Authentication for eduroam

eduroam is an internationally federated, wireless access service for those in the academic community. The intent is for users from any one federation member to receive free wireless network access at the physical location of any other federation member.

Functionally, each federation member presents the eduroam SSID, backed by some 802.1x authentication. Users authenticate to that network with a username of the form userId@realm, where the userId is some identifier assigned to that user, and the realm is some identifier unique to the federation member itself. Typically a member's internet domain is used, so the realm for Virginia Tech's users is vt.edu; e.g. player1@vt.edu.

Since the realm for any federation member is commonly its internet domain, eduroam usernames appear to be email addresses. This isn't necessarily true!

Once a user attempts to connect to the eduroam network, a local authentication server analyzes the realm in the provided username. If the user is on their home campus then the realm is also local, and the server authenticates the user itself. If the realm represents some other federation member, the user is considered to be roaming, and their authentication must be proxied to their own home server.

The request is proxied to the eduroam federation which determines which of the federated members the realm is associated with, and again proxies the request to them. That remote server performs the actual user authentication, returns the result to the eduroam server, which finally returns it to the server where the user originated the network access request.