Do you want to get started with iotroam for your institution? The steps below will get you started. A detailed explanation of all features in the administrator portal can be found in the administrator manual.

Administrative steps - requesting iotroam

To start using iotroam, the steps below must be followed. Be aware that your organization must also use SURFconext in order to use iotroam.

  1. The Institutional Contact Person (ICP) or Institutional Representative (BVI) requests the iotroam service on SURFdashboard. A Service Provision Agreement (DVO) is prepared and sent by SURF Klantsupport.

    After signing the DVO, SURF gives its approval and the following steps can be carried out:

  2. The SURFconext manager of the institution links iotroam to the institution at https://dashboard.surfconext.nl.
  3. The Institutional Contact Person (ICP) assigns the role of iotroam-beheerder in SURF Authorisation Management (SAB) to one or more ICT administrators in SURFdashboard.
  4. The ICT administrator(s) with the role of iotroam-beheerder can then log in to the portal to set up iotroam for the institution. The iotroam infrastructure at SURF is automatically configured.

Technical step 1 - Configure wifi network and RADIUS

The first technical steps are the configuration of the wifi network and, optionally, the institution's RADIUS servers.

In the network, the SSID iotroam must be configured with the appropriate parameters. What the correct settings are and how they work is different for each vendor. There are several manuals in the iotroam wiki. This also applies to the configuration of the institution's RADIUS servers.

It is possible to point to iotroam's RADIUS servers directly from the wireless LAN controller, i.e. without local RADIUS configuration. However, SURF always advises running iotroam authentication through the institution's own RADIUS servers and configuring the iotroam RADIUS servers as a so-called RADIUS proxy. This gives the administrators of the institution more control, insight and troubleshooting capabilities, and it means iotroam is not an exception with respect to the rest of the environment.

The IP addresses of iotroam's RADIUS servers are listed on the welcome page of the iotroam administrator portal.

Technical Step 2 - Basic setup iotroam portal

Go through the following steps for a basic setup of iotroam:

  1. Log in to iotroam.nl, hover over your name at the top right and click Admin. You are now on the welcome page of the iotroam administrator portal.
  2. Default device profile setting: Click Settings on the left; if the menu is not visible, click the arrow at the top of the light blue column. Then click Device Profiles. Click Add profile and fill in at least:
    1. Name: choose a logical name. Description is optional, but you can put some more information there.
    2. VLAN ID: This is the VLAN ID that will be included and thus the default VLAN for all personal devices, roaming devices and devices in groups that are not associated with another device profile.
    Click Add.
  3. Setting up RADIUS Client: Click Settings on the left; if the menu is not visible, click the arrow at the top of the light blue column. Then click RADIUS Clients. Click Add Client. Enter at least:
    1. Description: useful for distinguishing between multiple RADIUS Clients.
    2. IP Address: The IP address of your own institution's RADIUS client, i.e. your own RADIUS server, or the wireless LAN controller (WLC) if you don't use the institution's own RADIUS server.
    3. RADIUS secret: for authentication between the iotroam RADIUS servers and the institution's own RADIUS client. You also need to enter this shared secret in your own environment.
    4. Device profile: this is the default device profile. This default profile is used for all authentications for which you have not set an exception. If you do not enter anything here, the default settings of the SSID will be used.
    Check Enabled and click Create.
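
How the recommended proxy setup and the RADIUS Client entry above could fit together on the institution's own RADIUS server, as an added example that is not part of the original page or of SURF's documentation. It assumes FreeRADIUS 3.x; the IP addresses, the port, the secret, the names `iotroam_1`, `iotroam_2`, `iotroam_pool`, the realm name and the SSID match on Called-Station-Id are placeholders or assumptions, and the vendor manuals in the iotroam wiki remain the reference for your platform.

```conf
# ---- proxy.conf (FreeRADIUS 3.x assumed; iotroam does not prescribe it) ----
# Addresses are placeholders from the documentation range 192.0.2.0/24.
# The real ones are on the welcome page of the iotroam administrator portal.
home_server iotroam_1 {
    type            = auth
    ipaddr          = 192.0.2.10
    port            = 1812          # standard RADIUS auth port (assumed)
    # Same value as "RADIUS secret" of the RADIUS Client in the portal.
    secret          = "REPLACE_WITH_PORTAL_RADIUS_SECRET"
    response_window = 20
    zombie_period   = 40
    status_check    = none          # assumption: no Status-Server probing
}
home_server iotroam_2 {
    type            = auth
    ipaddr          = 192.0.2.11
    port            = 1812
    secret          = "REPLACE_WITH_PORTAL_RADIUS_SECRET"
    response_window = 20
    zombie_period   = 40
    status_check    = none
}
# Try iotroam_1 first, fall back to iotroam_2 when it stops answering.
home_server_pool iotroam_pool {
    type        = fail-over
    home_server = iotroam_1
    home_server = iotroam_2
}
# Internal realm name (hypothetical); "nostrip" leaves User-Name unchanged.
realm iotroam {
    auth_pool = iotroam_pool
    nostrip
}

# ---- sites-enabled/default, inside the existing authorize { } section ----
# Assumption: the WLC sends the SSID as the suffix of Called-Station-Id
# ("AA-BB-CC-DD-EE-FF:iotroam"); this is vendor-dependent.
if (&Called-Station-Id && (&Called-Station-Id =~ /:iotroam$/)) {
    update control {
        &Proxy-To-Realm := "iotroam"
    }
}
```

Requests must leave this server from the IP address registered as RADIUS Client in the portal, otherwise the iotroam RADIUS servers will not recognise the client. Keep the file holding the secret readable only by the RADIUS service account.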

Users can now start using iotroam by adding personal devices. Creating groups and assigning users to groups is described in the administrator manual.