Advisory: Ending of RADIUS Accounting within eduroam(UK)

May 2016 - 10/05/2016

This advisory applies to any member organisation that operates an ORPS that is configured to send RADIUS accounting packets to the NRPS.

Originator: Edward Wincott

Scope

The eduroam(UK) Technical Specification v1.4 will be released shortly and will contain the requirement that all member organisations ensure that their ORPSs SHOULD NOT send RADIUS accounting packets to the NRPS. Configuring the wide range of RADIUS servers that can be used to support eduroam so that they do not send Accounting-Requests is outside the scope of this advisory; however, where a change is necessary, the alteration of configuration should be a simple matter. System administrators should plan to check their ORPS and make any necessary changes as soon as possible, but certainly no later than 31st July 2016, which is the end of the transition period.

Background

Historically, the intended purposes of RADIUS accounting were to facilitate billing of users of modem-based services, statistics gathering and general network monitoring. Inter-organisation RADIUS accounting for billing or any other purpose is not employed within eduroam, and there are now far better network monitoring tools, and specifically RADIUS monitoring tools, available. The handling of accounting packets at the NRPS consumes processing resources, which is undesirably wasteful in the current environment of ever-growing authentication traffic.

Accounting packets are generated by clients which are configured to use RADIUS accounting. Such clients generate Accounting-Request (acct_status_type = start) packets until they receive an acknowledgement in an Accounting-Response from an accounting server.

The European Service Definition recommends that in dealing with their member organisations’ RADIUS servers (ORPSs), the national RADIUS proxy servers (NRPSs) of National Roaming Operators (such as eduroam(UK)) should be able to receive accounting packets, and in instances where the destination of those accounting packets is outside the national federation, MUST acknowledge the packet but MUST NOT forward the packet to the European top level proxy servers or anywhere else outside the national federation. At the present time, the UK NRPSs behave as above in respect of both packets with destinations outside the UK and also for packets with UK destinations.

So the NRPS currently accept accounting packets and send acknowledgements which means that clients do not re-send further Accounting-Requests. By not forwarding accounting packets, the NRPS avoid having processes tied up waiting for accounting responses from UK ORPS that might not be accounting-enabled. And by not sending (accounting) packets to the European Top Level RADIUS servers, wastage of processing resources on those servers is avoided. There are nevertheless significant processing resources still being devoted by the NRPS to handling incoming accounting from the UK ORPSs. Those resources could be employed more effectively in handling authentication packets.

Notice

The decision has now been made to extend the no-accounting zone to the ORPS-NRPS border. Member organisations will shortly be required to NOT send any accounting packets to the NRPS and will be relieved of the requirement to log accounting requests exchanged with the NRPS. Of course organisations may continue to use accounting within their own networks and should continue with local handling of RADIUS accounting packets arising from local clients – logging of authentication and accounting requests is necessary for problem resolution and the tracking of network abuse.

Benefits: by eliminating forwarding of accounting packets to the NRPS, member organisations benefit through a simplification of the configuration of their ORPS and a gain in performance. The eduroam(UK) NRPS infrastructure will also benefit through a reduction in the processing overhead imposed by having to accept and respond to accounting packets.

Timeline: the NRPS will continue to receive Accounting-Requests and to send responses for a limited period of months, during which time continued forwarding of such packets by ORPSs will be monitored. At the end of this transition phase, the sending of accounting responses will be turned off. The effect of this on any ORPS that is still sending accounting packets will be that the ORPS marks the NRPSs as dead, which will effectively disable the eduroam service at that organisation.

This initiative is for the benefit of the UK eduroam service and the whole community, so organisations that continue to send Accounting-Requests during and after the transition phase will be individually contacted and the issue will be escalated.
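One way to carry out the check on an ORPS that the advisory asks for, as an added example (not eduroam(UK) code): it parses RADIUS datagrams taken from a capture of the ORPS's outbound traffic and reports every Accounting-Request addressed to an NRPS, while leaving local accounting alone. The NRPS addresses are placeholders from the documentation range, the function names are hypothetical, and the sample packets are constructed.

```python
import struct
from ipaddress import ip_address

ACCOUNTING_REQUEST = 4   # RADIUS Code (RFC 2866)
ACCT_STATUS_TYPE = 40    # attribute type (RFC 2866)
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
# Assumption: placeholder NRPS addresses (documentation range), not real ones.
NRPS_ADDRS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}

def parse_radius(payload):
    """Return (code, {attr_type: value}) or None if the packet is malformed."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    attrs, pos = {}, 20
    while pos < length:
        a_len = payload[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            return None
        attrs.setdefault(payload[pos], payload[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def accounting_to_nrps(datagrams, nrps=NRPS_ADDRS):
    """Return (dst, status) for each Accounting-Request addressed to an NRPS."""
    hits = []
    for dst, payload in datagrams:
        parsed = parse_radius(payload)
        if parsed and parsed[0] == ACCOUNTING_REQUEST and ip_address(dst) in nrps:
            raw = parsed[1].get(ACCT_STATUS_TYPE, b"")
            status = struct.unpack("!I", raw)[0] if len(raw) == 4 else None
            hits.append((dst, STATUS_NAMES.get(status, "unknown")))
    return hits

def build(code, attrs=b""):
    """Constructed sample packet: identifier 1, zeroed authenticator."""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

START = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, 1)  # Acct-Status-Type = Start
SAMPLE = [  # constructed (destination, UDP payload) pairs
    ("192.0.2.10", build(1)),              # Access-Request to NRPS: expected
    ("192.0.2.10", build(4, START)),       # Accounting-Request to NRPS: flagged
    ("10.0.0.5", build(4, START)),         # local accounting server: allowed
    ("192.0.2.11", build(4, START)[:-3]),  # truncated capture: skipped
]
if __name__ == "__main__":
    print(accounting_to_nrps(SAMPLE))
```

An empty result over a representative capture window indicates the ORPS no longer proxies accounting to the NRPS; any hit identifies the destination and the Acct-Status-Type of the offending request.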