There are two levels of requirements for setting up an eduroam network. Which you need to follow depends on the role your institution will take:
- Service Providers (SP) must be able to send authentication requests on to Identity Providers, and supply a secure network for eduroam users.
- Identity Providers (IdP) must be able to authenticate users to whom they’ve provided eduroam access. As they’re also Service Providers, they also need to fulfil Service Provider requirements.
Requirements for Service Providers
- Reliable Internet access for guests.
- Operational enterprise Wi-Fi infrastructure capable of WPA2 Enterprise or WPA3 Enterprise and IEEE 802.1X network access protocol.
- Broadcast eduroam SSID. The SSID name must be in lowercase.
- RADIUS server to handle authentication requests, with logging that meets eduroam's compliance requirements.
- An eduroam webpage that provides information on the Acceptable Use Policy, the Data Collection and Privacy Policy, and where to find support.
- Availability of IT support for eduroam service.
Requirements for Identity Providers
- Effective identity management. For example, ability to deactivate users and implement a strong password policy.
- Use a realm string that is, or ends with, your institution's primary domain name. For example, both aarnet.edu.au and student.aarnet.edu.au would be acceptable realm strings.
- Ensure that the realm string is registered in the public Domain Name System (DNS) under a domain that your institution administers, either directly or by delegation.
- RADIUS server to handle authentication requests, with logging that meets eduroam's compliance requirements. A server certificate needs to be installed to encrypt the EAP authentication tunnel.
- Enable local access to an eduroam network to allow your users to configure their eduroam service before visiting other eduroam sites.
- An eduroam webpage that provides information on the Acceptable Use Policy, the Data Collection and Privacy Policy, and where to find support.
- Provide documentation on how to connect to eduroam, including the server certificate information.
Why RADIUS?
A RADIUS server is required to participate in eduroam because:
- eduroam requires that Service Providers and Identity Providers maintain at least 3 months of authentication request logs. Logs are required to provide support to eduroam users.
- RADIUS attributes provide important functionality and filtering options. For example, Framed-MTU support to prevent fragmentation of authentication packets, filtering on the realm part of usernames to decide where requests are sent for authentication, or filtering out non-essential vendor-specific attributes (VSAs).
- The RADIUS server can be given a public-facing IP address, which is required to peer with the National RADIUS Server (NRS).
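The realm rules above (a realm must be the institution's primary domain or end with it) and the realm-based filtering of usernames can be expressed as a small routing check. This is an added example, not code from the page or from any RADIUS product: it assumes a hypothetical institution with primary domain example.edu.au, and it classifies an incoming User-Name as local, proxy-to-NRS, or reject.

```python
import re

# Hypothetical institution values (assumptions for this example, not from the page).
PRIMARY_DOMAIN = "example.edu.au"                              # registered primary domain
LOCAL_REALMS = {"example.edu.au", "student.example.edu.au"}   # realms this IdP authenticates

# Conservative realm grammar: DNS-style labels with at least one dot, lowercase only.
_REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def realm_is_acceptable(realm, primary_domain=PRIMARY_DOMAIN):
    """True when the realm is the primary domain or a subdomain of it.

    The '.' prefix matters: example.edu.au.attacker.net must not pass.
    """
    realm = realm.lower()
    return realm == primary_domain or realm.endswith("." + primary_domain)


def split_user_name(user_name):
    """Split an outer identity into (user, realm); (None, None) if malformed.

    An empty user part is allowed, since eduroam clients commonly send an
    anonymous outer identity such as '@example.edu.au'.
    """
    if user_name.count("@") != 1:
        return None, None
    user, realm = user_name.split("@")
    realm = realm.lower()
    if not _REALM_RE.match(realm):
        return None, None
    return user, realm


def route(user_name, local_realms=LOCAL_REALMS):
    """Decide how to handle the User-Name of an Access-Request.

    'local'  - the realm is one we authenticate, handle it here
    'proxy'  - well-formed foreign realm, forward to the NRS
    'reject' - missing or malformed realm; never forward these upstream,
               they only generate noise and log volume at the NRS
    """
    _user, realm = split_user_name(user_name)
    if realm is None:
        return "reject"
    if realm in local_realms:
        return "local"
    return "proxy"
```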