Devices that are compatible with eduroam

The following list is sorted alphabetically by vendors. The table notes which EAP methods are supported. Legend:

CAT - this device/EAP type combination is supported by eduroam CAT; can probably also be configured securely manually

Yes - the device can be configured securely manually for this EAP type

Deficient - the device lacks important security features, but workarounds exist which can make its use safe

Insecure - the device can be configured manually for this EAP type, but not all security parameters can be set up

No - device is known not to support IEEE 802.1X/EAP

? - Unknown

TPS - supported with Third-Party Software (possibly commercial)


Compatibility Matrix

Device/OS Vendor

Device/OS

Version

TTLS-PAP

PEAPTTLS-MSCHAPv2TLSPWDTTLS-GTC

FAST

Android

tested on:

Samsung Galaxy S2

Huawei Sonic u8650

2.3Deficient[1]Deficient[1]Deficient[1]Deficient[1]?Deficient[1]?
Android

tested on:

Motorola Xoom2

4.0+Deficient[1]Deficient[1]Deficient[1]Deficient[1]?Deficient[1]?

Apple

iPhone

iOS 4.0+

CAT

CATCATYesNoYes

Yes

Apple

iPad

iOS 4.0+

CAT

CATCAT YesNoYes

Yes

Apple

iPod touch

iOS 4.0+

CAT

CATCATYesNoYes

Yes

AppleMac OS X10.7+CATCATCATYesNo?Yes
AppleMac OS X10.4-10.6Yes[4]Yes[4]Yes[4]Yes[4]No?Yes[4]
BlackberryPlaybook OS2Yes?????

?

LinuxNetworkManager
CATCATCATCATNo??
Linuxwpa_supplicant
CATCATCATCATYes[2]YesYes

Microsoft

Windows

XP SP3

TPSYesTPSYesNoTPS

TPS

Microsoft

Windows

Vista

TPSCATTPSCATCATTPS

TPS

Microsoft

Windows

7

TPSCATTPSCATCATTPS

TPS

MicrosoftWindows8 / 8.1CATCATCATCATCAT?

?

MicrosoftWindows10CATCATCATCATCAT??
MicrosoftWindows Phone7.xNoInsecure[3]?No???
MicrosoftWindows Phone8.xNoDeficient[1]?????
MicrosoftXboxallNoNoNoNoNoNoNo
MicrosoftXBoxONEallNoNoNoNoNoNoNo

Nokia

Symbian OS

Series 6

No

Yes?Yes?Yes

No

NokiaSymbian OS9.xYesYes?Yes?YesNo
SonyPlaystation3 (PS3)allNoNoNoNoNoNo

No

SonyPlaystation4 (PS4)allNoNoNoNoNoNo

No

JollaSailfish OS2YesYes Yes Yes???

[1] Installation and pinpointing of CA possible; verification of expected server name (CN) not possible. A secure configuration is only possible if the Identity Provider deploys a private CA which issues exclusively server certificates for his own eduroam EAP servers. All other Identity Provider deployments are INSECURE.

[2] Version 1.0 or higher required

[3] Verifying that the server is signed by the proper CA is not possible; this means users will not be able to detect fake hotspots and might send their username/password to an unauthorised third party.

[4] Only with 10.6.x (Snow Leopard) and later does OSX allow the configuration of of CA/server trust settings (Pinning 802.1X to specific CA and RADIUS server CommonName)

Reporting a new device

Please let us know in the "Comments" field what device you have, and what EAP method(s) you have found working. We will update the list periodically.

  • No labels

20 Comments

  1. Anonymous

    Asus TF101 - Android 4.0 ISC
    1. Unknown User (swinter)

      Which EAP types does the device support?

    2. Anonymous

      Can I connect to duroam wifi using my kindle?

       

      1. Unknown User (swinter)

        Hi,

        that depends on the version of Kindle you are using; earlier versions had no support for Enterprise-level encryption at all and thus cannot be used with eduroam.

        Newer versions have the required support; according to what I hear it is still somewhat incomplete though in that the server's certificate is not checked for validity and the correct name. If that's true on your device, this would be an amount of support we'd classify as "Insecure". You would be subject to Man-in-the-Middle attacks, where someone could set up an access point that looks like eduroam, but actually is not, and could harvest your login credentials when you log into it.

        We do not recommend the use of such insecure devices.

  2. Anonymous

    Add Windows Phone 7 please. Wich doesen't support TTLS-PAP.

    I really dont understand why Eduroam doesent use PEAP always... Is the only method that works out of the box in almost every device...

