eduroam Nuts and Bolts - learn more and get started


Last updated - 26/03/2021

Nuts and Bolts

eduroam is a federated authentication system and member organisations adapt their own network services to enable authentication requests from user devices to be passed to the users’ home organisation. In this way a user can connect to an eduroam service both when at the home institution and wherever the eduroam service is available (roaming). It uses 802.1X technology and requires members to deploy a RADIUS server (there are quite a few you can choose from). RADIUS works with all network access user databases (e.g. AD, LDAP). eduroam works alongside other Wi-Fi and network access services, so to participate you simply have to install a RADIUS server and configure your network to support it. How the service works is described in more detail in the ‘General overview’ section of: https://wiki.geant.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-Generaloverview

Key terms:

Home service (IdP): you configure your RADIUS system to work with your user directory service to authenticate your own eduroam users, both on your own campus service (if applicable) and on eduroam services at whatever other member organisation your users roam to.
Visited service (SP): you configure your Wi-Fi service (eduroam SSID), working with your RADIUS system, to connect authenticated users (visitors and own users) to your local eduroam network service(s), which provide internet access.

802.1X - the good stuff

It is worth highlighting that 802.1X technology enables a range of connectivity solutions to be implemented for users when at the home campus. The technology allows you to tailor your network to connect groupings of users onto a range of network services that you define and configure, for instance restricted access, content-filtered, guest-only or open internet access. This can be done using security groups, ‘realm’ (username) or even personal certificates. Typically institutions might create network services tailored for eduroam visitors; staff/managed devices; general students (BYOD); vulnerable students; (and ‘on-boarding’/remediation) and non-eduroam visitors. How eduroam can enhance and work with your security policy is considered here: eduroam and Safeguarding
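As an added illustration (not Jisc's or eduroam's own code), the sketch below shows the two decisions described above: passing a visitor's request towards the home organisation based on the realm in the username, and placing your own users onto a tailored network service by security group. The home realm `example.ac.uk`, the group names, the service names, the VLAN numbers and the realm syntax check are constructed assumptions; a real deployment expresses this in its RADIUS server's policy.

```python
import re

# Constructed assumptions, not values from the page or from eduroam.
HOME_REALM = "example.ac.uk"
SERVICES = {                      # network service -> constructed VLAN id
    "staff-managed": 110,
    "students-byod": 120,
    "restricted-filtered": 130,
    "eduroam-visitors": 140,
}
GROUP_TO_SERVICE = {              # hypothetical directory security groups
    "staff": "staff-managed",
    "students": "students-byod",
    "vulnerable-students": "restricted-filtered",
}
# Assumed realm syntax: two or more DNS-style labels, no trailing dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def split_realm(user_name):
    """Return (user, realm) from 'user@realm', or None if malformed."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or "@" in user or not _REALM_RE.fullmatch(realm.lower()):
        return None
    return user, realm.lower()


def decide(user_name, groups=()):
    """Decide how a site treats one 802.1X request (illustrative policy)."""
    parsed = split_realm(user_name)
    if parsed is None:
        return {"action": "reject", "reason": "malformed realm"}
    _, realm = parsed
    if realm != HOME_REALM:
        # Visitor: the home organisation checks the credentials; if it
        # accepts, the device is placed on the visitor network service.
        return {"action": "proxy", "realm": realm, "service": "eduroam-visitors",
                "vlan": SERVICES["eduroam-visitors"]}
    # Own user: authenticate locally; the most restrictive group wins.
    for group in ("vulnerable-students", "students", "staff"):
        if group in groups:
            service = GROUP_TO_SERVICE[group]
            return {"action": "local", "service": service,
                    "vlan": SERVICES[service]}
    return {"action": "reject", "reason": "no eligible group"}
```

Checking the most restrictive group first means a user who sits in several groups never lands on a more open network service than intended.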

Internet requirement

The internet service required to support eduroam is any robust internet service; you don’t need to have a Janet connection. Also, there are no eduroam membership fees.

Costs

However, the costs you might incur in setting up your service are quantified here: https://community.jisc.ac.uk/library/network-and-technology-service-docs/how-much-does-it-cost-implement-eduroam

Technical Specification - Requirements in Detail

An overview of the technicalities of implementation is given here: https://community.jisc.ac.uk/library/network-and-technology-service-docs/eduroam-nuts-and-bolts-%E2%80%93-basic-technical-requirements

And the full details on how to implement the service are at: https://community.jisc.ac.uk/library/janet-services-documentation/implementing-eduroam-roadmap

The tech spec that your service must comply with is here: https://community.jisc.ac.uk/library/janet-services-documentation/eduroamuk-technical-specification

Application Details

The application the organisation would need to complete can be found via a link on: https://community.jisc.ac.uk/library/janet-services-documentation/how-does-organisation-join-service

Support

Once you are on the deployment path, free-of-charge technical support is available by e-mail, as detailed on: https://community.jisc.ac.uk/library/janet-services-documentation/what-tech-support-available. Members should be aware, however, that they themselves are responsible for their own networks and deployment of the service, and should be comfortable that they have the expertise to implement it before embarking on the project.

Please feel free to contact us for further information: help@jisc.ac.uk