How does Eduroam work?
Eduroam is built with IEEE 802.1X (a standard for port-based Network Access Control) and RADIUS (Remote Authentication Dial-In User Service). The hierarchy consists of RADIUS servers at the Eduroam-enabled institutions, RADIUS servers run by the National Roaming Operators and RADIUS servers for individual world regions.
The preferred wireless network authentication type is WPA2 (Wi-Fi Protected Access version 2) Enterprise, and the data encryption method to use is AES (Advanced Encryption Standard). These protocols provide high security for the Wi-Fi connection.
The IEEE 802.1X standard is used to establish communication in eduroam. For user authentication, the EAP (Extensible Authentication Protocol) authentication type is PEAP (Protected Extensible Authentication Protocol), and the authentication method, or Phase 2 authentication method, is MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol). These protocols are used to establish a secure tunnel between RADIUS servers. Authentication information is carried through these tunnels.
For an end user
- Eduroam uses open standards to enable uniform cross-platform access. Therefore eduroam works on Windows, Linux or Mac OS.
- You can connect to the Wi-Fi SSID named eduroam. You may use the Wi-Fi access username and password given to you by your institution, with the respective domain (e.g. username@domain).
- The most secure encryption and authentication standards are used in eduroam. Hence the security of eduroam significantly exceeds that of most public hotspots.
- The visited institute may have different Internet access limits than your home institute, and as a guest you may have access to fewer services on the Internet than you have at home.
For an Institute
- Configure a RADIUS server (realm based). Local domain users should be authenticated locally; authentication of remote users should be transferred to the LEARN FLR (flr.learn.ac.lk).
- Integrate your RADIUS server with your existing identity management system so that you can make the system SSO (Single Sign On).
- Configure your wireless controllers to have an SSID "eduroam" with 802.1X WPA2 Enterprise authentication (EAP) through your RADIUS server. (You may now check whether local users can authenticate.)
- Add flr.learn.ac.lk as a client and then share the secrets with LEARN.
- Let us know your RADIUS server's fully qualified domain name, with the secret, to be added to the LEARN FLR.
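
The realm-based routing decision from the first step above, written as a vendor-neutral sketch. This is an added example, not LEARN's or any RADIUS product's code. The home realm example.ac.lk, the received_from label, and the stricter handling of malformed realms and of looped requests are assumptions that go beyond the rule stated on the page.

```python
import re

# Assumptions for this sketch (not from the page): the institution's own
# realm, and a label saying which RADIUS client sent the request.
LOCAL_REALM = "example.ac.lk"   # placeholder home realm
FLR = "flr.learn.ac.lk"         # upstream proxy named on the page

# A realm is a DNS-style name: at least two dot-separated labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def route(outer_identity: str, received_from: str = "local-nas") -> str:
    """Return 'local', 'proxy:<host>' or 'reject:<reason>' for one request."""
    # Split on the last '@'; an empty user part ("@realm") is a valid
    # anonymous outer identity, so only the realm is checked.
    _user, sep, realm = outer_identity.rpartition("@")
    if not sep:
        # No realm: the request cannot be routed and must not go upstream.
        return "reject:missing-realm"
    realm = realm.lower()
    if not _REALM_RE.fullmatch(realm):
        # Typos, stray whitespace and single-label names stop here instead
        # of being forwarded to the federation for someone else to reject.
        return "reject:malformed-realm"
    if realm == LOCAL_REALM:
        return "local"
    if received_from == FLR:
        # The FLR should only hand us our own realm; sending a foreign
        # realm back to it would create a proxy loop.
        return "reject:loop"
    return f"proxy:{FLR}"


if __name__ == "__main__":
    # Constructed sample identities, not real accounts.
    for ident, src in [("alice@example.ac.lk", "local-nas"),
                       ("bob@uni.example.org", "local-nas"),
                       ("bob", "local-nas"),
                       ("bob@uni.example.org", FLR)]:
        print(f"{ident!r} from {src}: {route(ident, src)}")
```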