Mathematical Problems of Computer Science 53, 63--66, 2020.

UDC 004

Development of Multi-EAP Radius Configuration for eduroam Service

Arthur S. Petrosyan, Gurgen S. Petrosyan, Robert N. Tadevosyan and Kevork Kh. Arsalanian

Institute for Informatics and Automation Problems of NAS RA

e-mail: arthur@sci.am, gurgen@sci.am, robert@sci.am, kevork.arsalanian@sci.am

Abstract

This paper describes a mechanism for authenticating eduroam users from multiple realms via a single multi-EAP radius configuration. The solution is based on the fact that some organizations that are willing to join the eduroam community and use the service, especially in small communities, do not have a huge number of users, so it is cost-effective to serve them from a single RADIUS server instead of running a separate radius server for each realm. The solution is unmatched in terms of practical open implementation. It has been implemented and tested in the ASNET-AM network.

Keywords: eduroam, WiFi, Wireless, EAP, Authentication, Radius

1. Introduction

In the original eduroam model [1], institutions that would like to join eduroam have to install and configure their own Institutional RADIUS Server (IRS), which must be registered at the Federation Level RADIUS Server (FLRS) within the National Roaming Operator (NRO). Every organization has to follow these steps regardless of its number of users, which is not cost-effective for organizations with a small number of users. Therefore, the solution of using a single RADIUS server for multiple institutions (organizations, universities, etc.) has been devised, developed and successfully implemented.

2. Architecture

Generally, a separate radius server is configured for each realm in eduroam, which is normal for big organizations with thousands of active users. But for organizations with hundreds or tens of users, having a separate radius server may not be so practical.
In addition, some NROs provide hosted radius solutions for connecting institutions, and for such relatively small institutions it is much more cost-effective for the NRO to use a single RADIUS server for multiple supported realms instead of creating a separate radius server for each supported realm.

With this configuration, it is now possible to use a central RADIUS server with multiple Extensible Authentication Protocol (EAP) configurations, one for each supported realm [2]. The number of realms supported is unlimited. The authentication itself is performed at the institution site, as before, using the authentication method that is applicable to a particular institution (IMAP-based email authentication, LDAP-based, etc.).

When a user tries to authenticate, the request is directed from the visited institution to the Central RADIUS Server and from there to the user's organization to get authenticated (Fig. 1).

Fig. 1. Authentication process.

Based on our previous boost concept [3], we mainly implemented this solution using the IMAP/email authentication method, but since the solution is based on FreeRADIUS [4], any required authentication method can be used.

The solution described here has an accompanying Ansible playbook [5] that automates the setup of the multi-EAP radius configuration.

3. Advantages

The main advantage of this solution is the creation of an automatically usable FreeRADIUS-based multi-EAP radius configuration. The solution described in this paper will encourage small organizations to use eduroam with minimal administrative overhead and minimal cost. While carrying out investigations in this area, we found no such configuration described in public, except for the official general description [2], which lacks many important details about particular EAP types. So, this solution is unmatched in terms of practical open implementation.

4. Disadvantages

Although this solution of having multiple organizations on a single RADIUS server is cost-efficient, it is not an ideal solution for large organizations with thousands of users.

5. Conclusion

This solution may be of interest in cases where NROs implement hosted radius solutions for relatively small connecting institutions (with hundreds or tens of users), so as to have a cost-effective single RADIUS server for multiple supported realms instead of creating a separate radius server for each supported realm.

References

[1] [Online]. Available: https://www.eduroam.org/
[2] [Online]. Available: https://wiki.freeradius.org/modules/Rlm_eap#I_want_to_enable_multiple_EAPTypes_how_can_I_configure
[3] A. Petrosyan, G. Petrosyan, R. Tadevosyan and K. Arsalanian, “Identity Infrastructure Boost Concept for eduroam Service”, Transactions of IIAP NAS RA, Mathematical Problems of Computer Science, vol. 52, pp. 61-65, Yerevan 2019.
[4] [Online]. Available: https://freeradius.org/
[5] [Online]. Available: https://github.com/asnet-am/eduroam-imap-playbook

Submitted 10.02.2020, accepted 26.05.2020.

Development of Multiple EAP Radius Configurations for eduroam Service

Arthur S. Petrosyan, Gurgen S. Petrosyan, Robert N. Tadevosyan and Kevork Kh. Arsalanian

Institute for Informatics and Automation Problems of NAS RA

e-mail: arthur@sci.am, gurgen@sci.am, robert@sci.am, kevork.arsalanian@sci.am

Summary

The article describes a mechanism for authenticating eduroam users by means of multiple EAP radius configurations. The solution is based on the fact that some organizations that wish to join the eduroam community and use the service do not have a huge number of users, so it is cost-effective to use one RADIUS server for several organizations instead of having a separate RADIUS server for each such organization. The solution is unique in terms of practical open implementation. It has been implemented and tested in the ASNET-AM network.

Keywords: eduroam, WiFi, wireless, EAP, authentication, Radius.

Development of a Multi-EAP Radius Configuration for the eduroam Service

Arthur S. Petrosyan, Gurgen S. Petrosyan, Robert N. Tadevosyan and Kevork Kh. Arsalanian

Institute for Informatics and Automation Problems of NAS RA

e-mail: arthur@sci.am, gurgen@sci.am, robert@sci.am, kevork.arsalanian@sci.am

Abstract

The article presents a mechanism for authenticating eduroam users by means of a multi-EAP radius configuration for the eduroam service. The solution is based on the fact that some organizations that do not have a large number of users and wish to join the eduroam community can use one shared RADIUS server. This solution has no analogues in terms of practical open implementation. The solution has been implemented and tested in the ASNET-AM network.

Keywords: eduroam, WiFi, wireless communication, EAP, authentication, Radius.
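The per-realm selection described in Section 2 (Architecture), as an added example that is not the authors' configuration or FreeRADIUS code: a central server takes the realm from the outer identity, validates it, and picks that realm's EAP configuration and institution-side authentication method. The realm names, instance names, the `route` and `extract_realm` helpers and the strict single-`@` policy are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

class RealmConfig(NamedTuple):
    eap_instance: str  # hypothetical name of the per-realm EAP configuration
    backend: str       # authentication method used at the institution site

# Constructed sample table of realms hosted on the central server (hypothetical).
HOSTED_REALMS = {
    "uni-a.example": RealmConfig("eap_uni_a", "imap"),
    "inst-b.example": RealmConfig("eap_inst_b", "ldap"),
}

# At least two dot-separated DNS labels; no empty label, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

class Decision(NamedTuple):
    action: str                    # "local", "not_hosted" or "reject"
    realm: Optional[str]
    config: Optional[RealmConfig]

def extract_realm(user_name: str) -> Optional[str]:
    """Return the lower-cased realm of an outer identity, or None if malformed."""
    # Assumed policy: exactly one "@" and no whitespace anywhere in the identity.
    if user_name.count("@") != 1 or any(c.isspace() for c in user_name):
        return None
    realm = user_name.rsplit("@", 1)[1].lower()
    return realm if _REALM_RE.fullmatch(realm) else None

def route(user_name: str) -> Decision:
    """Decide which per-realm EAP configuration handles this request."""
    realm = extract_realm(user_name)
    if realm is None:
        return Decision("reject", None, None)
    cfg = HOSTED_REALMS.get(realm)
    if cfg is None:
        # Realm is well-formed but not served here; what happens next
        # (for instance handing the request upstream) is outside this example.
        return Decision("not_hosted", realm, None)
    return Decision("local", realm, cfg)
```

Normalising the realm before the lookup keeps `user@UNI-A.example` and `user@uni-a.example` on the same EAP configuration, and rejecting malformed realms early keeps them out of any later matching or logging logic.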