eduroam is a federated authentication service that lets users from participating institutions obtain secure wireless network access at any other participating institution using the same username/password credentials they use for wireless access at their home institution. Once a mobile device has been configured, eduroam grants access without the user entering any details: open the laptop or switch on the mobile device and, if its wireless is enabled, it connects to eduroam, authenticates and is authorised for network access.
There are a few 'basics' that should be understood by operators and users of eduroam:
1. The main purpose of eduroam is to provide automatic network access to R&E users when they travel from their 'home' institution to other R&E institutions. This is achieved by all institutions broadcasting a common SSID, "eduroam", which is configured in the institution's wireless infrastructure to trigger remote authentication of visitors and local authentication of the institution's own users (the protocol used is IEEE 802.1X). Users configure their mobile devices for automatic connection to the "eduroam" SSID and specify their eduroam username as <institutional_username>@<institutional_realm>. The <institutional_realm> component of the username is what the eduroam infrastructure uses to route the authentication request to the user's home institution; a username without a realm cannot be routed.
2. Users' credentials remain secret between the user's device (where the eduroam username and home institution password are entered) and the user's home institution, because they are transferred through an encrypted tunnel between the two. Establishing that tunnel between the user's device and the home institution is the first stage of eduroam remote authentication; the second stage is the actual user authentication inside the tunnel. The visited institution and the intermediate infrastructure only relay the tunnelled traffic and never see the password.
3. Institutions take part in eduroam in two roles. In the 'Service Provider' (SP) role, an institution provides access to its network to visitors whose remote authentication succeeds via the eduroam infrastructure. In the 'Identity Provider' (IdP) role, an institution authenticates its own users remotely, via the eduroam infrastructure, when they visit other institutions. Most institutions take on both roles.
4. The eduroam SP role, i.e. providing network access to visitors, relies on the institution's existing network infrastructure. 'eduroam' network access is typically understood to mean wireless network access. Institutions can also use eduroam to provide wired network access to visitors, but this is relatively uncommon. A prerequisite for eduroam participation is that SP institutions have fully operational wireless network infrastructure.
5. For eduroam to provide 'automatic network access', users need to configure their devices to connect automatically to the "eduroam" SSID. There are two parts to this. First, the wireless connection to the visited institution's access points. The wireless security used is WPA2-Enterprise (IEEE 802.1X with CCMP/AES); eduroam global policy requires institutions to support it. The second part of the 'connection' is remote authentication by the user's home institution. Authentication runs inside a secure tunnel so that the credentials are not exposed; the two prevalent protocols are PEAP/MSCHAPv2 and TTLS/PAP. The authentication protocol is specific to the home institution, as are the server certificate details (issuing CA and server name) that the device must verify when it sets up the tunnel. A device that is not configured to verify the server certificate will build its tunnel to whichever authentication server answers and hand it the credentials, so the tunnel protects the password only when that check is in place.
6. Because the authentication configuration is specific to the home institution, users are strongly advised to configure their eduroam connection while on their home institution's campus and to ask local IT support for help if they run into problems. If you wait until you travel before configuring your eduroam connection, your home institution's support staff may be unable to help, because problems at the visited institution are outside their visibility.
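The following Python is an added example, not code from the eduroam AU page or the eduroam project. It checks a device's eduroam profile against the points in items 1, 2 and 5 above: the identity carries a realm the federation can route on, the outer (anonymous) identity carries the same realm so the request is routable while the real username stays inside the tunnel, the inner method matches the tunnel type the home institution uses, and the server certificate is validated. Option names follow wpa_supplicant's network block; the realm example.edu.au, the certificate path and the two sample profiles are constructed for illustration and are not real eduroam settings.

```python
"""
Sanity-check an eduroam supplicant profile (wpa_supplicant-style
key/value settings) for routing and tunnel-security mistakes.

Option names (ssid, key_mgmt, pairwise, eap, phase2, identity,
anonymous_identity, ca_cert, domain_suffix_match, domain_match) are
wpa_supplicant's. Sample realm and profiles below are constructed.
"""
from dataclasses import dataclass, field

# Inner method the text names for each tunnel type, in wpa_supplicant's
# phase2 syntax: PEAP carries MSCHAPv2, TTLS carries PAP.
EXPECTED_PHASE2 = {"PEAP": "auth=MSCHAPV2", "TTLS": "auth=PAP"}


def split_identity(identity: str) -> tuple[str, str]:
    """Return (username, realm) for user@realm.

    The realm is lower-cased because RADIUS realm routing is
    case-insensitive; an identity with no realm cannot be routed.
    """
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"identity {identity!r} has no routable realm")
    return user, realm.lower()


@dataclass
class ProfileReport:
    realm: str
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_profile(p: dict[str, str]) -> ProfileReport:
    """Collect every deviation rather than stopping at the first one."""
    problems: list[str] = []
    try:
        _, realm = split_identity(p.get("identity", ""))
    except ValueError as e:
        return ProfileReport(realm="", problems=[str(e)])

    # Link layer: eduroam policy requires WPA2-Enterprise (802.1X + CCMP).
    if p.get("ssid") != "eduroam":
        problems.append("ssid must be 'eduroam'")
    if p.get("key_mgmt") != "WPA-EAP":
        problems.append("key_mgmt must be WPA-EAP (802.1X)")
    if "pairwise" in p and p["pairwise"] != "CCMP":
        problems.append("pairwise cipher must be CCMP (AES)")

    # Outer identity: what the visited SP and the proxies see. It must
    # carry the home realm (or the request cannot be routed) and should
    # not carry the real username, which belongs inside the tunnel.
    outer = p.get("anonymous_identity")
    if outer:
        try:
            _, outer_realm = split_identity(outer)
        except ValueError:
            problems.append("anonymous_identity has no realm; request cannot be routed")
        else:
            if outer_realm != realm:
                problems.append(
                    f"anonymous_identity realm {outer_realm!r} != identity realm {realm!r}")

    # Tunnel type and inner method must match what the home IdP runs.
    eap = p.get("eap", "")
    if eap not in EXPECTED_PHASE2:
        problems.append(f"eap must be PEAP or TTLS, got {eap!r}")
    elif p.get("phase2") != EXPECTED_PHASE2[eap]:
        problems.append(
            f"{eap} expects phase2={EXPECTED_PHASE2[eap]!r}, got {p.get('phase2')!r}")

    # Server certificate validation: without a trusted CA and an expected
    # server name, the tunnel is built to whichever server answers.
    if not p.get("ca_cert"):
        problems.append("ca_cert missing: server certificate is not validated")
    if not (p.get("domain_suffix_match") or p.get("domain_match")):
        problems.append("domain_suffix_match missing: any certificate from that CA is accepted")
    return ProfileReport(realm=realm, problems=problems)


# Constructed sample profiles for the hypothetical realm example.edu.au.
GOOD_PEAP = {
    "ssid": "eduroam", "key_mgmt": "WPA-EAP", "pairwise": "CCMP",
    "eap": "PEAP", "phase2": "auth=MSCHAPV2",
    "identity": "jsmith@example.edu.au",
    "anonymous_identity": "anonymous@example.edu.au",
    "ca_cert": "/etc/ssl/certs/example-edu-ca.pem",      # hypothetical path
    "domain_suffix_match": "radius.example.edu.au",       # hypothetical name
}
BAD_TTLS = {
    "ssid": "eduroam", "key_mgmt": "WPA-EAP", "pairwise": "CCMP",
    "eap": "TTLS", "phase2": "auth=MSCHAPV2",   # wrong inner method for TTLS/PAP
    "identity": "jsmith@example.edu.au",
    "anonymous_identity": "anonymous",          # no realm: unroutable
    # no ca_cert / domain_suffix_match: credentials go to any responder
}

if __name__ == "__main__":
    for name, prof in (("GOOD_PEAP", GOOD_PEAP), ("BAD_TTLS", BAD_TTLS)):
        report = check_profile(prof)
        print(name, "OK" if report.ok else "\n  " + "\n  ".join(report.problems))
```

Feed check_profile the key/value form of a profile; it reports every deviation at once, which is what a support desk wants when a visitor's device fails to authenticate, and the certificate checks are the ones that matter most because a profile that authenticates fine at home is still unsafe elsewhere if they are missing.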
An up-to-date participants list is available on the eduroam AU website.