Fast track guide to Visited-only service


Created 4/06/2021

Fast Track Guide to implementing an eduroam Visited-only (Wi-Fi for guest visitors) service. This document was originally produced in response to the initiative to encourage deployment of eduroam services alongside existing govroam services by local authorities. It can nevertheless be used as a guide for any organisation wishing to participate in eduroam as a 'Service Provider' and deliver a visitor-only Wi-Fi service, for instance NHS Hospital Trusts, conference venues or organisations wishing to take a first visitor-only step towards a full Home and Visited service.

Reference should be made to the Implementation Roadmap for guidance on each stage. The sections relating to setting up a Home (IdP for your own users) service are skipped. There are links below for each step of the process, but please ensure that at each step your deployment complies with the Technical Specification.

  1. If you are planning a joint eduroam and govroam service, decide on the model for your implementation section 1 (Nb switch references eduroam <-> govroam!) - if you are only going to provide eduroam, decide where on your network/cloud to host your RADIUS service
  1. Join the eduroam(UK) federation (free of charge) – provides access to the eduroam(UK) Support portal for system config/diagnostics
  1. Install RADIUS servers/adapt existing deployment, provision fixed public IP address, FQDN and DNS A record and peer the server with the eduroam(UK) national RADIUS proxy servers (NRPSs) section 6 and section 9
  1. Configure your firewall to permit your RADIUS servers to interoperate with the eduroam(UK) national proxy RADIUS servers section 8 and section 13
  1. Create an eduroam network service/VLAN providing access to the internet that your visitors will be connected to once authenticated section 12
  1. Configure your APs to broadcast the eduroam SSID, supporting WPA2 Enterprise – wherever you wish to provide the services over your estate section 12 
  1. Set up the APs/WLC to peer with your RADIUS servers to forward authentication requests from devices associating with the eduroam SSID section 12         
  1. Configure your RADIUS servers to forward requests to the NRPS (for onwards forwarding and authentication) section 10
  1. Configure your APs/WLC to connect authenticated eduroam users to your eduroam network service/VLAN section 12   
  1. Ensure your RADIUS and DHCP logging meets specified requirements section 17
  1. Test and validate your service section 16 and section 20 and
  1. Assert service compliance on eduroam(UK) Support server and advertise your eduroam service (including a link to on your web site
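
The RADIUS and DHCP logging step matters because the two logs together let an IP address from an abuse report be traced to the visitor's home realm. The sketch below is an added example, not part of the original guide or of eduroam(UK) material: it joins constructed DHCP and RADIUS records on MAC address, and the record fields, names and sample values are assumptions rather than the Technical Specification's list.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed fields; timestamps in UTC).
DHCP_LEASES = [
    # (lease start, lease seconds, client MAC, assigned IP)
    ("2021-06-04T09:00:10", 3600, "AA-BB-CC-00-00-01", "10.20.0.15"),
    ("2021-06-04T10:30:00", 3600, "aa:bb:cc:00:00:02", "10.20.0.15"),
]
RADIUS_AUTHS = [
    # (time, outer identity, Calling-Station-Id, result)
    ("2021-06-04T09:00:05", "anonymous@example.org", "aa-bb-cc-00-00-01", "Access-Accept"),
    ("2021-06-04T10:29:40", "visitor@example.net", "AABB.CC00.0002", "Access-Reject"),
    ("2021-06-04T10:29:55", "visitor@example.net", "AABB.CC00.0002", "Access-Accept"),
]

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def ts(text):
    return datetime.fromisoformat(text)

def trace(ip, when, leases=DHCP_LEASES, auths=RADIUS_AUTHS):
    """Return (mac, outer_identity, realm) for the device holding `ip` at
    `when`, or None if the logs cannot answer the question."""
    when = ts(when)
    holder = None
    for start, seconds, mac, leased_ip in leases:
        begin = ts(start)
        if leased_ip == ip and begin <= when < begin + timedelta(seconds=seconds):
            if holder is None or begin > holder[0]:
                holder = (begin, norm_mac(mac))
    if holder is None:
        return None  # no lease covered that instant: a logging gap
    mac = holder[1]
    # Latest successful authentication by that MAC at or before `when`.
    accepted = [(ts(t), ident) for t, ident, csid, result in auths
                if result == "Access-Accept" and norm_mac(csid) == mac
                and ts(t) <= when]
    if not accepted:
        return None  # lease without a matching Access-Accept
    ident = max(accepted)[1]
    return mac, ident, ident.rpartition("@")[2]
```

A `None` result during validation points at a gap: clocks out of sync between the DHCP and RADIUS servers, logs not retained, or a MAC address field missing from one of the two sources.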