eduroam – Secure, Automatic Roaming Between WLAN’s

eduroam (education roaming) is the secure worldwide federated network access service developed for the international research and education community.

I’ve been really intrigued by the WLAN phenomenon eduroam which has swept across much of Europe and is being deployed in many US universities this academic year. This is a secure WLAN roaming technology, but it doesn’t require Hotspot 2.0/Passpoint/802.11u/Rev 1/Rev 2 (whatever you want to call that).

Participating institutions put up an ‘eduroam’ SSID with 802.1X authentication, and on the back-end authentication is handled by the authenticating user’s home institution’s RADIUS server, rather than the local server of the WLAN. That allows users to establish secure connections to any participating institution’s WLAN.

To get a user on the WLAN, RADIUS requests are proxied by the local RADIUS server to the eduroam regional or top-level RADIUS routing servers. The eduroam server inspects the username in the request for the domain, e.g. user@example.edu, matches the realm ‘example.edu,’ and then proxies the request to the users home institution’s RADIUS for authentication. The home institution’s server then responds through the same proxying scheme.

eduroam RADIUS routing example
eduroam RADIUS routing example

For users, it ‘just works.’ They connect to the SSID once and add it to their preferred SSID list just like any other network, then their device automatically connects securely wherever they see the eduroam SSID. Could be another university, could be a coffee shop, or even an airport.

For participating institutions, they just need to configure a few RADIUS proxying rules for users outside of their institution, and then users from hundreds of institutions around the world can securely connect to the WLAN.

If my understanding of Hotspot 2.0 is correct, the future for eduroam may be very bright. In a HS2 WLAN, a separate eduroam SSID isn’t needed. eduroam could register to become a HS2 roaming hub, then WLAN operators advertise eduroam through ANQP as a supported roaming hub on their existing 802.1X SSID, and then eduroam users will automatically connect to it. Fewer SSID’s is always better.

While all the talk about HS2 is about offloading cellular data onto Wi-Fi networks, there is real potential here for more useful federated authentication for everyone-not just cellular subscribers. eduroam is the model for that.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s