eduroam AU Joining Process

The following are the activities required of an institution to join eduroam AU:

  1. Request information on and understand requirements for participation in eduroam AU
    (AARNet will provide a standard information package)
  2. Submit eduroam AU application form (following invitation from AARNet)
    (AARNet will review the application form, and create an institutional entry in eduroam AU AdminTool)
  3. Update institutional data in eduroam AU AdminTool
    (requires SAML authentication, and may require an admin account to be created in AAF VHO)
  4. Deploy institutional infrastructure (following invitation from AARNet)
    (AARNet will provision eduroam AU national eduroam infrastructure & services)
  5. Create institutional eduroam participation webpage
  6. Establish institutional eduroam support capability
  7. Update Institutional Data in Configuration Assistant Tool (for IdPs)
  8. Test institutional CAT-generated end-user device scripts (for IdPs)
  9. Confirm access to AARNet’s institutional eduroam metrics webpage
  10. Undertake final auditing (resolve any issues identified)
  11. Check institutional data to be released to global eduroam (AdminTool generated XML)
  12. Announce service availability within institution, provide online training to end-users (for IdPs)
    (AARNet will enable release of institutional data to the global database,
    and announce institutional participation to eduroam AU Institutional Admins.)

Participation Request

An initial request for information, and expression of interest in participating in eduroam AU, should be sent to support@aarnet.edu.au.

An AARNet Service Desk ticket will be created, and a Service Desk staff member will confirm customer status and the eligibility of the institution seeking participation in the identified role.

PreRequisites (Audit Items without data in AdminTool)

AARNet will evaluate and confirm the eduroam participation pre-requisites with the institution prior to providing standard information on joining eduroam AU. Those pre-requisites are:

For an IdP:

  • Effective Identity Management
  • End-user security training/awareness

For an SP:

  • Reliable wireless infrastructure with documented coverage
  • If hosting eduroam for local as well as visitor access, intent for VLAN-based segregation of traffic

Provision of Standard Information Package

Following AARNet’s investigation and any further clarifications regarding eligibility, AARNet will send the institution the standard information package for institutional on-boarding.

Generic templates of the standard information packages are available for each participation role (IdP+SP, SP-only, IdP-only).

Attachments to those information packs include:

  • eduroam AU FAQ
  • eduroam Global Policy, i.e. the “eduroam Compliance Statement” (which NROs, i.e. National Roaming Operators such as AARNet for eduroam AU, must sign up to)
  • eduroam AU National Policy (current version)
  • institutional eduroam participation webpage template

eduroam AU Application Form

The institution will be invited to submit the eduroam AU application form appropriate to the role sought (IdP+SP, IdP-only, SP-only).

The standard information package provides a link to the appropriate eduroam AU Application Form.

The eduroam AU Application Form ensures the required information is conveyed and made available to eduroam AU administrators.

Application Form Preparation

Preparation of the Application Form will require gaining an understanding of the implications of authentication protocol (for IdPs) and network service (for SPs) choices.

The institution will be invited to discuss items required in the application form with AARNet eduroam specialists.

Application Form Submission

The Application Form should be exported as an MS Word document, have its required fields completed, and be returned to AARNet via email to support@aarnet.edu.au. A separate ticket will be created which will be used for information exchange during operational deployment.

eduroam AU AdminTool Update

Based on information provided in the application form, AARNet will add basic institutional data to the eduroam AU AdminTool. The institutional eduroam admin will be invited to commence maintaining institutional data in the AdminTool.

Institutional eduroam Operability Deployment

Following the review of the institution’s application form, an invitation will be extended to the institution to commence deployment and undertake all activities required in readiness for eduroam operability.

Network Service Deployment

For SPs, establish the required network infrastructure and configure the IEEE 802.1X “eduroam” network.

RADIUS Server Deployment

Deploy RADIUS Server(s) to perform proxying of visitor authentication requests (SP role) to, and receive authentication requests for local users from, the eduroam AU National RADIUS Servers. AARNet will configure National RADIUS Servers accordingly, and perform collaborative testing to ensure institutional networking and RADIUS infrastructure is operating correctly.

Institutional eduroam Participation Webpage

During on-boarding, prior to the final audit stage, institutions should create an initial draft of the institution’s eduroam participation webpage, with operability status clearly indicated as “staging”.

Establish Support Capability

Deploy institutional infrastructure, create website, and build support capability, as described in the eduroam AU Technical Specification.

Final Audit

The final audit will be undertaken collaboratively by AARNet and the institution.

AARNet will provide an audit report, and advise success or otherwise.

If not successful, the institution will be provided with a list of issues to be resolved prior to the audit being undertaken again.

Access to Configuration Assistant Tool

At the appropriate stage of Final Audit, the institutional status will be changed to “Pre-Production”, which will trigger readiness to upload institutional data to the Global Database for the purpose of populating the eduroam Configuration Assistant Tool (CAT).

For IdP participants, following invitation from AARNet, institutional admins are required to access and complete data entry into the CAT, and access and test scripts generated for end-user device configuration.

Moving to Full Production

After the institution passes the final audit, AARNet will update the AdminTool status for the institution to “Production”.

The deployment data for the institution will be uploaded to the Global Database, and the institution will appear on maps generated both by the eduroam AU AdminTool, and Global Maps.

Institutional information will be available to NROs globally via the Global Database web interface.

Announcement to eduroam AU

AARNet will make an announcement to the eduroam AU institutional community regarding a new participant via the eduroam AU administrator mail-list.

Institutional User Education

When an institution has moved to full-production participation, it is appropriate to advise students and staff accordingly.

Any restrictions on the use of eduroam should be conveyed.

The realm(s) to be used should be described, with an explanation that the eduroam username contains the realm part to enable global roaming via remote authentication, with AARNet providing national and global infrastructure to route authentication requests.
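
The realm-based routing described here, and performed by the institutional RADIUS server described under RADIUS Server Deployment, can be sketched as follows. This is an added example, not AARNet's or eduroam's own code; the realm `example.edu.au`, the function name `route_request` and the sample usernames are assumptions constructed for illustration.

```python
import re

# Hypothetical home realm of the institution (assumption, not from the page).
LOCAL_REALMS = {"example.edu.au"}

# A realm must look like a DNS name: dot-separated labels, at least two.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def route_request(user_name, local_realms=LOCAL_REALMS):
    """Decide what an institutional RADIUS server does with a User-Name.

    Returns (decision, realm) where decision is:
      'local'  - realm is ours: authenticate against the home identity store
      'proxy'  - visitor realm: forward to the national RADIUS servers
      'reject' - no usable realm: cannot be routed, so refuse it locally
    """
    # Exactly one '@' is required; a bare username carries no routing info.
    if user_name.count("@") != 1:
        return ("reject", None)
    _user, realm = user_name.split("@")
    realm = realm.lower()  # realms are compared case-insensitively
    # Malformed realms (spaces, single label, empty) are dropped here rather
    # than being sent upstream where they cannot be resolved.
    if not _REALM_RE.fullmatch(realm):
        return ("reject", None)
    if realm in local_realms:
        return ("local", realm)
    return ("proxy", realm)


# Constructed sample User-Name values, not taken from real logs.
SAMPLES = [
    "alice@example.edu.au",   # local user, possibly roaming elsewhere
    "bob@uni.example.org",    # visitor from another institution
    "@example.edu.au",        # anonymous outer identity, realm only
    "carol",                  # realm missing
    "dave@example.edu.au ",   # trailing space, a common typing error
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), "->", route_request(name))
```

The rejected cases show why end-user instructions should state the full username including the realm: a request without a valid realm cannot be routed to the home institution.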

Recommended Advisory to Users

It is recommended that an invitation to use eduroam, with a link to the institution’s eduroam service webpage, be sent to all users at the institution.

There is no need to provide specific training to end-users; however, their attention should be drawn to the security aspects of eduroam:

  • eduroam Username (appropriate realm if there are several) and Password
  • Reinforce need for protection of credentials
  • Reinforce need to configure authentication via eduroam while on the home campus
  • Use of CAT scripts for configuring devices (if available), or links to automated configuration tool, or to instructions for manual configuration.
  • Advice regarding logging of user activity
  • Reminder of end-user responsibility when using eduroam to comply with their home institution’s AUP, and recommendation to read the visited institution AUP (available on the visited institution AUP website, or via AdminTool).

This information should be marked with appropriate priority in an email sent from institutional IT management.