eduroam network originates from the federated authentication paradigm, which is a system that allows the user to authenticate (i.e. send his own username and password) only and exclusively with his own home institution, ensuring security and privacy (the institution where the user is physically located can not see user’s username and password). Appropriate authentication systems configuration, based precisely on a federated infrastructure (that is, configuring appropriate authentication chains between different institutions), technically allows to achieve this result.
As stated, the consequence is that it is possible to access the network everywhere, with security and privacy, without the necessity to modify the device’s configuration.
Unfortunately however, the gigantic variety of devices, operating systems, and different interpretations and implementations from the various vendors, allow to achieve this result only if the correct device’s configuration steps are followed (moreover sometimes vendors put some limitations or have some implementation bugs that limit users*).
Specifically, the “heart” of the operation is telling the device which are the real authorized authentication servers of the user’s institution, to which send user’s username and password. This has to happen before the first connection, otherwise users could be exposed for example to the possibility that some malicious figure presents a Wi-Fi network named eduroam but inserts a fake authentication server that seizes user’s credentials.
This is why it is mandatory to use CAT configuration tool to correctly and in advance configure the devices. Not doing so exposes (with different risk levels, depending on the specific device) to the easy stealing of own personal credentials, with all the relevant consequences.
* for example, on Android devices, Google requires to set up a “secure” unlock method, otherwise correct configuration is not possible; another example is Samsung that for some time on some of its Android 11 devices imposed limitations on the anonymous identity usage, removing this feature assurance to the user.