About EduRoam in a box
EduRoam is an Authentication and Authorization Infrastructure system for seamless user roaming in computer networks for research and education community. The system is composed of the tree-like hierarchy of Radius servers who use statically configured routing to redirect access requests from the roaming users to their home institution server.
Picture 1: Diagram of remote authentication: hierarhy of Radius servers is used for secure transport of credentials between roaming user and his home organisation. Authorisation is performed by the server in visited organisation.
Usually for each country there is an NREN (or NREN like organization) that operates the top level national radius server and describes what the requirements of the end participating organizations in his "domain" are. For example in Slovenia organizations are among other things required to:
- Broadcast SSID "EduRoam"
- Use WPA/WPA2 wireless encryption
- User anonymous@orgX.si for outer username (the one outside the TTLS Tunnel)
- Send the real User-Name after successful authentication (so the accounting information can be linked to a correct username).
- All users must be in LDAP directory
On the other hand in Netherlands they:
- Use Dynamic-WEP (802.1x authentication)
- Used whichever SSID they liked
There are some standardized settings common to all the EduRoam members but mostly the NRENs have enforced their own view of the EduRoam in their respecitve country. |