Peering Overview

Once an institution has made the decision to join eduroam, the next step is to review the requirements and technical process. In many cases, the necessary infrastructure to begin the process is already in place and can sometimes be completed in as little as a few hours. eduroam offers two distinct services: Identity Provider (“IDP”) and Service Provider (“SP”).
 

1) Identity Provider (“IDP”)

When an institution is connected to eduroam as an IDP, its students, faculty, and staff can use their personal credentials from their institution to join eduroam anywhere around the world.
An academic institution begins the process of connecting to eduroam by peering its RADIUS servers to the eduroam federation RADIUS servers. Next, the institution’s RADIUS servers are connected to its directory-services such as LDAP, AD, SQL DB, and others. This allows users of the institution to connect to eduroam anywhere, simply by providing their username and a password.
eduroam uses the Extensible Authentication Protocol “(EAP”) to transfer information between parties. EAP methods required by eduroam encrypt information between the user’s device and the RADIUS servers of the user’s institution. EAP-TTLS and PEAP are the two most common EAP methods used by institutions. With eduroam, the forwarding RADIUS server(s) cannot intercept user’s credentials. Institutions can elect to provide authentication with certificates by using EAP-TLS, rather than username and password.
As an eduroam IPD, an institution’s community is able to enjoy eduroam when traveling. However, being an IDP does not allow eduroam visitors access to your institution’s Wi-Fi or wired network. To have this capability, an institution must also be an SP.
Guidelines to configure institution’s RADIUS servers to become an IDP can be found at https://www.eduroam.us/node/11(make sure to read Best Practices), and also additional tips at https://www.eduroam.us/node/81 for Directory Services and Firewall rules.
* It is important to note, when deploying eduroam as an IDP (or as Service provider) the configuration of firewalls can lead to delays, especially when different groups control RADIUS servers and Firewalls.
 

2) Service Provider (“SP”)

Unlike an IDP, which is restricted to academic institutions, any organization can become an eduroam SP. In practice, most IDPs are also SPs; however, the contrary is not always true.
When an organization is connected to eduroam as an SP, students, faculty, and staff from around the world can join the eduroam network as visitors of that organization. An organization becomes an SP when
  1. the service provider broadcasts the eduroam1 network name, also known as the service set identification (“SSID”) on one if its locations, such as a campus;
  2. an IP network is configured and routed to the internet and assigned to the eduroam SSID with DHCP and DNS functions and,
  3. the RADIUS server(s) of the institution are configured to forward authentication requests up the eduroam chain for users that are not part of the institution.

 

Broadcast the eduroam SSID

With today’s managed Wi-Fi systems, pushing an additional SSID to wireless access-points can be done in a few clicks. This functionality is not universal or standard and is device and manufacturer2 dependent. Be aware, that most manufacturers advise against having more than five SSIDs per wireless access-point. In the case of WiFi, less is better when it comes to the number of SSIDs.
802.1X, the main protocol upon which eduroam is built, provides a great deal of convenience when it comes to role based networking. For instance, in a managed Wi-Fi system, roles can be created based on the outer-identity of the 802.1X authentication request. A user with an outer identity that matches the realm (i.e. domain) of the organization can be assigned to VLANs with access to sensitive resources, while all other users’ with realms that do not match the organization will be assigned to VLANs with less privileged access. Using this technique, it is possible to use eduroam as the sole secure SSID for a campus and still provide managed  access levels previously provided with multiple SSIDs. Many schools, for example UCLA, LSU, Clemson, and Uiowa have elected to use eduroam as their sole secure SSID and differentiate levels of access between local users or visitors authentication based on their assigned roles. Roles can also be created based on directory services attributes, for example date of birth, affiliation, clearance level, that can be returned to RADIUS and create even more granular role based networking.
Look for role based access or identity based access in your vendor documentation for details on how to implement it.
 
