Skip to content
eduroam / RADIUS Proxy

eduroam / RADIUS Proxy overview

A RADIUS proxy receives authentication and accounting requests from the network and forwards them to another RADIUS server for verification. It is how an organization joins a federated network such as eduroam, where users roam across institutions but authenticate against their home institution’s credentials. EntryPoint relays that traffic and adds RadSec, attribute handling, and monitoring on top.

At a glance

Credential
Forwarded to a remote RADIUS server for verification
Identity source
A remote RADIUS federation (for example a national eduroam proxy)
Best for
Higher education and roaming federation
Transport
RADIUS, with RadSec available for secure forwarding
Self-service
None — identities live in the remote federation
Status
Available

The network points at the EntryPoint context as its RADIUS server. EntryPoint forwards each request to the configured upstream RADIUS server — for example a national eduroam proxy — and relays the response back. An Attribute Profile can be applied to the response so the local network assigns the right VLAN or policy to roaming users. RadSec can secure the forwarded traffic over TLS.

A proxy context provisions a single default device group, and all incoming requests are handled by it; per-device matching by access-point name or address is not used in proxy contexts, which keeps the behaviour simple and predictable.

Use the proxy variant to participate in a federation such as eduroam, where authentication is delegated to a remote RADIUS service and your role is to relay it securely and apply local network policy.

A proxy context forwards to a remote federation; it does not hold local identities or offer self-service. For locally authenticated 802.1X use the EAP variants; for per-group keys use iPSK.

  • A reachable upstream RADIUS server (the federation’s proxy), with its hostname, ports, and shared secret.
  • The local network equipment pointed at the context — see RADIUS clients & RadSec.

Next