spaces.at.internet2.edu has been upgraded to Confluence 6.15.10. If you have any questions and/or concerns, please contact us at techsupport@internet2.edu
Child pages
  • 7. eduroam_US End-User Configuration Guide
Skip to end of metadata
Go to start of metadata

This document assumes the Gnome desktop shipped with many common Linux distributions.  To join eduroam with the Gnome windowing system you must configure the NetworkManager with an eduroam profile.  When asked for your credentials provide credentials based on the following.  If you are from example.edu (your "realm") and your username (sometimes called NetID) is traveler then your login name is traveler@example.edu.  Your password is your normal password at your home institution.

Creating an eduroam Profile

Open the NetworkManager as seen below, select the Wireless tab and click "Add".

New Network Connection

In the dialog that appears change the "Connection Name" to eduroam.  You may opt to check the "Connect automatically" check box.  Then fill the Wireless configuration tab as seen in the image below.  The SSID should be "eduroam" (without quotes) and the Mode should be set to "Infrastructure".  Next select the "Wireless Security" tab.


Generic SSID Configuration


Table of Contents



This document assumes the Gnome desktop shipped with many common Linux distributions.  To join eduroam with the Gnome windowing system you must configure the NetworkManager with an eduroam profile.  When asked for your credentials provide credentials based on the following.  If you are from example.edu (your "realm") and your username (sometimes called NetID) is traveler then your login name is traveler@example.edu.  Your password is your normal password at your home institution.

Creating an eduroam Profile

Open the NetworkManager as seen below, select the Wireless tab and click "Add".

New Network Connection

In the dialog that appears (see below) change the "Connection Name" to eduroam.  You may opt to check the "Connect automatically" check box.  Then fill the Wireless configuration tab as seen in the image below.  The SSID should be "eduroam" (without quotes) and the Mode should be set to "Infrastructure".  Next select the "Wireless Security" tab.

Generic SSID Configuration


In the Wireless Security tab there are many settings to configure.


  • In the "Security" drop-down box select "WPA & WPA2 Enterprise". 
  • In the Authentication drop-down menu select the PEAP or TTLS authentication method, whichever is used by your home institution. 
  • In the "Anonymous identity" box enter anonymous@<your realm> (i.e. anonymous@example.edu in the case described at the top of this document). 
  • Unless your home institution provides a CA certificate leave that drop-down empty. If the institution provides a certificate, select it by clicking the file icon on the right side of the widget. If you are using PEAP leave the "PEAP version" drop-down set to "Automatic".  TTLS users have no analogous setting. 
  • In the "Inner authentication" drop-down select the appropriate option for your home institution (often MSCHAPv2). 
  • Finally provide your username and password from your home institution.  See below for completed forms.  Once the forms look correct (something like shown below) press "Apply."


PEAP Configuration


TTLS Configuration


Finally, if you have not selected a CA Certificate in the previous step you will be warned (as seen below). Simply select "Don't warn me again" and press "Ignore" unless you have a certificate, at which point please select it.


no CA Cert warning


After these settings are configured, you should be able to connect by pressing "Connect" in the following dialog. In the future you may connect via the NetworkManager icon in the task-bar.



Configuring Mac OSX

This section was  written for OSX Snow Leopard (10.6).

To join eduroam on OSX simply select the eduroam SSID from the Airport menubar icon.  When asked for your credentials provide credentials based on the following.  If you are from example.edu (your "realm") and your username (sometimes called NetID) is traveler then your login name is traveler@example.edu. Your password is your normal password at your home institution. 

Security Information

If you have not already added the SSL/TLS certificate from your home institution to your keyring you will be asked to do so now. You should then be connected to eduroam and be able to surf as normal.

Hint:  To view your home institution's RADIUS certificate and allow the Keychain to verify the certificate of your home institution before providing your username and password you can use a two-step verification process:

  • First provide the username anonymous@example.edu (where example.edu is your home institution as above), and an empty password.  If you have not stored the certificate in your keyring you will be presented your home institution's RADIUS server certificate. If it is correct you can store then it to your Keychain (you will be asked for the computer's administrator password if you are not running as administrator). It is recommended you do this the first time while at your home institution, and if possible verify the certificate's fingerprint with your IT staff. This simple check is the foundation of all security within the eduroam network.
  • If you have previously verified and stored the certificate for your home institution this step allows the Keychain to verify the certificate before you provide your real credentials mitigating the damage from a rogue man-in-the-middle attack.  Once the certificate has been verified (and possibly stored) you will be asked for your credentials a second time.  This time provide your real credentials as above and you will be connected to the network.