    1. Unknown User (swinter)

      Hi,

       

      thanks, I've added the Windows Phone 7 information. Regarding your question about PEAP:

      PEAP has significant technical limitations which hinder its implementation: the identity provider must have stored your user password in either cleartext or in the Microsoft-proprietary NT-Hash format, which has known security problems. For institutions which have concerns with storing their users' passwords int these weak formats, they can use much more secure ones like salted SHA or PBKDF2 - but are then locked out of using PEAP.

      That's what you get with proprietary EAP methods and proprietary hashes.

  3. Anonymous

    Android IceCream Sandwich (Motorola Xoom2): TTLS-PAP

    Android Gingerbread (Huawei Sonic u8650): TTLS-PAP

    Blackberry Playbook OS v2 (Playbook Tablet): TTLS-PAP

    Tested and worked well.

    1. Unknown User (swinter)

      Thanks, updated the table. I just wonder: did you test server-side certificate validation? If that's off, your connection can be hijacked - and we know that Android is particularly weak regarding installation of new certification authorities, and enabling them for the login validation.

  4. Anonymous

    Windows Phone 8 doesn't seem to work with TTLS-PAP. Can anyone confirm this?

  5. Anonymous

    Hi,

    I have a Windows Phone 8, but even if there is an option to verify the server certificate using the proper CA certificate I installed before, PEAP-MSCHAPv2 doesn't seem to work. It works in "insecure" mode though.

    1. Unknown User (swinter)

      Hello,

       

      we have recently investigated why that is. Your comment sounds like you've been hit by a Windows Phone 8 "speciality" in verifying the server certificate.

      In Windows Phone 8, the server's certificate (NOT the CA certificate) needs to have a so-called "Certificate Extension" of type "CRL Distribution Point" (CDP). If that extension is not present in the server certificate, Windows will fail to validate, even if the certificate is otherwise perfectly fine and other operating systems do validate it.

      Interestingly enough, the actual CDP URL in the server certificate is never actually checked or used for anything; it just needs to be present in the certificate. Unfortunately, other Operating Systems actually do something with the CDP URL after connecting, so the value in CDP still should better be a valid URL which actually points to the CRL.

       

      Now, if you are an end user this probably sounds rather esoteric to you. That is understandable (smile) . You should probably copy&paste my comment into an email to your IT support and see to it that they issue a new server certificate which contains a valid CDP. This will make your Windows Phone 8 happy.

       

      Greetings,

      Stefan Winter

  6. Anonymous

    Windows Phone 8 does NOT support TTLS+PAP. Can anyone confirm this or tell me which Windows Phone 8 product(s) that works?

    1. Unknown User (swinter)

      Hi,

       

      AFAIK, that's correct - only PEAP (and possibly EAP-TLS?) on Windows Phone 8. And for PEAP, the server name is not validated, which would qualify the device as "Deficient" as per our definitions above.

      I'll update the matrix; it doesn't contain WP8 yet at all.

       

      Stefan

  7. Anonymous

    Android 4.3+ can verify the CN name, but only if the configuration is set via the API provided in the SDK. Although this tests a substring of the certificate subject, i.e. subject_match, instead of altsubject_match.

    Additionally EAP-TLS does not need to verify the CN to be a secure configuration, as such no device should be listed as deficient in this column.

  8. Anonymous

    Does a device secured manually (i.e. an old Macbook running OS 10.6) work at a non-home institution?  And is it possible to configure a more modern device that works w/ CAT from a non-home institution (i.e. already abroad)?

    1. Unknown User (swinter)

      When the user "gets it right" i.e. sets all the configuration parameters as required, eduroam will work on any hotspot, whether it is the home institution's own or a roaming hotspot, and regardless whether CAT was used for the setup or not.

      eduroam CAT makes the configuration easier and eliminates sources of human error during the configuration; so chances are way higher to get to a working setup. It does not matter where you execute the CAT installer; it will do its job location-independently.

      The reason why we usually suggest to do the configuration at home first is that if something went wrong during the intitial setup, your own helpdesk is near and can help you.

  9. The table entry for "Microsoft Windows 7" and "EAP-TTLS" should be changed from "CAT" to "TPS", since CAT does no longer distribute the required SecureW2 software.

  10. The Blackberrry OS 10 of the BB Q10 and Blackberry passport is no longer supported since the last update!
  11. J. R. Chaponnière, L'Economie politique, numéro 77, 2018

  12. Shouldn't this site be deleted since a bit newer compatibility matrix already exists in How to support to end users?