The following diagram depicts entities involved in delivering the global eduroam service.
At the top are the global governance, global policy, and globally shared resources. Global governance interacts with the next layer, “roaming operators”, which may be either regional (e.g. APAN) or national (e.g. eduroam AU). National Roaming Operators (NROs) are associated with one regional roaming operator.
In the middle to the right-hand side the European eduroam Confederation is identified separately, as it has an established role in global operations, having developed resources and tools that are globally shared (e.g. the global eduroam website, the global database, the Configuration Assistant Tool (CAT), and value-added services such as the “Managed IdP” service).
At the bottom institutional participants are depicted, and the two roles a participant may fulfil are identified: “Service Provider” (SP) and “Identity Provider” (IdP).
From a technical perspective, the eduroam service may be considered as having two distinct functions, corresponding to those institutional roles:
The “eduroam” network service is provided by institutions performing the eduroam SP role.
The IdP role is fundamentally the authentication of end-users. The remote authentication infrastructure is provided jointly by institutions (both IdPs and SPs) and by national and regional roaming operators, and is a hierarchy of institutional, national and regional RADIUS servers.
The eduroam service is a ‘global trust federation’, where SPs and IdPs trust each other and the national and regional roaming operators in performing their roles in full compliance with technical and administrative policies. Global governance, which includes representatives of each eduroam region, is responsible for establishing the global policy, and NROs for establishing national eduroam policies aligned to the global policy.
The roles and responsibilities of an eduroam Identity Provider and Service Provider are detailed below.
As stated in the eduroam Compliance Statement (the global policy that NROs are required to sign), the eduroam service is provided for end-users engaged in research and/or education. eduroam enables end-users to travel globally and connect to visited participating institutions’ eduroam networks easily and securely, and enjoy a reasonably consistent quality of service delivered by the visited institution eduroam network. Use of a common network name “eduroam” enables end-user devices to be configured to automatically connect to the eduroam network when it is available.
The technical solution for eduroam (IEEE 802.1X, RADIUS) enables remote authentication to be performed, routed from the visited institution (SP) via national and regional infrastructure to the user’s home institution (IdP), based on the institutional realm part of the eduroam username, the eduroam username being of the form <institutional_username>@<institutional_realm>.
Use of tunnelled protocols to convey username/password credentials (e.g. EAP-PEAP/MSCHAPv2, EAP-TTLS/PAP) delivers end-user and IdP security, as institutional credentials remain secret between the end-user device and the user’s home institution RADIUS server.
The eduroam “Configuration Assistant Tool” is available for institutions globally to ensure end-user devices are configured for eduroam authentication securely and consistently. An important security requirement is that the user’s ‘home institution’ RADIUS server is authenticated by their device during the authentication process.
The eduroam Compliance Statement states that IdPs are responsible for the actions of their users in accessing a visited institution’s “eduroam” network.
Both IdPs and SPs are required to have and publish their institutional network “Acceptable Use Policy” (AUP). Given the closed community of eduroam end-users engaged in research and/or education, and the eligibility requirements of IdPs and SPs, there is an implicit assumption of reasonable equivalence of IdP and SP AUPs.
A pre-requisite for IdP participation is that end-users have a contractual requirement to comply with their home institution’s network AUP while using the home institution’s network with consequences for non-compliance made clear to end-users. eduroam IdPs must extend this requirement for their end-user AUP compliance, and consequences of non-compliance, to use of eduroam networks at SPs.
In order to enable traceability from a network access event at an SP to an authentication event and the individual user at an IdP, IdPs are required by global policy to capture and retain RADIUS server logs. RADIUS log timestamps must be in UTC to avoid confusion, and the “Calling-Station-Id” attribute must contain the end-user device MAC address. SPs are recommended to capture and retain RADIUS server logs to enable traceability; however, it is recognised that SPs may have local policy meaning they choose not to have such end-user traceability.
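As an added illustration of the traceability chain described above (not part of the original policy text), the following Python correlates an SP access event with the IdP authentication that produced it. The log lines, their key=value layout and field names are constructed for this example and do not reproduce any particular RADIUS server’s log format; the matching keys are the ones the policy mandates, the device MAC in Calling-Station-Id and a UTC timestamp.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log lines, not real eduroam logs. Both sides write UTC
# ('Z' suffix) and record Calling-Station-Id, as the policy requires. The SP
# only sees the outer identity (often anonymous@realm); the IdP knows the user.
SP_LOG = [
    "2024-03-04T02:15:07Z event=access outer_id=anonymous@example.edu.au "
    "calling_station_id=AA-BB-CC-11-22-33 nas=sp.uni.example.nz result=accept",
]
IDP_LOG = [
    "2024-03-04T02:15:06Z event=auth user=alice@example.edu.au "
    "calling_station_id=aa:bb:cc:11:22:33 nas=sp.uni.example.nz result=accept",
    "2024-03-04T02:15:06Z event=auth user=bob@example.edu.au "
    "calling_station_id=aa:bb:cc:44:55:66 nas=sp.uni.example.nz result=accept",
    "2024-03-04T02:15:07Z event=auth user=alice@example.edu.au "
    "calling_station_id=aa:bb:cc:11:22:33 nas=sp.uni.example.nz result=reject",
]

def normalise_mac(mac):
    """Calling-Station-Id formatting varies by vendor; compare on the bare hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...'; refuse timestamps that are not explicitly UTC."""
    stamp, _, rest = line.partition(" ")
    if not stamp.endswith("Z"):
        raise ValueError("timestamp must be UTC: " + stamp)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["mac"] = normalise_mac(event["calling_station_id"])
    return event

def trace_user(sp_line, idp_log, window=timedelta(seconds=30)):
    """Identify the IdP user behind an SP access event: same device MAC, same realm,
    and an accepted authentication within the time window of the SP event."""
    sp = parse_line(sp_line)
    realm = sp["outer_id"].rsplit("@", 1)[-1]
    users = set()
    for line in idp_log:
        idp = parse_line(line)
        if (idp["mac"] == sp["mac"] and idp["result"] == "accept"
                and idp["user"].endswith("@" + realm)
                and abs(idp["ts"] - sp["ts"]) <= window):
            users.add(idp["user"])
    return sorted(users)
```

A rejected authentication or a different MAC is excluded, which is why the accepted entry for bob and the later reject for alice do not match the SP event.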
Institutions may participate in eduroam AU as one of 3 types: IdP+SP, SP-Only, IdP-Only.
Most institutions participating in eduroam are directly engaged in education and/or research, and have an institutional network and are willing and able to perform both IdP and SP roles, i.e. be IdP+SP participants.
If an institution is not directly engaged in R&E, i.e. its users are not engaged in education and/or research and hence are not eligible to be eduroam end-users, yet there is a business case for providing an “eduroam” network for visiting R&E users, it can operate as an SP-Only participant. Institutions which typically participate in eduroam AU as SP-Only operators are health institutions, libraries, cultural spaces (museums, art galleries), public spaces (e.g. local government Wi-Fi locations) and public transport (airports, buses, ferries).
An institution will only be accepted as an IdP-Only participant in eduroam AU if it is agreed by AARNet that it is infeasible, or that there is substantially no benefit to R&E visitors, to provide an eduroam network on the IdP-Only institution’s site. If an institution operates as an IdP, it should also operate as an SP to respect the ‘give-and-take’ nature of the eduroam service, which is based on eduroam network access costs being borne by the SP: the rationale is that if an institution wishes its users to be able to roam and access networks at visited institutions, that institution should also be willing to provide an eduroam network for access by R&E visitors.
As a global service, eduroam is governed by a global policy which states that eduroam is for users from “organisations engaged in research and/or education”. Clearly this constitutes a closed but very large global user community. This requirement defines the fundamental eligibility requirement for institutions participating as IdPs.
The global policy also states that the NRO can determine eligibility of IdPs and SPs to participate in the national eduroam service.
The eduroam AU national policy requires that eligibility for eduroam AU IdP participation is restricted to AARNet customers. Institutions under an AARNet Access Agreement and satisfying IdP prerequisites described below may operate as an eduroam AU IdP.
Any institution with an identified valid (based on AARNet’s judgement) business case for participating in eduroam AU and satisfying SP pre-requisites described below may operate as an eduroam AU SP.
Institutional roles and responsibilities are described below in detail, categorised as general (common to IdP and SP), IdP, or SP.
Both eduroam AU IdPs and SPs are required to satisfy the following:
Institutions joining eduroam will often already be using IEEE 802.1X internally, and will have a RADIUS server deployed already for other purposes.
Configuration of the RADIUS Server for both IdP and SP operability is described in the eduroam AU Technical Specification.
For institutions requiring deployment of a RADIUS server, factors in choosing a RADIUS Server implementation are documented in JISC’s “RADIUS Server Choice Guide for eduroam”.
IdPs authenticate users based on access requests for their designated ‘realms’. eduroam end-users have credentials managed by their ‘home institution’ operating as an eduroam IdP. The home institution’s RADIUS servers perform authentication for their own end-users’ authentication requests via the institutional authentication service. A home institution’s end-user authentication requests arrive either from local wireless infrastructure (its users accessing the home institution’s “eduroam” network on their home campus), or remotely via national RADIUS infrastructure (its users accessing the “eduroam” network of a visited institution).
The following schematic illustrates the IdP participant role:
The following are pre-requisites for IdP participation:
It is also highly recommended that IdPs operate an “eduroam” network at least for local users, enabling local users to undertake and confirm their eduroam authentication configuration while on their home campus.
In addition to the general requirements above, an eduroam AU IdP is required to:
Realms should have a country-code top-level domain as their final part, in order to avoid the need for exception configuration in regional RADIUS servers.
The two pairs of authentication protocols used most commonly are
It is preferable to use PEAP/MSCHAPv2 if possible, as a challenge-response protocol removes the possibility of credential leakage.
Factors in deciding which authentication protocol to implement are described in GEANT’s How to deploy eduroam on-site or on campus (ADVANCED).
The IdP RADIUS server certificate is the basis for mutual authentication. The factors in the choice of RADIUS server certificate are documented in Server Certificate Practices in eduroam.
SPs provide the “eduroam” network which eduroam end-users can access as they travel. That is, they provide the network infrastructure and internet connectivity for an “eduroam” network, configured to use IEEE 802.1X authentication, and provide a local “authentication server” (RADIUS server) which proxies requests for visitors (authentication requests with non-local realms) to the national RADIUS server.
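As an added example (not code from eduroam AU or the original page), the following Python models the realm-based routing decisions described here and in the earlier paragraphs on the RADIUS hierarchy and on country-code realms: the institutional server authenticates its own realms and proxies everything else to the national server, and the regional server selects an NRO from the realm’s country-code TLD, needing a manual exception for realms without one. The realm tables and server names are constructed placeholders, not real eduroam configuration.

```python
import re

# Constructed sample tables; not eduroam AU's real realm or server configuration.
LOCAL_REALMS = {"example.edu.au"}                 # realms this institution's IdP serves
NATIONAL_SERVER = "radius.nro.example"            # hypothetical national RADIUS server
NRO_BY_CCTLD = {"au": "au.nro.example", "nz": "nz.nro.example"}   # regional routing table
REGIONAL_EXCEPTIONS = {"example.org": "au.nro.example"}  # realm without ccTLD: manual exception

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")   # one DNS label of the realm

def split_realm(user_name):
    """Return (user, realm) from <user>@<realm>, or None if the name is malformed."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    labels = realm.lower().split(".")
    if not user or len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return user, realm.lower()

def route_at_institution(user_name):
    """Institutional RADIUS server: authenticate own realms, proxy the rest nationally.
    Only the realm is inspected, so an anonymous outer identity routes the same way."""
    parsed = split_realm(user_name)
    if parsed is None:
        return ("reject", "no routable realm")    # cannot be forwarded anywhere
    _, realm = parsed
    if realm in LOCAL_REALMS:
        return ("local", realm)                   # we are the IdP: authenticate here
    return ("proxy", NATIONAL_SERVER)             # visitor: act as SP, send to the NRO

def route_at_regional(user_name):
    """Regional server: pick the NRO from the realm's country-code TLD."""
    parsed = split_realm(user_name)
    if parsed is None:
        return ("reject", "no routable realm")
    _, realm = parsed
    if realm in REGIONAL_EXCEPTIONS:              # the exception config the text warns about
        return ("proxy", REGIONAL_EXCEPTIONS[realm])
    nro = NRO_BY_CCTLD.get(realm.rsplit(".", 1)[-1])
    if nro is None:
        return ("reject", "unknown realm " + realm)
    return ("proxy", nro)
```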
The following schematic illustrates the SP participant role:
The following are pre-requisites for SP participation:
In addition to the general institutional requirements, an eduroam AU SP is required to:
Wireless infrastructure must be configured to broadcast the “eduroam” SSID. If there is an eduroam hotspot area of substantial overlap with another institution’s eduroam network, the institution must decide whether or not to broadcast eduroam in that zone. Any risk of degraded eduroam performance should be avoided, or at least described on the institution’s eduroam AU participation webpage.
The eduroam network service recommended to provide a consistent quality of service is described in the Technical Specification.
SP institutions may have local policies or infrastructure requirements that result in network access restrictions. Any differences to the recommended service or restrictions must be described on the institution’s eduroam AU participation webpage.
eduroam is primarily used for Wi-Fi access at institutions; however, it is readily available for wired connections too. (In fact the RADIUS protocol was originally devised before wireless networks were widespread, and such access is referred to as “port-based” authenticated access via switches with RADIUS capability.) The institution should describe any availability of wired eduroam network access on its eduroam AU participation webpage.
In presenting a case for joining eduroam AU to institutional management, besides the work required to satisfy the role requirements described above, the following are proposed as useful considerations.
The benefits to an institution in participation in eduroam include:
For an IdP:
For an SP:
Cost of access to the eduroam network at a visited institution is borne by the visited institution, the user community being the closed but very large global community of research and education users.
For an IdP, the risks of participation in eduroam include:
For an SP, the risks of participation in eduroam include: