Joining eduroam in South Africa



Who can join?


The eduroam service is loosely divided into service providers (organisations that provide Internet access to users) and identity providers (organisations that do authentication for users). The eligibility criteria for service- and identity providers are different, and you may be able to join the eduroam federation as either a service provider or an identity provider or both.


Any South African organisation, including commercial entities, can become an eduroam service provider. The only requirement is that you agree to provide the service as described (see below) and without variation.


Only bona fide South African tertiary education and research organisations may become identity providers within the South African federation. Full details are provided in the policy. Whilst most identity providers are also service providers, there are sometimes good reasons why this is not the case.


Can we run an eduroam hotspot/be a service provider?


Any South African organisation, including commercial entities, can become an eduroam service provider if they agree to abide by the eduroam National Policy for South Africa and provide the service as described in the eduroam service definition. In essence, what you agree to is to provide (possibly restricted) wireless Internet access to eligible users at no cost to the end user.


The main benefits of providing the service are reduced administrative overhead (guest user management) and consequently better service to visitors. The main intention is to facilitate inter-organisation collaboration and access to research and learning materials. However, organisations that service the higher educational sector may also see the benefit of providing easy, hassle-free Internet access to their customers/clients.


Whilst you cannot directly advertise using eduroam, the potential benefits of advertising that you provide eduroam support are significant: there are roughly a million eligible users in South Africa alone (although rest assured that most sites only see a small fraction of these.)


At a technical level, eduroam is a standards-based WPA2-Enterprise wireless network or an 802.1X wired network. (If your wireless infrastructure claims WiFi Alliance compliance, you should be able to support eduroam.) The only additional requirement is that service providers need to be able to route generic EAP requests unaltered to the roaming operator's RADIUS servers, and act on the resulting access accept/reject.


If you're based in South Africa and interested in joining as a service provider, please contact us.


How do we become an identity provider?


Eligibility to become an identity provider is limited to bona fide tertiary education and research institutions, as described in the eduroam policy.


The obvious benefit of being an identity provider is that your users gain access to thousands of service providers around the world. This makes inter-institutional collaboration easier and reduces the amount of time your staff and students take to gain Internet access when away from your campus. Moreover, it has become the de facto standard — your users will expect to be able to roam using eduroam because their colleagues at other participating institutions can.


The most basic requirement for becoming an identity provider is that you need some form of central identity management for your users.


For institutions with fewer than 150 users, there is now an option of a managed IdP service. This is a cloud service that requires no additional infrastructure — all that is required is someone willing to create & manage user accounts in a web portal and to assist users with connecting.


For larger institutions, this is typically Active Directory or other another directory service. You'll also need to be able to expose this using RADIUS — popular ways to do this are with Microsoft's  Network Policy Services (included with Windows Server) or FreeRADIUS.


eduroam does have one constraint. Your RADIUS server must support realms, and you must use a realm that is a valid South African DNS name that you own (e.g. @yourinstitution.ac.za). This is because the RADIUS realm is used to route authentication requests to the right organisation.


You might also want to see our information for institutions/administrators page.


If you're an eligible organisation that is not already an eduroam identity provider, please feel free make contact with us.


What about organisations outside of South Africa?


If you're based outside South Africa, similar services may be available from the roaming operator in your country.


Can anyone help us deploy eduroam?


There are a handful of network consulting companies in South Africa that have gained experience deploying and supporting eduroam at local institutions.