...

For eduroam, you need to add information about the RADIUS server(s) that you will be using into your WLAN controller (or stand-alone access point).

  • As a pure eduroam SP, the RADIUS server(s) in question will probably be one or more of your national federation servers, but ideally you should use your own for logging and filtering reasons. Logging is often a regulatory requirement (i.e. should a user cause trouble, you would need to be able to identify them as a visitor, and who their home organisation is). Additionally, eduroam uses usernames in the email-style format (also known as Network Access Identifier), i.e. [username]@[realm.tld]. Usernames without an @-sign are not allowed on the eduroam infrastructure (because eduroam won't know where to send the authentication request for them), and you should filter these out before sending any other requests to the national federation servers. There is guidance on how to do this in the "filtering non-realm usernames from eduroam" topic.
  • If you are both an eduroam IdP and an eduroam SP, the RADIUS server is your own RADIUS server. You will need to add the IP address of the RADIUS server as well as the shared secret, which is basically a string of characters that has been agreed by you and the operator of the RADIUS server. You may also have to add information about the ports to use, which are 1812 for authentication and 1813 for accounting. As with the eduroam SP, you must implement a form of filtering and logging on your RADIUS server.
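
The filtering and logging decision described above, sketched as an added example (not code from the eduroam documentation or from any RADIUS server). The function names, the `local_realm` parameter and the realm syntax check beyond the @-sign rule are assumptions made for illustration; the sample usernames are constructed.

```python
import logging
import re

log = logging.getLogger("eduroam-sp-filter")  # hypothetical logger name

# Assumption: a realm is two or more dot-separated labels of letters, digits
# and hyphens, matching the [username]@[realm.tld] shape the page describes.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_REALM_RE = re.compile(rf"{_LABEL}(\.{_LABEL})+")


def classify_user_name(user_name, local_realm=None):
    """Return (decision, realm); decision is 'reject', 'local' or 'proxy'."""
    if "@" not in user_name:
        # No realm: eduroam cannot route the request, so never forward it.
        return "reject", None
    user, _, realm = user_name.rpartition("@")
    realm = realm.lower()
    if not user or not _REALM_RE.fullmatch(realm):
        # Empty user part, empty realm, or a realm that is not realm.tld-shaped.
        return "reject", None
    if local_realm and realm == local_realm.lower():
        # IdP + SP case: our own users are authenticated locally.
        return "local", realm
    # Visitor: hand the request to the national federation servers.
    return "proxy", realm


def handle_request(user_name, calling_station_id, local_realm=None):
    """Classify one request and log enough to identify a visitor's home realm."""
    decision, realm = classify_user_name(user_name, local_realm)
    # %r escapes control characters so a crafted User-Name cannot forge log lines.
    log.info("decision=%s realm=%s user=%r station=%s",
             decision, realm, user_name, calling_station_id)
    return decision


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    # Constructed sample requests: (User-Name, Calling-Station-Id).
    for name, mac in [("alice", "02-00-00-00-00-01"),
                      ("bob@example.org", "02-00-00-00-00-02"),
                      ("carol@visitor.example", "02-00-00-00-00-03"),
                      ("dave@", "02-00-00-00-00-04")]:
        handle_request(name, mac, local_realm="example.org")
```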

Once you have added the RADIUS server, you need to create the eduroam SSID. This must be a network with 802.1X and WPA2/AES enabled; the SSID must be eduroam, and it needs to be broadcast. You also need to configure this eduroam network to use the RADIUS server defined previously.

...