
Best Practice

Make this work BEFORE leaving campus!

Requirements

Method 1: Using System Preferences dialog

In the "System Preferences" panel click "Network":

Select "AirPort" on the left-hand side, click the "Network Name" selector and choose "eduroam":

You'll be prompted with a dialog to authenticate the certificate of the server "sradius01.jacobs-university.de":

To prevent others from spying on your password, click on "Show Certificate" and confirm that "This certificate is valid":

If you would like more protection against server spoofing, click on "Details" and confirm this data:


After you have verified the certificate, click on "Continue". You'll be prompted for your LOCAL COMPUTER PASSWORD to add the above certificate to the keychain for future use. Enter the username and password of your Mac OS X computer. Warning: This is not your JACOBS user account and not your CampusNet account. It was set by you or your Mac administrator. Neither the CampusNet team nor IT Support knows your password or can help you retrieve it!

After trust and encryption have been established with the server, the server needs to check your CampusNet ID. You'll be prompted with a password dialog. Enter your CampusNet username followed by "@jacobs-university.de". So, if your JACOBS user name is "myusername", enter "myusername@jacobs-university.de" here. Warning: This is NOT your email address! The user name does NOT have a dot in it. Then click "OK".

Now, it seems you are connected, but you aren't. DO NOT STOP HERE, CONTINUE ON! Even if it incidentally already works, CONTINUE ON! REALLY!!!

Click on "Advanced...". While you are at it, in the "AirPort" tab, move the "eduroam" entry to the top to use it as the preferred network in the future. This will also automatically log you in at remote locations:

Select the "802.1X" tab, then select the "WPA:eduroam" entry in the list on the left. Make sure that EXACTLY these two options are selected, and ALL OTHERS ARE DESELECTED: PEAP and TTLS. This usually means you have to DESELECT EAP-FAST. Also scroll down the list to check that there are no hidden check marks. Warning: Really! This is important! PEAP and TTLS, nothing else! If you are at another institution and eduroam does not work, make sure PEAP and TTLS are set and nothing else:

Then, select PEAP, and click on the "Configure..." rectangle (not the "Configure Trust..." button). A window opens asking for PEAP authentication information, specifically the "Outer Identity". Despite the box tagging this as "Optional", it is NOT! Enter "anonymous@jacobs-university.de", literally, as written here:

After clicking OK, select TTLS and also click the "Configure..." rectangle. A window pops up and asks for TTLS Inner Authentication: Select "MSCHAPv2" from the drop-down list, and as "Outer Identity" again enter "anonymous@jacobs-university.de". This is NOT optional!

Click "OK" and "Apply" as often as needed to get back to the Network preferences. You are now connected to the eduroam network and will get network access immediately at every other institution worldwide that is a member of the eduroam federation.

Method 2: Using connection profile

Please download the connection profile.

Double-click the file to open it and begin its installation.

A prompt for the per-user authentication fields appears; please fill in the missing information. The user name is your Jacobs username followed by "@jacobs-university.de". The password is your Jacobs password. After continuing the installation you may be asked for an admin password; this is your local password on your device.

You can change or delete the profile later in System Preferences > Profiles. The associated 802.1X profile is visible in System Preferences > Network > Advanced > 802.1X.
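
A connection profile expresses in a file the 802.1X settings that Method 1 sets by hand. The following added example (not part of the original page and not the university's profile) audits an unsigned XML .mobileconfig against the values given in Method 1; the key names are those of Apple's Wi-Fi payload, while `audit_profile`, `sample_profile` and the sample data are constructed for illustration.

```python
import plistlib

# EAP method numbers as used in AcceptEAPTypes (IANA EAP type registry).
EAP_NAMES = {13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 43: "EAP-FAST"}
EXPECTED_EAP = {21, 25}  # TTLS and PEAP, nothing else
EXPECTED_OUTER = "anonymous@jacobs-university.de"
EXPECTED_SERVER = "sradius01.jacobs-university.de"


def sample_profile(**overrides):
    """Build a constructed sample profile (not the university's real file)."""
    eap = {"AcceptEAPTypes": [25, 21], "OuterIdentity": EXPECTED_OUTER,
           "TTLSInnerAuthentication": "MSCHAPv2",
           "TLSTrustedServerNames": [EXPECTED_SERVER]}
    eap.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "eduroam",
         "EncryptionType": "WPA", "EAPClientConfiguration": eap}]})


def audit_profile(data):
    """Return a list of findings for each eduroam Wi-Fi payload in the profile."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.wifi.managed"
                and p.get("SSID_STR") == "eduroam"]
    if not payloads:
        return ["no eduroam Wi-Fi payload found"]
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration", {})
        accepted = set(eap.get("AcceptEAPTypes", []))
        for t in sorted(accepted - EXPECTED_EAP):
            findings.append(f"unexpected EAP type enabled: {EAP_NAMES.get(t, t)}")
        for t in sorted(EXPECTED_EAP - accepted):
            findings.append(f"EAP type not enabled: {EAP_NAMES[t]}")
        # The outer identity is sent before the TLS tunnel is established.
        if eap.get("OuterIdentity") != EXPECTED_OUTER:
            findings.append("outer identity is not the anonymous identity")
        if eap.get("TTLSInnerAuthentication") != "MSCHAPv2":
            findings.append("TTLS inner authentication is not MSCHAPv2")
        if EXPECTED_SERVER not in eap.get("TLSTrustedServerNames", []):
            findings.append("RADIUS server name is not pinned")
    return findings


if __name__ == "__main__":
    print(audit_profile(sample_profile()))
    print(audit_profile(sample_profile(AcceptEAPTypes=[25, 21, 43])))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.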

13 Comments

  1. Keeps timing out at the authentication step in RIII. I have 10.6.8 running. Any ideas?

    1. Yes: eduroam WLAN network available

      snip...
      (minus) eduroam is not yet available at Conrad Naber Lecture Hall, Research II and Research III Lecture Hall, Computer Science Teaching Lab, East and West Hall, Student Activity Center, Ocean Lab. Providing eduroam access at these places requires exchange of access points which will be done during the next weeks.
      ...snip

      1. Yep, checked it out. Very low signal strength.

        1. It's again not working since the beginning of this week. The signal is extremely weak in 102a in RIII.

    2. Please check that all other EAP authentication modes are deselected, including those you need to scroll down to see.

      Maybe the signal is too weak at your location. Where exactly are you trying this?

      1. I realized the signal was too weak, even if it showed 4 bars on the airport symbol. I did get it to work eventually, but some things are different from the guide, at least for me. I'm on 10.7 in case they changed something from 10.6.8:

        After logging in, I viewed and accepted the certificate. Then I had internet but went on as the guide suggested to look into 802.1x settings. There were no settings there (this is different on 10.6.8), and no options to add anything either. Also this appears automatically on the window that lists Wifi SSIDs: Authenticated via PEAP (MSCHAPv2) Connect Time: xx:xx:xx. I'm guessing this works out of the box on Lion since I haven't had any problems after connecting. Will update here if something goes wrong (smile)

        This now works on 10.6.8 as well in the office. The access points must've been changed around so that I get enough signal from there. On 10.6.8 the instructions above work 100%, except the log in details are required before getting the certificate and accepting it. Thanks (smile)

  2. Thank you for bringing in the "eduroam" network. This is really a good feature. Also I have a good signal at Research III. I had a slightly different procedure, though (still Mac 10.6.7):

    • First I was asked to authenticate to the eduroam network, and only afterwards could I add a new certificate;
    • There was no "User profiles" in the 802.1X tab. It was easy to add a new one by clicking on "+" button.

    One very positive aspect: I don't need to always log-in on the VPN network when using wireless (smile)

    1. Thank you! (smile)

      I'm surprised you need a different configuration path. Maybe that's due to different access points in use... we'll look into that.

      1. Thank you for the instruction. It works. However, I had also a different procedure. Basically the same points as written above but: There is no "User profiles" in the 802.1X tab AND there is also no "+" button to add a new one.

        Therewith I could not proceed with all the further steps. But anyhow, it works for now.

        1. I also have the situation that I cannot create a new user profile under the 802.11x. After a Google search, it seems that this function is no longer available in recent versions of Mac OSX, and to create a new profile, this must be done using the Mac Lion server or by a 'loophole' to create the profile in an iPhone, and then import it back onto your Mac. Link: https://discussions.apple.com/thread/3191099?start=0&tstart=0

    1. Have you had a chance to try the method proposed in the section "Configure eduroam using connection profile"? This definitely works, it is tested with all recent versions of MacOS X.

      Just a side note: the configuration of eduroam on 10.7 and 10.8 also works with the installation instructions provided for 10.6, at least as long as you have not configured another connection using 802.1x.

      1. Thanks for posting a configuration profile! Helped me out very much!