Service Provider (SP)

An eduroam Service Provider offers the wireless network and forwards authentication traffic for local and visiting users. The SP does not validate visiting-user passwords; it proxies requests based on realm and applies local network-access policy after a successful response.

SP Responsibilities

An SP should:

  • broadcast the SSID eduroam
  • support WPA2-Enterprise and preferably WPA3-Enterprise
  • forward RADIUS traffic to the correct upstream destination
  • enforce local access policy after authentication
  • generate accounting records
  • operate reliable AP, controller, switching, DHCP, and DNS services

RADIUS Proxying

The SP identifies the realm in the username and decides whether the request is:

  • for a local realm, to be processed locally
  • for a foreign realm, to be proxied to the federation

The SP must never replace eduroam with a captive portal workflow.
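
The realm decision described above, as an added example (not code from this page or from any eduroam software). The local realm `example.edu`, the function name `route_request`, the choice to reject usernames with a missing or malformed realm rather than send them upstream, and the sample usernames are all assumptions made for illustration.

```python
import re

# Assumption: realms this SP's own RADIUS server authenticates locally.
LOCAL_REALMS = frozenset({"example.edu"})

# A realm is treated as a DNS-style name: two or more dot-separated labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def route_request(user_name, local_realms=LOCAL_REALMS):
    """Classify the outer User-Name of an Access-Request.

    Returns (decision, realm) where decision is "local", "proxy" or "reject".
    """
    # Split on the last "@": the realm is the rightmost component.
    # An empty user part ("@realm") is kept, since anonymous outer
    # identities of that form are common with EAP tunnelled methods.
    _user, sep, realm = user_name.rpartition("@")
    if not sep:
        return ("reject", None)   # no realm, so the request cannot be routed
    realm = realm.lower()         # compare realms case-insensitively
    if not _REALM_RE.fullmatch(realm):
        return ("reject", realm)  # malformed realm is not forwarded upstream
    if realm in local_realms:
        return ("local", realm)   # processed by the local RADIUS server
    return ("proxy", realm)       # foreign realm goes to the federation


if __name__ == "__main__":
    # Constructed sample usernames, not taken from real traffic.
    samples = [
        "alice@example.edu",
        "@EXAMPLE.EDU",
        "bob@uni.example.org",
        "carol",
        "dave@localhost",
        "erin@example..edu",
        "frank@example.edu ",
    ]
    for name in samples:
        print(repr(name), "->", route_request(name))
```

The SP makes this decision on the outer identity only; it never sees or checks the visiting user's password, which stays inside the EAP exchange with the home institution.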

Access for Visiting Users

A typical SP allows:

  • Internet access for visiting users
  • local policy enforcement such as ACLs, firewall rules, or visitor VLANs

Access to sensitive internal services should be granted only if there is a clear institutional policy and technical control for doing so.