eduroam Nuts and Bolts – basic technical requirements
Document created - 16/08/2016
Last updated - 14/08/2020
Essentially the key steps involved in adopting eduroam are as below. We suggest you read through these and once you are confident that your organisation can implement the service and you wish to proceed, complete the application form via https://community.jisc.ac.uk/library/janet-services-documentation/how-does-organisation-join-service - this also sets out the rules of membership.
For Home (IdP) service deployments - Authentication Policy [if implementing Visited-only skip to 'Join eduroam(UK)']
- Relevant to Home (IdP) service deployments - Decide the username model you want to adopt (i.e. your implementation of userID@realm) and how credentials will be supported by your user database (AD/LDAP)
- Decide the EAP method you will be using and how user device Wi-Fi configurations will be set up (i.e. the on-boarding method/tools/use of eduroam CAT)
Join eduroam(UK) - all service deployments (Home and/or Visited)
- Join the eduroam(UK) federation https://community.jisc.ac.uk/library/janet-services-documentation/how-do.... This gives you access to the eduroam(UK) support server for RADIUS server registration, service assertions, status views, diagnostics, access to national proxy logs and technical information.
RADIUS infrastructure and Secure Networking
- Install a RADIUS server if you do not already have one (e.g. Microsoft NPS, FreeRADIUS etc.). It can be physical, virtual, cloud-hosted or a managed service. Peer this with the eduroam(UK) national RADIUS proxy servers (NRPSs) – you’ll need FQDNs and public-facing IP addresses (check that your firewall permits inbound and outbound UDP on port 1812 and that there are no NAT issues). You’ll also need a server certificate (from a commercial CA or your own certificate authority); if using your own CA, decide how your users will acquire the CA root certificate (hint - use CAT as below)
- Create an eduroam network service/VLAN that your visitors (and your own eduroam users if you wish) will be connected to once authenticated – this will need DHCP IP provision (with logging) and internet access
- Configure your APs to broadcast the eduroam SSID, supporting WPA2 Enterprise – wherever you wish to provide the services over your estate for both your own users and for eduroam user visitors
- Set the APs/WLC to hook in to your RADIUS server to authenticate devices associating with the eduroam SSID
Network Service for Authenticated Users
- For a Visited service with a basic Home service - configure your APs/WLC to connect all authenticated eduroam users to the eduroam network service/VLAN
- [For a more advanced Home service - configure your APs/WLC to connect your authenticated own users to your preferred in-house networks (using RADIUS attributes such as Tunnel-Private-Group-ID, Trapeze-VLAN-Name, Aruba-User-Vlan), i.e. implement dynamic VLAN assignment]
Authentication
- If implementing a ‘Home’ service, i.e. you want to provide eduroam for your own users, configure your RADIUS server to recognise your organisation's users and to authenticate their access requests, arising from your APs/WLC, against your user database (with logging)
- Visited service: configure your RADIUS server to forward requests from other users (visitors) to the NRPS (for onwards forwarding and authentication) (with logging)
- Home service (roaming users): Configure your RADIUS server to authenticate access requests sent to it from the NRPSs (from your users who roam to other eduroam service providers) against your user database (with logging)
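The three Authentication bullets above, together with the dynamic VLAN assignment bullet earlier, describe one routing rule keyed on the realm of userID@realm and on where the request arrived from. The following is an added example (not Jisc or eduroam(UK) code) that models that decision for a site with the placeholder realm example.ac.uk; the source labels "ap" and "nrps" and the vlan_for_user callback are assumptions for the sake of the illustration.

```python
"""Realm-based routing decision for an eduroam RADIUS server (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholder: the realm(s) this organisation is Home IdP for.
OWN_REALMS = {"example.ac.uk"}

# RFC 2868 tunnel attribute values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass
class Decision:
    action: str                     # "local", "proxy-nrps" or "reject"
    reason: str
    reply: Optional[dict] = None    # attributes to add to an Access-Accept


def split_identity(user_name: str):
    """Split userID@realm; realm compared case-insensitively (assumption)."""
    if "@" not in user_name:
        return None, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def vlan_reply(vlan_id: int) -> dict:
    """Reply attributes that tell the AP/WLC which VLAN to place the user on."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan_id)}


def route(user_name: str, source: str,
          vlan_for_user: Optional[Callable[[str], Optional[int]]] = None) -> Decision:
    """source is 'ap' (own APs/WLC) or 'nrps' (request forwarded by the NRPS)."""
    user, realm = split_identity(user_name)
    if not user or not realm:
        return Decision("reject", "identity must be of the form userID@realm")
    if realm in OWN_REALMS:
        # Home service: authenticate against our own user database, whether the
        # user is on our own APs or roaming (request relayed by the NRPS).
        reply = None
        if source == "ap" and vlan_for_user is not None:
            vlan = vlan_for_user(user)          # in-house VLAN for our own users
            reply = vlan_reply(vlan) if vlan is not None else None
        return Decision("local", "own realm: authenticate locally", reply)
    if source == "nrps":
        # A foreign realm relayed to us by the NRPS is misrouted; never proxy it
        # back to the NRPS, which would create a forwarding loop.
        return Decision("reject", "foreign realm received from NRPS; not proxied")
    # Visited service: a visitor on our APs, forward to the NRPS for onward routing.
    return Decision("proxy-nrps", "foreign realm: forward to NRPS")
```

Requests accepted locally for roaming users carry no VLAN attributes, since the tunnel attributes only mean something to your own WLC.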
Finishing Off and Roll Out
- Test your deployment – using the tools available on eduroam(UK) Support; verify compliance with the eduroam(UK) Technical Specification
- Using eduroam(UK) Support, complete service assertions and provide details about the service at your site for publication through www.eduroam.org and eduroam Companion App
- Create web content to provide information about your eduroam service and post this into your organisation’s web site
- Facilitate the roll out of device configuration to your users (Microsoft Group Policy, eduroam CAT, on-boarding walled garden network, commercial automated configuration tools, web site instructions)
- Support your users (Home service user authentication) and (Wi-Fi service for) visitors
Further reading
A step by step guide on implementing eduroam is published at:
https://community.jisc.ac.uk/library/janet-services-documentation/implementing-eduroam-roadmap
If you use Microsoft NPS, we have a detailed guide available on setting this up for eduroam at:
https://community.jisc.ac.uk/library/janet-services-documentation/microsoft-nps-configuration-guide
*Recommended viewing* - video of James Hooper's presentation overview of the eduroam deployment at Bristol, 'Challenges for wide scale 802.1X deployment'. For the slideset, see 'Resources' at the bottom of this section. Although showing its age now, this is a comprehensive overview of eduroam deployment and can be viewed in parallel with the notes below. eduroam CAT is not covered, and references to 'Janet' and 'JRS' should now be understood as 'Jisc' and 'eduroam(UK)'.
eduroam CAT: https://community.jisc.ac.uk/library/janet-services-documentation/eduroam-cat-configuration-assistance-tool
The eduroam(UK) Technical Specification: https://community.jisc.ac.uk/library/janet-services-documentation/eduroamuk-technical-specification