Recently, Chen et al. proposed a practical authentication protocol for supporting anonymous roaming in wireless access networks, then the protocol is further improved by Hsieh and Leu. In this paper, we demonstrate the adversarial model of this type of protocols and show that Hsieh-Leu scheme is not as secure as they originally claimed to be. In particular, we show that their protocol does not provide user privacy protection, and it is vulnerable to off-line password guessing attack mounted by a side channel adversary who has compromised all the information stored in the user's smart card. To fix these weaknesses, a new practical authentication protocol with anonymity for wireless roaming is proposed. We use the formal verification tool ProVerif, which is based on applied pi calculus, to prove the security of the proposed scheme. The experimental results confirm that the new scheme not only achieves many desirable properties, such as strong anonymity, perfect forward secrecy and support of session key update, but also provides robustness against all those attacks that Hsieh–Leu protocol does not resist. Copyright © 2013 John Wiley & Sons, Ltd.