eduroam / RADIUS Proxy overview
A RADIUS proxy receives authentication and accounting requests from the network and forwards them to another RADIUS server for verification. It is how an organization joins a federated network such as eduroam, where users roam across institutions but authenticate against their home institution’s credentials. EntryPoint relays that traffic and adds RadSec, attribute handling, and monitoring on top.
At a glance
- Credential
- Forwarded to a remote RADIUS server for verification
- Identity source
- A remote RADIUS federation (for example a national eduroam proxy)
- Best for
- Higher education and roaming federation
- Transport
- RADIUS, with RadSec available for secure forwarding
- Self-service
- None — identities live in the remote federation
- Status
- Available
How it works
Section titled “How it works”The network points at the EntryPoint context as its RADIUS server. EntryPoint forwards each request to the configured upstream RADIUS server — for example a national eduroam proxy — and relays the response back. An Attribute Profile can be applied to the response so the local network assigns the right VLAN or policy to roaming users. RadSec can secure the forwarded traffic over TLS.
A proxy context provisions a single default device group, and all incoming requests are handled by it; per-device matching by access-point name or address is not used in proxy contexts, which keeps the behaviour simple and predictable.
Who it is for
Section titled “Who it is for”Use the proxy variant to participate in a federation such as eduroam, where authentication is delegated to a remote RADIUS service and your role is to relay it securely and apply local network policy.
What it is not
Section titled “What it is not”A proxy context forwards to a remote federation; it does not hold local identities or offer self-service. For locally authenticated 802.1X use the EAP variants; for per-group keys use iPSK.
Prerequisites
Section titled “Prerequisites”- A reachable upstream RADIUS server (the federation’s proxy), with its hostname, ports, and shared secret.
- The local network equipment pointed at the context — see RADIUS clients & RadSec.
Where to go next
Section titled “Where to go next”- Configuration & monitoring: the remote server, RadSec, attribute profiles, and usage statistics.