Testing your connection to eduroam

Currently testing is done via test accounts between the eduroam-US top-level server and peering institutions.  We are pursuing alternative testing systems and methodologies as we go forward and would love input as to testing tools that would help joining institutions.

The simplest way to test eduroam is to use the 802.1X supplicant that ships with your computer and the eduroam SSID itself.  This requires configuring at least one wireless access point to both broadcast the SSID and authenticate against your newly configured RADIUS server.  If you plan on doing this, particularly from Windows, you will want the eduroam-US CA certificate installed in your computer's key-store.  Moreover, the more modern the Windows version, the more sensitive the supplicant appears to be to the certificate being verified.  In Windows XP (all service packs that we are aware of), if you unchecked the "Validate Server Certificate" checkbox while configuring the supplicant, authentications that had previously silently failed suddenly worked.  This does not appear to be the case in Vista and, particularly, Windows 7.  When testing with Windows 7, make sure that the eduroam-US CA certificate is not only imported into your Certificate Snap-in for MMC but is also in your Trusted Root Certification Authorities list.

Testing from the *NIX command line can currently be performed by using the eapol_test utility (included in the wpa_supplicant package).  Further documentation on eapol_test, compiling it, and usage is available from Deploying RADIUS, or for complete examples of eapol_test look at the package's example wpa_supplicant.conf.  A handy wrapper for this package is rad_eap_test, the source for which is available here.  To use eapol_test or rad_eap_test, make sure that the host on which you are conducting the test is a valid client of the RADIUS server you specify to the programs.  This is one more place where host firewalls can be a nuisance; if the test never seems to arrive at the RADIUS server, check for those.

If you do not have the rad_eap_test wrapper script, the following command line and sample configuration file should suffice for testing:

% eapol_test -c <config file> -a <IP of your RADIUS server> -p <Port> -s <SECRET>

Example config file:

network={
   ssid="eduroam"
   key_mgmt=IEEE8021X
   eap=<PEAP or TTLS>
   pairwise=CCMP TKIP
   group=CCMP TKIP WEP104 WEP40
   phase2="auth=MSCHAPV2"
   identity="<username@realm>"
   password="<PASSWORD>"
}
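
The server-certificate check discussed above for Windows supplicants can also be exercised from the command line. The following is an added example, not part of the original page: it writes an eapol_test configuration that sets wpa_supplicant's ca_cert option so the test verifies the RADIUS server certificate. The function names and the CA file path you pass in are assumptions.

```shell
# Added example; function names are hypothetical, not from the page.

# make_eapol_conf METHOD IDENTITY PASSWORD CA_CERT OUTFILE
# Writes an eapol_test config that sets ca_cert, so the test verifies the
# RADIUS server certificate the way a strict supplicant does.
make_eapol_conf() {
    method=$1 identity=$2 password=$3 ca_cert=$4 out=$5
    case $method in
        PEAP|TTLS) ;;
        *) echo "method must be PEAP or TTLS" >&2; return 2 ;;
    esac
    case $identity in
        ?*@?*) ;;
        *) echo "identity must be username@realm" >&2; return 2 ;;
    esac
    [ -r "$ca_cert" ] || { echo "CA certificate not readable: $ca_cert" >&2; return 2; }
    # The file holds a cleartext password: recreate it readable by owner only.
    rm -f "$out"
    ( umask 077
      cat > "$out" <<EOF
network={
   ssid="eduroam"
   key_mgmt=IEEE8021X
   eap=$method
   phase2="auth=MSCHAPV2"
   ca_cert="$ca_cert"
   identity="$identity"
   password="$password"
}
EOF
    )
}

# run_eapol_test CONF SERVER_IP PORT SECRET
# Same invocation as on the page. The shared secret is visible in the
# process list while the test runs, so prefer a dedicated test client entry.
run_eapol_test() {
    eapol_test -c "$1" -a "$2" -p "$3" -s "$4"
}
```

With ca_cert set, a server certificate that does not chain to the given CA makes the test fail instead of passing silently.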

Note: FreeRADIUS includes two tools called radtest and radeaptest.  radtest is for testing plain (no EAP involved) RADIUS configurations and radeaptest is only able to test EAP-MD5 connections.  This limitation means it cannot be used to test EAP-TLS/TTLS/PEAP connections.