OWL and Eduroam

There seems to be a little confusion out there about how OWL relates to Eduroam, so this is an overview to help clarify the situation.

We have deployed Eduroam using WPA Enterprise. Briefly, from the user's perspective this means that instead of the domestic use of WPA, whereby a single password is used for the whole wireless network, a username and password are used and authenticated against the home university (by a RADIUS server). Each person has a different username and password and, thanks to the Eduroam network between institutions, these credentials will work at remote sites at other universities and similar organisations that have deployed Eduroam. Eduroam is a better user experience than OWL once configured on the user's device, for reasons I'll explain below.

OWL is an unencrypted network that provides a captive portal system for visitors and access to a VPN system for university members. Why didn't we deploy WPA Enterprise for this? The answer is to do with time: OWL was deployed in (I believe) 2003 (with OWL-Visitor added in 2005), when WEP was just about becoming widely supported on users' devices and WPA sadly was not. A captive portal for university members was not a good idea since the traffic would be unencrypted. WEP campus-wide would have meant a single password for the entire campus, and the WEP protocol was in any case fundamentally broken (it was, and is, trivial to crack). We couldn't deploy WPA as there were barely any devices supporting the standard. Hence we used an unencrypted network with clients making an (encrypted) VPN tunnel back to a dedicated VPN server (a concentrator). This supports any client that can run the Cisco VPN software (or, if the user is technically self-supporting, any VPN software that supports xauth). OWL-Visitor and OWL-VPN were originally separate SSIDs but are combined into a single SSID of just 'OWL' on recent deployments alongside Eduroam, and where possible are combined at suitable maintenance windows on existing dual-SSID installations.

Yes, there are limitations to the Cisco VPN client, especially prior to the recent AnyConnect client. ICT (another support team in Oxford) handle support of the clients and took the decision to support one common client. We do provide information for third-party clients, but ICT can't claim to have knowledge of all of these. They've drawn a line as to what they can support based on their workload, budget and available staff.

We were one of the very early adopters of Eduroam using WPA Enterprise (in the beginning using WPA1, as the majority of devices lacked support for WPA2 at the time) and we were able to deploy this starting in approximately May 2006. In that period there were client issues that meant OWL was kept. The WPA Enterprise supplicant for Mac was initially downloadable software, Windows XP support was bearable, and GUIs to handle WPA Enterprise in Linux were somewhat sparse compared to today. Add to this a minor army of mobile devices that usually supported WEP at best. Occasionally we still get someone with a new mobile device that can't handle WPA Enterprise. This included the iPhone when it first came out and certain Android devices. The latter actually do support it underneath the user interface, but the manufacturer only provided a user interface for WPA Personal at launch time (on some devices).

So which is better? Eduroam is the better modern service because it's based on WPA. The user can walk between (correctly overlapping) access points without noticing a transition and without loss of open connections. In OWL-VPN the VPN connection over the unencrypted network is much more sensitive to that disruption and will disconnect. It's of course possible to run the VPN while connected to Eduroam, in which case the VPN will survive roaming between access points.

So in summary: why wasn't the original install of OWL in 2003 based on WPA? Because at the time we would have had a wall of complaints due to barely any devices supporting it. OWL-VPN immediately supported a wide range of clients and there wasn't another good alternative at the time. It still exists at present but isn't meant to be a competitor to Eduroam; it simply adds utility for those with older devices, and some units aren't yet prepared (due to a local lack of time or staff) to migrate from OWL to OWL/Eduroam.
