FAQs about the eduroam ES initiative
eduroam is an initiative at international level that aims to create a unique space for mobility within the academic field. eduroam focuses on user safety, while maintaining ease of use.
eduroam ES is the name given to the initiative in Spain. It is operated by RedIRIS, which also coordinates the organizations participating in the initiative in our country. This unique mobility space brings together a wide group of organizations that, based on a usage policy and a series of technological and functional requirements, allow their users to move between them and to have the mobile services they may need available at all times.
The ultimate goal is for users to have, in the most transparent way possible, a secure connection to the Internet, access to the services and resources of their home organization, and access to the services and resources of the organization hosting them at that time.
You will need to know whether the organization you belong to is already in eduroam. You can find a list of all institutions in Spain on this website. In addition, you will need a device that supports WPA/WPA2 Enterprise and that allows you to configure the type of authentication supported by your organization.
If your organization is not in eduroam but is an institution belonging to the academic network, we advise you to ask your organization's IT service to join.
You can find maps showing the locations where eduroam is available, both in Spain and in the rest of the countries where it is offered.
You should consult your institution. It is very possible that your institution makes use of the eduroam CAT tool, which provides a secure configuration that the administrators of your organization have prepared for you.
In general, you must follow the instructions provided by your institution. In particular, we recommend that you always direct any questions you may have to the technical staff of your own institution, both when you are on your own campus or building and when you are visiting another organization. If you are outside your organization you may be able to receive support there, but it is preferable to always be attended by your own institution.
It will depend on the device, operating system and the type of authentication that your organization supports.
A device that supports PEAP but not EAP-TTLS will not allow you to connect if your institution does not support PEAP (or vice versa). Devices generally only support a subset of EAP modes, so it is essential that a technician checks compatibility.
It is best to check with the technical staff of your own institution. Incorrect settings, apart from causing poor performance, can put your account data at risk.
Each organization has chosen its authentication modes based on how they fit the infrastructure it already had in place to authenticate its users in general (mail, web applications, virtual campuses, e-learning platforms, ...).
Several factors will have played a role, such as security or cost, but in any case you should rather ask the inverse question: why does my device not support the authentication method that my organization offers me?
In a vast majority of cases, especially in the case of laptops, mobiles and tablets, there should be compatibility. It is always preferable to follow the procedure indicated by your organization, as well as to use official installers, if they are provided to you.
Certain devices may be able to connect only if they are compatible with the authentication methods supported by your institution, although on certain occasions an automatic configuration will not be possible (it must be done manually), and sometimes a reliable or completely safe configuration will not be possible, due to device limitations.
It is also possible, although unlikely, that there is some kind of incompatibility between the device and the network.
In all these cases, it is always preferable to consult technical support for advice, before making a configuration that could put your account at risk.
Yes. eduroam provides mechanisms so that users can provide their credentials wherever they connect, and these are transmitted safely through the Internet. This, however, does not rule out attacks on clients that are badly configured.
On the other hand, bear in mind that once the user has authenticated and gained access, the Internet connection offers a level of security equivalent to any other Internet connection. The usual protection measures recommended by the manufacturer or developer of the user's operating system must therefore be taken.
The eduroam security model is well thought out and has been extensively studied (see, for example, the section on security in RFC 7593). Your credentials are well protected as long as your device is correctly configured; this correct configuration is therefore crucial. As long as the necessary configuration parameters are correctly set, any of the authentication methods commonly used in eduroam (PEAP, TTLS-PAP, EAP-TLS) is secure.
Your eduroam identity provider provides you with at least some installation instructions that allow a correct and secure configuration. The most critical part of these is the one that has you configure your device to trust a Certification Authority (CA) and the server name of the identity provider.
Many eduroam identity providers go one step further and provide you with installation programs or configuration files containing the relevant security information, through a simple installation process. One of these programs is "eduroam CAT"; check whether your institution is listed.
Make use of the installation programs or configuration instructions provided by your eduroam identity provider to be safe from possible attacks.
If you do not follow the configuration instructions, or in the unlikely event that the identity provider does not provide them, then the account details you use to access eduroam will be at risk of so-called man-in-the-middle attacks. For identity providers, not providing sufficient configuration instructions is against the participation policy. At eduroam ES we would appreciate it if you notified us in these cases.
P.S.: this type of problem is not specific to eduroam; any deployment of Enterprise-type wireless networks is in the same situation.
They could be summarized in just three points:
- Never provide your eduroam credentials through a web portal. eduroam uses 802.1X technology, and its users should not provide their credentials on web portals (unless you are in your own institution and it has instructed you to do so).
- Never trust a certificate for which you have no guarantee of its validity. Generally, the software used to connect you (known as the supplicant) will notify you when your organization's certificate presents a problem. If this happens, we recommend that you contact those responsible for eduroam in your organization and report these incidents.
- In general, follow the usual rules for protecting your computer when connecting to the network (keep your computer updated, install an antivirus or firewall if necessary, do not visit websites that could damage your computer, etc.).
The fact that the network identifier is eduroam should not influence the speed you get when connecting. The most common cause is network saturation in the place from which you connect, but there could be other problems that should be ruled out, such as interference or a technical problem in the wireless network infrastructure.
The most advisable thing in these cases is that you contact the IT service of your organization and raise the problem with them, indicating the place and hours at which you have noticed the slowness in the Internet connection.
The main advantages of the eduroam network over traditional alternatives with PSK (pre-shared key) are summarized in the following points:
Security and authentication
eduroam uses advanced secure authentication protocols based on RADIUS servers and methods such as PEAP, TTLS-PAP, or EAP-TLS, which protect the user's credentials and encrypt the traffic. This avoids the vulnerability of PSK networks, where the shared key can become known or be distributed, weakening security for all connected users.
The key difference between PSK WiFi networks and eduroam, as far as the nature of the key is concerned, is that in PSK the key may or may not be shared, but it is typically shared among all users who need access. This means that any user with that key can get access, and that security depends on keeping that key secret. With eduroam, by contrast, the key is never shared between users, because authentication is performed individually through the 802.1X protocol using the user's own credentials (a username and password unique to each user, or an individual certificate with geteduroam), managed by the RADIUS servers of the home institution. This means that each user has a personal key that is never disclosed to others, and access is verified securely with certificates and methods such as PEAP or EAP-TTLS, guaranteeing that the access key is neither shared nor reused.
eduroam therefore offers individual and secure authentication, preventing a common key from being distributed or exposed, unlike conventional PSK networks, where security is based on keeping a shared password secret. This significantly improves security and access control in academic and research environments.
Mobility and global roaming
eduroam allows users with credentials from a member institution to connect automatically and securely at any other institution or campus in the world that uses eduroam, without having to configure the network again. This facilitates academic and research mobility and eliminates the need for temporary or guest accounts, which is not possible with traditional PSK.
Ease of use for users and administration
For the end user, the network is configured only once, and subsequent access anywhere with eduroam is automatic and secure. For institutions, it reduces the administrative burden of managing WiFi networks for visitors and mobile users, since there is no need to create temporary accounts or to provide constant support for WiFi access.
Scalability and compatibility with modern standards
eduroam works with modern security standards and is compatible with advanced Wi-Fi technologies, including the new Wi-Fi 6E bands and WPA3-Enterprise, ensuring a high level of protection and support for current and future devices, something that traditional PSK networks do not usually offer.
In summary, eduroam surpasses traditional PSK WiFi networks in security, global mobility, ease of management and adoption of modern standards, making it the ideal option for academic and research environments.