Glossary of terms

The following are descriptions of some of the terms used in this website.

802.1X

802.1X is an IEEE standard for port-based access control. It operates at layer 2 and restricts access to a wireless/wired switch port to authenticated users only. 802.1X uses EAP to facilitate the exchange of user credentials between an eduroam wireless client/supplicant and a back-end authentication server.

The use of 802.1X is central to eduroam as it allows user credentials to be passed securely between the eduroam user's device and their home IdP server.


AES (Advanced Encryption Standard)

AES is a block cipher which can be used to encrypt wireless data. It is believed by many to provide stronger security than TKIP but is only available on modern hardware and therefore is not as widely deployed.


EAP (Extensible Authentication Protocol)

EAP is an authentication framework that supports a number of authentication mechanisms (or EAP methods). It facilitates the exchange of authentication data betwween a client and an authentication server. There are many EAP methods, including EAP-TLS (authentication via client certificate over a TLS tunnel), EAP-TTLS (authentication via something other than a client certificate, over a TLS tunnel), PEAP (similar to EAP-TTLS), EAP-SIM (authentication via a SIM card), etc.

The use of 802.1X and EAP within eduroam means that eduroam member sites are not constrained in the authentication mechanism that they choose to use for their own roaming users.


FLR (Federation Level Radius server)

Within Ireland, HEAnet operates the national level Radius servers which gateway authentication and accounting requests between Irish eduroam member sites and the larger eduroam infrastructure. The Irish academic and research community served by these national servers is a form of federation and the national servers are known as Federation Level Radius Servers (FLR's).


IdP (Identity Provider)

In the context of eduroam, an IdP is a site which processes authentication requests for its own users and returns a response to indicate whether the user has supplied the correct credentials. Whenever an eduroam user roams to an eduroam SP site and associates with the eduroam wireless LAN at that site, they are authenticating against their home IdP server via the eduroam infrastructure.


Realm

Within eduroam the realm is used to identify the home site of a roaming user. The username of an eduroam user must incorporate the realm so that the authentication request for that user may be routed to the appropriate home/IdP site via the eduroam infrastructure.

Obviously, the realm of each site must be unique and so the convention within eduroam is that each site uses their primary domain name, which must already be unique, as their realm. For example, the realm for HEAnet staff is heanet.ie.


SP (Service Provider)

In the context of eduroam, a SP is a site which provides wireless LAN access to visiting eduroam users. The visiting eduroam users are authenticated by their home IdP server via the eduroam infrastructure.


TKIP (Temporal Key Integrity Protocol)

TKIP is an enhancement to WEP which significantly reduces the risks associated with the use of WEP to encrypt data transmitted wirelessly. TKIP is a wrapper around WEP, allowing existing hardware to continue to be used (TKIP is available via a software upgrade on many devices) but with stronger protection than that provided by WEP. TKIP uses the RC4 stream cipher with 128-bit keys.

TKIP is the minimum levevel of encryption required to be supported by eduroam SP sites.


WEP (Wired Equivalent Privacy)

WEP is the in-built encryption algorithm of the 802.11 standard, intended to securely encrypt data transmitted wirelessly. However, WEP provides very poor security and therefore is considered inadequate in most circumstances and its use in eduroam is prohibited. WEP uses the RC4 stream cipher with 40 or 104-bit keys. TKIP is a stronger alternative to WEP.


WPA (Wi-Fi Protected Access)

WPA is a standard from Wi-Fi Alliance that specifies the use of 802.1X for user authentication and TKIP for encryption of data on the wireless network. Devices may be found that state WPA compliance but also claim AES for encryption but the use of AES with such an appliance is not certified.

WPA features two different modes of operation:

  • WPA PSK (Pre-Shared Key) Mode, also sometimes referred to as WPA Personal, whereby a common shared secret is used for authetication of all users.
  • WPA Enterprise Mode, whereby a Radius server is used to authenticate users against a database.

Within eduroam, only WPA Enterprise Mode may be used at a SP site i.e. WPA PSK/Personal may not be used for eduroam.


WPA2

WPA2 is the same as WPA except that WPA2 uses AES for encryption while WPA uses TKIP. WPA2 devices may also support TKIP, but they are required to support AES. As such, WPA2 is considered to provide greater protection of wireless traffic than WPA.

WPA2 features two modes of operation, WPA2 PSK/WPA2 Personal and WPA2 Enterprise, and the description of these is the same as for the equivalent WPA modes. And, as with WPA, only WPA2 Enterprise Mode may be used within eduroam, WPA2 PSK/Personal may not be used.