With research teams increasingly collaborative, cross-institutional and global, and students increasingly mobile, the need to provide more visitors with temporary secure access to wi-fi is a resourcing challenge faced by many institutions.
eduroam provides a single solution that accommodates all the mobile connectivity requirements of an institution – supporting local users connecting to the local network, visitors connecting to the local network and local users connecting to other participating networks.
eduroam is a federated authentication service that allows participating institutions to provide access to their wireless networks to users from other eduroam participating institutions using the institutional username/password credentials they use at their home institution for wireless network access, email access etc. eduroam is based on a federated authentication model where your username and password are validated by your home institution (your identity provider) and access to authorised network services is controlled by the institution you are visiting (the service provider).
The eduroam AU national policy requires that eligibility for eduroam identity provider participation is restricted to AARNet customers. The reason for this is that the AARNet access agreement is part of the policy hierarchy. Hence only institutions under an AARNet access agreement can operate as an eduroam identity provider.
As eduroam is a global identity federation, eligible institutions must also satisfy several pre-requisites to connect to eduroam. These are:
Participation in eduroam may be as both an identity provider and service provider or as a service provider only.
Service providers need to configure their wireless infrastructure to broadcast the “eduroam” SSID, and to authenticate users associating with the “eduroam” network using a standard called “IEEE 802.1x”, which involves wireless infrastructure passing an authentication request to a local “authentication server”. The authentication server (technically speaking, a RADIUS server), looks at the ‘institutionalRealm’ part of the user’s eduroam username, and if the realm is a local realm for the institution, that means the institution authenticates the user. If not, the RADIUS server forwards the authentication request to national infrastructure which is responsible for forwarding onto the user’s home institution.
Identity providers handle local realms, and perform the authentication of its users locally (if connecting to eduroam on the home campus), or remotely (the main use-case) if their user is travelling to an eduroam service provider.
Any institution with a business case for participating in eduroam may operate as an eduroam service provider, i.e. provide access to their local network to users from eduroam identity providers.
To connect your institution or find out more, please contact us