Technical Information


Eduroam is based on the IEEE 802.1X standard and on a hierarchical network of RADIUS proxy servers that route the authentication request produced by the user (at any institution federated in eduroam that the user happens to visit) to the authentication
RADIUS server of the user's own organization. For this reason the authentication parameters are those provided by the user's home institution, and the user can receive assistance from the staff of the institution being visited.

Once the authentication phase has been passed, the user is granted Internet access. The routing of the authentication request generated by the user to his or her authentication RADIUS server
takes place as described below.
Eduroam usernames must be in the form name@realm (for example galileo.galilei@unipd.it or elena.cornaropiscopia@unipd.it), where realm is a DNS domain
managed by the organization and name is an arbitrary string. The realm allows the hierarchical chain of federation RADIUS servers to route requests correctly.

In the presence of the eduroam signal, the device's "802.1X supplicant" software sends an authentication request to the access point (called the "authenticator" by the 802.1X standard, even though it does not itself authenticate). Each institution
authenticates only users belonging to its own realms, through its own institutional RADIUS server (called the "authentication server" by the 802.1X standard). Authentication requests of other users are forwarded by the institutional RADIUS
server to the national top-level RADIUS server of the nation in which the institution is located.

The national top-level RADIUS server (NTLR, "National Top Level RADIUS") consults a table relating institutions to their nation of competence and in turn forwards the received authentication request either directly to the
user's institution's authentication RADIUS server or, if the domain is not in the table, to its Regional Top Level RADIUS (RTLR).

The RTLR, in turn, consults a table that maps nations to the NTLR of competence. Routing continues until an encrypted channel is established that starts at the supplicant and ends at the authentication RADIUS server. Once the
authentication process has completed successfully (conducted using the EAP protocol: EAPOL on the wireless segment, EAP encapsulated in RADIUS on the wired segment), the encrypted channel is torn down and the security of the wireless connection between the user's device
and the AP is guaranteed at layer 2 by IEEE 802.11i encryption (WPA2/AES Enterprise).

The University's institutional RADIUS server is managed by CSIA and authenticates all users belonging to the "unipd.it" and "studenti.unipd.it" realms with the University's SSO credentials. The only EAP protocol it supports is Protected
EAP (PEAP) in version PEAPv0: the EAP method used for user authentication is MSCHAPv2 (with the Single Sign On username and password), protected by a TLS tunnel.

The Italian NTLR is managed by the GARR Consortium; the European RTLR is managed by SURFnet in the Netherlands and UNI-C in Denmark.

Created: 16/02/2022 - 12:38
Last modified: 11/10/2023 - 15:19