 

Enable Internet connectivity

Enabling Internet connectivity can be the most time consuming step of the peering process. The process requires the selection of subnets to assign to the eduroam network and the configuration of those subnets on routers. In addition, decisions for firewall rules for subnets selected. The following link is a guideline on the minimum set of ports eduroam requires: https://www.eduroam.us/node/96.
Fortunately, a shortcut to this lengthy process, used by many eduroam members, can help accelerate the process. Because eduroam is a complement to a visitor access system and not a replacement, if a school already has a visitor network (e.g. web based access, or open) and its VLAN(S) comply with the minimum set of ports required, the eduroam SSID can be assigned to the same VLAN(s) as the existing visitor network. Without the need to create additional subnets.
VLAN assignment is done directly in the Wireless Systems (Controllers, Access-Points). By assigning those visitor network VLANs directly to the eduroam SSID, one bypasses web gateways that could be in the way of eduroam and prevent the instant connectivity aspect of the service. eduroam requires that no interruption of traffic (Web gateway, …) be placed between a successful authentication and access to the Internet. Even if a location provides open Wi-Fi access, it is worth configuring eduroam to provide the benefit of encryption over the air (WPA2-enterprise), the instant connectivity, and the avoidance of rogue Wi-Fi for phishing/Man-in-the-Middle-Attacks.
Indeed, when connecting and authenticating to eduroam, a user also verifies the validity of the network since that network has to be connected to the eduroam federation to be operational and challenge the user for the infrastructure certificate (provided by the user’s institutional RADIUS server). If the certificate is incorrect, the connectivity will either fail or the user will receive a certificate warning depending on the operating system.
 

Configure RADIUS for SPs and SP+IDPs

An organization that is SP only has very little to configure in RADIUS. Just forward requests to the IP address of eduroam-US top level servers and use a shared secret. The RADIUS configuration for organizations that are both SP and IDP is slightly more complicated. Local authentications must be sent to directory services and visitors will be sent up the RADIUS chain (IP address and Shared Secret).
For help with these configurations: https://www.eduroam.us/node/11
Be sure to read paragraph 5 and annexes of the following document for SP and IDP requirements: https://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf
 
 

Advice for supporting users

 

Advertisement

It is not uncommon for an institution to enable eduroam and not spend much time informing the community about the availability of the service. eduroam visitors will discover your network very quickly, but your own users will not. Plan a target communication campaign about the eduroam service. Including students and faculty in the rollout is a key contributor to success.

Configuration

Automate the configuration of user’s devices through installers.
Free:
Commercial:
  • Cloudpath Networks - XpressConnect
  • Aruba Networks - Quick Connect
  • SecureW2 - SafeConnect
Properly configuring user’s credentials (username@institution) and installing the RADIUS infrastructure certificate will greatly reduce help desk support requests.

Help Desk

The number one rule of eduroam: always contact your home institution’s help desk first. In case of DMCA complaints or complex troubleshooting contact support [at] anyroam.net or submit a request at www.eduroam.us (send us a message)
 
Example of an acceptable use policy (“AUP”) for eduroam
(to be included to the IDP, not to SP … remember, no web portal)
  1. When using the eduroam service, you shall always comply with local laws that regulate the use of the service.
  2. You shall not use the eduroam service for any unlawful purpose and not (attempt to) breach or circumvent any administrative or security controls.
  3. You shall respect intellectual property and confidentiality agreements.
  4. You shall protect your access credentials (e.g. private keys or passwords).
  5. Use of the eduroam service is at your own risk. There is no guarantee that the service will be available at any time or that it will suit any purpose.
  6. Logged information is used for administrative, operational, accounting, monitoring and security purposes only.  The logged information may be disclosed under lawful order to law enforcement or other entities.
  7. The access-granting bodies and Resource Providers are entitled to regulate, suspend or terminate your access, within their domain of authority, and you shall immediately comply with their instructions.
  8. You are liable for the consequences of you violating any of these conditions of use.
 
[1] eduroam SSID is always lowercase

[2] For tips on how to configure particular equipment the following link can be useful: https://wiki.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus - Howtodeployeduroamon-siteoroncampus-eduroamsetuponCampus:IdPandSP