
The eduroam service is built on the IEEE 802.1X standard for securing network access in public places and on the associated hierarchy of RADIUS servers, which forward requests to the authentication server holding the user data (logins and passwords). Organizations participating in the project must have a working RADIUS infrastructure and agree to the service's terms of use.
eduroam can be deployed by following three relatively simple steps:
- Configuring a local RADIUS server and connecting it to the organization's identity directory (LDAP).
- Connecting the Wi-Fi access points to the local RADIUS server.
- Connecting the local RADIUS server to the national-level RADIUS server (NLRS).
The hierarchy of distributed RADIUS servers securely forwards the user's credentials to the RADIUS server of the user's "home" organization, which verifies them and returns the result indicating whether the user may be authenticated to the service. To keep traffic from the user's device confidential over the wireless network, modern data encryption standards are applied.
The user's home organization is responsible for maintaining and monitoring the user's information, including while the user is visiting another campus. Thus, credentials are not transferred to other organizations participating in the project. Under eduroam rules the full username (login) has the form `<username>@<domain>`. Request routing within the hierarchy of RADIUS servers is based on the part of the full username following the @ symbol (in service terminology this part is called the realm, and it usually matches the organization's FQDN).
At the top of the national eduroam hierarchy is the national-level RADIUS server (NLRS), which holds information about all connected organizations and their roles. In Russia the NLRS is operated by JSCC RAS (the Joint Supercomputer Center of the Russian Academy of Sciences).
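The realm-based routing described in the two paragraphs above (visited organization to NLRS to home organization), as an added illustration that is not code from eduroam or JSCC RAS; the organization names, realms and the three-hop limit are constructed assumptions, and only the part of User-Name after `@` drives each decision:

```python
"""Model of realm-based routing of an eduroam RADIUS request through the
visited organization -> NLRS -> home organization hierarchy.
All server names and realms below are constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    local_realms: set = field(default_factory=set)   # realms this org answers for itself
    federation: dict = field(default_factory=dict)   # realm -> home server (NLRS only)
    upstream: "RadiusServer | None" = None           # where non-local realms are proxied

def split_realm(user_name: str):
    """Return (login, realm) with the realm lower-cased, or None when the
    User-Name does not follow the <username>@<domain> rule."""
    if user_name.count("@") != 1:
        return None
    login, realm = user_name.split("@")
    if not login or not realm:
        return None
    return login, realm.lower()

def route(server: RadiusServer, user_name: str, path=None, hops=0):
    """Walk the request through the hierarchy and return (decision, path).
    decision: 'local' (home org verifies the credentials), 'reject', or 'loop'
    (assumed hop limit hit, which points at a misconfigured realm table)."""
    path = [] if path is None else path
    path.append(server.name)
    parsed = split_realm(user_name)
    if parsed is None:
        return "reject", path            # malformed User-Name is never proxied
    _, realm = parsed
    if realm in server.local_realms:
        return "local", path             # home organization: check against its directory
    if hops >= 3:                        # assumed bound: visited -> NLRS -> home is 2 hops
        return "loop", path
    if realm in server.federation:
        return route(server.federation[realm], user_name, path, hops + 1)
    if server.upstream is not None:
        return route(server.upstream, user_name, path, hops + 1)
    return "reject", path                # unknown realm: no organization can vouch for it

def build_sample_hierarchy():
    """Constructed topology: two organizations connected to one NLRS."""
    nlrs = RadiusServer("nlrs")
    home = RadiusServer("home-org", {"home.example"}, upstream=nlrs)
    visited = RadiusServer("visited-org", {"visited.example"}, upstream=nlrs)
    nlrs.federation = {"home.example": home, "visited.example": visited}
    return visited, nlrs, home
```

The `loop` outcome is the check worth keeping in mind: if the NLRS maps a realm to a server that no longer claims it, the request bounces between that server and the NLRS until the hop bound stops it.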