Wireless LAN Configuration

The wireless configuration for eduroam must be simple, standard, and interoperable.

SSID Requirements

  • SSID must be exactly eduroam
  • use a hidden SSID only if the platform requires it for operational reasons; broadcasting is preferred
  • do not append institution names or location suffixes to the eduroam SSID

Security Settings

Configure:

  • WPA2-Enterprise or WPA3-Enterprise
  • IEEE 802.1X
  • AES-CCMP
  • RADIUS authentication and accounting

Do not configure:

  • open authentication
  • WPA-PSK
  • captive portal for the eduroam SSID

VLAN and Role Assignment

The WLAN should accept standard RADIUS authorization attributes such as:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "30"

Common assignments:

  • local staff to a staff VLAN
  • local students to a student VLAN
  • visiting users to an Internet-only roaming VLAN
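How an access device can read the three authorization attributes listed above from a RADIUS reply and resolve the VLAN, as an added example that is not part of the original page or of any vendor's code. It assumes the RFC 2868 attribute encoding and a numeric VLAN ID as in RFC 3580; the function names and the sample bytes are constructed for illustration.

```python
# RADIUS attribute numbers (RFC 2868) and the VLAN values from RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed sample: the three attributes shown above, as sent on the wire
SAMPLE = (bytes([64, 6, 0, 0, 0, 13])      # Tunnel-Type = VLAN, tag 0
          + bytes([65, 6, 0, 0, 0, 6])     # Tunnel-Medium-Type = IEEE-802, tag 0
          + bytes([81, 4]) + b"30")        # Tunnel-Private-Group-Id = "30", no tag


def parse_attributes(data):
    """Yield (type, value) for each type-length-value attribute in data."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of bounds")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def assigned_vlan(attrs):
    """Return the VLAN ID the attributes assign, or None if none is requested.

    Raises ValueError on an incomplete or inconsistent set, so the caller can
    reject the session instead of falling back to a default VLAN.
    """
    seen = {}
    for attr_type, value in parse_attributes(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be tag + 3-byte value")
            seen[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x1F or less is a tag; otherwise it is data.
            if value and value[0] <= 0x1F:
                value = value[1:]
            seen[attr_type] = value.decode("ascii", errors="replace")
    if not seen:
        return None
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type missing or not VLAN/IEEE-802")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        raise ValueError("Tunnel-Private-Group-Id is not a VLAN ID in 1..4094")
    return int(group)
```

Treating a partial or malformed attribute set as an error keeps a misconfigured reply from silently placing a client on whatever VLAN the WLAN uses by default.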

DHCP, DNS, and Firewalling

Provide:

  • reliable DHCP on all eduroam user VLANs
  • reachable recursive DNS
  • egress firewalling appropriate to institutional policy

Avoid routing eduroam clients into infrastructure or management networks.

Roaming and RF Considerations

  • use consistent SSID and security policy across all APs
  • tune AP power and channel plans for campus roaming
  • validate fast roaming behavior where supported by the client ecosystem
  • monitor authentication timeout rates during peak movement periods