eduroam Service News - Blog Manager - 24/02/13 - Time for a review of your eduroam deployment
eduroam(UK) Technical Specification v 1.2 Main Changes from v 1.1

Audience - eduroam(UK) system administrators and implementors

Although the eduroam(UK) Technical Specification 1.2 has been released for a little while now, with the imminent release of exciting new service features, now might be a good time to review your eduroam service deployment.

Mandatory Requirements introduced in Tech Spec 1.2

1. Emphasised that only RFC 4282 compliant usernames (of the form userID@realm) are to be employed for user authentication, both for roaming users and for users at their Home site.
2. Mandatory requirement that Visited sites must not forward malformed usernames to the NRPS (e.g. usernames whose realms are malformed, contain typos, or have a bad higher-level domain).
3. The specification of RADIUS parameters to be logged now includes User-ID, Calling-Station-Identity (CSI) and Chargeable-User-Identity (CUI).
4. Improvement in the service status information that must be published on the organisation's eduroam service information web site.
5. Removed the different tiers of technical standards (JRS2/JRS3) from the specification.
6. The range of tiers is replaced with a ‘base engineering standard’ together with an evolutionary progression path for the introduction of enhanced standards.
7. For ORPS using RadSec (TLS over TCP) to the NRPS: i) use of TCP port 2083 is defined; ii) only Geant eduPKI certificates are to be used.
8. Home organisation ORPS must not reject requests because NAS-Port-Type does not match a specific value, and must process all authentication requests against a user database.
9. It is now permitted that NASs can connect multiple users to a single port (to accommodate controller-based systems).
10. Due to the simplification of tiers, NAT is permitted (although not recommended) regardless of whether or not IPv6 is supported.
11. Mandatory ports and protocols additions:
• IP Protocol 41 (IPv6 Tunnel Broker Service)
• TCP/3128 (SQUID Proxy)
• TCP/8080 (HTTP Proxy)
• IP Protocol 50 (ESP)
• IP Protocol 51 (AH)
• UDP/500 (ISAKMP)
12. Removed the requirement to support WPA/TKIP; existing deployments may continue to support it until the end of December 2014, but are recommended to phase it out as soon as possible.
13. All Visited sites MUST now support WPA2/AES, and new joiners can only offer WPA2/AES.
14. Emphasised that all NASs must include CSI and NAS-IP-Address.
15. Broadcasting of the eduroam SSID at non-operational sites must be limited to a test environment.
16. Due to the deprecation of PAP authentication, test accounts must now use the EAP method normally used at the organisation and not PAP.
17. The list of attributes that must not be filtered out is updated to reflect the recommendation to use Operator-Name and CUI (i.e. Operator-Name and CUI must not be filtered out).
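As an added illustration of items 1 and 2 above (this is not code from eduroam(UK) or the Technical Specification), the following Python check is what a Visited-site ORPS could apply to the User-Name of an Access-Request before proxying it to the NRPS; the realm syntax rules and the LOCAL_REALMS set are assumptions.

```python
import re
from typing import Tuple

# Assumption: the Visited site's own realm(s), so Home users are handled
# locally (item 1) and never proxied.  Constructed example value.
LOCAL_REALMS = {"example.ac.uk"}

# Assumption: each dot-separated realm label must be a plain DNS label
# (letters, digits, internal hyphens, 1-63 characters).
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_user_name(user_name: str) -> Tuple[str, str]:
    """Return (decision, reason) for a User-Name attribute.

    'local'   - a Home user; authenticate against the local database.
    'forward' - a well-formed roaming NAI (userID@realm); proxy to NRPS.
    'drop'    - malformed; item 2 says this must not reach the NRPS.
    """
    if not user_name or any(c.isspace() for c in user_name):
        return "drop", "empty or contains whitespace"
    if user_name.count("@") != 1:
        return "drop", "NAI must contain exactly one '@'"
    user_id, realm = user_name.split("@")
    if not user_id:
        return "drop", "missing userID before '@'"
    if not realm:
        return "drop", "missing realm after '@'"
    realm = realm.lower()
    labels = realm.split(".")
    if len(labels) < 2:
        return "drop", "realm has no higher-level domain"
    if any(not LABEL_RE.match(label) for label in labels):
        return "drop", "realm has an empty or invalid label (typo?)"
    if not labels[-1].isalpha():
        return "drop", "top-level domain must be alphabetic"
    if realm in LOCAL_REALMS:
        return "local", "Home user, authenticate against local database"
    return "forward", "well-formed roaming user, proxy to NRPS"
```

This is a purely syntactic filter: a correctly formed realm that simply does not exist (e.g. a plausible-looking typo) still passes it, so logging the dropped and forwarded names per item 3 is what lets you spot those later.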

Recommendations added in v1.2

1. Recommended that Visited organisations should request Chargeable User Identity in Access-Requests if possible.
2. Recommended that Home organisations should add Chargeable User Identity in accordance with RFC 4372 when solicited in Access-Requests.
3. Recommended that IPv6 should be implemented.
4. Recommended to avoid inclusion of the VLAN assignment attribute in Access-Accepts where no bilateral agreement exists.
5. Recommended that organisations implement load balancing across the NRPSs on their ORPS.
6. Recommended that Operator-Name should be inserted wherever possible.

Full change log published at:
Also includes downloadable Word version of latest Technical Specification

Full web version and pdf of Technical Specification published at: