Introduction to eduroam for end users
Getting an eduroam account
In order to check if you have the possibility to use eduroam, please contact your home institution.
eduroam is based on IT industry standards and there are too many devices which support eduroam for them to be exhaustively listed here. As a general rule, you can verify whether your device can do eduroam by looking into your device's manual. Check for the following points
- Does the device support wireless encryption with WPA2/AES?
- Does the device support "Enterprise" authentication (this is sometimes also called "IEEE 802.1X support")?
If both are a "Yes", then your device is good to go in principle. There is one further question which is depending on your institution's eduroam setup though: Enterprise authentication happens via so-called "EAP Methods". Your institution has selected one or more of these EAP methods for eduroam; and their list must match your device's capabilities. Your institution will be able to tell you which EAP methods they support. To give you an idea what to look for, here is a list of popular EAP methods:
- EAP TTLS-PAP
- EAP TLS
Further to these generic instructions, we have an ongoing community effort to document known-working devices on the following page: Compatible Devices.
Configuring your compatible device for eduroam
As a golden rule, you need to configure your device only exactly once, as instructed to by your home institution. From then on, you can use all eduroam hotspots world-wide without reconfiguring anything.
Exactly how to configure your laptop or other handheld device for eduroam will depend on
- which device(s) you are using and
- your institution's local identity management configuration
If you know that your school / university / college does provide eduroam, please ask the IT staff for support with setting it up on your laptop or other devices. If your institution participates in our support tool "eduroam Configuration Assistant Tool" (eduroam CAT) then you can immediately download custom-made installers for your institution for many devices. To find out if that is the case, just hop over to https://cat.eduroam.org and try to find your institution in the list of providers.
Important: all configuration instructions are specific for the issuing institution. It is not helpful to follow configuration instructions of other institutions; the settings are different from institution to institution and you will very likely misconfigure your device if trying third-party configurations.
If you are not sure whether or not your institution provides eduroam at all, the National Roaming Operator for your country may be able to help with your enquiry. To find out more, follow the linked maps from http://www.eduroam.org/
eduroam network characteristics
eduroam networks are provided by participating institutions locally and is their own responsibility. As a roaming consortium, eduroam defines minimal compliance rules on how hotspot deployments need to act like; you can think of this as a "franchise" system.
As a result, not all eduroam hotspots are identical. You can expect the following baseline configuration at eduroam hotspots:
- Use is free of charge.
- The wireless network is encrypted with WPA2/AES.
- Your username and password is exclusively validated with IEEE 802.1X as described above.
- The network gives you access to the general internet.
In Europe, a minimum number of services ("ports") must be made available at the hotspot. The list includes sending and receiving email (encrpytedly and unencryptedly), browsing web pages (encrpytedly and unencryptedly), and access to a wide variety of Virtual Private Networking (VPN) solutions which can connect you back to your home institution in privacy. The full list of ports is available in section 6.3.3 "Specifications and Operational Requirements: Service Providers" (p.31+) of the European eduroam Service Definition.
Apart from that, you should consider every eduroam network as a "normal ISP" network. In particular, the WPA2/AES encryption only protects your traffic while it is in the air; as soon as it travels onwards onto the internet, your traffic is not encrypted any more unless you chose to use encrypted transfer protocols (e.g. browse with https:// instead of http:// ; or if you started a VPN connection).
If you do not choose to encrypt your traffic on your device, everybody on the internet may be able to see the content of your communication in clear-text; record it or create profiles from it. This is not eduroam-specific; it's the way the internet works.
eduroam Service Providers are discouraged from inspecting traffic of their users; they should rather act as a "mere conduit" provider. It is however possible that some eduroam Service Providers choose to inspect or filter traffic (by using transparent web proxies).
eduroam hotspots world-wide
eduroam is a world-wide effort. Currently, eduroam Points of Presence are located on five continents. eduroam Operations has prepared a world-wide map with all positions on all continents, please check out https://monitor.eduroam.org/map_service_loc.php.