Security

eduroam is a security-sensitive service and should be operated as critical infrastructure.

Security Principles

  • use WPA2-Enterprise or WPA3-Enterprise only
  • do not deploy captive portals on the eduroam SSID
  • validate RADIUS server certificates on all client devices
  • keep authentication, proxying, and logging systems patched and monitored
  • restrict administrative access to trusted networks and operators

Certificate Management

The RADIUS server certificate is central to EAP security. Institutions should:

  • use a publicly trusted server certificate or a private CA distributed through managed profiles
  • include the full certificate chain
  • use a certificate whose subject/SAN matches the name configured in client profiles
  • track expiry dates and renew well before the certificate expires
  • protect private keys with strict filesystem permissions

Recommended practice:

  • separate server certificates from any internal CA private key
  • automate renewal where possible
  • test renewed certificates with eduroam CAT profiles before production rollout

RADIUS Hardening

  • allow RADIUS traffic only from known APs, controllers, and federation peers
  • use strong shared secrets generated per client or peer
  • disable unused virtual servers and modules
  • run FreeRADIUS under its packaged, unprivileged service account
  • restrict shell access and use MFA for administrators where possible
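The first two points above can be checked mechanically. The following is an added example, not code from the eduroam documentation or from FreeRADIUS: it parses a flat FreeRADIUS clients.conf and reports clients that accept RADIUS from any source, use the default or a short shared secret, or reuse a secret across peers. The sample config and the MIN_SECRET_LEN threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample clients.conf: one compliant client, two that break the guidance.
SAMPLE_CLIENTS_CONF = """
client wlc-campus {
    ipaddr = 10.20.0.5
    secret = Qb7v2xK9mT4pL1sZ8wHc3rN6yF0jA5eD
}
client legacy-ap {
    ipaddr = 0.0.0.0/0
    secret = testing123
}
client ap-library {
    ipaddr = 10.20.0.9
    secret = Qb7v2xK9mT4pL1sZ8wHc3rN6yF0jA5eD
}
"""

MIN_SECRET_LEN = 16  # assumed lower bound; 'testing123' is the FreeRADIUS default
ANY_SOURCE = "ipaddr accepts any source; allow only known APs, controllers and peers"
WEAK_SECRET = "weak or default shared secret"
REUSED_SECRET = "shared secret reused by another client"
BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)  # flat client blocks only
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return {client_name: {key: value}} from clients.conf-style text."""
    return {m.group(1): dict(KV_RE.findall(m.group(2))) for m in BLOCK_RE.finditer(text)}

def audit_clients(text):
    """Return (client, finding) pairs for each setting that breaks the hardening guidance."""
    clients = parse_clients(text)
    secret_use = Counter(cfg.get("secret") for cfg in clients.values())
    findings = []
    for name, cfg in clients.items():
        ip = cfg.get("ipaddr", "")
        try:  # '*' and a /0 prefix mean any source; a hostname cannot be judged here
            wide_open = ip == "*" or ipaddress.ip_network(ip, strict=False).prefixlen == 0
        except ValueError:
            wide_open = False
        if wide_open:
            findings.append((name, ANY_SOURCE))
        secret = cfg.get("secret", "")
        if secret == "testing123" or len(secret) < MIN_SECRET_LEN:
            findings.append((name, WEAK_SECRET))
        if secret_use[secret] > 1:
            findings.append((name, REUSED_SECRET))
    return findings
```

Run it against the live clients.conf after every change to AP, controller or federation-peer entries; an empty result means the file matches the guidance above.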

Network Controls

  • permit UDP 1812 (authentication) and UDP 1813 (accounting) only where required
  • limit management access with firewalls or ACLs
  • separate management, server, and client traffic
  • send eduroam users to controlled user VLANs or roles, not infrastructure networks

Data Protection and Logging

  • log enough for incident response, abuse handling, and troubleshooting
  • avoid exposing unnecessary personal data in exported logs
  • protect SQL and log storage with backup and retention controls
  • define retention periods in line with institutional and regulatory requirements

High Availability

Security includes resilience. Production deployments should have:

  • at least two RADIUS servers where possible
  • redundant uplinks and power
  • health monitoring for authentication and accounting
  • documented failover and certificate-recovery procedures