eduroam in a nutshell

General overview

eduroam stands for education roaming. It offers users from participating academic institutions secure Internet access at any other participating location. The eduroam architecture that makes this possible is based on a number of technologies and agreements, which together provide the eduroam user experience: "open your laptop and be online".

...

In order to transport the authentication request of a user from the Service Provider to his Identity Provider, and the authentication response back, a world-wide system of RADIUS servers has been created. Typically every Identity Provider deploys a RADIUS server, which is connected to a local user database. This RADIUS server is connected to a central national federation-level RADIUS server, which in turn is either connected to the upstream (European/global) RADIUS server infrastructure or can connect to other RADIUS servers dynamically (using the protocol RADIUS/TLS). Because users are using usernames of the format "user@realm", where realm is the IdP's DNS domain name, often of the form institution.tld (tld = top-level domain; both country-code TLDs and generic TLDs are supported), the RADIUS servers can use this information to route the request to the appropriate next RADIUS server until the IdP is reached. An example of the RADIUS hierarchy is shown in Figure 2.1.

...

  • outer identity: this is the User-Name in the RADIUS packet and visible to all intermediate parties
  • inner identity: this is the actual user identification. It is only visible to the user himself and the Identity Provider
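The realm-based routing described in the RADIUS hierarchy paragraph above, and the fact that a proxy only ever sees the outer identity, as an added illustration that is not eduroam's or any RADIUS server's code. The federation table, realms and hostnames are constructed sample data; the inner identity never reaches this code because it travels inside the TLS tunnel to the IdP.

```python
# Constructed illustration of a national federation-level RADIUS proxy
# deciding the next hop purely from the realm part of the outer identity
# (the RADIUS User-Name attribute). Not eduroam's own code.
from dataclasses import dataclass

# Sample data (constructed): realms of IdPs directly connected to this
# national server, and the country-code TLD this federation serves.
IDP_SERVERS = {"example-university.nl": "radius.example-university.nl"}
NATIONAL_TLD = "nl"


@dataclass(frozen=True)
class RoutingDecision:
    realm: str      # realm extracted from the outer identity
    next_hop: str   # IdP server hostname, "upstream", or "reject:<reason>"


def split_outer_identity(user_name: str):
    """Split 'user@realm' into (user, realm); return None if no single realm
    can be extracted. Realms are DNS names, so compare case-insensitively
    and ignore a trailing dot. The user part may be anonymised by the
    client, which is why a proxy must route on the realm alone."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    realm = realm.strip().rstrip(".").lower()
    if not realm or ".." in realm or realm.startswith("."):
        return None
    return user, realm


def route(user_name: str, idp_servers=IDP_SERVERS, national_tld=NATIONAL_TLD) -> RoutingDecision:
    """Choose the next RADIUS hop for one Access-Request.

    1. Realm belongs to a directly connected IdP  -> forward to that IdP.
    2. Realm is under our TLD but unknown          -> reject (nowhere to go).
    3. Any other TLD                               -> hand to the upstream
       (European/global) infrastructure, which routes on the same rule.
    """
    parts = split_outer_identity(user_name)
    if parts is None:
        return RoutingDecision("", "reject:no-routable-realm")
    _, realm = parts
    if realm in idp_servers:
        return RoutingDecision(realm, idp_servers[realm])
    if realm == national_tld or realm.endswith("." + national_tld):
        return RoutingDecision(realm, "reject:unknown-realm-in-federation")
    return RoutingDecision(realm, "upstream")
```

Rejecting unknown realms under the federation's own TLD, rather than proxying them upstream, stops a request from looping through the hierarchy when no IdP can answer it.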

...