FAQs for eduroam System Administrators and Implementation Techs - Part 1

Download as PDFDownload as PDF

This page lists the most common frequently asked questions about eduroam in the UK. The table of contents summarises the questions asked; please scroll down to the relevant section for the answer. See Part 2 if your question is not addressed here.

Last updated: 10/05/2022

Contents:

1) 802.1X and EAP

  • What is 802.1X and EAP and how do they work?
  • Give me one example of how EAP-TLS is preferrable to PEAP/MSCHAPv2 or EAP-TTLS/PAP

2) Roadmap for Implementing eduroam

  • Do you have a step by step process we can follow for implementing eduroam?
  • Visited service provision - overview of steps required
  • Implementing Govroam alongside eduroam

3) Networking issues / Application & Interception Proxies / Firewall configuration / Ports and protocols

  • Can we restrict access to our eduroam Visitor service for devices with obsolete OSs or unpatched devices representing security risks?
  • How can we carry out posture assement of devices trying to connect to our eduroam Visitor service?
  • Is web content filtering permitted on eduroam services?
  • Can TLS/SSL interception proxies (for instance as used in content filtering) be deployed?
  • Can users' traffic be monitored and analysed?
  • Can private IP addressing with NAT be provided for visiting eduroam users?
  • Is PPTP considered secure and can it work with NAT?
  • We can authenticate and get connected to eduroam ok, but client states "no internet" and we can't access web pages?
  • Does eduroam support Wi-Fi calling - we've been experiencing some difficulties?

4) Joining eduroam / Realms / Eligibility

  • Can individuals join eduroam?
  • Can a person have an eduroam ID without host org joining eduroam?
  • Is eduroam available to all members of an organisation?
  • Can alumni have eduroam accounts?
  • Do users need to have a network logon account? What about access for the public/non-registered users?
  • Can we have an additional top level realm for our organisation?
  • Can sub-realms be configured for an organisation?

5) RADIUS server software and configuration

  • Do we really need to deploy a RADIUS server, for Viisted services can't we peer our WLCs to the NRPS?
  • Links to the various RADIUS server software websites
  • How many RADIUS client devices can my ORPS support?
  • What RADIUS server software are other eduroam participants using?
  • Known issues with particular versions of RADIUS server sofware
  • Do you have any example configurations for Radiator?
  • Do you have any example configurations for FreeRADIUS?
  • What is unlang?
  • Where can get up to date binaries for FR2.2 for Centos, which ships with an old version?
  • Microsoft IAS implementation advice
  • Our AD usernames don't match eduroam username format, how can I strip/modify realm for authentication?
  • Cisco ISE Loss of Visited Service Functionality after Applying an Update
  • Cisco ACS implementation advice
  • What Attributes should I NOT filter out?
  • What procedure do I need to follow for changing the IP address of our ORPS?
  • IP Addresses/FQDNs/shared secrets for ORPS - replacing ORPS and moving to a new location
  • How do I set the shared secret for ORPS in a fail-over cluster to be the same?
  • Shared secrets for ORPS - internal RADIUS servers
  • ORPS-NRPS communication problems - possible causes
  • Does Microsoft NPS support RADIUS accounting and how to avoid forwarding accounting packets to NRPS?

1) 802.1X and EAP

What is 802.1x and EAP and how do they work?

Give me one example of how EAP-TLS is preferrable to PEAP/MSCHAPv2 or EAP-TTLS/PAP

EAP-TLS, which uses certificates, has the advantage that there is not a direct correlation between the certificate and the LDAP/AD password store. Should the user's password be changed in the LDAP/AD, the certificate on their device remains working. If you need to ban a user you would do so by blocking the certificate (eg by using OSCP) rather than by disabling their account. By doing this the user could still read e-mails sent over 3G/4G which could be used to advise them of the password change/network access lock/other reasin why eduroam connection is not working for them. Using MSCHAPv2 notification may also help.

