A plus in security: new eduroam identifiers

Protection of your personal TU-ID access data for WiFi access

2022/08/16

From now on, it is possible to create and use device-specific identifiers and passwords for WiFi access (eduroam). This means that each of your devices that needs to connect to the eduroam network can use its own identifier and password. With these access data, the device can connect to the eduroam network worldwide. This not only contributes significantly to the protection of your personal TU-ID access data, it also brings many practical advantages in day-to-day use. Change your WiFi access as soon as possible. After a transition period until 01.12.2022, the TU-ID can no longer be used for the WiFi login to the eduroam network.

Transition period until 01.12.2022 – after that no more login with TU-ID possible!

The previous access with your personal TU-ID is still possible during the transition period until 01 December 2022. From this date, the new identifiers will become mandatory. From then on, you will no longer be able to log in to the eduroam WiFi with your TU-ID or use it for the open network sockets.

What to do:

1. Create a WiFi account

Create up to 3 independent WiFi accounts (one for each end device used) in the IDM portal of the TU Darmstadt, under “Persönliche Accountverwaltung > WLAN-Accounts > Persönlich”. You can find detailed instructions here.

The device-specific identifier gives you advantages in later handling (see info box below). If you have more than 3 devices that need to connect to the eduroam network, you can also use an identifier more than once (only recommended in exceptional cases; if you do, group your devices sensibly).

2. Set up identifiers on end devices

Set up the new identifiers on your end devices. We recommend using the Configuration Assistant Tool (CAT) with the new access data. If you set up the network manually, you must first delete eduroam from the known networks and then set it up again.

You can find instructions for setting up on the various end devices here.

When setting up, you should be within range of the eduroam WiFi so that you can confirm that the changeover was successful.

Rules and tips for a secure password

On 9 December 2021, the binding password policy of the Technical University of Darmstadt came into force.

Does your TU-ID password not yet meet the requirements of this policy? Then save yourself extra work later and tackle the necessary password update for your TU-ID and the configuration of your WiFi accounts together.

Information and assistance on changing the TU-ID password can be found here.

What are the advantages of the change for you?

Protection of your TU-ID access data and the systems you access

End devices initially store the access data for known networks locally on the device and synchronise them (especially in the case of mobile devices) with the cloud storage of the respective manufacturer. This means that your TU-ID access data may be held in plain text, without sufficient protection, in several different locations. Since your TU-ID simultaneously provides access to a whole range of important TU Darmstadt systems and applications, this poses a permanent threat to all of these systems.

Protection against fraudulent networks accessing your data and systems

The eduroam network is available worldwide. This makes it extremely difficult for users (and their end devices) to distinguish genuine eduroam networks from fraudulent ones that falsely identify themselves as members of the eduroam network. If your device (or mobile device) automatically connects to such a fraudulent network, the TU-ID access data is directly revealed to the attacker, who then gains far-reaching access to TU Darmstadt systems. Technically, this cannot be reliably ruled out.

Risk minimisation through separate identifiers

The new separate identifiers limit the risks to WiFi access. If something does go wrong here, the access data for a specific device account can be blocked and set up again without affecting access to all other services. In short: your TU-ID remains protected.

Remaining able to act despite the failure of an end device

Because you can assign an individual identifier to each device, access can be blocked for individual devices (e.g. the lost smartwatch) without blocking access for other devices (e.g. the work laptop).