Walled garden for on-boarding user devices to eduroam – Technical deployment guide

One of the key barriers to successful deployment of eduroam is ensuring that users are adequately supported. 802.1X/WPA2 Enterprise configuration on the majority of devices is a little more complex than the PSK-based wireless solutions that users are familiar with at home. As a result, there is a need for on-boarding tools, such as eduroam CAT, to be made available to users.

Organisations providing eduroam will need to provide access to their chosen on-boarding tool; typically it will be available via the organisation’s eduroam support web page. The challenge for many organisations is that devices need Internet access to visit the organisation’s eduroam support web page. This usually isn’t a problem for mobile phones, which usually have access to the Internet via the mobile network.

However, there are other situations which require an Internet connection or local network access to reach the on-boarding tools. These include organisations with poor mobile coverage, and also tablets and laptop devices, which may not have access to the mobile network.

The solution deployed by many organisations is that of a ‘Walled Garden’: a network connection that enables sufficient access to download on-boarding tools, reach the support web page and obtain any other relevant access, but that should fall short of providing full Internet access.

Our work with the Further Education sector has highlighted the need for organisations deploying eduroam to also deploy a ‘Walled Garden’ to on-board large numbers of users onto eduroam, and to enable users to ‘self-service’. The ‘Walled Garden’ is typically made available by broadcasting an open wireless SSID.

The following ‘Walled garden for onboarding user devices to eduroam’ guide is intended to help you configure a walled garden network. It uses the open-source product pfSense, which is a firewall solution based on FreeBSD. It’s a viable solution, even for organisations which typically don’t use Unix-based operating systems, since it is almost entirely configured through a web page, is comparable to appliance-based solutions, and is relatively easy to maintain and update.

pfSense can be configured to run in a virtual machine. This guide covers using VMware, but pfSense can also be deployed in a Xen environment or on physical hardware.