Users do not enter their password credential when logging on with eduroam using EAP-TLS and their password isn't stored in cache on the device, which is a security plus, but of course with EAP-TLS you do need to have and operate a certificate management system.

2) Roadmap for Implementing eduroam

Do you have a step by step process we can follow for implementing eduroam?

Yes, see: https://community.jisc.ac.uk/library/janet-services-documentation/implementing-eduroam-roadmap   

Visited service provision - overview of steps required

  • Join eduroam(UK)!
  • Decide on how your RADIUS server/service host(s) (e.g. a VM host server) will be connected into your network including how the unit will interface with the WLC management network and interface to the internet (some deployments use two network interfaces, others don’t care and just use one for both; next item addresses implications) – give consideration to issues if unit is to be set up in a DMZ. (PS. Some organisations have used cloud-based RADIUS servers/services and for these a VPN link to your WLC management network will be needed.)
  • Decide on what RADIUS server software you wish to use - what vendor/command line or GUI/performance/cost you are comfortable with. RADIUS server selection guide Acquire the RADIUS software.
  • Unless you have opted for an appliance product, set up the server/VM host platform and OS to support the RADIUS software – needs only a basic server specification, but try to opt for maximum fault tolerance or deploy a second server for resilience. (If you have opted for an appliance product, install the hardware.)
  • You are planning a Visited-only service with none of your own users authenticating by it so you won’t need a RADIUS server certificate. Feel free to discuss options through the eduroam(UK) support via Jisc helpdesk.
  • We address RADIUS server configuration and registration later. At this stage the next step is to connect your RADIUS server host interface 1 to the WLC control network, provisioning IP address for that.
  • Connect RADIUS server host interface 2 (assuming two interfaces) to the DMZ/public internet (via firewall if desired), provision IP address.
  • Create A record(s) (and AAAA if applicable) in DNS for the RADIUS server(s).
  • Set up an eduroam network service for the eduroam-authenticated devices to connect to – comprising IP address pool (private or public), DHCP, DHCP logging, firewall and NATing if applicable (note, only eduroam-authenticated devices can be connected to this network service). Access to a DNS service will also be needed.
  • Decide on ports and protocols to be closed with regard to your organisation's security policy - whilst also ensuring compliance with the eduroam Tech Spec which lists the ports/protocols that must NOT be closed. And configure the firewall that will be supporting the eduroam network service. Provision internet connectivity.
  • Configure your RADIUS server(s)/service and register your server(s) with eduroam(UK) via the Support portal. This generates the ORPS-NRPS shared secrets you'll need to complete this stage of the RADIUS configuration.
  • Configure eduroam SSID on your WLC/APs. Configure your WLC/APs for 802.1X and generate the WLC/AP-ORPS shared secrets to enable completion of the configuration of your RADIUS server to peer with the WLC/APs.)
  • Complete the configuration of your RADIUS server(s) to filter out bad usernames/realms and unnecessary RADIUS attributes.
  • Test your deployment and verify that it complies with the Technical Specification (checklist available).
  • Last but by no means least – create/include on Wi-Fi service information web page the eduroam service information web page for your organisation.

Implementing Govroam alongside eduroam

Of course you would need to join the Govroam federation (free for Visited-only services) and deploy a Govroam SSID and network service for authenticated Govroam user devices... but how could you set up RADIUS efficiently to support both services?

The following presentation shows a high level howto by using the SSID name in the Called-Station-Identity attribute (this may or may not be the case with your APs/WLC) in order to effeiciently implement both services using just one RADIUS service:

https://jisc365.sharepoint.com/:b:/s/PublicDocumentLinks/EYNd3t02k8hGhsEC8K2f338BnKEO5Nrm5b-0aJmdbWgwrw?e=tbytM4

The alternative is simply to run a second RADIUS service to support Govroam.

