Technical design

The design of eduroam is based on port-based network access control and RADIUS.

eduroam gives users access to the internet. The user must be known at her home institution. When the user's device associates with the Wi-Fi network, a request is sent to the home institution, and access is granted only if the home institution acknowledges the user.

This is accomplished by using port-based network access control (IEEE 802.1X).

Authentication of the user is carried out at the home institution; the Extensible Authentication Protocol (EAP) exchange is carried between the visited site and the home institution.

In the stage where the authentication takes place, a RADIUS infrastructure is used. Each institution has a RADIUS server, the national operator has a RADIUS server, and each continent has a top-level RADIUS server.
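The following is an added example and not part of the eduroam documentation: a toy model of how an Access-Request for a roaming user is proxied through the hierarchy just described (visited institution, its national operator, the top-level server, the home country's national operator, the home institution). Every server name, realm, user and route below is constructed. The model also assumes, as the tunnelled EAP methods provide, that proxies route only on the realm of the outer identity and that the inner identity and password are opened only by the home institution; a proxy loop is cut off by a hop limit instead of forwarding forever.

```python
# Added example, not taken from the eduroam documentation: a toy model of how
# an Access-Request for a roaming user travels through the RADIUS hierarchy
# (institution -> national operator -> top-level -> national -> home institution).
# All server names, realms, users and routes below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_HOPS = 8  # a misconfigured proxy loop must end in a reject, not run forever


@dataclass
class RadiusServer:
    name: str
    local_realms: Set[str] = field(default_factory=set)              # realms this server is home for
    routes: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm suffix -> next hop
    default_route: Optional["RadiusServer"] = None                   # where unknown realms are sent (upwards)
    users: Dict[str, str] = field(default_factory=dict)              # inner identity -> password (constructed)

    def handle(self, outer_identity: str, eap_payload: dict, path: List[str]) -> bool:
        """Proxy or answer one Access-Request. Returns True for Access-Accept."""
        path.append(self.name)
        if len(path) > MAX_HOPS:
            return False  # loop protection: give up instead of forwarding forever
        realm = outer_identity.rpartition("@")[2].lower()
        if realm in self.local_realms:
            # Home institution: only here is the tunnelled EAP payload opened and
            # the real (inner) identity checked against the institution's user store.
            inner = eap_payload["inner_identity"]
            return self.users.get(inner) == eap_payload["password"]
        # Proxies route on the realm of the outer identity only; longest suffix wins.
        for suffix in sorted(self.routes, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                return self.routes[suffix].handle(outer_identity, eap_payload, path)
        if self.default_route is not None:
            return self.default_route.handle(outer_identity, eap_payload, path)
        return False  # nobody is responsible for this realm: Access-Reject


def build_hierarchy() -> Dict[str, RadiusServer]:
    """Constructed hierarchy: two institutions in two countries under one top-level server."""
    home = RadiusServer("uni-home.nl", local_realms={"uni-home.nl"},
                        users={"alice@uni-home.nl": "constructed-secret"})
    visited = RadiusServer("uni-visited.de")
    nl_top = RadiusServer("nl-national", routes={"uni-home.nl": home})
    de_top = RadiusServer("de-national", routes={"uni-visited.de": visited})
    eu_top = RadiusServer("eu-top", routes={"nl": nl_top, "de": de_top})
    nl_top.default_route = eu_top
    de_top.default_route = eu_top
    visited.default_route = de_top
    return {"visited": visited, "home": home, "eu": eu_top}


def roam(visited: RadiusServer, outer_identity: str, inner_identity: str,
         password: str) -> Tuple[bool, List[str]]:
    """Simulate a device at `visited` authenticating with the given identities.

    Returns the decision and the list of servers the request passed through."""
    path: List[str] = []
    payload = {"inner_identity": inner_identity, "password": password}
    accepted = visited.handle(outer_identity, payload, path)
    return accepted, path


if __name__ == "__main__":
    servers = build_hierarchy()
    ok, hops = roam(servers["visited"], "anonymous@uni-home.nl",
                    "alice@uni-home.nl", "constructed-secret")
    print("Access-Accept" if ok else "Access-Reject", "via", " -> ".join(hops))
```

Running the block shows the request for `anonymous@uni-home.nl` leaving the visited institution, climbing to the top-level server, and descending through the Dutch national server to the home institution, which alone sees the inner identity; a realm nobody is responsible for is rejected at the top-level server, and a routing loop between two servers is rejected after `MAX_HOPS` hops.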

As identity provider, the institution chooses which EAP methods to support. The most widely used are EAP-TTLS and EAP-PEAP with MS-CHAP v2.

In these methods the home institution's server authenticates itself by presenting its server certificate to the user's device. The certificate is used to secure the communication channel inside which the user's credentials are sent. The certificate is validated by matching it against the issuing CA's root certificate, so the presence of that CA root certificate on the user's device is essential to security. The certificate is installed using the installation packages from eduroam CAT.
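As an added example, not code from eduroam or eduroam CAT, the checker below shows what the paragraph above means in a device profile. It parses a constructed configuration in wpa_supplicant's `network={ ... }` syntax containing two eduroam profiles: one that sends the credentials through the tunnel without any CA root to validate the server certificate against, and one that pins the institution's CA (`ca_cert`) and the expected server name (`domain_match`). The file paths, realm and password are constructed; the option names are real wpa_supplicant options.

```python
# Added example, not part of the eduroam documentation: audit wpa_supplicant-style
# EAP profiles for the two anchors a tunnelled method needs before credentials are
# sent: a CA root to validate the server certificate, and an expected server name.
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (paths, realm and password are not real).
# The first profile has no ca_cert, so the device cannot validate who is at the
# other end of the tunnel; the second pins the CA root and the server name.
SAMPLE_CONF = """\
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@uni-home.example"
    anonymous_identity="anonymous@uni-home.example"
    password="constructed-secret"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@uni-home.example"
    anonymous_identity="anonymous@uni-home.example"
    password="constructed-secret"
    # the institution's CA root, as shipped in the eduroam CAT installer
    ca_cert="/etc/ssl/certs/uni-home-ca.pem"
    # the server name the certificate must carry
    domain_match="radius.uni-home.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELLED_METHODS = ("PEAP", "TTLS")
NAME_CHECK_KEYS = ("domain_match", "domain_suffix_match", "subject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Turn each network={...} block into a dict of option -> value (quotes stripped)."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit(net: Dict[str, str]) -> List[str]:
    """Findings for one profile; an empty list means both anchors are present."""
    findings: List[str] = []
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap") not in TUNNELLED_METHODS:
        return findings  # not a tunnelled EAP profile, nothing to check here
    if "ca_cert" not in net:
        findings.append("ca_cert missing: the server certificate is not validated, "
                        "so credentials are sent to whoever presents a certificate")
    if not any(key in net for key in NAME_CHECK_KEYS):
        findings.append("no server name check (domain_match/domain_suffix_match/"
                        "subject_match): any certificate issued by the CA is accepted")
    return findings


def audit_conf(conf: str) -> List[Tuple[str, List[str]]]:
    """Audit every profile in a configuration text; returns (ssid, findings) pairs."""
    return [(net.get("ssid", "?"), audit(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(ssid, "OK" if not findings else "; ".join(findings))
```

The second finding matters mostly when the profile trusts a public CA rather than an institutional one: with a CA root alone, any server holding a certificate from that CA would pass validation, which is why eduroam CAT installers pin both the CA and the expected server name.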