What is eduroam

Basic information

Mobility and roaming in eduroam are based on forwarding the user's access credentials (user name, password and certificate) from the visited network to the organization where the user's account is held (the so-called home organization). This is done by an authentication and authorization infrastructure (AAI). The home organization then decides whether network access is authorized. Thanks to this technology, every connection attempt can be identified.

The most common networks included in eduroam are based on the WiFi standards 802.11b up to 802.11ac. User authentication relies on several technologies; the most common is 802.1x (network login). Sometimes this is accompanied by VPN or web-based login.

Wireless networks based on eduroam technology use the standardized network name (SSID) eduroam.

For a user to be entitled to roaming services, their account must be held at an organization connected to the AAI.


User access to eduroam

This simple example shows how easy it is to use eduroam to connect to WiFi networks supporting eduroam technology. The user registers an eduroam account at his or her home organization. The username consists of a login and a realm, separated by @, where the realm identifies the institution. After entering this information into the supplicant (the program handling the WiFi connection), the user can connect to any network supporting eduroam; most of them contain eduroam in their name.


What makes Eduroam Eduroam

The eduroam infrastructure is based on Radius servers and the 802.1x authorization protocol. Radius servers located at each home organization handle that organization's own users. A connection request from a user at any location covered by eduroam creates a secured tunnel through the eduroam infrastructure all the way to the user's home Radius server, which performs the authentication.


Radius infrastructure

A Radius server (Remote Authentication Dial In User Service) is used to verify the identity of users; it also performs user authorization and accounting based on information from the access point. The user does not communicate with the Radius server directly; only the access points do. A Radius server can also act as a proxy, in which case it does not verify user identity itself but only forwards requests to other Radius servers.

Radius servers in eduroam are grouped hierarchically. The top-level Radius servers are located in the Netherlands; each country has its own national Radius servers, and of course every connected institution has its own as well. The Radius servers in the target organizations verify the identity of their own users. The national and top-level Radius servers take care of passing on authentication requests. When a request to verify a user's identity arrives at any Radius server, the realm, which determines which institution the user belongs to, is extracted from the user name. If this Radius server is not able to verify the request itself, it is forwarded to the superior Radius server.
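The realm-based forwarding described above, as an added example that is not code from the eduroam project: a small Python model of the server hierarchy. Server names, realms and the user table are constructed for illustration; the model also reflects that proxies route on the user name alone and only the home server checks the password.

```python
"""Model of eduroam's hierarchical Radius routing (added example, not eduroam project code).
Server names, realms and the user table below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusServer:
    name: str
    realms: set = field(default_factory=set)      # realms this server authenticates itself
    users: dict = field(default_factory=dict)     # login -> password (constructed sample data)
    children: dict = field(default_factory=dict)  # realm suffix -> downstream server
    parent: Optional["RadiusServer"] = None

    def handle(self, outer_identity, credentials, hops, downward=False):
        hops.append(self.name)
        # The realm is extracted from the user name: everything after the last '@'.
        login, _, realm = outer_identity.rpartition("@")
        if realm in self.realms:
            # Only the home server terminates the EAP tunnel and compares the password.
            return self.users.get(login) == credentials["password"]
        for suffix, child in self.children.items():       # route down toward the institution
            if realm == suffix or realm.endswith("." + suffix):
                return child.handle(outer_identity, credentials, hops, downward=True)
        if downward or self.parent is None:
            # The realm falls under our domain but no member institution claims it (or we
            # are the top level and know no country for it): reject instead of looping.
            return False
        return self.parent.handle(outer_identity, credentials, hops)   # forward to superior


def build_hierarchy():
    """Top level in NL, national servers for .sk and .cz, one institution under each."""
    top = RadiusServer("top-level (NL)")
    sk = RadiusServer("national SK", parent=top)
    cz = RadiusServer("national CZ", parent=top)
    uni_sk = RadiusServer("uni.example.sk", {"uni.example.sk"}, {"alice": "s3cret"}, parent=sk)
    uni_cz = RadiusServer("uni.example.cz", {"uni.example.cz"}, {"bob": "hunter2"}, parent=cz)
    top.children = {"sk": sk, "cz": cz}
    sk.children = {"uni.example.sk": uni_sk}
    cz.children = {"uni.example.cz": uni_cz}
    return {"uni_sk": uni_sk, "uni_cz": uni_cz}


def authenticate(visited, outer_identity, password):
    """Request arriving at the visited institution's server; returns (accepted, hop list)."""
    hops = []
    accepted = visited.handle(outer_identity, {"password": password}, hops)
    return accepted, hops


if __name__ == "__main__":
    print(authenticate(build_hierarchy()["uni_cz"], "alice@uni.example.sk", "s3cret"))
```

The hop list returned for a visiting user shows the request climbing to the top level and descending to the home institution, while a realm that no institution claims is rejected at the national level.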


Network access control

There are many ways to control network access; most of them use IP-based connections or MAC address based authentication. Eduroam uses the 802.1x protocol, which enables port-based filtering on access points (it is a link layer protocol). The protocol suite is further extended by EAP (Extensible Authentication Protocol), which enables secure data exchange between clients and the Radius server network.

The main function of EAP in the Radius infrastructure is to establish a secure communication channel between the client and its home Radius server. This makes it possible to prevent the AP, or any forwarding Radius server, from seeing the user's password.

EAP serves mostly as an envelope for the authentication protocols in use. The most common eduroam authentication protocols are PEAP/MSCHAPv2 or TLS.


Secure data transfer

All networks enabling eduroam-based access guarantee that data between the computer and the access point are encrypted. Eduroam does not define which cipher protocol to use. The most common protocols are WPA or WEP104.

Copyright © 2016 | Ynet