All,

We have been informing eduroam-connected schools in the US that were vulnerable to Heartbleed (about 10 schools were vulnerable out of 180 connected to eduroam-US, less than 5%). The eduroam federation did testing for all eduroam-connected campuses to evaluate the level of vulnerability, and we have informed each RADIUS administrator independently.

This said, ANY campus that operates an 802.1X network and uses a RADIUS server using OpenSSL could potentially be at risk, since an attacker can access the RADIUS server via the local WPA/WPA2-Enterprise network. It does require the attacker to be physically on campus and join the SSID, but the risk still exists! Please analyze your systems for the vulnerability (look into the version of OpenSSL that you are running) and take the appropriate measures.

Here are a few links about Heartbleed and RADIUS:

http://freeradius.org/security.html
http://www.open.com.au/pipermail/radiator-announce/2014-April/000024.html
https://confluence.terena.org/display/H2eduroam/heartbleed-note

Thank you,
Philippe

Philippe Hanset
www.eduroam.us
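The version check the message asks for, as an added example (not part of the original email and not eduroam tooling): a shell function that classifies the output of `openssl version -a`. The affected range it encodes (1.0.1 through 1.0.1f, and 1.0.2-beta1) is taken from the OpenSSL advisory rather than from the email; the function name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Classifies `openssl version` / `openssl version -a` output
# against the upstream Heartbleed-affected range: 1.0.1 through 1.0.1f and
# 1.0.2-beta1 (fixed in 1.0.1g). The range is not stated in the email above.

heartbleed_status() {
    # $1: full text printed by `openssl version -a` (first line is enough)
    info=$1

    # First line looks like "OpenSSL 1.0.1e-fips 11 Feb 2013".
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    [ -n "$ver" ] || { echo unknown; return; }

    # A build compiled with heartbeats removed does not expose the bug,
    # whatever its version string says.
    case $info in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeats-disabled; return ;;
    esac

    case $ver in
        # Bare 1.0.1, letters a-f, and vendor suffixes such as "-fips".
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected-range ;;
        1.0.2-beta1*)                          echo affected-range ;;
        *)                                     echo outside-affected-range ;;
    esac
}

# Constructed sample inputs, not captured from any real host.
for sample in \
    'OpenSSL 1.0.1e-fips 11 Feb 2013' \
    'OpenSSL 1.0.1g 7 Apr 2014' \
    'OpenSSL 0.9.8y 5 Feb 2013'
do
    printf '%-36s %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# On a live system:  heartbleed_status "$(openssl version -a)"
```

A result of `affected-range` on a distribution package still needs checking against the vendor's changelog or the "built on" date, because backported fixes keep the upstream version letter. Check the OpenSSL library the RADIUS daemon actually loads, which may differ from the `openssl` binary on the path.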
