Skip to content

Administrator Overview

For administrators, eduroam is a federated AAA service rather than a simple wireless SSID. A production deployment combines wireless infrastructure, identity services, certificate management, and RADIUS proxying.

eduroam Architecture

The core components are:

  • Supplicant: the user device
  • Authenticator: the access point, wireless controller, or switch running 802.1X
  • RADIUS server: usually FreeRADIUS
  • Identity source: LDAP, Active Directory, SQL, Google Workspace bridge, or another institutional identity backend
  • Federation path: national and international RADIUS proxies used for roaming

The three 802.1X actors

Actor In eduroam Role
Supplicant User's device Initiates authentication; provides credentials via EAP
Authenticator Wireless Access Point Controls port access; relays EAP messages to RADIUS server
Authentication Server RADIUS server (FreeRADIUS) Verifies credentials; issues Access-Accept or Access-Reject

Federation tiers

Tier Component Responsibility
Tier 1 GÉANT (International) Routes auth between countries; maintains top-level RADIUS servers
Tier 2 NRO (National) — KENET for Kenya Routes auth within country
Tier 3 Institution Authenticates home users; provides Wi-Fi to visitors

Authentication Flow

  1. A device connects to the SSID eduroam.
  2. The AP or controller encapsulates the 802.1X/EAP exchange into RADIUS.
  3. The visited institution inspects the user's realm, for example user@institution.ac.ke.
  4. If the realm is local, the IdP authenticates the user locally.
  5. If the realm is foreign, the SP proxies the request to the federation.
  6. The home institution returns Access-Accept or Access-Reject.
  7. The visited institution applies local authorization policy such as VLAN or ACL assignment.

User passwords are not exposed to the visited institution when tunneled EAP methods are used correctly.

EAP Methods

For modern eduroam deployments:

  • PEAP-MSCHAPv2 is widely supported and common in Microsoft-heavy environments
  • EAP-TTLS/PAP is widely supported and often simpler for LDAP-backed deployments
  • EAP-TLS provides strong certificate-based client authentication and is preferred where device certificate lifecycle can be managed

Recommended guidance:

  • support at least one widely compatible tunneled method such as PEAP or TTLS
  • prefer EAP-TLS for managed devices when institutional PKI and MDM are available
  • avoid legacy or weak methods such as EAP-MD5

Choosing the right EAP method

Scenario Recommended Avoid Reason
Standard university deployment PEAP+MSCHAPv2 EAP-MD5 Widest client support; good security with cert pinning
High-security / research EAP-TLS PEAP Mutual authentication; no password exposure
Legacy RADIUS integration EAP-TTLS/PAP EAP-TLS PAP inner method needed for some legacy RADIUS
BYOD environments PEAP with CAT Manual config CAT ensures cert pinning on unmanaged devices

Key RADIUS attributes

Attribute Code Description
User-Name 1 Identity with realm (user@institution.ac.ke)
NAS-IP-Address 4 IP of the access point or switch
Called-Station-Id 30 AP MAC address + SSID (AA:BB:CC:DD:EE:FF:eduroam)
Calling-Station-Id 31 Device MAC address
EAP-Message 79 Carries the EAP payload between AP and RADIUS
Message-Authenticator 80 HMAC-MD5 integrity check — required in eduroam
Tunnel-Type 64 In Access-Accept: specifies VLAN assignment
Tunnel-Medium-Type 65 IEEE 802 (value: 6)
Tunnel-Private-Group-Id 81 VLAN ID or name to assign to authenticated user

Authorization

Authorization determines what an authenticated user can access. Common policies include:

  • dynamic VLAN assignment
  • downloadable or controller-based roles
  • realm-based policy
  • directory-group-based policy
  • rate limits or firewall restrictions

Example logic:

  • staff accounts to a staff VLAN
  • student accounts to a student VLAN
  • visiting users to an Internet-only visitor VLAN

Accounting

Accounting records session start, stop, and interim updates. It is useful for:

  • incident investigation
  • abuse handling
  • capacity planning
  • service reporting

At minimum, record:

  • User-Name
  • Calling-Station-Id
  • Called-Station-Id
  • NAS-IP-Address or NAS-Identifier
  • session timestamps
  • session octets
  • assigned IP address where available

Operational Expectations

A production eduroam service should include:

  • documented change control
  • certificate lifecycle management
  • log monitoring and alerting
  • test procedures before rollout
  • redundancy for critical RADIUS services