Eduroam campus setup in a nutshell

Intended audience of this howto: IT department managers and system administrators of institutions interested in deploying eduroam on their campus.

Provided you already have a working wifi environment, setting up eduroam on a campus is a fairly easy task. The following three requirements need to be met:

    • eduroam SSID/VLAN

        • Configure an SSID called exactly "eduroam" with a corresponding VLAN. This VLAN should provide unfiltered Internet access.
        • Make sure the wifi network supports WPA2-AES (Enterprise).
        • Configure a management VLAN. On this VLAN, the access points must be able to reach the RADIUS proxy server.

    • Local authentication

        • Configure a RADIUS server to authenticate your local realm (e.g. @localuni.ch) against your user backend. We recommend using FreeRADIUS 2.1 on Debian Linux. You should configure at least one of EAP-TTLS/PAP, PEAP or EAP-TLS. Typically, EAP-TTLS is the easiest from a server perspective but needs an additional supplicant on Windows. PEAP works best with Windows, but needs NTLM authentication (using Samba) on the RADIUS server. Please contact mobile@switch.ch for advice and configuration examples.

    • RADIUS proxy server

        • On your RADIUS server, configure a proxy rule that sends all non-local authentication and accounting requests to the Swiss TLD RADIUS servers at SWITCH. For technical details, please contact mobile@switch.ch.
        • Configure the two Swiss TLD RADIUS servers as clients.
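
The proxy rule and client entries described above could look as follows in FreeRADIUS 2.x. This is an added example, not a configuration supplied by SWITCH. The names tld1, tld2 and eduroam_tld are hypothetical, and the IP addresses (documentation range) and shared secrets are placeholders for the values you receive from SWITCH.

```conf
# ---- proxy.conf (added example; addresses and secrets are placeholders) ----
home_server tld1 {
    # auth+acct: Access-Requests go to "port", accounting to port + 1
    type   = auth+acct
    ipaddr = 192.0.2.10
    port   = 1812
    secret = CHANGE_ME_TLD1
}
home_server tld2 {
    type   = auth+acct
    ipaddr = 192.0.2.20
    port   = 1812
    secret = CHANGE_ME_TLD2
}
# Try tld1 first and fail over to tld2 when it stops answering
home_server_pool eduroam_tld {
    type        = fail-over
    home_server = tld1
    home_server = tld2
}
# A realm without a pool is handled locally (your own users)
realm localuni.ch {
}
# User names without any realm stay local instead of matching DEFAULT
realm NULL {
}
# Every other realm is proxied; nostrip keeps user@realm intact upstream
realm DEFAULT {
    pool = eduroam_tld
    nostrip
}

# ---- clients.conf: accept roaming requests for @localuni.ch from the TLD servers ----
client tld1 {
    ipaddr    = 192.0.2.10
    secret    = CHANGE_ME_TLD1
    shortname = tld1
}
client tld2 {
    ipaddr    = 192.0.2.20
    secret    = CHANGE_ME_TLD2
    shortname = tld2
}
```

Realm matching relies on the suffix module being listed in the authorize section of the virtual server. Use a distinct, long random secret per TLD server rather than reusing the secret of your access points.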

If you already run a wifi network and a RADIUS server (or you can easily deploy a new Linux server/VM), setting up eduroam properly takes approximately two working days.

Please find information about how to set up and deploy eduroam on your campus on the official eduroam website:

If you intend to deploy eduroam on your campus, please contact us at mobile@switch.ch in order to discuss the technical details.