...

The following sections provide detailed information for the two roles eduroam IdP and eduroam SP, respectively.

The eduroam SP section explains the administrative obligations for an eduroam SP and lists what should be taken into account in a wireless LAN deployment, and the set up of a RADIUS server for use in eduroam.

The eduroam IdP section explains the administrative obligations for an eduroam IdP, and the set up of several popular RADIUS servers, and means to provision configuration details of supplicants to end users.


...


Testing and supporting end users

To test the eduroam setup from an end-user perspective, see the section "How to offer support to end users". That section is also useful for helping end users get onto the newly established eduroam network on campus.

Wired eduroam

There are use cases for securing access to a wired port in the same way as to a wireless Access Point. This use case is often not primarily intended for roaming, though, as it is much more difficult for an incoming guest to locate a physical port in a building than it is to pick up a wireless broadcast signal from an access point. Rather, an IdP who has already turned his users into eduroam users might want to benefit from the existing configuration in his end users' devices to secure dormitories and similar locations, where finding the attachment point is less of an issue.

...

The eduroam consortium is media-agnostic and welcomes wired eduroam. Wired eduroam works a lot like wireless: instead of an Access Point with 802.1X support, an eduroam SP needs a wired switch with that same 802.1X support. The SP configures the switch to authenticate users of its physical ports against the same RADIUS server that his access points use (i.e. the switch becomes a RADIUS client for the eduroam SP RADIUS server). That is all; the switch is then part of the eduroam infrastructure proper, without further changes needed.

...

When connecting to eduroam, users are usually made aware that the network they are connecting to is an eduroam network simply by observing the SSID "eduroam" occurring on their computing device. In wired IEEE 802.1X networks, the concept of SSIDs does not exist. The user needs to plug in his device and try to connect in the usual way (using his supplicant, the usual EAP configuration and his eduroam credentials), which will work on the configured eduroam ports, but not at any other network ports. eduroam Service Providers are advised to give a clear indication of which ports in a building are eduroam ports and which are not. One means to achieve this is by putting an eduroam logo beside the ports in question, or announcing the existence of eduroam on a building's wired ports on a signpost near the entrance to the building.

...