What is eduroam?

The purpose of eduroam often confuses people because the name carries a dual meaning: it is both a network access service and a trust federation.

Fundamentally, eduroam is a network access infrastructure that enables travelling R&E users to connect automatically to the network of a visited institution. Prior to eduroam, arranging "guest" accounts was often a tedious process for users and institutional IT administrators alike. Authenticated R&E users may also be given network access capabilities beyond those provided to other guests of the institution.

The eduroam roles are:

Providing network access on the strength of remote authentication. This role is called an eduroam 'service provider' (SP).

Authenticating the user remotely (performed by the user's 'home' institution). This role is called an eduroam 'identity provider' (IdP).

eduroam as a Trust Federation

eduroam is an implementation of an identity federation, and specifically a 'trust' federation: SPs trust that IdPs conduct their identity management according to R&E industry 'best practices' and hence authenticate only users who are bona fide members of an R&E institution. SPs also trust that IdPs will take appropriate action in the case of network abuse via eduroam. IdPs, in turn, trust that SPs will provide their published network access service to users and will deploy their infrastructure properly in order to ensure secure access.

User Responsibility in accessing networks via eduroam

Each R&E institution will have a network acceptable use policy (AUP), which is a legal agreement with its users to conduct their use of network access according to the requirements of the institution, the national legal system, and the internet service provider (AARNet).

Users are required by eduroam AU Policy to comply with their institutional AUP.

There is an underlying assumption that AUPs are equivalent across R&E institutions, so that a user who satisfies the requirements of their home institution's AUP will also satisfy the requirements of the visited institution.

How does eduroam work?

The following diagram depicts how eduroam works:

eduroam Security

eduroam employs a secure authentication protocol, in that user credentials (the password) remain secret between the user's device and the user's home institution. User credentials are not visible to the visited institution or to any intermediate infrastructure. This is achieved by using a 'tunneled' authentication protocol, whereby the actual user authentication is performed through an encrypted tunnel that terminates at the home institution.
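The two points made on this page, that the visited institution routes the request to the user's home institution (the roles and the "how does eduroam work" flow above) and that the credentials travel in a tunnel the visited institution and intermediate proxies cannot read (this section), can be shown together in a small in-process model. The code below is an added example, not eduroam's own software. It assumes invented realms, users and passwords; it stands in for the RADIUS hops with plain Python objects and for the TLS tunnel with a SHAKE-256 keystream plus an HMAC tag under a key that only the client and the home IdP hold. In real eduroam that key comes from the TLS handshake with the IdP's server certificate, which is why the client's validation of that certificate is what actually keeps the SP and the proxies out of the tunnel.

```python
# Added example, not eduroam's own code: an in-process model of the roaming
# flow. RADIUS hops and the TLS tunnel are stand-ins; realms/users are invented.
import hashlib
import hmac
import secrets


def parse_nai(identity):
    """Split a Network Access Identifier 'user@realm'; realm is '' if absent."""
    if "@" not in identity:
        return identity, ""
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def _keystream(key, nonce, length):
    # Stand-in for TLS record protection (assumption): a SHAKE-256 keystream.
    return hashlib.shake_256(key + nonce).digest(length)


def seal(key, plaintext):
    """Client side of the tunnel: encrypt-then-MAC the inner exchange."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key, blob):
    """IdP side of the tunnel: verify the tag first, then decrypt."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class IdentityProvider:
    """Home institution: the only party holding the tunnel key and the passwords."""

    def __init__(self, realm, tunnel_key):
        self.realm, self.tunnel_key, self._users = realm, tunnel_key, {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, blob):
        try:
            inner_id, password = open_sealed(self.tunnel_key, blob).decode().split("\n", 1)
        except ValueError:
            return "Access-Reject"  # tampered tunnel or malformed inner message
        user, realm = parse_nai(inner_id)
        # The inner identity must belong to this realm; anything else is misrouted.
        if realm != self.realm or user not in self._users:
            return "Access-Reject"
        salt, stored = self._users[user]
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        return "Access-Accept" if ok else "Access-Reject"


class RoamingFederation:
    """Visited SP plus intermediate proxies: routes on the OUTER realm only
    and records everything it was able to observe on the way."""

    def __init__(self):
        self.idps, self.observed = {}, []

    def register(self, idp):
        self.idps[idp.realm] = idp

    def access_request(self, outer_identity, blob):
        _, realm = parse_nai(outer_identity)
        self.observed.append((outer_identity, realm, blob))
        idp = self.idps.get(realm)
        return "Access-Reject" if idp is None else idp.authenticate(blob)


def roam(federation, home_realm, username, password, tunnel_key):
    """Supplicant: the anonymous outer identity names only the realm; the real
    identity and the password travel inside the sealed tunnel."""
    inner = f"{username}@{home_realm}\n{password}".encode()
    return federation.access_request(f"anonymous@{home_realm}", seal(tunnel_key, inner))


def demo():
    key = secrets.token_bytes(32)  # in real eduroam: derived from the TLS handshake
    home = IdentityProvider("home.example", key)
    home.add_user("alice", "correct horse battery staple")
    fed = RoamingFederation()
    fed.register(home)
    results = {
        "good": roam(fed, "home.example", "alice", "correct horse battery staple", key),
        "bad_password": roam(fed, "home.example", "alice", "wrong", key),
        "unknown_realm": roam(fed, "nowhere.example", "alice", "correct horse battery staple", key),
        "inner_realm_mismatch": fed.access_request(
            "anonymous@home.example", seal(key, b"bob@other.example\npw")),
    }
    # What the visited site and the proxies saw: never the username or the password.
    leaked = any("alice" in outer or b"correct horse" in blob
                 for outer, _, blob in fed.observed)
    return results, leaked
```

Running `demo()` returns an Access-Accept only for the correct password at the right realm, rejects an unknown realm at the routing stage (the proxy has nowhere to send it) and rejects an inner identity whose realm does not match the IdP that opened the tunnel, while the federation's `observed` log contains only `anonymous@home.example` and opaque tunnel bytes.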

The following depicts the protocols involved: