
Administrator Overview

For administrators, eduroam is a federated AAA service rather than a simple wireless SSID. A production deployment combines wireless infrastructure, identity services, certificate management, and RADIUS proxying.

eduroam Architecture

The core components are:

  • Supplicant: the user device
  • Authenticator: the access point, wireless controller, or switch running 802.1X
  • RADIUS server: usually FreeRADIUS
  • Identity source: LDAP, Active Directory, SQL, Google Workspace bridge, or another institutional identity backend
  • Federation path: national and international RADIUS proxies used for roaming

Authentication Flow

  1. A device connects to the SSID eduroam.
  2. The AP or controller encapsulates the 802.1X/EAP exchange into RADIUS.
  3. The visited institution inspects the user's realm, for example user@institution.ac.ke.
  4. If the realm is local, the IdP authenticates the user locally.
  5. If the realm is foreign, the SP proxies the request to the federation.
  6. The home institution returns Access-Accept or Access-Reject.
  7. The visited institution applies local authorization policy such as VLAN or ACL assignment.

User passwords are not exposed to the visited institution when tunneled EAP methods are used correctly.
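The realm-routing decision in steps 3 to 5 above, written out as an added example. This is illustrative Python, not FreeRADIUS code and not part of the eduroam documentation: the local realm set (taken from the page's institution.ac.ke example) and the usernames are assumed values.

```python
"""Realm routing at the visited institution's RADIUS server.

Added example, not FreeRADIUS code. It models the decision the visited site
makes on the (outer) User-Name: authenticate locally, proxy to the federation,
or reject. LOCAL_REALMS and the usernames used are constructed values."""
from dataclasses import dataclass
from typing import Optional

# Realms this server is authoritative for (assumed, from the page's example).
LOCAL_REALMS = {"institution.ac.ke"}


@dataclass
class Decision:
    action: str             # "local", "proxy" or "reject"
    realm: Optional[str]
    reason: str


def parse_realm(user_name: str) -> Optional[str]:
    """Return the lower-cased realm of user@realm, or None if absent or malformed."""
    if user_name.count("@") != 1:
        return None                      # no realm, or several '@' signs
    realm = user_name.split("@", 1)[1].strip().lower()
    if not realm or "." not in realm or any(c in realm for c in " /\\"):
        return None                      # not a routable DNS-style realm
    return realm


def route(user_name: str) -> Decision:
    """Decide how an Access-Request carrying this User-Name is handled."""
    realm = parse_realm(user_name)
    if realm is None:
        # Nothing to route on, so reject here instead of forwarding junk upstream.
        return Decision("reject", None, "missing or malformed realm")
    if realm in LOCAL_REALMS:
        return Decision("local", realm, "home realm: authenticate against the IdP")
    # Foreign realm: the visited site never sees the credentials, it only
    # forwards the EAP exchange towards the home IdP via the federation proxies.
    return Decision("proxy", realm, "foreign realm: forward to federation proxy")
```

With PEAP or TTLS the outer identity is often anonymous@realm; route() only needs that realm, which is why the inner username and password stay between the device and the home IdP.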

EAP Methods

For modern eduroam deployments:

  • PEAP-MSCHAPv2 is widely supported and common in Microsoft-heavy environments
  • EAP-TTLS/PAP is widely supported and often simpler for LDAP-backed deployments
  • EAP-TLS provides strong certificate-based client authentication and is preferred where device certificate lifecycle can be managed

Recommended guidance:

  • support at least one widely compatible tunneled method such as PEAP or TTLS
  • prefer EAP-TLS for managed devices when institutional PKI and MDM are available
  • avoid legacy or weak methods such as EAP-MD5

Authorization

Authorization determines what an authenticated user can access. Common policies include:

  • dynamic VLAN assignment
  • downloadable or controller-based roles
  • realm-based policy
  • directory-group-based policy
  • rate limits or firewall restrictions

Example logic:

  • staff accounts to a staff VLAN
  • student accounts to a student VLAN
  • visiting users to an Internet-only visitor VLAN
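The staff/student/visitor logic above as an added example of the reply attributes a RADIUS server returns for dynamic VLAN assignment. This is illustrative Python, not FreeRADIUS code and not from the eduroam documentation; the local realm, VLAN ids, group names and the ACL name are assumed values, while the attribute names are the standard RADIUS ones.

```python
"""Authorization policy applied after a successful authentication.

Added example, not FreeRADIUS code. Turns the realm and directory groups of
an authenticated user into the tunnel attributes sent in Access-Accept to put
the session in a VLAN, plus a Filter-Id naming a visitor access list.
LOCAL_REALM, the VLAN ids, group names and VISITOR_ACL are assumed values."""
from typing import Dict, Iterable

LOCAL_REALM = "institution.ac.ke"                      # assumed home realm
STAFF_VLAN, STUDENT_VLAN, VISITOR_VLAN = 10, 20, 30    # assumed VLAN ids
VISITOR_ACL = "internet-only"                          # assumed ACL name on the NAS

# Directory group -> VLAN, checked in order so the most privileged match wins.
GROUP_VLANS = [("staff", STAFF_VLAN), ("students", STUDENT_VLAN)]


def choose_vlan(realm: str, groups: Iterable[str]) -> int:
    """Pick the VLAN for a user; the realm decides local versus visiting."""
    if realm != LOCAL_REALM:
        # A roaming visitor was authenticated by their home IdP; the visited
        # site knows nothing about their groups, so they get Internet only.
        return VISITOR_VLAN
    member = {g.lower() for g in groups}
    for group, vlan in GROUP_VLANS:
        if group in member:
            return vlan
    # Local account in no recognised group: least-privileged network.
    return VISITOR_VLAN


def reply_attributes(realm: str, groups: Iterable[str]) -> Dict[str, str]:
    """Reply attributes for Access-Accept, named as FreeRADIUS prints them."""
    vlan = choose_vlan(realm, groups)
    attrs = {
        "Tunnel-Type": "VLAN",              # value 13 (RFC 3580)
        "Tunnel-Medium-Type": "IEEE-802",   # value 6 (RFC 2868)
        "Tunnel-Private-Group-Id": str(vlan),
    }
    if vlan == VISITOR_VLAN:
        attrs["Filter-Id"] = VISITOR_ACL    # RFC 2865 attribute 11, NAS-local ACL name
    return attrs
```

The Filter-Id value is only a name; the access list itself has to exist on the controller or switch, so the policy should be tested on a lab SSID before the mapping goes live.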

Accounting

Accounting records session start, stop, and interim updates. It is useful for:

  • incident investigation
  • abuse handling
  • capacity planning
  • service reporting

At minimum, record:

  • User-Name
  • Calling-Station-Id
  • Called-Station-Id
  • NAS-IP-Address or NAS-Identifier
  • session timestamps
  • session octets
  • assigned IP address where available
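An added example of putting those minimum attributes to use: it parses records laid out like a FreeRADIUS detail file, flags records that lack a required attribute, reconstructs sessions, and answers the incident-investigation question of which device held an IP address at a given time. This is illustrative Python, not FreeRADIUS code and not from the eduroam documentation; every value in the sample records (MACs, addresses, session ids, times, byte counts) is constructed.

```python
"""Accounting record checks and session reconstruction.

Added example, not FreeRADIUS code. SAMPLE_DETAIL is constructed in the
layout of a FreeRADIUS "detail" file; all values in it are invented."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_DETAIL = """\
Mon Mar  4 09:00:02 2024
\tAcct-Status-Type = Start
\tUser-Name = "anonymous@institution.ac.ke"
\tCalling-Station-Id = "AA-BB-CC-11-22-33"
\tCalled-Station-Id = "00-11-22-33-44-55:eduroam"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Id = "5e1f0001"
\tFramed-IP-Address = 198.51.100.23
\tEvent-Timestamp = "Mar  4 2024 09:00:02 UTC"

Mon Mar  4 09:45:10 2024
\tAcct-Status-Type = Stop
\tUser-Name = "anonymous@institution.ac.ke"
\tCalling-Station-Id = "AA-BB-CC-11-22-33"
\tCalled-Station-Id = "00-11-22-33-44-55:eduroam"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Id = "5e1f0001"
\tFramed-IP-Address = 198.51.100.23
\tAcct-Input-Octets = 1200000
\tAcct-Output-Octets = 8400000
\tEvent-Timestamp = "Mar  4 2024 09:45:10 UTC"

Mon Mar  4 10:00:00 2024
\tAcct-Status-Type = Start
\tUser-Name = "visitor@uni.example.edu"
\tCalling-Station-Id = "DE-AD-BE-EF-00-01"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Id = "5e1f0002"
\tFramed-IP-Address = 198.51.100.23
\tEvent-Timestamp = "Mar  4 2024 10:00:00 UTC"
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')
REQUIRED = ["User-Name", "Calling-Station-Id", "Called-Station-Id",
            "Acct-Session-Id", "Event-Timestamp"]


def parse_detail(text: str) -> List[Dict[str, str]]:
    """One dict per record; the first line of each record is a header timestamp."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {m.group(1): m.group(2)
               for m in map(ATTR_RE.match, block.splitlines()[1:]) if m}
        if rec:
            records.append(rec)
    return records


def missing_fields(rec: Dict[str, str]) -> List[str]:
    """Minimum attributes (as listed on the page) that this record lacks."""
    missing = [a for a in REQUIRED if a not in rec]
    if "NAS-IP-Address" not in rec and "NAS-Identifier" not in rec:
        missing.append("NAS-IP-Address/NAS-Identifier")
    if rec.get("Acct-Status-Type") in ("Interim-Update", "Stop"):
        missing += [a for a in ("Acct-Input-Octets", "Acct-Output-Octets") if a not in rec]
    return missing


def event_time(rec: Dict[str, str]) -> datetime:
    raw = rec["Event-Timestamp"].rsplit(" ", 1)[0]       # drop the zone name
    return datetime.strptime(raw, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def build_sessions(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Fold Start/Interim/Stop records into one entry per Acct-Session-Id."""
    sessions: Dict[str, dict] = {}
    for rec in records:
        s = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec.get("User-Name"), "mac": rec.get("Calling-Station-Id"),
            "ip": rec.get("Framed-IP-Address"), "start": None, "stop": None, "octets": 0})
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = event_time(rec)
        elif status == "Stop":
            s["stop"] = event_time(rec)
        if "Acct-Input-Octets" in rec:   # counters are cumulative: latest value wins
            s["octets"] = int(rec["Acct-Input-Octets"]) + int(rec.get("Acct-Output-Octets", 0))
    return sessions


def session_seconds(sessions: Dict[str, dict], sid: str) -> Optional[int]:
    """Duration of a closed session, or None while it has no Stop record yet."""
    s = sessions[sid]
    if s["start"] is None or s["stop"] is None:
        return None
    return int((s["stop"] - s["start"]).total_seconds())


def who_had_ip(sessions: Dict[str, dict], ip: str, at_iso: str) -> Optional[str]:
    """MAC that held `ip` at `at_iso` (UTC, e.g. "2024-03-04T09:30:00"), else None.
    A session without a Stop record is treated as still active."""
    at = datetime.fromisoformat(at_iso).replace(tzinfo=timezone.utc)
    for s in sessions.values():
        if s["ip"] == ip and s["start"] is not None and s["start"] <= at \
                and (s["stop"] is None or at < s["stop"]):
            return s["mac"]
    return None
```

The third sample record omits Called-Station-Id, which missing_fields() reports; the same address is reused by a second device after the first session stops, which is why the lookup has to be by time window rather than by IP alone.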

Operational Expectations

A production eduroam service should include:

  • documented change control
  • certificate lifecycle management
  • log monitoring and alerting
  • test procedures before rollout
  • redundancy for critical RADIUS services