Appendix Comparison of GovWifi, Govroam and Eduroam
Operating cost
GovWifi
GovWifi is centrally funded as part of the Government Property Agency’s interoperability portfolio. The service doesn’t charge fees to network operators or end users and doesn’t generate any profits. Budgets are reviewed in line with the Spending Review process.
Govroam
Jisc operates under a ‘not for profit’ model, meaning that govroam membership fees cover the following: Support Team (currently 2.5 headcount based on operational need); Hosting/Maintenance/Support of core Jisc technical infrastructure; A small marketing budget to promote the service. Any small surplus generated after these costs are covered is re-invested into development. Budgets are reviewed annually to ensure that a) membership revenues are covering the core delivery costs and b) any surplus generated for re-investment is not excessive.
Eduroam
See govroam. The primary difference is that operating costs for eduroam are reviewed against the portion of funding it is allocated from the central funding to Jisc for the Janet network, so there is not the same opportunity for revenue to grow in line with membership.
Funding
GovWifi
GovWifi is centrally funded by HM Treasury as part of the Government Property Agency Technology Portfolio. GovWifi have stated that their aim is to provide a service across the whole of the public sector and that any attempt to recover costs, other than via central funding, would not provide best value for money.
Govroam
Funded through onboarding fees and annual subscription fees paid by member organisations. Jisc is a ‘not for profit’ company so all income goes on providing/improving the services.
Eduroam
Membership is free of charge. Funded from a portion of budget allocated to provision of the national Janet network. Jisc is a ‘not for profit’ company so all income goes on providing/improving the services.
Cost to use
GovWifi
Free of charge
Govroam
Membership can be procured directly through Jisc (Govroam - Jisc) or via GCloud14 (G-Cloud 14 - CCS). There are four levels of membership:
- ‘Visited Only’: enables visitors from full govroam member organisations to access a share of the local Wi-Fi provision when on the subscriber’s premises, and is free of charge.
- ‘Individual Membership’: enables an organisation’s employees to authenticate their identity and access the internet through the govroam service of any other member. There is no limitation on user numbers, volume of data sent/received etc. Costs are £1k onboarding fee, and £3,640 p.a. subscription.
- ‘Federation Membership’: enables up to 25 organisations to enjoy ‘Individual Membership’. One of the organisations manages the relationship with Jisc on behalf of all others. Data is usually routed through member organisations rather than via Jisc. This type of membership would suit an ICB. The total cost is £3,000 onboarding, £8,460 pa subscription.
- ‘Super Federated Membership’: enables 26+ organisations to enjoy ‘Individual Membership’. The total cost is £9,000 onboarding, £36,220 pa subscription. This is used in Wales by the PSBA and in Scotland for the SWAN Network, as well as in the Yorkshire, Kent and Greater London Regions.
An NHS Wide subscription model would need to be negotiated separately, as that scope would be significantly larger than any of the scenarios modelled in the current pricing structure. Jisc is ‘not for profit’, so all costs go on providing/improving the services. Any bespoke pricing for an NHS wide agreement would be reflective of the costs to Jisc for providing the service.
Eduroam
There is only one model of membership ‘Individual Membership’, although participants may implement ‘Visited-only’, ‘Home-only’ or ‘Home and Visited’ types of service. Every member joins the eduroam (UK) directly and peers their RADIUS service directly to the eduroam (UK) national RADIUS servers. There is no regional federation operator level. Membership of eduroam (UK) is free of charge.
Age
GovWifi
GovWifi was launched in 2016 and completed its live service assessment in 2020. GovWifi sees continued take up across the whole of the public sector.
Govroam
Established in 2017 and has seen continued growth ever since, especially with NHS and ICB organisations.
Eduroam
eduroam was launched in the UK in 2006.
Service description
GovWifi
GovWifi streamlines secure network access through EAP-based authentication that puts users first. Quick registration is enabled using mobile phone numbers, while maintaining security by restricting email registration to trusted government domains like gov.uk and NHS.net.
GovWifi’s flexible sponsorship system ensures contractors and external partners can gain seamless access through existing team members.
Govroam
Members have the flexibility to deploy govroam anywhere on their network, both via Ethernet and over WLAN. The govroam SSID can be broadcast using any Wi-Fi technology and any vendor that supports 802.1X. The network manager adds the govroam SSID to the WLAN which allows the member’s own staff and visitors to access the service. The network manager also implements a RADIUS service which is peered to either the govroam national RADIUS servers or those of the local federation.
In the case of visitors, following successful authentication of the user, the user’s device is connected to a network service that is dedicated to govroam users and which provides the user with access to the internet. The internet service provided must support commonly used applications such as web, e-mail, VPN. Partitioning of network services is supported such that a member’s own users may be connected to a network service that gives access to local resources that would not be made available to visitors. Local security policies for own staff may also be implemented on such network partitions for the organisation’s own users.
Eduroam
See govroam – the eduroam service is provided through the eduroam SSID and may be provided via wired Ethernet connection.
Architecture
GovWifi
GovWifi delivers centralised authentication services through a robust, cloud-based architecture designed to serve thousands of public sector locations seamlessly. The system leverages RADIUS servers on AWS infrastructure, supporting reliable and resilient authentication for users nationwide.
GovWifi supports multiple authentication methods to meet diverse organisational needs:
- EAP-MSCHAPv2/PEAPv0 for traditional username/password authentication via mobile and email registration
The RADIUS implementation processes authentication requests through sophisticated policy engines, utilising virtual servers to handle encrypted EAP tunnel requests securely. Each user receives unique, randomly-generated credentials that cannot compromise other systems if intercepted.
GovWifi uses enterprise-grade security and encryption paired with 802.1X network access control.
This targeted approach ensures networks maintain robust security standards while maximising authentication efficiency across the organisation.
This architecture enables seamless Wi-Fi access across government buildings while maintaining the robust security posture essential for public sector operations.
GovWifi have stated they remain open to exploring decentralised authentication solutions that could better serve evolving user needs. GovWifi actively seeks feedback from organisations about potential decentralised approaches that might enhance flexibility while maintaining security standards.
Govroam
Visitor users access govroam through the SSID presented by the Host WLAN. Authentication of the user is necessary before the visitor’s device is allocated an IP address and connected to the Host organisation’s network. Authentication requests arising from the user’s device are directed from the WLAN to the Host RADIUS server.
The Host RADIUS server forwards authentication requests through the govroam RADIUS hierarchy to the Visitor’s home organisation RADIUS server. The user’s home organisation is identified by the @realm component of the username which shares the same format as an e-mail address (userID@realm). The decision as to whether to allow or deny access to network services is made by the home organisation’s RADIUS server.
The user’s home organisation RADIUS server typically looks up the user’s identity in Active Directory and verifies the credentials (username and password or client certificate) submitted by the user’s device. Based on this validation and the status of the user’s account, the home organisation RADIUS server sends an ‘accept’ or ‘reject’ back to the Host RADIUS server to allow or deny connection to the network, allocation of an IP address and access to the internet. If access is granted, the Host network provides the visitor with internet access using a govroam-specific VLAN to which it has allocated a portion of bandwidth.
Govroam decouples the requesting of access from the granting of access. The national Jisc govroam service does not manage user credentials. User credentials are managed by the user’s home organisation. The govroam RADIUS hierarchy serves to route authentication requests back to the user’s home organisation for authentication. The govroam RADIUS hierarchy only receives an acceptance or denial message which is forwarded to the organisation that the user is visiting.
Hosts need to provide a minimum of infrastructure (WLAN, RADIUS server, AD/LDAP/Text File of users), internet connectivity, and support for VPN, e-mail and web protocols. Member organisations can build on this, for example by giving high bandwidth VPN access to certain organisations; they can even provide a VPN tunnel back to the visitor’s own network.
The only dependency is to support RADIUS authentication.
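The realm-based routing described in this section can be shown as a short simulation. This is an added example, not Jisc or govroam code: the realms, users, passwords and tier names are constructed, and rejecting malformed realms at the first proxy is a design choice of the example.

```python
import hmac
import re
from dataclasses import dataclass, field

# Constructed simulation: realms, users and tier names are hypothetical.
# Realm must look like a DNS name so malformed identities are never forwarded.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def parse_realm(username):
    """Return the lower-cased realm of userID@realm, or None if malformed."""
    user, sep, realm = username.rpartition("@")
    realm = realm.lower()
    if not sep or not user or not REALM_RE.match(realm):
        return None
    return realm


@dataclass
class HomeServer:
    """Home organisation: the only tier that holds and checks credentials."""
    realm: str
    users: dict  # full username -> password, standing in for an AD/LDAP lookup

    def authenticate(self, username, secret, path):
        path.append("home:" + self.realm)
        stored = self.users.get(username.lower())
        ok = stored is not None and hmac.compare_digest(stored.encode(), secret.encode())
        return "accept" if ok else "reject"


@dataclass
class Proxy:
    """Host, federation or national tier: routes on realm, holds no user data."""
    name: str
    routes: dict = field(default_factory=dict)  # realm -> next hop
    upstream: object = None                     # next tier up, if any

    def authenticate(self, username, secret, path):
        path.append("proxy:" + self.name)
        realm = parse_realm(username)
        if realm is None:
            return "reject"  # drop realm-less or malformed identities at the edge
        target = self.routes.get(realm) or self.upstream
        if target is None:
            return "reject"  # top of the hierarchy and the realm is unknown
        # In real 802.1X the secret sits inside an EAP tunnel that only the home
        # server terminates; here it is simply passed through untouched.
        return target.authenticate(username, secret, path)


def build_hierarchy():
    """Two organisations behind a regional federation, one peered nationally."""
    home_a = HomeServer("trust-a.example", {"alice@trust-a.example": "pw-a"})
    home_b = HomeServer("council-b.example", {"bob@council-b.example": "pw-b"})
    home_c = HomeServer("agency-c.example", {"carol@agency-c.example": "pw-c"})
    national = Proxy("national", {"agency-c.example": home_c})
    fed = Proxy("federation", {"trust-a.example": home_a, "council-b.example": home_b}, national)
    national.routes.update({"trust-a.example": fed, "council-b.example": fed})
    host_a = Proxy("host-a", {"trust-a.example": home_a}, fed)
    host_c = Proxy("host-c", {"agency-c.example": home_c}, national)
    return host_a, host_c


def connect(host, username, secret):
    """Return (decision, hops) for a visitor joining the SSID at `host`."""
    path = []
    return host.authenticate(username, secret, path), path


if __name__ == "__main__":
    host_a, host_c = build_hierarchy()
    for who, pw in [("bob@council-b.example", "pw-b"), ("carol@agency-c.example", "pw-c"), ("mallory", "x")]:
        print(who, connect(host_a, who, pw))
```

The hop list shows why a national operator sees only part of the traffic: a request between two members of the same federation never reaches the national tier.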
Eduroam
See govroam
Strategy and roadmap
GovWifi
Vision
To be the seamless, trusted Wi-Fi roaming service for everyone in public sector buildings.
GovWifi actively serves central government, local authorities, and is expanding support to the NHS, ensuring comprehensive coverage across the entire public sector ecosystem.
GovWifi remains committed to delivering a reliable, secure and relevant service. Given rapid technological advancements, a focus on security and quality is essential to maintaining user confidence and meeting evolving needs.
2025/26 Roadmap priorities
Security and infrastructure
- automate certificate rotations to reduce security vulnerabilities
- accelerate disaster recovery response times for improved resilience
- advance certificate-based authentication to public beta for enhanced security
User experience and accessibility
- complete WCAG 2.2 accessibility remediations for inclusive access
- transform the admin experience with streamlined management tools
- automate reporting and build comprehensive dashboards for better insights
Service expansion and innovation
- improve and publish network standards for consistent implementation
- explore AI applications to enhance both security and user experience
- investigate guest registration alternatives for more flexible access options
Govroam
The govroam Wi-Fi roadmap is aligned to the Wireless Broadband Alliance Wi-Fi roadmap; Jisc is a member of the Alliance.
Authentication: Jisc is running an Alpha Trial of the OpenRoaming Standard. It will reach out to member organisations soon to start Beta Testing. This initiative is speculative, as currently there is only a very small footprint of OpenRoaming deployments. However, in 3 to 5 years the availability of OpenRoaming will be greater and govroam could take advantage of this. OpenRoaming has reconciliation and charging features that eduroam could potentially bootstrap from.
Standards: govroam are interested in exploiting the features and capabilities of Wi-Fi 6E and are also considering 5G. Govroam provide ‘edubox’ which provides 4G/5G cellular roaming where there is no Wi-Fi coverage for example as a temporary solution for green field sites or outdoor events.
User Groups: govroam invites users to input on the ongoing development of the system and undertake joint development of the solution with the users.
Eduroam
See govroam
Authentication: Jisc is running an Alpha Trial of the OpenRoaming Standard. It will reach out to member organisations soon to start Beta Testing.
Through the relevant eduroam member organisations, eduroam is being provided on buses in Nottingham and Oxford and on trams in Edinburgh.
Number of clients
GovWifi
As of May 2025, GovWifi serves 373 organisations across over 2,000 locations throughout the UK, making it the largest government Wi-Fi authentication service with 859,000 active monthly users. Their network spans central government departments, NHS organisations, local authorities, emergency services including police and fire rescue authorities, and specialised agencies.
It enables seamless connectivity for public servants, contractors, and public visitors who can access secure Wi-Fi across thousands of government buildings with a single set of credentials while maintaining enterprise-grade security standards.
Govroam
Govroam is targeted at the public sector. This includes organisations that are around 50% public funded, have charitable status, or are a service provider to the public sector (for example a facilities management company). Some members’ IT suppliers provide govroam on their behalf. Other users are NHS and ICB partners including hospital trusts, ambulance trusts, GP practices.
333 different organisations. Around a third are NHS organisations. Access is provided from 6,000 locations across the UK. This can vary from an office with a single AP, to a town centre wide deployment for example in North Yorkshire.
Eduroam
There are 650 member organisations in the UK.
The majority of members are educational and research establishments: the vast majority of universities and a large proportion of further education colleges. However, there are members from NHS and ICBs. These tend to be visitor only services which enable student doctors and nurses to access educational networks from Teaching Hospitals, University NHS Trusts and GP surgeries.
Number of users
GovWifi
GovWifi serves 1.4 million registered users, including 830,000 active users and 506,000 roaming users.
Govroam
Jisc can only see the connection requests that pass through the Jisc network infrastructure which accounts for approximately 25% of total network traffic (this is because network traffic is routed locally where possible for federated clients). Jisc is aware of 4.5m connections in 2022, but this figure could represent only 25% of total usage.
Eduroam
Jisc can only see the connection requests that pass through the Jisc network infrastructure. The majority of eduroam based authentication takes place on campus. Since 99% of higher education institutions are members of eduroam, potentially most of the UK HE student population could be users.
Public access
GovWifi
Members of the public can access GovWifi. Anyone can create a GovWifi account by texting 'Go' to 07537 417 417 to receive their unique username and password. The email registration route is restricted to users with “allow listed” public sector email domains. SMS registration is open to all users regardless of their organisation.
Organisations can implement GovWifi through network segmentation, using VLANs to separate GovWifi traffic from their corporate networks. Local authorities typically deploy GovWifi for public access while maintaining separate, more secure networks for internal operations.
Govroam
govroam is not available for the public.
Eduroam
See govroam.
Security
GovWifi
GovWifi uses centralised authentication. The Cabinet Office (CO) manages the authentication infrastructure while minimising personal data collection. All user data is encrypted both at rest and in transit.
GovWifi supports WPA2-Enterprise and WPA3-Enterprise protocols. CO provides comprehensive security guidance through documentation and the admin portal to ensure secure implementation.
CO follows National Cyber Security Centre (NCSC) recommendations and conducts regular security reviews. External security assessments are performed to validate the service's security posture.
CO enables organisations to configure their local networks according to security best practices. The admin portal provides tools for certificate management and monitoring authentication events, helping organisations maintain compliance with government security standards.
Govroam
govroam uses decentralised authentication. Jisc holds no user personal data and has no visibility of such data. User personal data is only held/stored by the owner and is encrypted at rest and in transit.
govroam supports WPA2 Enterprise and WPA3. Jisc provides users with advice and guidance regarding security in the form of a MOSCOW and Service Definition document.
Jisc invites independent external third parties to review its security measures and has its own in-house cyber security experts advising.
Jisc are developing a way for clients to validate that they have installed govroam in a secure manner and to provide some form of certification for this to help demonstrate clients are “compliant” with Jisc security advice for govroam.
Eduroam
See govroam
Potential as national solution
GovWifi
GovWifi is national in scope and NHS staff can use GovWifi to roam across government departments and buildings. Following pilot programmes in social care and private NHS healthcare provider facilities GovWifi can now be provided at any location that provides NHS care.
Govroam
Jisc agrees that there should be a single national Wi-Fi roaming solution and would be delighted to speak to NHS and others further about this. Govroam is already national in scope with current coverage in most areas of the UK.
Eduroam
eduroam is the national solution for network access control and Wi-Fi roaming in the education and research community.
Performance
GovWifi
There is a risk of performance impact for organisations implementing GovWifi in areas open to the public, as members of the public use GovWifi and reduce the bandwidth available for use by employees and other public sector users.
Reliability: Target SLA 99.9%, 99.93% uptime achieved 12 months to June 2025.
User experience: 85% of users report positive onboarding experience
Network load balancers: Authentication requests are distributed across network load balancers deployed in multiple availability zones.
Govroam
Jisc advises that govroam was based on eduroam and benefitted from all of the lessons learned during its development. As a result, the architecture and the infrastructure are almost identical, and both are very reliable with minimal downtime.
Eduroam
eduroam has been in existence since 2006 and is a mature and reliable service with minimal downtime.
Accounting/ audit logs
GovWifi
Personal data retention: Up to 1 year following user credentials becoming inactive - providing extended audit capability compared to many competing services.
Authentication events: Successful and failed events are logged for three months with session information for security monitoring and troubleshooting.
GovWifi captures the following data points:
- user identifiers - email addresses, mobile numbers, and randomly generated credentials
- device tracking - MAC addresses and access point IDs
- network data - IP addresses, authentication results, and location identifiers
- session details - timestamps, connection attempts, and failure reasons
Incident investigation: Detailed session logs support security investigations and policy violation tracking at the organisational level.
Secure deletion: Data destruction follows NCSC Guidelines (IAS 5) using AWS-compliant overwriting techniques when retention periods expire.
Third-party integration: Controlled data sharing with notification services (GOV.UK Notify: 7 days, AWS SES: 30 days) with clear retention boundaries.
Govroam
GovWifi have 3 user journeys. 1. Sign up - by text or email. 2. Sign In - Authentication (details retained for 2 years, likely to become 1 year). 3. Experience – GovWifi cannot guarantee the usage or connectivity experience, nor can they influence this, depends on the body that has implemented it. GovWifi are discussing how this can be addressed with GPA. Certificate based authentication removes these 3 user journeys.
Eduroam
See govroam
User experience
GovWifi
GovWifi provides three distinct user experiences designed around seamless authentication across government buildings. Users can sign up either by SMS or by email from their public sector address to receive unique credentials. The authentication process uses these credentials across all participating locations, with account details retained for one year to enable consistent access.
The connectivity experience beyond authentication depends entirely on each organisation's network infrastructure, bandwidth allocation, and local IT configurations. As a pure authentication service, GovWifi cannot guarantee or influence internet speed, reliability, or overall user experience once connected - these factors are determined by the implementing organisation's network quality and management policies.
GovWifi is actively collaborating with the Government Property Agency to address how connectivity quality standards might be improved across participating locations.
Govroam
Jisc has an iOS and Android App (govroam Companion) that lists and has maps of all venues where govroam can be accessed.
govroam has a Configuration Assistant Tool (CAT) that when installed provides govroam access on end user devices depending on which organisation the user works for via an App. Through the tool, members can set up their own profiles and the EAP methods that end user devices must use. The majority of members use username and password, some use certificates for people or devices. EAP SIM can also be used.
The tool defines where the user is from and the app sets up the device to work with govroam. It provides validation via the RADIUS server.
govroam prefers to use automated routes for end user device configuration and validation but members are free to choose. Jisc will support the existing authentication solution of a client.
User devices will connect as soon as they get within range of the network. There are no terms or conditions and no need to prove one’s identity; the user experience is that connectivity ‘just works’.
Eduroam
Jisc has an iOS and Android App (eduroam Companion) that lists and has maps of all venues where eduroam can be accessed.
See govroam.
Hosting
GovWifi
GovWifi has a robust and resilient infrastructure hosted in public cloud. The infrastructure uses Network Load Balancers (NLBs) across multiple availability zones.
The service maintains multiple databases across the Availability Zones with replicas distributed across multiple regions for redundancy.
GovWifi's disaster recovery approach involves migrating faulty services to secondary regions when the primary region fails, or conducting complete environment rebuilds in new AWS accounts if necessary.
Govroam
Onboarding takes around half a day per organisation. This is to configure the host organisation’s WLAN controller, VLAN and RADIUS server. All Jisc RADIUS servers are virtual machines hosted in a Tier 3 Jisc data centre certified to ISO27001. Hosts can build on what they have in place; others will stand up a new RADIUS server. Jisc can work with any version of RADIUS. There is a good ecosystem of organisations with different configurations and licensing models that others can learn from when deploying a new solution.
Eduroam
See Govroam
Footprint
GovWifi
Used by 28 NHS trusts, 84 Local Authorities. All ministerial departments and all bar 2 Non-ministerial departments are registered with GovWifi.
Govroam
Govroam has clients across the whole of the UK.
Eduroam
eduroam has clients in 120 territories across the world. The UK is a member of the European Federation. The UK eduroam RADIUS servers are peered with the European RADIUS Proxy servers.
Support
GovWifi
Most support is provided by the organisation’s own IT dept. Online support is available for issues regarding the GovWifi authentication service only Monday to Friday, 8am to 6pm. Response times are one working day.
Govroam
Most support is provided by the parent organisation’s IT dept (or the lead IT dept for a federated model). The parent organisation manages credentials and routing. Users contact their own IT service. 99% of issues are resolved locally, for example certificate issues on a device. Jisc provides a central help desk and will receive and forward tickets to the appropriate organisation. They will assess what level of tech support is needed and where the call should go. They have a register of organisations and the contact details of their IT Dept. Organisations are happy with this arrangement as the service usually ‘just works’.
In the event of issues being reported via the central helpdesk, Jisc is committed to a 4hr initial response SLA and a 2-5 working day SLA for a resolution or meaningful action (in the event a resolution is not possible/out of our control) depending on the severity of the issue.
Federation operators accept the same timed SLAs as part of their agreement.
Eduroam
See govroam. The difference is that there is no federated model for eduroam.
Last edited: 31 July 2025 3:26 pm