Devices that are compatible with eduroam
The following list is sorted alphabetically by vendors. The table notes which EAP methods are supported. Legend:
CAT - this device/EAP type combination is supported by eduroam CAT; can probably also be configured securely manually
Yes - the device can be configured securely manually for this EAP type
Deficient - the device lacks important security features, but workarounds exist which can make its use safe
Insecure - the device can be configured manually for this EAP type, but not all security parameters can be set up
No - device is known not to support IEEE 802.1X/EAP
? - Unknown
TPS - supported with Third-Party Software (possibly commercial)
Compatibility Matrix
Device/OS Vendor | Device/OS | Version | TTLS-PAP | PEAP | TTLS-MSCHAPv2 | TLS | PWD | TTLS-GTC | FAST |
---|---|---|---|---|---|---|---|---|---|
Android | tested on: Samsung Galaxy S2, Huawei Sonic u8650 | 2.3 | Deficient[1] | Deficient[1] | Deficient[1] | Deficient[1] | ? | Deficient[1] | ? |
Android | tested on: Motorola Xoom2 | 4.0+ | Deficient[1] | Deficient[1] | Deficient[1] | Deficient[1] | ? | Deficient[1] | ? |
Apple | iPhone | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
Apple | iPad | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
Apple | iPod touch | iOS 4.0+ | CAT | CAT | CAT | Yes | No | Yes | Yes |
Apple | Mac OS X | 10.7+ | CAT | CAT | CAT | Yes | No | ? | Yes |
Apple | Mac OS X | 10.4-10.6 | Yes[4] | Yes[4] | Yes[4] | Yes[4] | No | ? | Yes[4] |
Blackberry | Playbook OS | 2 | Yes | ? | ? | ? | ? | ? | ? |
Linux | NetworkManager | | CAT | CAT | CAT | CAT | No | ? | ? |
Linux | wpa_supplicant | | CAT | CAT | CAT | CAT | Yes[2] | Yes | Yes |
Microsoft | Windows | XP SP3 | TPS | Yes | TPS | Yes | No | TPS | TPS |
Microsoft | Windows | Vista | TPS | CAT | TPS | CAT | CAT | TPS | TPS |
Microsoft | Windows | 7 | TPS | CAT | TPS | CAT | CAT | TPS | TPS |
Microsoft | Windows | 8 / 8.1 | CAT | CAT | CAT | CAT | CAT | ? | ? |
Microsoft | Windows | 10 | CAT | CAT | CAT | CAT | CAT | ? | ? |
Microsoft | Windows Phone | 7.x | No | Insecure[3] | ? | No | ? | ? | ? |
Microsoft | Windows Phone | 8.x | No | Deficient[1] | ? | ? | ? | ? | ? |
Microsoft | Xbox | all | No | No | No | No | No | No | No |
Microsoft | Xbox One | all | No | No | No | No | No | No | No |
Nokia | Symbian OS | Series 6 | No | Yes | ? | Yes | ? | Yes | No |
Nokia | Symbian OS | 9.x | Yes | Yes | ? | Yes | ? | Yes | No |
Sony | Playstation3 (PS3) | all | No | No | No | No | No | No | No |
Sony | Playstation4 (PS4) | all | No | No | No | No | No | No | No |
Jolla | Sailfish OS | 2 | Yes | Yes | Yes | Yes | ? | ? | ? |
[1] Installation and pinpointing of CA possible; verification of expected server name (CN) not possible. A secure configuration is only possible if the Identity Provider deploys a private CA which issues exclusively server certificates for its own eduroam EAP servers. All other Identity Provider deployments are INSECURE.
[2] Version 1.0 or higher required
[3] Verifying that the server is signed by the proper CA is not possible; this means users will not be able to detect fake hotspots and might send their username/password to an unauthorised third party.
[4] Only with 10.6.x (Snow Leopard) and later does OS X allow the configuration of CA/server trust settings (pinning 802.1X to a specific CA and RADIUS server CommonName)
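The distinction drawn in footnotes [1] and [3] can be checked mechanically on a wpa_supplicant configuration. The following is an added example, not part of the original page or of eduroam CAT; the sample configuration is constructed, and the mapping of wpa_supplicant options onto the legend's terms is an assumption made for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf; paths and names are placeholders.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-idp-ca.pem"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-idp-ca.pem"
    altsubject_match="DNS:radius.example.org"
}
"""

# wpa_supplicant options that constrain the server certificate's name
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")

def parse_networks(conf):
    """Return one {option: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", conf, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks

def classify(opts):
    """Map a network block to the legend's terms (this mapping is an assumption)."""
    if not (opts.get("ca_cert") or opts.get("ca_path")):
        return "Insecure"   # server certificate is not tied to any CA
    if not any(opts.get(k) for k in NAME_CHECKS):
        return "Deficient"  # CA pinned, expected server name not checked
    return "Yes"

def audit(conf):
    return [(n.get("eap"), classify(n)) for n in parse_networks(conf)]
```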
Reporting a new device
Please let us know in the "Comments" field what device you have, and what EAP method(s) you have found working. We will update the list periodically.
20 Comments
Anonymous
Unknown User (swinter)
Which EAP types does the device support?
Anonymous
Can I connect to eduroam wifi using my kindle?
Unknown User (swinter)
Hi,
that depends on the version of Kindle you are using; earlier versions had no support for Enterprise-level encryption at all and thus cannot be used with eduroam.
Newer versions have the required support; according to what I hear it is still somewhat incomplete though in that the server's certificate is not checked for validity and the correct name. If that's true on your device, this would be an amount of support we'd classify as "Insecure". You would be subject to Man-in-the-Middle attacks, where someone could set up an access point that looks like eduroam, but actually is not, and could harvest your login credentials when you log into it.
We do not recommend the use of such insecure devices.
Anonymous
Add Windows Phone 7 please. Which doesn't support TTLS-PAP.
I really don't understand why Eduroam doesn't use PEAP always... It is the only method that works out of the box in almost every device...
Unknown User (swinter)
Hi,
thanks, I've added the Windows Phone 7 information. Regarding your question about PEAP:
PEAP has significant technical limitations which hinder its implementation: the identity provider must have stored your user password in either cleartext or in the Microsoft-proprietary NT-Hash format, which has known security problems. For institutions which have concerns with storing their users' passwords in these weak formats, they can use much more secure ones like salted SHA or PBKDF2 - but are then locked out of using PEAP.
That's what you get with proprietary EAP methods and proprietary hashes.
Anonymous
Android IceCream Sandwich (Motorola Xoom2): TTLS-PAP
Android Gingerbread (Huawei Sonic u8650): TTLS-PAP
Blackberry Playbook OS v2 (Playbook Tablet): TTLS-PAP
Tested and worked well.
Unknown User (swinter)
Thanks, updated the table. I just wonder: did you test server-side certificate validation? If that's off, your connection can be hijacked - and we know that Android is particularly weak regarding installation of new certification authorities, and enabling them for the login validation.
Anonymous
Windows Phone 8 doesn't seem to work with TTLS-PAP. Can anyone confirm this?
Anonymous
Hi,
I have a Windows Phone 8, but even if there is an option to verify the server certificate using the proper CA certificate I installed before, PEAP-MSCHAPv2 doesn't seem to work. It works in "insecure" mode though.
Unknown User (swinter)
Hello,
we have recently investigated why that is. Your comment sounds like you've been hit by a Windows Phone 8 "speciality" in verifying the server certificate.
In Windows Phone 8, the server's certificate (NOT the CA certificate) needs to have a so-called "Certificate Extension" of type "CRL Distribution Point" (CDP). If that extension is not present in the server certificate, Windows will fail to validate, even if the certificate is otherwise perfectly fine and other operating systems do validate it.
Interestingly enough, the actual CDP URL in the server certificate is never actually checked or used for anything; it just needs to be present in the certificate. Unfortunately, other Operating Systems actually do something with the CDP URL after connecting, so the value in CDP still should better be a valid URL which actually points to the CRL.
Now, if you are an end user this probably sounds rather esoteric to you. That is understandable. You should probably copy&paste my comment into an email to your IT support and see to it that they issue a new server certificate which contains a valid CDP. This will make your Windows Phone 8 happy.
Greetings,
Stefan Winter
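A way for an IT support team to check a RADIUS server certificate for the CRL Distribution Point extension described in the comment above. This is an added example, not part of the original comment or of any eduroam tooling; it uses a small DER walker from the Python standard library, and the sample certificate is a constructed, unsigned skeleton with a placeholder URL.

```python
import ssl
CDP_OID = bytes.fromhex("551d1f")  # 2.5.29.31, id-ce-cRLDistributionPoints

def read_tlv(buf, pos=0):  # decode one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split a constructed value into (tag, value) elements
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def find_uris(buf):  # GeneralName URIs (tag [6]) below SEQUENCE and [0] nodes
    uris = []
    for tag, val in children(buf):
        if tag == 0x86:
            uris.append(val.decode("ascii"))
        elif tag in (0x30, 0xA0):
            uris += find_uris(val)
    return uris

def cdp_urls(cert):
    """CDP URIs of a PEM (str) or DER (bytes) certificate; None if no CDP extension."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    tbs = children(read_tlv(der)[1])[0][1]  # Certificate -> TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)  # extnID, optional critical flag, extnValue
                if fields[0][1] == CDP_OID:
                    return find_uris(fields[-1][1])
    return None

def tlv(tag, *parts):  # minimal DER encoder, only used to build the sample below
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_cert(with_cdp):  # constructed skeleton with placeholder fields, not a real cert
    exts = [tlv(0x30, tlv(0x06, bytes.fromhex("551d13")), tlv(0x04, tlv(0x30)))]
    if with_cdp:
        point = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.org/ca.crl"))))
        exts.append(tlv(0x30, tlv(0x06, CDP_OID), tlv(0x04, tlv(0x30, point))))
    # version, serial, then five fields left empty: signature, issuer, validity, subject, key
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", tlv(0x30) * 5, tlv(0xA3, tlv(0x30, *exts)))
    return tlv(0x30, tbs, tlv(0x30), b"\x03\x01\x00")
```

A result of `None` is the case the comment describes as failing on Windows Phone 8; a returned URL should still be fetched and confirmed to serve the CRL, since other operating systems use it.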
Anonymous
Windows Phone 8 does NOT support TTLS+PAP. Can anyone confirm this or tell me which Windows Phone 8 product(s) that works?
Unknown User (swinter)
Hi,
AFAIK, that's correct - only PEAP (and possibly EAP-TLS?) on Windows Phone 8. And for PEAP, the server name is not validated, which would qualify the device as "Deficient" as per our definitions above.
I'll update the matrix; it doesn't contain WP8 yet at all.
Stefan
Anonymous
Android 4.3+ can verify the CN name, but only if the configuration is set via the API provided in the SDK. Although this tests a substring of the certificate subject, i.e. subject_match, instead of altsubject_match.
Additionally EAP-TLS does not need to verify the CN to be a secure configuration, as such no device should be listed as deficient in this column.
Anonymous
Does a device secured manually (i.e. an old Macbook running OS 10.6) work at a non-home institution? And is it possible to configure a more modern device that works w/ CAT from a non-home institution (i.e. already abroad)?
Unknown User (swinter)
When the user "gets it right" i.e. sets all the configuration parameters as required, eduroam will work on any hotspot, whether it is the home institution's own or a roaming hotspot, and regardless whether CAT was used for the setup or not.
eduroam CAT makes the configuration easier and eliminates sources of human error during the configuration; so chances are way higher to get to a working setup. It does not matter where you execute the CAT installer; it will do its job location-independently.
The reason why we usually suggest to do the configuration at home first is that if something went wrong during the initial setup, your own helpdesk is near and can help you.
Christian Rank
The table entry for "Microsoft Windows 7" and "EAP-TTLS" should be changed from "CAT" to "TPS", since CAT no longer distributes the required SecureW2 software.
Salix HGW
The Blackberry OS 10 of the BB Q10 and Blackberry passport is no longer supported since the last update!
Martin Božič
Shouldn't this site be deleted since a bit newer compatibility matrix already exists in How to support to end users?