Skip to content

Home

eduroam (education roaming) is a global, federated network-access service for the research and education community. It allows users to connect to the SSID eduroam at participating institutions using credentials issued by their home institution.

eduroam is based on:

  • IEEE 802.1X for port-based network access control
  • WPA2-Enterprise and WPA3-Enterprise for secure wireless access
  • EAP for protected user authentication
  • RADIUS proxying between institutions and national/international federation servers

How eduroam works

An eduroam deployment usually involves two roles:

  • Identity Provider (IdP): the institution that authenticates its own users
  • Service Provider (SP): the institution that offers the wireless network and forwards authentication requests

When a user connects to eduroam, the visited institution forwards the authentication request based on the user's realm, for example user@institution.ac.ke. The home institution validates the credentials and returns an accept or reject decision. The visited institution then grants network access according to local policy.

Core principles

  • The SSID must be exactly eduroam
  • Captive portals must not be used for eduroam access
  • Users should authenticate with a full realm-based identity such as user@institution.ac.ke
  • Server certificate validation is mandatory on client devices
  • Authentication remains under the control of the home institution

Who should use this guide

  • Institutional IT teams planning or operating eduroam
  • Network and systems engineers responsible for wireless, RADIUS, or identity services
  • Security teams supporting authentication, certificates, and incident response
  • End users who need device setup and troubleshooting guidance