Storing your credentials in an eduroam profile

To create a permanent eduroam profile for connecting to the network with the correct settings, including "inner" and "outer" identities follow the following instructions:

In Network Preferences (the bottom menu item in the Airport menu), with the Airport card selected, click "Advanced..." in the lower right-hand corner.  In the advanced settings select the 802.1X tab.

As seen below please create a new 802.1x "User Profile" and fill in your username and password as shown in the second image.  If you would prefer to be prompted for your password each time you connect to eduroam leave the password field blank.  Select the appropriate authentication methods (TTLS or PEAP generally), and select the eduroam network in the "Wireless Network" drop-down list. 

New 802.1x Profile

To configure your "outer-identity," which is what the institution you are visiting and the other eduroam servers between the visited institution and your home institution, do the following.

  • Select the PEAP or TTLS authentication method, whichever is used by your home institution (both may be allowed so follow the instructions for both in that case). Click on "Configure..." just below the Authentication methods list. 
  • In the dialog box that pops up entire anonymous@<your realm> (i.e. anonymous@example.edu in the case described at the top of this document).  If you are using TTLS then make sure to configure your "TTLS Inner Authentication" as appropriate for your home institution as well.  When you are done you should have filled out the appropriate forms similarly to the images below.

PEAP Configuration


TTLS Configuration


The next step is to configure your home institution's RADIUS server certificate. For help with this please contact your home-institution helpdesk as they will have the information on your certificate. If you have previously joined the eduroam network, preferably from home the first time, and accepted the certificate provided then it should be in your Keychain. If not you may need to add it from a file per the instructions from your home institution.

Assuming the certificate is in your Keychain we will allow that certificate to be used by default for eduroam.

  • Click the "Configure Trust" button (bellow the Authentication Methods list).
  • Click the "+" in the lower-left corner of the dialog and select either "Select Certificate File" (if you have downloaded the certificate file to your hard drive previously) or "Select Certificate from Keychain" if you've previously accepted it (see the first image below). In the prior case, navigate your hard drive to find the file, select it, and click "Ok". In the latter case (the second image below) find your home institution's certificate in the list, select it, and click "Ok".
  • Your home RADIUS server should now be listed in the "Certificates" tab of the dialog (the third image below). You may optionally list RADIUS servers to trust (the fourth image below).
  • If you wish to do so select the "Servers" tab, click the "+" and provide the DNS name or IP address of the RADIUS servers you wish to trust. Please consult your home institution for help with this step.
  • Once you have selected certificates and/or servers click "Ok" to return to the 802.1X configuration tab.


Configure Trust - Certificates

Select CA Certificate (from Keychain)


CA Certificate Selected

Configure Trusted Server


After completing all of the steps above your preferences screen should look similar to the image below. If so please click "Ok" to return to the Network Preferences pane.


Completed 802.1x Profile


Upon returning to the main Network Preferences pane click "Apply" in the lower-right corner of the dialog.  Then select the eduroam network from the "Network Name" drop-down list.  After connecting you should see your 802.1X authentication status below the network name.  If all went well in your configuration you should now be connected to the eduroam SSID and able to surf as usual.



For further information please see the Apple Knowledge Base article on configuring 802.1x networks in OSX 10.5.

Configuring Windows 7

Setting up the Network and Sharing Center for Windows 7

Right click the network icon on the lower right side of the screen and then click Open Network and Sharing Center.

Click Manage wireless networks.

Click "add" then click "Manually connect to a wireless network."

Click "Manually create a network profile" and populate the information as shown below.


Click Next and you should see a Successfully added eduroam window.



Click "Change connection settings" and select the Security tab and then click "Settings" after verifying that "Microsoft: Protected EAP (PEAP)" is selected in the drop-down menu labeled "Choose a network authentication method:"


Click the configure button next to the Select authentication method drop down box.

Uncheck "Automatically use my windows username and password" and click Ok.



Click the advanced settings button.



Check the Specify authentication mode box and select User authentication from the drop down box.

Click Ok then click Ok again on the eduroam Wireless Network Properties window.

Close the Manage Wireless Networks window.

Click the network icon on the lower right hand side of the screen.

Click eduroam and click connect.

When you see the "additional information is needed to connect to eduroam" balloon click on it.



When you see the Network Authentication box, provide your credentials in the form of username@<your institution>.  If you are from example.edu (your "realm") and your username (sometimes called NetID) is traveler then your login name is traveler@example.edu.  Your password is your normal password at your home institution.



Congratulations. You should now be connected to eduroam.

Thank you to Lindsey Chesnutt at UTK for gathering these directions



  • No labels