Page tree
Skip to end of metadata
Go to start of metadata

Joining eduroam AU

  • 1. Build your Infrastructure
    • 802.1X WPA Authentication
  • 2. Choose an Authentication Type
  • 3. Certificates
  • 4. Determine your IP address allocation
  • 5. Traffic Policy
  • 6. Apply to join eduroam
  • 7. Configure a RADIUS Proxy and get QA'd
  • 8. Build your local eduroam Webpage
  • 9. eduroam @ Home
  • 10. Inform the community

1. Build your Infrastructure

If you don't have 802.11b and better infrastructure (802.11g, 802.11a or 802.11n) then this is your first task.

802.1X WPA Authentication

You also need to support 802.1X authentication. For this you need a RADIUS server to provide authentication services. Popular choices are:

2. Choose an Authentication Type

EAP-TypeSupported on eduroamInner PasswordNotes
PEAPMSCHAPv2MSCHAPv2 can only be implemented with a reversible or cleartext password store such as NTLM or a database.
MSCHAPv2 cannot be implemented via Kerberos or LDAP Authentication.
It has the added advantage that it can be implemented on Microsoft Windows clients without a 3rd party supplicant.
TTLSPAP, CHAP, MSCHAPv2Works with MacOS X and Linux natively. MS Windows users can use the SecureW2 Supplicant.
TLSCertificate Only 

If doesn't matter what authentication type your organisation chooses they are all compatible with eduroam. You are not necessarily limited to only one authenticate type if your RADIUS service can support multiple types simultaneously. EAP-TTLS is certainly the most widely deployed method - and as such some organisations have historically not supported EAP-PEAP proxing via their own infrastructure back to your home organisation. The efforts of this document and the QA procedure is to remove this interoperability barrier.

3. Certificates

The purpose of certificates is to overt a man-in-the-middle attack that could capture password from eduroam users.
Whether you use Self-Signed or Genuine certificates comes down to a user education issue. By ensuring that your users are able to understand the chain of trust in a certificate and that they can verify whether a certificate is legitimate or not.

4. Determine your IP address allocation

Private IP addressing can be problematic with VPN services as NAT needs to be utilised. Even with NAT some VPN services only allow one concurrent user on a particular NAT range.

Private addressing (10.x.y.z, 192.168.x.y) vs Public IP addressing

Public addressing can consume valuable IPv4 address space and sites need to determine what address block size is appropriate for their projected number of eduroam visitors.

Currently deployment of IPv6 isn't popular and isn't mandated. It is a area of future expansion and for sites developing or renewing their wireless infrastructure it would be wise to include IPv6 as a topic of discussion with vendors.

5. Traffic Policy

The eduroam Policy doesn't allow back charging of bandwidth costs to the home institution of eduroam visitors.

This is dependent on your institutions own traffic accounting and charging policy as some organisations don't have a such a system and others do.

The eduroam Usability guide is useful in determining what type of access is suggested. The 08 Information for end-users document details the ease of use and coverage of eduroam networking within Australian organisations and could be useful to determine access provision that partners and competitors offer.

For eduroam organisations that have a local traffic accounting policy it is popular to allocate a fixed amount of bandwidth to visiting eduroam connections and adjust the available bandwidth of the connection to ensure that the costs are maintained.

It is permissible under the Policy to negotiate local peering agreements or implement bandwidth restrictions for neighbouring organisations or visiting users.

6. Apply to join eduroam

Fill in the application form: PDF or Microsoft Office Word Document.

Send this document to Once your application is processed AARNet will provide you with:

  • a shared secret to use in the configuration of your radius proxy
  • the password to the AARNet Test Account so that you can test eduroam connectivity

If you haven't completed the necessary requirements for joining eduroam you'll have the opportunity to rectify your application and resubmit.

7. Configure a RADIUS Proxy and get QA'd

You'll need to either setup a radius proxy (or configure your RADIUS Authentication Server) to talk to the AARNet National RADIUS Proxy Servers.

You'll be able to authenticate with the AARNet test account. Follow the QA'd procedure.

QA TestResultDescription
Can authenticate with AARNet Test Account Proves that EAP-TTLS works
Can authenticate with __________ Test Account Proves that EAP-PEAP works
Can authenticate with __________ Test Account Proves that EAP-TLS works
Can authenticate to a PPTP VPN  
Can authenticate to a IPSec VPN  
Can authenticate to a L2TP VPN  

8. Build your local eduroam Webpage

Now that you have eduroam working it is worth revising your:

  • eduroam website
  • documentation for clients

You can always see the different websites of other eduroam members.

9. eduroam @ Home

With dynamic VLAN assignment there is increasing adoption within Australian institutions to offer eduroam @ Home.
From a support point of view - eduroam is often only utilised by staff and students when they visit an eduroam participating site. This can be problem because the support and documentation available may be difficult to obtain and diagnosing the problem can be difficult. Currently helpdesks don't always offer support to visiting eduroam users.

10. Inform the community

Write-up your eduroam deployment experience - revise and update this document and tell the community via the mailing list.
You can also join the AARNet eduroam Project Group. From time to time the membership of this group is reviewed - you can express your interest in joining by mailing

Child Pages (1)

  Hide Child Pages  |  Reorder Pages  |  Add Child Page

Page: Application to join eduroam



  • No labels