
University Campus WiFi: eduroam, Residence Halls, and BYOD at Scale

This reference architecture provides advanced deployment strategies for university campus WiFi, covering eduroam federation mechanics, per-room VLAN micro-segmentation in residence halls, and automated BYOD certificate onboarding at scale. It equips IT leaders and network architects with vendor-neutral, immediately actionable guidance to enhance security, reduce helpdesk overhead, and deliver a seamless connectivity experience across academic and residential environments.



Transcript
Welcome to the Purple Technical Briefing. I'm your host, and today we're diving deep into the reference architecture for University Campus WiFi. We'll be covering eduroam federation, managing residence halls at scale, and BYOD onboarding for thousands of concurrent users. For IT directors and network architects in higher education, the campus network is mission-critical infrastructure. It's not simply about coverage anymore. It's about handling immense device density, securing the perimeter, and providing a frictionless user experience for tens of thousands of concurrent users — students, faculty, visiting researchers, and a growing fleet of IoT devices. Let's begin with eduroam. It's the backbone of academic mobility worldwide, operating in over 100 countries. But how does it actually work at scale? The architecture relies on an 802.1X framework paired with a hierarchical RADIUS proxy system. When a visiting student connects to your local eduroam SSID, your access point — acting as the Network Access Server — sends an EAP request to your campus RADIUS server. Your server inspects the realm: the domain portion after the at-symbol in the user's identity. If that realm doesn't match your local domain, your RADIUS server proxies the request up to a national proxy. In the UK, that's JANET. In Europe, it's GÉANT. That proxy then routes the request to the student's home institution. The home Identity Provider validates the credentials against its directory — Active Directory or LDAP — and sends an Access-Accept or Access-Reject message back down the chain. The golden rule here is what I call the 'Home Always Knows' principle. The visited institution never sees the password. Authentication always resolves at the home institution. This is a critical security property. If a visiting researcher from Edinburgh arrives at your campus in Bristol, your RADIUS server is simply a relay. You are never in possession of their credentials.
This has important implications for troubleshooting. If a visiting user cannot connect, and your local RADIUS logs confirm the request is being forwarded outward, the problem lies upstream — either at the national proxy or at the home institution. Escalate accordingly. Now, let's talk about the most challenging RF environment on any campus: the residence hall. You have massive device density — sometimes three to five devices per student — concrete and masonry walls, fire doors, and a flood of consumer IoT devices including smart speakers, gaming consoles, streaming sticks, and wireless printers. The legacy approach of deploying a flat subnet across an entire building is a recipe for operational disaster. Broadcast storms, security vulnerabilities, and a degraded user experience are the inevitable outcomes. A single compromised device on a flat network has lateral movement access to every other device in the building. The modern architectural standard is Per-Room VLAN mapping. Using your Network Access Control system, you dynamically assign a unique VLAN to every individual dorm room or suite. When a student authenticates, RADIUS evaluates their identity and location attributes, and drops them into their specific micro-segment. We describe this as creating a Personal Area Network — a PAN — around each room. The student's phone can discover and communicate with their Apple TV or wireless printer, but they are completely isolated from the room next door. This architecture requires in-room AP deployments. Hallway access points are an anti-pattern for modern high-density environments. When APs are deployed in a long corridor, they can hear each other perfectly, causing severe co-channel interference. More critically, the RF signal must penetrate thick fire doors and masonry walls to reach devices inside the rooms — exactly where users are. The result is poor signal quality and low throughput precisely where it matters most.
The correct approach is one AP per room, or one AP per two rooms in newer construction, with transmit power reduced to create clean RF boundaries. Now let's address BYOD onboarding. The start of the academic year is a high-stakes event for any university IT team. In the first 48 hours of term, you may need to onboard 10,000 or more devices. A manual or poorly designed onboarding process will overwhelm the helpdesk. I've seen institutions where the WiFi helpdesk queue hits 2,000 tickets within 24 hours of term starting. That is entirely avoidable. A scalable BYOD architecture moves away from manual PEAP configuration — where students must enter complex EAP settings by hand — and instead relies on automated certificate provisioning. The optimal flow uses an open onboarding SSID that restricts traffic to the captive portal and provisioning servers only. The student connects, gets redirected to a branded self-service portal, authenticates via Single Sign-On using their university credentials, and downloads a small configuration payload. That payload uses SCEP — the Simple Certificate Enrollment Protocol — or EST to request a unique client certificate from your campus Certificate Authority. Once the certificate is installed, the device automatically drops the onboarding connection and associates with the secure 802.1X network using EAP-TLS. This is the critical shift: you are decoupling WiFi authentication from the user's directory password. When a student changes their AD password — which many institutions force every 90 days — their WiFi connection is completely unaffected. The certificate remains valid for its full lifetime, typically one to four years. This single architectural decision eliminates the number one cause of WiFi helpdesk tickets in higher education. For headless IoT devices — gaming consoles, smart TVs, Chromecasts — that do not have a native 802.1X supplicant, you implement a self-service device registration portal.
Students log in with their university credentials and register the MAC address of their device. Your NAC system uses MAC Authentication Bypass, or MAB, to authenticate that registered MAC address and place the device into the student's designated Per-Room VLAN. This ensures the Xbox in Room 214 is on the same micro-segment as the student's laptop and phone, enabling local discovery protocols to function correctly. Let me now walk through the key implementation steps for this architecture. First, standardise your identity store. Ensure your Active Directory or LDAP directory is clean, with well-defined groups for students, faculty, staff, and guests. This is foundational for policy enforcement. Garbage in, garbage out. Second, deploy a robust NAC solution with high availability. Your RADIUS infrastructure must handle peak loads without timeout failures. Implement load balancing across multiple RADIUS nodes, and tune EAP timers on your wireless LAN controller to accommodate slight proxy delays during peak periods. Third, configure your eduroam RADIUS proxies correctly. Establish secure tunnels to your national roaming operator and implement strict realm routing rules. You must prevent routing loops and ensure only valid, registered realms are proxied outward. Fourth, implement device registration for IoT. The self-service portal must be simple enough for a first-year student to use without IT assistance. Tie it directly to your NAC for automatic VLAN assignment. Fifth, optimise your RF design for high density. Commission a proper RF survey before deployment. In residence halls, plan for in-room coverage. In lecture theatres and libraries, use high-density APs with directional antennas and disable legacy data rates below 12 megabits per second to force clients to roam to the optimal AP. Now let's cover the common pitfalls and how to mitigate them. RADIUS timeout failures during peak onboarding are the most common operational issue. 
The mitigation is pre-emptive capacity planning: load test your RADIUS infrastructure before term starts, not during it. IoT device discovery failures are the second most common complaint. Students report that they cannot cast to their smart TVs. If devices are on separate VLANs, you need an mDNS gateway or Bonjour proxy service to forward multicast DNS traffic across the VLAN boundary. Configure this carefully — you want to allow discovery within a Per-Room VLAN, not broadcast it across the entire building. Rogue DHCP servers are a persistent threat. A student plugging a consumer router into a dorm room Ethernet port can take down the entire subnet. Enforce DHCP Snooping and BPDU Guard on all access switch ports without exception. Finally, let's talk about the business impact and ROI. Automated certificate-based BYOD onboarding can reduce WiFi-related helpdesk tickets by up to 70% during the critical start-of-term period. That translates directly to reduced staffing costs and faster resolution times for the tickets that do come in. Micro-segmentation through Per-Room VLANs dramatically reduces the blast radius of a compromised device. In a flat network, ransomware can propagate laterally across the entire building. In a micro-segmented architecture, it is contained to a single room's VLAN. By integrating network telemetry with analytics platforms, universities can make data-driven decisions about space utilisation, AP placement, and capacity planning. Real-time heatmaps and client association data can inform facilities management decisions about study space allocation and HVAC scheduling. Let me close with a rapid-fire summary of the key decisions every campus IT architect needs to make. On eduroam: use EAP-TLS for managed devices and EAP-TTLS or PEAP only as a fallback for unmanaged. Always monitor your RADIUS proxy logs, not just the local authentication logs.
On residence halls: deploy in-room APs, implement Per-Room VLANs via NAC, and build a self-service IoT registration portal before the first day of term. On BYOD: automate certificate provisioning. Do not rely on users to manually configure 802.1X settings. The onboarding experience must be as simple as connecting to a consumer WiFi network. On IoT: treat IoT devices as a separate policy class. Register them by MAC, assign them to the correct micro-segment, and never put them on the same VLAN as managed endpoints. To summarise: the university campus WiFi challenge is fundamentally a policy and identity problem, not just a radio frequency problem. Get your identity infrastructure right, automate onboarding, and micro-segment your residential network. Those three decisions will define the quality of your campus connectivity for the next decade. Thank you for joining the Purple Technical Briefing. For further guidance on campus network architecture, guest WiFi solutions, and WiFi analytics, visit purple.ai.


Executive Summary

For modern universities, the campus WiFi network is no longer a mere amenity — it is critical infrastructure that underpins academic delivery, student life, and operational efficiency. As higher education institutions scale, IT teams face a triad of complex networking challenges: managing the seamless, secure federation of eduroam, engineering high-density micro-segmented environments in residence halls, and automating Bring Your Own Device (BYOD) onboarding for tens of thousands of concurrent users.

This reference guide provides senior IT leaders, network architects, and venue operations directors with a practical, vendor-neutral blueprint for campus connectivity. We examine the hierarchical RADIUS proxy model that powers eduroam, detail the implementation of per-room VLANs to secure student devices, and outline a robust device registration lifecycle. By adopting these architectural standards, institutions can significantly reduce helpdesk overhead, ensure compliance with data protection regulations, and deliver a seamless digital experience across academic and residential spaces. The principles explored here are equally transferable to Hospitality and Healthcare environments where high-density, multi-tenant connectivity is a daily operational challenge.


Technical Deep-Dive

The eduroam Federation Architecture

eduroam (education roaming) is the secure, worldwide roaming access service developed for the international research and education community. It allows students, researchers, and staff from participating institutions to obtain internet connectivity across campus and when visiting other participating institutions, simply by opening their laptop or connecting their mobile device — no manual configuration required at the visited site.

Behind the scenes, eduroam relies on an IEEE 802.1X authentication framework coupled with a hierarchical RADIUS (Remote Authentication Dial-In User Service) proxy architecture. When a user attempts to connect to the eduroam SSID at a visited institution (the Service Provider, or SP), the local access point acts as the Network Access Server (NAS). It forwards the authentication request via the Extensible Authentication Protocol (EAP) to the campus RADIUS server.

If the user's realm (e.g., @university.edu) does not match the local domain, the campus RADIUS server proxies the request to a National RADIUS Proxy — JANET in the UK, GÉANT at the pan-European level. The national proxy routes the request to the user's Home Institution (the Identity Provider, or IdP), which validates the credentials against its identity store (Active Directory or LDAP) and returns an Access-Accept or Access-Reject message through the proxy chain.

[Figure: eduroam federation architecture diagram]

This architecture ensures that user credentials are never exposed to the visited institution, maintaining strict security and privacy standards consistent with GDPR requirements. The visited campus never holds or processes the user's password — it is only ever transmitted to and verified at the home institution.

Residence Hall Micro-Segmentation: Per-Room VLANs

Residence halls present one of the most challenging RF environments in enterprise networking. The density of devices — often three to five per student — combined with the proliferation of consumer IoT (smart speakers, gaming consoles, streaming sticks, wireless printers), creates an environment that quickly overwhelms flat network architectures. Traditional single-subnet dormitory networks generate excessive broadcast traffic, create significant security vulnerabilities, and produce a degraded user experience as devices discover each other across the entire building.

The industry standard approach is Per-Room VLAN mapping. In this architecture, the Network Access Control (NAC) system dynamically assigns a unique VLAN to every individual dorm room or suite. When a student connects their smartphone, laptop, or registered IoT device, the RADIUS server evaluates the user's identity and location attributes, assigning them to their specific micro-segment. This creates a Personal Area Network (PAN) experience: the student's devices can communicate with each other (e.g., casting from a phone to an Apple TV), but are completely isolated from devices in the adjacent room.

[Figure: residence hall Per-Room VLAN diagram]

To manage this at scale, IT teams must implement dynamic VLAN assignment using 802.1X for capable devices (laptops, smartphones), and MAC Authentication Bypass (MAB) coupled with a device registration portal for headless IoT devices that do not support enterprise authentication. The VLAN assignment is returned by the RADIUS server as a standard attribute in the Access-Accept message (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID).

BYOD Onboarding at Scale

At the start of the academic year, universities experience massive onboarding spikes. A manual or poorly designed BYOD process will overwhelm the IT helpdesk within hours. A scalable architecture relies on automated certificate provisioning rather than requiring users to manually configure complex EAP settings or remember to update their WiFi configuration every time their directory password changes.

The optimal flow utilises an open onboarding SSID that restricts access to a captive portal and necessary provisioning servers. Users authenticate via Single Sign-On (SSO), after which a native OS profile payload is downloaded. This payload uses SCEP (Simple Certificate Enrollment Protocol) or EST (Enrollment over Secure Transport) to request a unique client certificate from the campus Certificate Authority.

Once the certificate is installed, the device automatically drops the onboarding connection and associates with the secure 802.1X network (such as eduroam) using EAP-TLS. This eliminates password-related connection issues — the leading cause of WiFi helpdesk tickets — and provides the network team with granular visibility into every connected device.

[Figure: BYOD onboarding flow]

For institutions managing a mix of personal and university-owned devices, integrating the onboarding flow with an MDM (Mobile Device Management) solution allows policy profiles to be pushed automatically during the certificate provisioning step, enabling per-device policy enforcement without additional user interaction.


Implementation Guide

Deploying this architecture requires careful coordination between network engineering, identity management, and security teams. The following sequence represents a proven deployment order for a greenfield or major refresh project.

Step 1 — Standardise the Identity Store. Ensure your Active Directory or LDAP directory is clean, with well-defined groups for students, faculty, staff, and guests. Confirm that group membership is accurate and that automated provisioning and de-provisioning processes are in place. This is foundational for policy enforcement: garbage in, garbage out.

Step 2 — Deploy a Robust NAC Solution. Implement a Network Access Control system capable of handling high-volume RADIUS requests, dynamic VLAN assignment, and device profiling. Ensure redundancy across multiple nodes in separate data centres. Load test the infrastructure before term starts, not during it.

Step 3 — Configure eduroam RADIUS Proxies. Establish secure tunnels to your national roaming operator. Implement strict realm routing rules to prevent loops and ensure only valid, registered realms are proxied outward. Configure monitoring alerts for proxy latency and failure rates.

Step 4 — Implement Device Registration for IoT. Deploy a self-service portal where students can register the MAC addresses of their gaming consoles, smart TVs, and other headless devices. The portal must be simple enough to use without IT assistance. Tie it directly to your NAC for automatic VLAN assignment via MAB.

Step 5 — Optimise RF for High Density. Commission a proper RF survey before deployment. In residence halls, plan for in-room AP coverage. Disable legacy data rates below 12 Mbps to force clients to roam to the optimal AP. Configure transmit power to create clean RF boundaries between rooms.

For public areas across the campus — libraries, student unions, outdoor spaces — consider leveraging Guest WiFi solutions with social login or SMS authentication for visitors who do not have eduroam credentials. Monitoring these environments with WiFi Analytics enables real-time capacity management and proactive identification of coverage gaps.


Best Practices

Mandate EAP-TLS for Managed Devices. For university-owned assets, use certificate-based authentication exclusively. It provides the highest level of security and prevents credential theft. EAP-TTLS or PEAP should be reserved as a fallback for unmanaged personal devices during a transition period only.

Enforce DHCP Snooping and BPDU Guard. A student plugging a consumer router into a dorm room Ethernet port can take down the entire subnet. These controls must be applied to all access switch ports without exception.

Monitor and Analyse Continuously. Utilise WiFi Analytics to monitor AP utilisation, client counts, and roaming patterns. This data is invaluable for capacity planning and identifying RF dead zones in lecture theatres and libraries. Correlating WiFi presence data with space utilisation metrics enables data-driven facilities management decisions.

Leverage Location Services for Campus Operations. Implement Wayfinding integration in the campus app to help new students navigate complex buildings and locate available study spaces based on real-time AP association data. This reduces pressure on physical signage and improves the student experience during high-traffic periods.

Align with WPA3 Transition Planning. While WPA2-Enterprise remains the dominant standard, plan your AP refresh cycle to support WPA3-Enterprise (192-bit mode for high-security environments) and Enhanced Open (OWE) for guest SSIDs. WPA3 eliminates the KRACK vulnerability class and provides forward secrecy, which is increasingly relevant for GDPR compliance.


Troubleshooting & Risk Mitigation

RADIUS Timeout Failures During Peak Onboarding. During the first 48 hours of term, RADIUS servers can become overwhelmed, leading to authentication timeouts and a flood of helpdesk calls. Mitigation: Pre-emptive load testing, load balancing across multiple RADIUS nodes, and tuning EAP timers on the wireless LAN controller to accommodate slight proxy delays.

IoT Device Discovery Failures. Students frequently report that they cannot cast to their smart TVs or connect to wireless printers. Mitigation: If devices reside on separate VLANs, configure an mDNS Gateway or Bonjour Proxy to forward specific discovery protocols across the VLAN boundary for the relevant Per-Room VLAN pairs. Ensure the gateway is scoped to individual room VLANs, not the entire building.

eduroam Proxy Routing Loops. Misconfigured realm routing rules can cause authentication requests to loop between proxy servers, resulting in timeouts. Mitigation: Implement strict realm whitelisting and configure loop detection on your RADIUS proxy. Regularly audit routing tables against the national operator's published realm registry.
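The realm inspection described under "The eduroam Federation Architecture" and the realm allow-listing and loop detection recommended above, as an added example (not FreeRADIUS or any vendor's code). The local realm, the registered-realm list and the Proxy-State identifier are constructed for the demonstration; in production the allow-list is derived from the national operator's realm registry.

```python
"""Realm-based routing decision for a campus eduroam RADIUS proxy.

Added example, not FreeRADIUS or any vendor's code. The realm lists and
proxy identifiers are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Hypothetical local realm(s): requests for these are authenticated on campus.
LOCAL_REALMS = {"university.edu"}

# Constructed allow-list of realms this campus is permitted to proxy outward
# (the page's "only valid, registered realms" rule).
REGISTERED_REALMS = {"uva.nl", "ed.ac.uk", "bristol.ac.uk"}

# Value this proxy appends to Proxy-State (RFC 2865) when forwarding, so a
# request that comes back still carrying it is recognised as a loop.
MY_PROXY_STATE = b"campus-radius-1"

# Hard ceiling on the number of proxies a request may already have passed.
MAX_PROXY_HOPS = 4


@dataclass(frozen=True)
class Decision:
    action: str            # "local", "proxy" or "reject"
    realm: Optional[str]   # normalised realm, or None when absent
    reason: str


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a Network Access Identifier into (user, realm) per RFC 7542.

    The realm is everything after the LAST '@' (a user part may itself
    contain '@'); realms are case-insensitive, so they are lower-cased.
    No '@', or an empty realm, yields None.
    """
    identity = identity.strip()
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, (realm.lower() or None)


def realm_is_registered(realm: str) -> bool:
    """True if the realm or any parent domain is on the allow-list
    (so student.uva.nl is routable when uva.nl is registered)."""
    labels = realm.split(".")
    return any(".".join(labels[i:]) in REGISTERED_REALMS for i in range(len(labels)))


def route(identity: str, proxy_state: Sequence[bytes] = ()) -> Decision:
    """Decide what the campus proxy does with an Access-Request.

    `identity` is the outer User-Name; with EAP-TTLS/PEAP this is usually an
    anonymous outer identity such as 'anonymous@uva.nl', which still carries
    the realm needed for routing. `proxy_state` lists the Proxy-State values
    already on the request, one per proxy it has passed through.
    """
    _, realm = split_nai(identity)
    if realm is None:
        # Nothing to route on: fail here rather than guess a realm.
        return Decision("reject", None, "no realm in User-Name")
    if realm in LOCAL_REALMS:
        return Decision("local", realm, "home realm: authenticate against campus directory")
    if MY_PROXY_STATE in proxy_state:
        # We already forwarded this request once; it must not leave again.
        return Decision("reject", realm, "routing loop: our Proxy-State is already present")
    if len(proxy_state) >= MAX_PROXY_HOPS:
        return Decision("reject", realm, "too many proxy hops")
    if not realm_is_registered(realm):
        return Decision("reject", realm, "unregistered realm: not proxied outward")
    return Decision("proxy", realm, "forward to national proxy, appending our Proxy-State")


if __name__ == "__main__":
    samples = [
        ("alice@university.edu", ()),
        ("anonymous@uva.nl", ()),
        ("bob@Student.UVA.nl", (b"flr-nl",)),
        ("mallory@unknown.example", ()),
        ("bob@uva.nl", (b"flr-uk", MY_PROXY_STATE)),
        ("localuser", ()),
    ]
    for ident, state in samples:
        print(f"{ident:28} -> {route(ident, state)}")
```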

Certificate Revocation at Scale. When a student leaves the institution, their certificate must be revoked promptly to prevent continued network access. Mitigation: Implement OCSP (Online Certificate Status Protocol) stapling and ensure your CA's CRL (Certificate Revocation List) is published and accessible to your RADIUS servers. Automate revocation as part of the student de-provisioning workflow.


ROI & Business Impact

Investing in a robust, automated campus WiFi architecture delivers significant, measurable returns across multiple dimensions.

| Metric                            | Baseline (Legacy Architecture) | Target (Modern Architecture)    | Improvement                     |
|-----------------------------------|--------------------------------|---------------------------------|---------------------------------|
| Helpdesk WiFi tickets (Week 1)    | 2,000–3,000                    | 600–900                         | ~70% reduction                  |
| Mean time to onboard a new device | 15–30 minutes (manual)         | 3–5 minutes (automated)         | ~80% reduction                  |
| Security incident blast radius    | Entire building subnet         | Single room VLAN                | Contained                       |
| AP deployment cost per room       | High (hallway model)           | Moderate (in-room, lower power) | Comparable with better outcomes |

Reduced Helpdesk Volume. Automated certificate-based BYOD onboarding can reduce WiFi-related support tickets by up to 70% during the critical start-of-term period, freeing IT staff to focus on higher-value work.

Enhanced Security Posture. Micro-segmentation and 802.1X authentication dramatically reduce the blast radius of a compromised device, mitigating the risk of lateral movement by ransomware — a growing threat in higher education environments.

Data-Driven Campus Management. By integrating network data with sensors and analytics platforms, universities can optimise space utilisation, adjust HVAC schedules based on occupancy, and improve overall campus operations. The same WiFi Analytics infrastructure used for network management becomes a strategic asset for facilities and estate planning.

The architectural patterns described in this guide — micro-segmentation, automated onboarding, and federated identity — are directly applicable beyond higher education. Retail environments benefit from the same BYOD segmentation principles for staff devices, and Healthcare networks require equivalent rigour for medical IoT isolation. The SD-WAN principles that underpin campus WAN connectivity are explored further in The Core SD-WAN Benefits for Modern Businesses.

For organisations looking to extend WiFi-driven intelligence into marketing automation and engagement workflows, the principles of presence-based triggering are detailed in Event-Driven Marketing Automation Triggered by WiFi Presence.



Key Terms & Definitions

RADIUS Proxy

A server that forwards authentication requests between a Network Access Server (NAS) and the final authentication server (IdP), routing based on the user's realm.

Crucial for eduroam federation. When a visiting user's realm does not match the local domain, the campus RADIUS server proxies the request outward through the national hierarchy to the home institution.

EAP-TLS (Extensible Authentication Protocol — Transport Layer Security)

An 802.1X authentication method requiring both a server-side certificate (on the RADIUS server) and a client-side certificate (on the endpoint device). No passwords are transmitted.

The gold standard for BYOD security in higher education. Eliminates password-related WiFi helpdesk tickets and provides mutual authentication, preventing rogue AP attacks.

Micro-segmentation

The practice of dividing a network into small, isolated segments — typically at the VLAN level — to limit lateral movement and reduce the attack surface.

Applied in residence halls via Per-Room VLANs to isolate student devices from one another, preventing ransomware propagation and enforcing privacy between residents.

MAC Authentication Bypass (MAB)

A fallback authentication method that uses a device's MAC address as its identity when the device does not support 802.1X.

Essential for connecting IoT devices (gaming consoles, smart TVs, printers) in dormitories to the secure network. The MAC must be pre-registered in the NAC to receive a valid VLAN assignment.

Realm

The domain portion of a user's Network Access Identifier (NAI), typically the part after the '@' symbol (e.g., 'university.edu' in 'student@university.edu').

RADIUS proxy servers use the realm to route eduroam authentication requests to the correct home institution. Misconfigured realm routing is a common cause of eduroam failures for visiting users.

SCEP (Simple Certificate Enrollment Protocol)

A protocol that enables network devices to automatically request and receive digital certificates from a Certificate Authority.

Used in BYOD onboarding flows to automatically provision client certificates to student devices without manual IT intervention, enabling EAP-TLS authentication at scale.

mDNS Gateway (Bonjour Proxy)

A service that forwards Multicast DNS packets across different subnets or VLANs, enabling device discovery protocols to function in segmented networks.

Required in Per-Room VLAN architectures when a student's phone (on the wireless VLAN) needs to discover their smart TV (on the wired VLAN) within the same room's micro-segment.

Network Access Control (NAC)

A security solution that enforces policy on devices seeking to access a network, controlling admission based on identity, device health, and context.

The central orchestration layer in a campus WiFi architecture. NAC handles 802.1X authentication, dynamic VLAN assignment, device profiling, and MAB for IoT devices.

Supplicant

The software component on an endpoint device that handles the 802.1X authentication exchange with the network.

Built into modern operating systems (Windows, macOS, iOS, Android). When troubleshooting eduroam connection failures, the supplicant configuration — specifically the EAP method and server certificate validation settings — is the first place to investigate.

WPA3-Enterprise

The latest generation of the Wi-Fi Protected Access enterprise security standard, introducing 192-bit cryptographic strength and eliminating vulnerabilities present in WPA2.

Relevant for campus network refresh planning. WPA3-Enterprise provides forward secrecy via ECDHE key exchange, meaning captured traffic cannot be decrypted retroactively even if a certificate is later compromised.

Case Studies

A university is upgrading a 500-bed residence hall built in the 1970s. Students are complaining that they cannot see their wireless printers or cast to their smart TVs, while the IT security team is concerned about the flat /22 subnet currently serving the entire building. How should the network be redesigned?

Phase 1 — Network Redesign: Replace the flat /22 subnet with a Per-Room VLAN architecture. Assign a unique VLAN ID (e.g., VLANs 1000–1499) to each room. Configure the NAC to dynamically assign the correct VLAN based on the student's authenticated identity and their room assignment in the student records system.

Phase 2 — Device Registration Portal: Deploy a self-service portal where students register the MAC addresses of headless devices (printers, smart TVs, gaming consoles). The portal authenticates the student via SSO and records the MAC-to-room mapping in the NAC database.

Phase 3 — MAB Configuration: Configure switch ports and the residential SSID to use MAC Authentication Bypass for registered devices. When a registered MAC connects, RADIUS returns the student's Per-Room VLAN assignment, placing the device in the correct micro-segment.

Phase 4 — mDNS Gateway: Configure the wireless controller's mDNS gateway to proxy Bonjour and SSDP discovery traffic within each Per-Room VLAN boundary, enabling casting and printing without cross-room exposure.

Phase 5 — AP Refresh: Replace hallway APs with in-room units. Reduce transmit power to 8–12 dBm to create clean RF cells and reduce co-channel interference.

Implementation Notes: This approach resolves both the security concern and the usability complaint simultaneously. Micro-segmentation eliminates the massive broadcast domain of the /22 subnet, significantly improving security and network performance. By placing all of a student's devices — including registered IoT devices — into a single Per-Room VLAN, local discovery protocols (Bonjour, SSDP) function normally within the room's micro-segment, restoring casting and printing without exposing those devices to the rest of the building. The mDNS gateway is the critical enabling component that is most frequently overlooked in initial deployments.
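The dynamic VLAN assignment described under "Residence Hall Micro-Segmentation" (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes on the Access-Accept) and Phases 1 to 3 of this case study, as an added example that is not any NAC product's code. The student-to-room records, the registered MAC list and the room-to-VLAN mapping (room N in VLAN 1000 + N, inside the case study's 1000–1499 range) are constructed for the demonstration.

```python
"""Per-room VLAN assignment as a NAC/RADIUS authorisation policy.

Added example, not any NAC vendor's code. Student records, device
registrations and the VLAN plan are constructed for the demonstration.
"""
from typing import Any, Dict

# RFC 2868 tunnel attribute values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed VLAN plan: VLANs 1000-1499 are reserved for residence hall
# rooms, and room N maps to VLAN 1000 + N.
ROOM_VLAN_BASE = 1000
ROOM_VLAN_MAX = 1499

# Constructed extract from the student records system: identity -> room.
ROOM_ASSIGNMENTS: Dict[str, int] = {
    "alice@university.edu": 214,
    "bob@university.edu": 215,
    "carol@university.edu": 600,   # room outside the VLAN plan: exercises the guard
}

# Constructed data from the self-service registration portal: MAC -> owner.
REGISTERED_MACS: Dict[str, str] = {
    "aa:bb:cc:dd:ee:01": "alice@university.edu",   # e.g. the Xbox in room 214
    "aa:bb:cc:dd:ee:02": "dave@university.edu",    # owner with no room on record
}


def normalise_mac(raw: str) -> str:
    """Canonicalise the Calling-Station-Id formats different NAS vendors send
    (AA-BB-CC-DD-EE-01, aabb.ccdd.ee01, AABBCCDDEE01) to aa:bb:cc:dd:ee:01."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def room_to_vlan(room: int) -> int:
    vlan = ROOM_VLAN_BASE + room
    if not ROOM_VLAN_BASE <= vlan <= ROOM_VLAN_MAX:
        raise ValueError(f"room {room} has no VLAN in the residential range")
    return vlan


def access_accept(vlan: int) -> Dict[str, Any]:
    """Access-Accept carrying the three attributes the WLC or switch reads."""
    return {
        "code": "Access-Accept",
        "attributes": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan),
        },
    }


def access_reject(reason: str) -> Dict[str, Any]:
    return {"code": "Access-Reject", "attributes": {"Reply-Message": reason}}


def vlan_for_owner(identity: str) -> Dict[str, Any]:
    """Look up the owner's room and turn it into a VLAN, or reject."""
    room = ROOM_ASSIGNMENTS.get(identity.lower())
    if room is None:
        return access_reject("no room assignment on record")
    try:
        return access_accept(room_to_vlan(room))
    except ValueError as exc:
        return access_reject(str(exc))


def authorize(request: Dict[str, str]) -> Dict[str, Any]:
    """Authorisation step, run after authentication has already succeeded.

    802.1X requests carry the authenticated User-Name. MAB requests are
    marked with Service-Type=Call-Check and identify the device only by its
    Calling-Station-Id, so the VLAN comes from the registered owner's room.
    """
    if request.get("Service-Type") == "Call-Check":
        try:
            mac = normalise_mac(request.get("Calling-Station-Id", ""))
        except ValueError as exc:
            return access_reject(str(exc))
        owner = REGISTERED_MACS.get(mac)
        if owner is None:
            return access_reject("MAC not registered in the device portal")
        return vlan_for_owner(owner)
    return vlan_for_owner(request["User-Name"])


if __name__ == "__main__":
    laptop = authorize({"User-Name": "alice@university.edu", "Service-Type": "Framed-User"})
    xbox = authorize({"User-Name": "aabbccddee01", "Calling-Station-Id": "AA-BB-CC-DD-EE-01",
                      "Service-Type": "Call-Check"})
    print(laptop, xbox, sep="\n")   # both land in VLAN 1214, the room 214 micro-segment
```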

During the first week of term, a 15,000-student university's IT helpdesk receives over 2,500 WiFi tickets in 48 hours. The majority are from students who changed their university portal password and are now unable to connect to eduroam. The current authentication method is PEAP-MSCHAPv2. What is the architectural change required, and how should it be rolled out?

Root Cause: PEAP-MSCHAPv2 authenticates using the user's AD password. When the password changes, the stored WiFi profile credential becomes invalid, breaking the connection.

Architectural Change: Transition from PEAP-MSCHAPv2 to EAP-TLS (certificate-based authentication).

Rollout Plan:

  1. Deploy a Campus Certificate Authority (or integrate with an existing PKI) and configure SCEP/EST endpoints.
  2. Stand up a BYOD onboarding tool (vendor-neutral options include FreeRADIUS with a custom portal, or commercial solutions). Configure it to authenticate via SSO and provision client certificates.
  3. Create an 'Onboarding' SSID (open, captive-portal restricted) alongside the existing eduroam SSID.
  4. Communicate to students: 'Connect to Onboarding-WiFi, follow the steps, and your WiFi will never break when you change your password again.'
  5. Once certificate adoption reaches >80%, disable PEAP-MSCHAPv2 on the RADIUS server and enforce EAP-TLS only.
  6. Set certificate lifetime to 2 years with automated renewal 30 days before expiry.

Implementation Notes: Password churn is the single leading cause of WiFi helpdesk tickets in higher education. The transition to EAP-TLS decouples WiFi authentication from the AD password lifecycle entirely. The phased rollout — running both methods in parallel during the transition — is essential to avoid a mass outage. The certificate renewal automation is equally critical: a certificate expiry event without automated renewal creates the same helpdesk spike as a password change, just on a 2-year cycle instead of a 90-day one.
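Steps 5 and 6 of the rollout plan, as an added example that is not code from the original article: a rollout gate that measures EAP-TLS adoption from a summary of RADIUS authentication results and refuses to retire PEAP-MSCHAPv2 until adoption exceeds 80%, plus a renewal sweep that lists certificates inside the 30-day window. The auth records and certificate inventory are constructed.

```python
# Added example (not from the original article): EAP-TLS rollout gate and
# certificate renewal sweep. All records below are constructed.
from datetime import date, timedelta

# Constructed RADIUS auth summary: (user, EAP method, result)
AUTH_RECORDS = [
    ("s0001", "EAP-TLS", "Access-Accept"),
    ("s0002", "EAP-TLS", "Access-Accept"),
    ("s0003", "PEAP-MSCHAPv2", "Access-Accept"),
    ("s0004", "EAP-TLS", "Access-Accept"),
    ("s0005", "EAP-TLS", "Access-Accept"),
    ("s0001", "EAP-TLS", "Access-Accept"),       # repeat user counts once
    ("s0006", "PEAP-MSCHAPv2", "Access-Reject"),  # failed auths do not count
]

# Constructed certificate inventory: user -> notAfter
CERT_INVENTORY = {
    "s0001": date(2026, 3, 15),
    "s0002": date(2026, 2, 10),
    "s0004": date(2027, 9, 1),
}


def eap_tls_adoption(records) -> float:
    """Fraction of distinct users whose latest successful auth used EAP-TLS."""
    last_method = {}
    for user, eap_type, result in records:
        if result == "Access-Accept":
            last_method[user] = eap_type
    if not last_method:
        return 0.0
    tls_users = sum(1 for m in last_method.values() if m == "EAP-TLS")
    return tls_users / len(last_method)


def peap_can_be_disabled(records, threshold: float = 0.80) -> bool:
    """Step 5 gate: retire PEAP-MSCHAPv2 only once adoption is above threshold."""
    return eap_tls_adoption(records) > threshold


def renewals_due(inventory, today_iso: str, window_days: int = 30) -> list:
    """Step 6 sweep: users whose certificate expires within the window
    (or has already expired), sorted for the renewal job."""
    cutoff = date.fromisoformat(today_iso) + timedelta(days=window_days)
    return sorted(u for u, not_after in inventory.items() if not_after <= cutoff)
```

With the constructed data adoption is exactly 80%, so the gate stays closed until one more user migrates.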

Scenario Analysis

Q1. A visiting researcher from the University of Amsterdam arrives at your campus in London. They connect to the eduroam SSID but receive an 'Authentication Failed' error. Your local RADIUS logs confirm the Access-Request is being forwarded to the national proxy, but no response is received within the timeout window. Where is the most likely point of failure, and what is your escalation path?

💡 Hint: Apply the 'Home Always Knows' principle. Your local infrastructure is functioning correctly if the request is leaving your campus.

Recommended Approach:

Since the local RADIUS server is successfully proxying the request outward, the local campus infrastructure is functioning correctly. The most likely failure points are: (1) the national proxy (JANET) is unable to route to the Dutch national proxy (SURFnet), or (2) the researcher's home institution RADIUS server is offline or misconfigured. The escalation path is: first, contact your national roaming operator (JANET) with the timestamp and realm (@uva.nl) to check proxy routing logs. Second, advise the researcher to contact their home institution's IT helpdesk, as the issue is almost certainly on their side. Do not spend time troubleshooting your own RADIUS infrastructure.
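The escalation logic in that answer, as an added example that is not code from the original article: a classifier that takes a per-request summary from the local RADIUS server (outer identity, whether the request was proxied, and what reply came back, if any) and names the failure point and escalation target according to the 'Home Always Knows' principle. The local realm `example.ac.uk`, the request ids and the event summaries are constructed; `uva.nl` is the realm from the scenario.

```python
# Added example (not from the original article): eduroam failure triage.
LOCAL_REALM = "example.ac.uk"   # constructed placeholder for the campus realm

# Constructed per-request summaries from the local RADIUS server:
# id -> {"identity": outer identity, "proxied": bool, "reply": str or None}
EVENTS = {
    "req-1": {"identity": "anonymous@uva.nl", "proxied": True, "reply": None},
    "req-2": {"identity": "anonymous@uva.nl", "proxied": True, "reply": "Access-Reject"},
    "req-3": {"identity": "jdoe@example.ac.uk", "proxied": False, "reply": "Access-Reject"},
    "req-4": {"identity": "jdoe", "proxied": False, "reply": None},
}


def realm_of(identity: str):
    """Realm is everything after the last '@' of the outer identity; None if absent."""
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def classify(event: dict, local_realm: str = LOCAL_REALM) -> dict:
    """Decide where a failed eduroam auth stalled and who should look at it."""
    realm = realm_of(event["identity"])
    if realm is None:
        return {"failure": "no-realm", "escalate_to": "user",
                "note": "eduroam identities must carry a realm; fix the supplicant profile"}
    if realm == local_realm:
        return {"failure": "local-reject", "escalate_to": "local-identity-team",
                "note": "our own IdP answered; check directory and credentials"}
    if not event["proxied"]:
        return {"failure": "proxy-config", "escalate_to": "local-radius-team",
                "note": "foreign realm was never forwarded; check realm/proxy config"}
    if event["reply"] is None:
        # Request left campus and nothing came back: local side is healthy.
        return {"failure": "upstream-timeout", "escalate_to": "national-roaming-operator",
                "note": f"no reply for realm {realm}; send timestamp and realm"}
    return {"failure": "home-reject", "escalate_to": "home-institution-helpdesk",
            "note": f"{realm} answered {event['reply']}; credentials issue at the home IdP"}
```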

Q2. You are designing the WiFi for a new 1,000-bed residence hall. The facilities team wants to install APs in the hallways to save on cabling and installation costs. Provide a technical argument against this approach and specify the recommended alternative.

💡 Hint: Consider RF attenuation through fire doors and masonry, co-channel interference in long corridors, and the implications for Per-Room VLAN architecture.

Recommended Approach:

Hallway deployments are an anti-pattern for modern high-density residential environments for three reasons. First, RF signals must penetrate thick fire-rated doors and masonry walls to reach devices inside rooms, resulting in poor signal quality and low throughput precisely where users are located. Second, APs deployed in a long corridor have clear line-of-sight to each other, causing severe co-channel interference that degrades performance for all clients. Third, the hallway model makes Per-Room VLAN micro-segmentation architecturally ambiguous — a hallway AP serves multiple rooms simultaneously, complicating dynamic VLAN assignment. The recommended approach is in-room AP deployment: one AP per room for new builds, or one AP per two rooms in modern construction with thin partition walls. Transmit power should be set to 8–12 dBm to create clean RF cells. While the upfront cabling cost is higher, the operational savings from reduced helpdesk volume and improved user experience deliver a positive ROI within the first academic year.

Q3. A student registers their PlayStation 5 MAC address in the device registration portal. The console is connected via the residential SSID but cannot discover the student's phone for Remote Play. Both devices are confirmed to be on the same Per-Room VLAN. What is the most likely configuration issue?

💡 Hint: Consider the wireless controller's client isolation settings and the protocols used by device discovery.

Recommended Approach:

The most likely cause is that client isolation (also called AP isolation or wireless isolation) is enabled on the residential SSID. Client isolation prevents wireless clients on the same SSID from communicating directly with each other, even if they are on the same VLAN. This is a common security default that is appropriate for guest networks but counterproductive in a Per-Room VLAN environment where device-to-device communication is intentional. The fix is to disable client isolation specifically on the residential SSID (or create a policy exception for the Per-Room VLAN range). If the console is on the wired network and the phone is on wireless, the issue may instead be an mDNS gateway not forwarding Sony's device discovery protocol (SSDP/UPnP) across the wired-to-wireless boundary within the same VLAN.

Key Takeaways

  • ✓ eduroam uses a hierarchical RADIUS proxy model — authentication always resolves at the user's home institution, never at the visited campus. The 'Home Always Knows' principle defines your troubleshooting escalation path.
  • ✓ Per-Room VLANs create micro-segmented Personal Area Networks in residence halls, simultaneously improving security and enabling IoT device discovery within each room's boundary.
  • ✓ Automated EAP-TLS certificate onboarding — not PEAP-MSCHAPv2 — is the only scalable solution for BYOD at university scale. It decouples WiFi authentication from the AD password lifecycle.
  • ✓ IoT devices require MAC Authentication Bypass (MAB) and a self-service registration portal, as they lack 802.1X supplicants. They must be placed in the student's Per-Room VLAN, not a separate building-wide IoT VLAN.
  • ✓ In-room AP deployments are mandatory for modern residence halls. Hallway APs cause co-channel interference and poor in-room coverage, and are architecturally incompatible with Per-Room VLAN micro-segmentation.
  • ✓ DHCP Snooping and BPDU Guard must be enforced on all access switch ports to prevent rogue DHCP servers from consumer routers taking down dormitory subnets.
  • ✓ WiFi analytics and sensor integration transform the network from a connectivity utility into a strategic data asset for space utilisation, facilities management, and operational efficiency.