eduroam AU Implementation Plan Overview

Participating in eduroam as an IdP+SP requires an institution to:

Pre-Deployment stage:

- Confirm institution satisfies pre-requisites for
  - identity management (IdP)
  - wireless infrastructure & internet connectivity
  - network access 'acceptable use policy' (AUP)
  - technical support capability

- Agree to comply with the eduroam AU policy (i.e. also with global policies)

Deployment stage:

- Deploy a RADIUS server to handle auth requests from wireless infrastructure
  (i.e. be the local 802.1X 'authentication server') (SP)
  Configuration items: proxying, attribute release (especially Framed-MTU),
  accounting request handling (local termination),
  test and monitoring, invalid username & realm handling (termination)

  and authenticate users where the RADIUS access request comes from the National RADIUS Servers (IdP)
  (& support local authentication for their local users connecting to eduroam on campus)
  and configure monitoring
  and capture and retain logs according to policy

- Configure institution's wireless infrastructure to broadcast "eduroam",
  with the eduroam network using 802.1X auth,
  with institution's locally deployed RADIUS server as the local 802.1X 'authentication server'
  proxying visitor requests to national RADIUS infrastructure

  Assigning users to eduroam VLAN (separate visitors from corporate LAN)
  determining network access via that VLAN (protocols)

- Create & publish a public eduroam webpage linking to the institution's network AUP,
  describing eduroam configuration for your own users and network access available to visitors via eduroam
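
The routing decision behind the RADIUS configuration items above (local authentication, proxying visitor requests, local termination of invalid usernames and realms), as an added example that is not part of the original plan or of eduroam AU's own configuration. The home realm example.edu.au, the function name and the validity rules (exactly one '@', no whitespace, a dotted DNS-style realm) are assumptions made for illustration.

```python
import re

# Assumptions for this sketch (not taken from the eduroam AU policy text):
LOCAL_REALMS = {"example.edu.au"}  # constructed home realm of this institution
# A realm is treated as valid when it is two or more DNS-style labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def route_user_name(user_name: str) -> tuple[str, str]:
    """Decide what to do with the outer User-Name of an Access-Request.

    Returns (action, reason), where action is one of:
      "local"  - authenticate against the institution's own IdP
      "proxy"  - forward to the national RADIUS servers
      "reject" - terminate locally; the request is never sent upstream
    """
    if any(ch.isspace() for ch in user_name):
        return "reject", "whitespace in User-Name"
    if user_name.count("@") != 1:
        return "reject", "missing or ambiguous realm"
    # The part before '@' may be empty (anonymous outer identity).
    _user, realm = user_name.split("@")
    realm = realm.lower()  # realms are compared case-insensitively
    if not _REALM_RE.fullmatch(realm):
        return "reject", "malformed realm"
    if realm in LOCAL_REALMS:
        return "local", "home realm"
    return "proxy", "visitor realm"


if __name__ == "__main__":
    # Constructed sample User-Name values, not captured traffic.
    samples = [
        "alice@example.edu.au",     # local user on campus
        "@Example.EDU.au",          # anonymous outer identity, home realm
        "bob@visitor.example.org",  # visitor, goes to national servers
        "carol",                    # no realm
        "dave@localhost",           # single-label realm
        "eve@example.edu.au ",      # trailing space from a supplicant typo
        "frank@a@b.example.org",    # two '@' signs
    ]
    for name in samples:
        action, reason = route_user_name(name)
        print(f"{name!r:30} -> {action:6} ({reason})")
```

Rejecting malformed requests at the institution's own server keeps them off the national RADIUS infrastructure and leaves a local log entry for the support desk.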

Audit Step:

RADIUS operability
Logs (user traceability)

On-campus connectivity/coverage?

Invite to AdminTool
Provide access to Configuration Assistant Tool

Operational Stage:

- Capture and retain RADIUS logs

- Provide eduroam Administrative & Security contact to respond to technical and security requests

- Provide 1st line eduroam support for local users and 1st/2nd line support for visitors
  (visitors should contact their own institution for 1st line support if practicable)

- Maintain their eduroam deployment info using the eduroam AdminTool