eduroam SP
Basic deployment considerations for wireless LANs
An eduroam wireless network is a wireless network. This sounds trivial, but it is important to keep in mind that
- a poorly managed wireless LAN won't magically become better by naming it eduroam. Before diving into eduroam-specific configuration, make sure you understand how to manage
  - WiFi coverage
  - bandwidth requirements
  - enough DHCP addresses to accommodate all clients
- by naming the network eduroam, you are becoming part of a world-wide recognised brand. Arriving users will treat it as an eduroam network and bring a set of expectations for such networks. If your wireless network fails to deliver on the points mentioned above, users will consider this an eduroam failure, and your installation will hurt the global eduroam brand, not only your own site and users.
This section provides general advice regarding eduroam deployment on a wireless LAN. It does not include information on general WLAN network planning and setup; it only covers topics essential to deploying eduroam on a wireless LAN that is already set up.
Administrative obligations of eduroam SPs
Set up of WiFi hotspots
All of the solutions presented below support the basic requirements for an eduroam SP: IEEE 802.1X authentication and WPA2/AES. When deploying eduroam, deployers often want to make use of additional features such as multi-SSID support, dynamic VLAN assignment and others. Every section contains a table with a short overview of the solution's support for such additional useful features.
Cisco (controller-based solutions)
Feature | supported? |
---|---|
multi-SSID | yes |
VLANs | yes |
dynamic VLAN assignment | partial; not with IPv6 |
Cisco (stand-alone APs with IOS)
Feature | supported? |
---|---|
multi-SSID | yes |
VLANs | yes |
dynamic VLAN assignment | yes |
Aruba
Trapeze (Juniper)
Fortinet (Formerly Meru)
Feature | supported? |
---|---|
multi-SSID | yes |
VLANs | yes |
dynamic VLAN assignment | yes |
Lancom
Feature | supported? |
---|---|
multi-SSID | yes |
VLANs | yes |
dynamic VLAN assignment | yes |
Apple AirPort Express
Feature | supported? |
---|---|
multi-SSID | no |
VLANs | no |
dynamic VLAN assignment | no |
Set up of networking equipment in the network core
Since an eduroam hotspot always uses the RADIUS protocol to connect to a RADIUS authentication server, your network setup must allow this RADIUS communication. This includes opening firewalls for traffic from the WLAN equipment (AP/Controller) to UDP port 1812 (do not confuse this with TCP!). The RADIUS protocol can easily create UDP fragments, and will not function fully without UDP fragmentation support. Be sure to check whether your equipment supports and allows forwarding of UDP fragments.
If you deploy your own RADIUS server for eduroam SP purposes (see below), also make sure that its own uplinks to your National Roaming Operator are open in the same way.
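Why RADIUS fragments so easily, as an added example that is not part of the original page: the sketch below builds an Access-Request carrying one EAP packet and counts the IPv4 packets needed to transport it. The user name, shared secret, EAP payload sizes and the 1500-byte MTU are constructed sample values, and IPv4 without header options is assumed.

```python
import hashlib, hmac, os, struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(code: int, value: bytes) -> bytes:
    # RADIUS attribute: type (1 byte), length (1 byte, header included), value (max 253 bytes)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value

def access_request(user: bytes, eap: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Build an Access-Request carrying one EAP packet (RFC 2865 / RFC 3579 layout)."""
    attrs = attr(USER_NAME, user)
    # An EAP packet longer than 253 bytes is split over consecutive EAP-Message attributes.
    for i in range(0, len(eap), 253):
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    length = 20 + len(attrs)                         # 20-byte RADIUS header
    if length > 4096:
        raise ValueError("RADIUS packets are limited to 4096 bytes")
    # Code 1 = Access-Request, followed by a random 16-byte Request Authenticator.
    packet = struct.pack("!BBH", 1, ident, length) + os.urandom(16) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                        # fill in Message-Authenticator

def ip_fragments(radius_len: int, mtu: int = 1500) -> int:
    """IPv4 packets needed for one RADIUS datagram (20-byte IP header, no options)."""
    udp_len = 8 + radius_len                 # UDP header + RADIUS packet
    per_fragment = (mtu - 20) // 8 * 8       # fragment payloads are multiples of 8 bytes
    return -(-udp_len // per_fragment)       # ceiling division

if __name__ == "__main__":
    # Constructed sample values: outer identity, shared secret, EAP payload sizes.
    for size in (200, 1400):
        pkt = access_request(b"anonymous@example.org", bytes(size), b"testing123")
        print(f"EAP {size:4d} B -> RADIUS {len(pkt):4d} B -> "
              f"{ip_fragments(len(pkt))} IPv4 packet(s)")
```

A result above 1 means a firewall or middlebox that drops UDP fragments silently breaks that authentication, even though small RADIUS packets on port 1812 pass.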
Set up of eduroam SP RADIUS servers