What is eduroam?

eduroam (education roaming) is a secure, world-wide roaming network access service developed for the international research and education community.

A student or staff member of an eduroam participating institution may use the network at all other sites where eduroam is available.

The map on this website provides information on where to find eduroam in Norway.

You can find eduroam locations world-wide via https://www.eduroam.org or the eduroam companion app for iOS and Android.

Technical background

Access to an eduroam network can be offered through an Ethernet or a wireless connection. All sites in Norway use IEEE 802.1X authentication and wireless networks are AES encrypted. IEEE 802.1X authentication with AES encryption conforms to the IEEE 802.11i standard (and WPA2).

IEEE 802.1X is able to use various authentication protocols through the Extensible Authentication Protocol (EAP). The protocols in use in our networks provide mutual authentication, checking the identity of both the authentication server and user. These protocols are TLS, TTLS or PEAP.

All of these methods require the public certificate of the Certificate Authority (CA) that has issued the certificate of the authentication server. The client will use the CA public certificate to check if the authentication server's certificate is valid.

TLS requires the user to have a personal digital certificate issued. The authentication server will check if the user's certificate is valid.

TTLS and PEAP are similar methods that both use the authentication server's certificate to create an encrypted tunnel using TLS. This makes it possible for the user to safely transmit a username and password. The username and password are transmitted using MS-CHAPv2.

Illustration of an encrypted tunnel using TLS between client and authentication server

At your home institution, your local RADIUS server checks whether your credentials are correct. When you connect at another eduroam site, that site's RADIUS server forwards your authentication request to the next-level RADIUS server in a hierarchy of servers. Every national top-level RADIUS server knows where to forward authentication requests from users within its nation. Requests from users from other countries are forwarded to an international top-level RADIUS server, which in turn forwards them to the correct country.

For all this forwarding to work, each user must be uniquely identified. The user name must be followed by '@', organization and country. For example, if your user name is "brukernavn" and you work at Sikt in Norway, your full identity/user name should be "brukernavn@sikt.no". If you neglect to use your full identity/user name, you might still be able to log on at your home institution, but other institutions will not be able to check your identity and you will be denied access.

Diagram showing eduroam hierarchy from institution level to international top-level
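
The forwarding decision described above can be sketched in a few lines of Python. This is an added example, not code used by eduroam or Sikt: the function names and the example-uni.no / example-uni.se realms are made up, and it assumes every realm ends in a country label, as the text describes.

```python
def parse_realm(identity):
    """Return the lower-cased realm of 'user@organization.country',
    or None when the identity carries no usable realm."""
    user, sep, realm = identity.rpartition("@")
    labels = realm.lower().split(".")
    # Reject: no '@', empty user, a second '@', a realm without a
    # country label ('user@sikt'), or empty labels ('user@sikt..no').
    if not sep or not user or "@" in user:
        return None
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels)


def forwarding_path(identity, visited_realm):
    """List the RADIUS servers a request passes through, in order.

    visited_realm is the realm of the site where the user connects.
    The last entry is the server that has to decide the request.
    """
    visited = visited_realm.lower()
    path = ["institution:" + visited]
    realm = parse_realm(identity)
    if realm is None or realm == visited:
        # Local user, or no realm to route on: the request never leaves
        # the visited site. A visitor without a realm is unknown to this
        # server, so the request ends in a denial.
        return path
    home_cc = realm.rpartition(".")[2]
    visited_cc = visited.rpartition(".")[2]
    path.append("national:" + visited_cc)
    if home_cc != visited_cc:
        # Another country: go through the international top level.
        path += ["international", "national:" + home_cc]
    path.append("institution:" + realm)
    return path


if __name__ == "__main__":
    # Constructed sample sites; only sikt.no comes from the text above.
    for site in ("sikt.no", "example-uni.no", "example-uni.se"):
        for ident in ("brukernavn@sikt.no", "brukernavn"):
            print(site, ident, " -> ".join(forwarding_path(ident, site)))
```

Running it prints the path for each combination of site and identity; the bare user name never gets past the first server, which is why it only works at home.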

You must have a client installed on your computer that is able to authenticate using IEEE 802.1X with the correct EAP protocol and that supports the required encryption method. There are many such clients available with support for Linux, Windows and OS X. For Linux there is wpa_supplicant, or Xsupplicant for a wired connection. Windows and OS X have had built-in support for a while now.