eduroam(UK) Advisory: EAP-PWD Vulnerability

Released: 15th April 2019

This advisory is relevant only to eduroam(UK) Home (IdP) (and Home and Visited) service organisations that support the EAP-PWD authentication method. It is therefore potentially applicable only to organisations running FreeRADIUS, Radiator, Aruba ClearPass or any other RADIUS server that supports EAP-PWD (i.e. not Microsoft NPS). Its aim is to bring the vulnerability in the EAP-PWD method to the attention of our community, to describe the position of the Wi-Fi Alliance, and to set out the recommended actions.

Background and scope:

The EAP-PWD vulnerability was discovered by the Belgian researcher Mathy Vanhoef of the University of Leuven and was first publicised on 10th April 2019; it has received considerable attention. Whilst we believe very few member organisations will be affected, this advisory serves to alert any that support EAP-PWD and are not already aware. FreeRADIUS, Radiator, Aruba ClearPass and possibly some other RADIUS servers are capable of supporting EAP-PWD, but Microsoft NPS does not (it primarily supports PEAP/MSCHAPv2). For users to be authenticating with this EAP method, your ORPS would need to be configured to support it, as would the user clients (Android, Windows and wpa_supplicant at least support EAP-PWD).

The Wi-Fi Alliance position is described in the Security Considerations arising from the vulnerability:


Vanhoef’s paper about the Dragonfly algorithm used by WPA3 and EAP-PWD can be found here:

FreeRADIUS (3.0.19) and OSC (Radiator 4.23) have already released patched versions of their RADIUS servers. ClearPass users should check their support vendor's or Aruba's sites.

On the client side, wpa_supplicant is already largely patched, and the following document provides more detailed information about the vulnerability:

The Wi-Fi Alliance issued its own response to this vulnerability on the day of disclosure.

Less technical overview:

Technical overview:

Security Considerations arising from the vulnerability:

Note that the Wi-Fi Alliance does not include EAP-PWD in any of its certification programmes, so the above material is centred on the WPA3-Personal (SAE) aspect of the vulnerabilities.

Nonetheless, the Security Considerations document does contain some advice for EAP-PWD, since it is based on the same underlying Dragonfly algorithm and so shares many of the pertinent security properties.

Action advised:

It is recommended that all affected organisations update their EAP-PWD peers, i.e. both the RADIUS servers (ORPS) and the user clients. Organisations whose ORPS has EAP-PWD enabled but who do not actually use the method can remove their exposure simply by not enabling it.
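The two questions an ORPS administrator has to answer before acting on this advice are whether EAP-PWD is enabled at all and whether the server is older than the patched release. The following script, added here as an illustration and not part of the original advisory or of the FreeRADIUS project, checks both on a FreeRADIUS host: it looks for an uncommented `pwd { ... }` block (and for `default_eap_type = pwd`) in the eap module configuration, and compares the version reported by `radiusd -v` against 3.0.19. The sample configuration fragments and the version banner are constructed for the demonstration; the real module file is usually `mods-enabled/eap` under the raddb directory (for example `/etc/raddb` or `/etc/freeradius/3.0`).

```shell
#!/bin/sh
# Added example, not eduroam(UK) or FreeRADIUS project code.
# Checks for an ORPS administrator on a FreeRADIUS host:
#   1. does the eap module configuration enable EAP-PWD at all?
#   2. is the running FreeRADIUS older than 3.0.19, the release that
#      carried the EAP-PWD fixes referred to in the advisory?
# The sample configuration files and the radiusd -v banner below are
# constructed for illustration.

# Succeeds (exit 0) if the eap module file has an uncommented "pwd {" block.
# Comments are stripped first so a commented-out block does not count.
eap_pwd_enabled() {
    sed 's/#.*$//' "$1" | grep -Eq '^[[:space:]]*pwd[[:space:]]*\{'
}

# Succeeds if EAP-PWD is the default method, i.e. the type the server
# proposes to clients that have not asked for another EAP type.
eap_pwd_is_default() {
    sed 's/#.*$//' "$1" | grep -Eq '^[[:space:]]*default_eap_type[[:space:]]*=[[:space:]]*pwd[[:space:]]*$'
}

# Extract "X.Y.Z" from the first line of `radiusd -v` output.
freeradius_version() {
    printf '%s\n' "$1" | sed -n 's/.*FreeRADIUS Version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeeds if the X.Y.Z version given is older than 3.0.19.
# Each component is weighted so the comparison is numeric, not lexical.
freeradius_needs_patch() {
    printf '%s\n' "$1" | awk -F. '{ exit !(($1*1000000 + $2*1000 + $3) < 3000019) }'
}

# --- constructed sample inputs ---------------------------------------------
# An eap module with EAP-PWD enabled and set as the default method.
VULN_EAP_CONF=$(mktemp)
cat > "$VULN_EAP_CONF" <<'EOF'
eap {
        default_eap_type = pwd
        timer_expire = 60
        # pwd {  (a commented-out block must not count)
        pwd {
                group = 19
                server_id = idp.example.ac.uk
                fragment_size = 1020
        }
        ttls {
                tls = tls-common
        }
}
EOF

# An eap module with only a commented-out pwd block: not exposed.
SAFE_EAP_CONF=$(mktemp)
cat > "$SAFE_EAP_CONF" <<'EOF'
eap {
        default_eap_type = peap
        # pwd { group = 19 }
        peap {
                tls = tls-common
        }
}
EOF

# Constructed first line of `radiusd -v` from an unpatched 3.0.x server.
OLD_BANNER='radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on Mar 14 2019 at 10:02:41'

# Demonstration run. On a real host replace the banner with:
#   ver=$(freeradius_version "$(radiusd -v 2>&1 | head -n1)")
# and point the checks at your own mods-enabled/eap file.
ver=$(freeradius_version "$OLD_BANNER")
if eap_pwd_enabled "$VULN_EAP_CONF" && freeradius_needs_patch "$ver"; then
    echo "EAP-PWD enabled and FreeRADIUS $ver is older than 3.0.19: update required"
else
    echo "no EAP-PWD exposure found"
fi
```

Run with `sh check-eap-pwd.sh` (any POSIX sh; only sed, grep and awk are needed). A server that fails the first check but passes the second is still worth attention: the advisory asks for the user clients to be updated too, and a patched ORPS says nothing about the supplicants authenticating against it.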