eduroam

eduroam is the primary wireless network at Virginia Tech.

Authentication

Virginia Tech users are authenticated with PEAP/MSCHAPv2. Because MSCHAPv2 is a thoroughly broken protocol, these credentials are used only for network authentication and for nothing else.

Network

All users, both VT affiliates and roaming users on VT's campus, land in vlan-users.

Remediation

We can remove a user or device from the network in two ways.

  1. Disable the credentials.
  • VT accounts can have the network entitlement removed, effectively revoking their authorization.
  • By design, VT is unable to see the individual usernames for roaming users (e.g., a Radford user on VT's campus). We can, however, see which institution their account is from. Therefore, to revoke a roaming user's access, we have to go through the user's home institution. Because that process can take some time and is not within our control, we can also block ALL authentication for that institution in the meantime.
  2. Block the MAC address.
  • This must be entered on each controller.
  • The controller then denies all 802.11 authentication requests from that MAC, which prevents the device from even associating.
  • This is becoming less effective as MAC randomization becomes more common.
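The following is an added example, not part of this page or of VT's actual tooling. It models the two remediation paths above as a small policy check: a per-institution (realm) block and a per-MAC block, plus a flag for randomized MACs so an operator can see when a MAC block is unlikely to hold. It assumes the standard eduroam arrangement in which a roaming user's EAP outer identity carries only an anonymous user part and the home institution's realm (which is why the visited site sees the institution but not the username); all realm, username and MAC values below are constructed samples, not real policy data.

```python
"""Added example (not VT's code): minimal eduroam remediation policy check."""
import re

# Constructed sample blocklists (hypothetical values, not real policy data).
BLOCKED_REALMS = {"example-blocked.edu"}   # block ALL authentication for an institution
BLOCKED_MACS = {"00:11:22:33:44:55"}       # per-controller MAC deny list


def parse_outer_identity(identity):
    """Split an EAP outer identity into (user, realm).

    For roaming users the user part is normally anonymous, so the realm
    (home institution) is the only thing the visited site can act on.
    """
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, realm.lower()


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabbccddeeff; return colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomized MACs are locally administered, so a MAC block against such
    a device will stop working as soon as the client rotates its address.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def evaluate(identity, mac, local_realm="vt.edu", entitled=None):
    """Return (decision, reason) for one authentication attempt.

    entitled: set of local usernames that still hold the network entitlement
    (constructed stand-in for the real entitlement lookup).
    """
    mac = normalize_mac(mac)
    if mac in BLOCKED_MACS:
        return "deny", "mac-blocked"

    user, realm = parse_outer_identity(identity)
    if realm is None:
        return "deny", "no-realm"
    if realm in BLOCKED_REALMS:
        return "deny", f"realm-blocked:{realm}"

    if realm == local_realm:
        # Local accounts are controlled by the entitlement, not a blocklist.
        if entitled is None or user not in entitled:
            return "deny", "no-network-entitlement"
        return "accept", "local-entitled"

    # Roaming user: the home realm decides; we only note whether a future
    # MAC block would be reliable for this device.
    note = "proxy-to-home-realm"
    if is_locally_administered(mac):
        note += ";randomized-mac"
    return "accept", note


if __name__ == "__main__":
    for ident, mac in [
        ("anonymous@example-blocked.edu", "aa:bb:cc:dd:ee:ff"),
        ("jdoe@vt.edu", "00-11-22-33-44-55"),
        ("anonymous@radford.edu", "02:11:22:33:44:55"),
    ]:
        print(ident, mac, "->", evaluate(ident, mac, entitled={"jdoe"}))
```

The realm block is the coarse tool the page describes: it denies everyone from that institution, so it belongs in place only until the home institution has revoked the individual account. The randomized-MAC flag is there to make the last bullet concrete; a deny entry keyed on a locally administered address is worth little once the client rotates it.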