inter-NREN wireless LAN roaming
"Open your laptop and be online!"
eduroam (education roaming) is secure access
to the Wi-Fi network developed for the international science and
education community and available worldwide. Technically this is a federated authentication service
that allows users from participating institutions
to gain secure access to wireless network access using their standard username/password credentials
as they do at their home institution for wireless access. Following initial mobile device configuration,
eduroam can enable access without the user having to enter any details, simply open your laptop or activate
mobile device and if its wireless enabled it will connect to eduroam, authenticate and authorise network access.
eduroam hotspots can be found all around the world. Please see the
coverage map of eduroam
for the exact locations.
eduroam is an example of an identity federation between National
Research and Education Networks (NRENs) and their connected institutions
(universities, schools, libraries, research centres etc.). This means that all
involved institutions mutually trust each other: if a user has a valid account
at one of the institutions, he will be allowed to access the network at all
eduroam in Europe is managed in each country by its respective national
research and education network (NRENs); in Ukraine, this is URAN.
Benefits your campus and improves productivity of IT Support staff
With eduroam, your campus becomes more attractive as a venue for meetings
and conferences, as it allows participants to access the network without
assistance, and without tying up your facilities.
The cost of implementing and maintaining eduroam is modest. The service results in significant
cost savings through reduced IT department workload:
- eduroam provides a single solution that accommodates all the mobile connectivity requirements
of an institution, supporting
- local users connecting to the local network,
- visitors connecting to the local network and
- local users connecting to other participating networks.
- eduroam removes the need to supply temporary accounts to visiting users, so
reducing the administrative and support burden imposed by the ever-growing
movement of students and researchers between institutions and countries.
There are a few 'basics' that should be understood by operators and users of eduroam::
- The main purpose of eduroam is to provide automatic network access to R&E users when they travel
from their 'home' institution to other R&E institutions. This is achieved by all institutions broadcasting
a common SSID, "eduroam", which is configured in the institution's wireless infrastructure to trigger
remote authentication of visitors and local authentication of the institution's own users (the protocol
used is IEEE 802.1x). Users configure their mobile devices for automatic connection to the "eduroam" SSID,
and specify their eduroam username as <institutional_username>@<institutional_realm>.
The <institutional_realm> component of the username is used by eduroam infrastructure to route
the authentication request to the user's home institution.
- User's credendials remain secret between the user's device (where the eduroam username and home
institution password are entered) and the user's home institution, through use of an encrypted tunnel
between them to transfer the user's credentials. The encrypted tunnel is created between user device and
home institution as the first stage of eduroam remote authentication. The second stage is the actual
user authentication via the tunnel.
- There are two roles that institutions have in participating in eduroam. The 'Service Provider'
(SP) role involves providing access to the institution's network by virtue of a visitor's remote
authentication via eduroam infrastructure. The 'Identity Provider' (IdP) role involves the institution
authenticating their users remotely via the eduroam infrastructure.
- The eduroam SP role, i.e. providing network access to visitors, relies on the institution's existing
network infrastructure. Typically, the 'eduroam' network access is understood to mean wireless network access.
Institutions can also use eduroam for providing wired network access to visitors, however this is relatively
uncommon. A pre-requisite to eduroam participation is that SP institutions have fully operational wireless
- In order for eduroam to provide 'automatic network access', users need to configure their devices
for automatic 'connection' to the "eduroam" SSID. There are two parts to this. First, connection across
the wireless network to the visited institutions wireless access points. The wireless encyption used is
"WPA2-Enterprise" ( IEEE 802.1x + CCMP/AES) - by eduroam global policy this must be supported by
institutions. The second part of the 'connection' is remote authentication by the user's home institution.
Authentication uses a secure tunnel to protect credentials from being exposed, and the two prevalent
protocols are PEAP/MSCHAPv2 or TTLS/PAP. The authentication protocol is specific to the home
- As authentication configuration is home institution specific, it is strongly recommended that users
configure their eduroam connection while on their home institution campus. If issues are encountered, request
assistance from local IT support. If you wait until you travel before configuring connection to eduroam, your
local support may not be able to assist due to visited institution issues which are of course outside the home
institution support staff's scope of visibility.
eduroam managed IdP - technical solution for small institutions
The deployment of a full-service eduroam requires several technical and organizational measures that mean
additional financial, human and time resources:
- to implement a set of hardware and software, in particular, to deploy RADIUS-server authorizing users.
The purchase of the server and configuration of the software requires additional funds and training of technical staff
to ensure its special knowledge and skills;
- in the future, to keep a database of users specifying their credentials. It requires additional
worktime of IT staff.
For small science and education institutions whith several dozen users, this is an obstacle, often
To facilitate the connection of small organizations to eduroam GÉANT has developed the
eduroam managed IdP service. This is a web portal that contains an access page for a small institution. On this page,
the representative of the institution itself enters data about its organization and begins to create a database of its users,
and those already themselves are authorized in the eduroam system. The only restriction is no more than 200 users per institution.
There is no need to buy and configure the RADIUS server.
The eduroam access point will not be in this facility, but its staff will be able to use eduroam wherever such
access points already exist.
If, however, the institution will eventually decide to set up its own access point then the URAN Association can
connect it to its own RADIUS server, and this institution will be able to authorize eduroam users.
For consultations please contact the URAN technical department at the e-mail
See more at eduroam.uran.ua