
Wireless

Frequently asked questions

Wi-Fi Connection

Why do I have to run the wireless setup tool (https://cloudpath.lboro.ac.uk) every time I want to use the Internet?

You only need to run the setup tool once. If you are presented with the installer page again, your device has most likely re-joined the setup-wifi network (instead of eduroam). To stop this from happening, remove setup-wifi from the list of configured wireless networks on your device.

Why don't you provide screenshots or a step-by-step guide for how to configure my device?

In the past screenshots were provided, but these were found to be problematic.

Firstly, there are many different device / OS combinations, which means the process of producing instructions for each variant is very time consuming. Additionally, operating systems are frequently updated, and this requires that more screenshots are added (the old ones for users with the old version and the new ones for users with the new version).

Also, configuring enterprise wireless properly is not trivial and can involve as many as 21 steps on some devices. Plus, given slight variations in hardware, the options presented may be different for different hardware (with the same OS). This can cause confusion, leading to incorrect configuration.

Finally, the primary method for authentication used at Loughborough is EAP-TLS which uses a client certificate. This certificate needs to be generated per device at configuration time and installed on your device. This is not something which is practical to achieve with screenshots. 

Given all these reasons, we provide the Cloudpath installer (https://cloudpath.lboro.ac.uk), which takes you through the configuration and automates the process.

Why is the process for getting on eduroam so complicated, why can't we just use a pre-shared key?

Unfortunately pre-shared keys are designed for the home environment where only a handful of devices are connecting to the network. At the University on any given day there are around 13,000 devices connected to the wireless network. Using a pre-shared key is not a viable method of securing access to the wireless network. Therefore it is required that enterprise network security is employed. This requires each device to securely identify itself and be provided with unique encryption keys. However, it should be remembered that once your device is configured correctly you can use eduroam anywhere in the world (https://www.eduroam.org/?p=where).

Why can't I just use a username and password to access eduroam?

Whilst it is possible to use a username and password to access eduroam the preferred method for connecting is to use a certificate (issued through https://cloudpath.lboro.ac.uk). Certificates are the preferred method for authentication for a number of reasons.

Efficiency. A certificate based authentication is a simpler conversation between your device and the authentication server. This means that the authentication occurs more quickly than with a username and password.

Scalability. Due to the large numbers of devices using eduroam at Loughborough University, username / password authentication presents some scalability issues during busy periods where authentication servers can be handling a high authentication load. Username / password based authentication requires a challenge to occur against the University's active directory using NTLM. This NTLM challenge can be slow to respond during heavy load which can lead to authentications failing. Unfortunately this can then amplify the issue as the devices which failed authentication retry. Certificate based authentication does not require a challenge against the active directory and therefore scales better and performs better under load.

Device behaviour. Occasionally authentication to eduroam may fail. This could be because your device is on the edge of coverage and has an intermittent connection, or you are moving around and roam between WiFi access points during authentication, or there could be load issues on the authentication servers. On devices with username / password based authentication some OS (e.g. Windows) will forget the stored username / password when an authentication failure occurs. The user is then prompted for a username / password the next time they try to connect. With certificates if an authentication failure occurs, the device does not forget settings and will simply try again in future with the same certificate and settings.

Security. It is possible to poorly configure a device with username / password based authentication so that your device is not properly checking the identity of the authentication server. Your device could then inadvertently leak your username / password to a rogue / fake authentication server. Certificate based authentication mitigates this issue as your device never gives the server your username / password. Using the https://cloudpath.lboro.ac.uk installer ensures your device is properly configured.

Why can't I just use my MAC address to access eduroam?
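
The misconfiguration described under "Security" can be checked for on a Linux device that uses wpa_supplicant. The following is an added example, not part of the original FAQ or the Cloudpath tooling: it audits each network block for the settings that make the device verify the authentication server. The sample configuration, CA path and server domain are constructed placeholders, not Loughborough's real values.

```python
import re

# Constructed sample wpa_supplicant.conf. The CA path and server domain are
# placeholders (assumptions), not values published on this page.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.ac.uk"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@example.ac.uk"
    ca_cert="/etc/ssl/certs/example-private-ca.pem"
    domain_suffix_match="radius.example.ac.uk"
    client_cert="/etc/wifi/device01.pem"
    private_key="/etc/wifi/device01.key"
}
'''

NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of key -> value for each network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (line.strip().split("=", 1) for line in body.splitlines()
                 if "=" in line and not line.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List the server-validation gaps in one network block."""
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: the server certificate is not verified")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name match: any server signed by the CA is accepted")
    if "password" in net and findings:
        findings.append("credentials are exposed to an unverified server")
    return findings

def audit_conf(text):
    return [(n.get("ssid"), n.get("eap"), audit(n)) for n in parse_networks(text)]
```

Calling audit_conf(SAMPLE_CONF) reports three findings for the PEAP block, which trusts any server, and none for the EAP-TLS block, which pins the CA and the server name.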

MAC Address based authentication is neither secure nor scalable. The only industry recognised method to securely authenticate and connect to a wireless network is through the use of WPA2 Enterprise using EAP authentication.

The configuration process is too confusing, could you not simplify it?

We understand that configuring your device for use with eduroam can be confusing, particularly if you have only used pre-shared keys for wifi in the past. We are constantly trying to improve the process through tools like Cloudpath (https://cloudpath.lboro.ac.uk) and user education. If you have any ideas for how we could make the process less confusing, please contact it.services@lboro.ac.uk

I am concerned you require me to install a root certificate?

Some people have concerns about the installation of a root certificate. When authenticating devices on eduroam you need to ensure that you are talking to the correct authentication server (and not a fake / rogue one). To do this the authentication server at Loughborough University presents your device with its certificate (during the authentication process) so your device can check it is talking to the correct server. At Loughborough our authentication servers use a private CA and therefore you need to install this CA on your device. This is why we require you to install a root certificate.

However, we understand some people have concerns about installing root CAs. We assure you that the only purpose we are using this certificate authority for is eduroam authentication. We take the privacy and security of staff and students very seriously and do not use the certificate authority for any other purpose.

To read more about why we use a private certificate authority for eduroam follow this link (https://wiki.geant.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus) and read the "EAP Server certificate considerations" section.

Why do I have to install software (XpressConnect) to configure my device for eduroam?

The short answer is that you don't have to install software to configure your device for eduroam, but there are caveats. You could configure your device by hand to connect to eduroam. However, this is not a trivial process and most users find it confusing and difficult. Therefore, to make the process easier, we make use of tools which do the configuration work for you. On some devices, e.g. iOS, this is simple: your device simply downloads an XML configuration file. However, other devices, e.g. Windows, require a small program which makes the necessary configuration changes. This XpressConnect application simply makes the required configuration changes so that your device is properly configured for use with eduroam. Once it has finished configuring your device you can delete this software.

Why do I have to give the XpressConnect App admin permissions?

In order to configure your device the application needs permissions to make configuration changes to the wireless configuration of your device. Once your device is configured and connected to eduroam you can remove this App from your device.

Why do I have to set a PIN / lock screen for my phone?

Your device is being configured with either University credentials or a certificate which provides access to University resources. It is important these are protected against theft. Therefore you are required to secure your device to prevent these from being accessed by unauthorised persons. It is also considered best security practice to set a PIN / lock screen for your device.

Can I connect in Halls of Residence?

A number of halls on campus already have wireless networking. See the Wireless Coverage page.

Can I use the wireless networks at other Universities and Colleges?

You can use eduroam at any participating eduroam site. When you visit other sites you don't need to change anything. If your device is properly configured to work with eduroam at Loughborough University, it will work at other eduroam sites. See our eduroam web pages.

Can I use my VOIP phone, PSP, Nintendo DS etc.?

Your device can use eduroam if it supports the WPA2 Enterprise wireless networking standard. Devices such as Nintendo DS which don't have WPA2 Enterprise capabilities will not be able to connect. Contact your device manufacturer's support to find out if it can connect to a WPA2 Enterprise network.

Is it secure?

When you use eduroam, the communications between your device and the wireless network are protected using industry standard AES encryption. This gives you the highest level of protection we are able to offer.

What can I do if it doesn't work?

Problems are typically due to wireless drivers being out of date, or conflicts with other programs.

Suggestions:

  • Most laptops, and all supported Staff Desktop laptops, have a physical switch on the side or front which turns off the wireless antenna. Set this switch to the On position to work online.
  • If you have changed your Loughborough University Active Directory password, you will need to update any locally cached copy of your password on your wireless device.
  • Driver updates are normally available from your vendor's web site.

How do I get help?

Please contact IT Services on IT.Services@lboro.ac.uk or telephone 01509 222333.

Depending on the description of the fault, you may wish to bring your device to the Service Availability, based on the main floor of the Library.

Term Time: Monday to Friday - 10:00 a.m. to 6:00 p.m.

Out of Term Time: 11:00 a.m. to 3:00 p.m.