Radius Hierarchy Protocol

Eduroam is based on the 802.1X technology and a hierarchy of RADIUS proxy servers. The following figure provides an overview how it works :

The guest user toto from the institution B wants to use the institution A's network infrastructure. To proceed, toto will provide his credentials to the authenticator (here the Access Point of A). The credentials are constituted by a username and a realm; it looks like an email address. (ie: toto@institution_B.be)

The AP asks local RADIUS server if the user can access the network using the provided credentials. The RADIUS server notices that the realm is not one it can serve itself. It will then forward the request to the national top level RADIUS proxy server. If the realm belongs to a national institution, then the national top level RADIUS proxy forwards the request to the institution serving the realm. If this is not the case, the national RADIUS server will forward the request to the European top level RADIUS that will forward the request to the appropriate national proxy RADIUS, etc.

The next figure provides an overview of RADIUS proxies hierarchy model.