July 27, 2014

Roaming Access to Campuses Worldwide


Log on to eduroam Wi-Fi networks worldwide with your home campus credentials

Professor Heisenberg arrives at the University of Milan, the first stop on his worldwide speaking tour that includes visits to Hof University in Germany, Instituto Politécnico de Santarém in Portugal, the Russian Academy of Sciences in Moscow, and two universities in Japan, before returning to the US to present at University of Kentucky and his home campus in Albuquerque. As he opens his laptop he realizes he has forgotten to arrange for a local guest Wi-Fi account which he needs to show his demonstration running in the cloud. Yet, when Heisenberg, on a whim, enters his home username and password, the system logs him in! Although he had not been aware of it, UNIMI and in fact all the schools on his itinerary are part of eduroam and he will be able to log onto Wi-Fi at each campus simply by using his home credentials.

Back in 2003, five European institutional members of the National Research and Education Network (NREN) got together to provide a common roaming access throughout their networks. They were soon joined by universities across Europe, later extending to Australia, Canada and, with the help of the National Science Foundation (NSF), the US. The name given to this initiative was eduroam, short for education roaming.

What is eduroam?

Eduroam enables any student or faculty member to log onto Wi-Fi and access the Internet at any participating eduroam site. You simply open your laptop or turn on your mobile device and you are automatically authenticated and securely connected. Depending on local policies at the visited institutions, eduroam participants may also have access to additional resources like printers. Without eduroam, this process can often require local IT to set up a temporary account, give you the login and password, and then delete the temporary account when you leave.

The eduroam technology is based on the 802.1X standard and a hierarchy of Remote Authentication Dial-In User Service (RADIUS) proxy servers. The Extensible Authentication Protocol (EAP) framework protects the user credentials. RADIUS proxying routes the authentication requests to the user’s home institution. End users can then be provided with unfiltered Internet access.
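The realm-based routing described above, sketched as an added example (not code from the original article or from Extreme Networks). The realm names, the member list, the function names and the simplified one-TLD-per-federation model are assumptions made for illustration; only the outer identity's realm is used for routing, and malformed realms are rejected before anything is proxied.

```python
import re

# Constructed sample data using reserved TLDs; nothing here comes from the article.
LOCAL_REALMS = {"campus-a.example"}        # realms this campus authenticates itself
FEDERATION_TLD = "example"                 # TLD served by the national proxy (simplified)
FEDERATION_MEMBERS = {"campus-a.example", "campus-b.example"}

# A realm is two or more dot-separated labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def split_identity(user_name):
    """Split a RADIUS User-Name (outer identity) into (user, realm).

    Returns None when the value has no single, well-formed realm.
    """
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    realm = realm.lower()                  # realms are compared case-insensitively
    if not _REALM_RE.fullmatch(realm):
        return None
    return user, realm


def campus_next_hop(user_name):
    """Decision taken by the visited campus RADIUS server."""
    parsed = split_identity(user_name)
    if parsed is None:
        return "reject"
    return "local" if parsed[1] in LOCAL_REALMS else "national-proxy"


def national_next_hop(user_name):
    """Decision taken by the national (federation-level) proxy."""
    parsed = split_identity(user_name)
    if parsed is None:
        return "reject"
    realm = parsed[1]
    if realm in FEDERATION_MEMBERS:
        return "institution:" + realm
    if realm.rsplit(".", 1)[-1] == FEDERATION_TLD:
        return "reject"                    # our TLD, unknown member: do not send upward
    return "top-level-proxy"               # foreign TLD: hand to the top-level servers
```

Rejecting unknown realms under the federation's own TLD, rather than forwarding them upward, is a policy choice in this sketch that keeps mistyped home realms from circulating between proxies.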

Through eduroam, universities worldwide enable Bring-Your-Own-Device (BYOD) across their campuses, while providing secure network access for both their own domain users and visiting eduroam users by means of a single service set identifier (SSID).

Where is eduroam available?

Universities in over 60 countries participate in eduroam. Here is an interactive map showing all the locations.

Interactive map of eduroam members.

How can you bring eduroam to your campus?

IdentiFi™ and Eduroam Roaming Wireless Service Integration CONFIGURATION GUIDE


Implementation requires a special configuration of RADIUS servers and integration with local network management software. You can get started with eduroam at your site by visiting the “How to deploy, promote and support eduroam” wiki. The Security Assertion Markup Language (SAML) and the Shibboleth SAML extension are often used to securely integrate with eduroam. Setting up eduroam access can take from several hours to several weeks depending on your level of expertise, especially with RADIUS. For help with RADIUS and Extreme Networks gear, you will find discussions at THE HUB, the Extreme Networks online community.

We provide an eduroam configuration guide to help integrate Extreme Networks Mobile IAM (NAC) software into an eduroam solution.

Excerpt from the eduroam configuration guide with simplified schematic showing Netsight server, NAC and Wireless controller as a single “IdentiFi” module.

About The Contributor:
Bob Nilsson, Director of Vertical Solutions Marketing

Bob Nilsson is the director of vertical solutions marketing at Extreme Networks. In this role, Mr. Nilsson leads the Extreme Networks strategy and programs for vertical markets including Healthcare, Higher Education, K-12 Education, Federal Government, and Hospitality. He has over 30 years of experience in marketing IT systems to Global 1000 companies worldwide. Before joining Extreme Networks Bob was VP Marketing at Clear Methods. Prior to that Bob held senior marketing positions at Digital Equipment and HP. Bob holds an SB degree in EE from MIT and MBA from Columbia Business School.


  • Scott Armitage

    A good general overview; however, there are some minor errors in this article:

    The original test bed was formed with 5 institutions from different NRENs (not the NREN). An NREN is a National Research and Education Network. There isn’t one, each country in Europe has its own NREN.

    An eduroam with a capital E crept in. eduroam is always lowercase (it is actually a trademark). Pedantic, but it is always lowercase. Using an eduroam SSID (like in the diagram) which has a capital E doesn’t comply with the eduroam service policy (https://www.eduroam.org/downloads/docs/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf). It does seem pedantic but some sites do incorrectly configure with a capital E, which means clients don’t automatically connect. If the user is using a locked down laptop, they may not have the admin rights to join another SSID.

    WPA2 Enterprise uses 802.1X (EAP Authentication) but it isn’t also known as 802.1X. 802.1X is an authentication mechanism which can be used on both 802.11 and 802.3 networks.

    SAML has nothing to do with eduroam. eduroam uses EAP and RADIUS technology.

    For more information on how eduroam works read: http://www.ietf.org/id/draft-wierenga-ietf-eduroam-03.txt
