PAP (for EAP-TTLS)
  • User name / Inner Identity: [yourRZAccount]@ur.de
  • Password: Your RZ Password
  • Fingerprints of our RADIUS-Server(s) to check:
    • radius.uni-regensburg.de:
      SHA1=D3:20:0B:82:39:D2:20:6B:FF:DB:56:F1:EA:E1:11:BD:F7:36:1F:B8
      SHA256=44:CC:92:03:47:52:ED:91:D6:19:B9:51:BA:2E:6F:CB:0A:DE:5A:C7:AE:2B:D1:AC:02:71:6F:84:DD:F4:DD:64
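
The three requirements under "What is a secure configuration?" and the parameter overview above, written as an audit of a wpa_supplicant configuration file. This is an added example, not part of the university's instructions; the use of wpa_supplicant as the client, the `ca_cert` path and the function names are assumptions.

```python
import re

# Expected values are the ones listed in the parameter overview on this page.
SERVER, OUTER = "radius.uni-regensburg.de", "anonymous@ur.de"
INNER_FOR = {"PEAP": "MSCHAPV2", "TTLS": "PAP"}

# Constructed sample (credentials omitted): the first block follows the
# overview, the second leaves out the certificate and server-name checks.
SAMPLE = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@ur.de"
    ca_cert="/path/to/T-TeleSec_Global_Root_Class_2.pem"
    domain_match="radius.uni-regensburg.de"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (line.strip().partition("=") for line in body.splitlines())
        nets.append({k.strip(): v.strip().strip('"')
                     for k, sep, v in pairs if sep and not k.startswith("#")})
    return nets

def audit(net):
    """List where a block falls short of the page's secure configuration."""
    inner = INNER_FOR.get(net.get("eap", "").upper())
    checks = [
        (net.get("key_mgmt") == "WPA-EAP" and net.get("proto") in ("RSN", "WPA2"),
         "not restricted to WPA2-Enterprise"),
        (bool(net.get("ca_cert")), "no root CA: server certificate not validated"),
        (net.get("domain_match") == SERVER, "RADIUS server name not checked"),
        (net.get("anonymous_identity") == OUTER, "outer identity not anonymous"),
        (inner is not None and net.get("phase2", "").upper() == "AUTH=" + inner,
         "inner authentication does not fit the EAP method"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`audit` returns an empty list for the first block and four findings for the second. A block that sets `ca_cert` but no server name would still accept any server certificate issued under the same root, which is why requirement 3 is checked separately.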

Support for students

Telephone +49 941 943 4444

E-Mail: support@rz.uni-regensburg.de