3) Networking Issues, Application & Interception Proxies, Firewall Configuration, Ports and Protocols for Visitor services

Can we restrict access to our eduroam Visitor service for devices with obsolete OSs or unpatched devices representing security risks?

Q) We're winding down our support of Windows 7 (or even XP!) and we now deny network access to our own user devices that have not been upgraded/have a long term exception in place. Can we apply the same restrictions to visitors connecting to our eduroam Visitor service? We're concerned that simply denying access will result in many calls to our helpdesk being generated and we don't have the contact details of our regular visitors to even advise them of such a restriction.

A) Member organisations manage and control their own network services and in participating in eduroam make them available for use by eduroam visitors under the terms of the eduroam(UK) Policy and Technical Specification. This arrangement preserves the organisation’s right to enforce its own Acceptable Use Policy and Security Policy provided that the Technical Specification is complied with. Therefore, if a Visited organisation wishes to restrict access for devices that are not properly patched or which present an unacceptable security risk, the organisation is perfectly entitled to do so. 

Furthermore, there is a clause in the eduroam(UK) Policy stating that organisations ‘must ensure that systems that support visiting users are configured, maintained and operated securely, so as not to put the security of other organisations or their users at risk’ so there is the expectation that security of user access to eduroam networks is of high importance. Of relevance here are client isolation features that are to be found on high end Wi-Fi APs and switches. With client isolation configured on your APs, rougue/compromised devices will not be able to act as an attack vector to 'good' trusting devices connected to your eduroam service.

If you are going to deploy a restriction/quarantining system, then it is important that it should advise the user about the action taken (*) or that the organisation’s eduroam service information web page should either provide i) a clear link to the organisation’s AUP that states that this restriction applies or ii) a statement that such a the restriction mechanism is in place and what OSs it applies to. The scenario of a user device apparently being authenticated by the home organisation successfully and yet simply not being connected to a network service without knowing the reason can lead to user dissatisfaction - and this should be wherever possible be avoided.

(*) e.g. a captive portal screen is displayed on the suspect device whose access has been restricted when it is connected to a remediation network after successful user authentication.

See query in FAQ part 2 - 1) eduroam Policy Related Issues and Dealing with Virus/Copyright Breach Incidents: Dealing with a virus incident involving an eduroam visitor.

How can we carry out posture assement of devices trying to connect to our eduroam Visitor service?

There are now many older devices in circulation that are still functional and have working software (and so it is tempting to keep in use) but which have old, obsolete and unpatched operating systems such as XP, Windows Vista, older versions of macOS, Mac OS, iOS and Android, that can be vulnerable to exploits. Such devices may still have correctly set up eduroam profiles with valid credentials and may attempt to connect to eduroam services. They represent a significant security risk. 

The problem is exacerbated by the fact that there is a widespread lack of user understanding that a device may be massively out of date, vulnerable and in urgent need of patching despite the device OS not alerting the user the device is highly vulnerable.   

How you can actually implement a posture assessment system and restrict access to the Visitor service is not easy to answer, but technically you may do so subject to a few important provisos, see below.

Member organisations manage and control their own network services and in participating in eduroam make them available for use by eduroam visitors under the terms of the eduroam(UK) Policy and Technical Specification. This arrangement preserves the organisation’s right to enforce its own Acceptable Use Policy and Security Policy provided that the Technical Specification is complied with. Therefore, if a Visited organisation wishes to restrict access for devices that are not properly patched or which present an unacceptable security risk, the organisation is perfectly entitled to do so.

Furthermore, there is a clause in the eduroam(UK) Policy stating that organisations ‘must ensure that systems that support visiting users are configured, maintained and operated securely, so as not to put the security of other organisations or their users at risk’ so there is the expectation that security of user access to eduroam networks is of high importance.

Provisos: It is important that the restriction/quarantining system works with a high level of accuracy and there should be a mechanism to advise the user about the action taken (*) and/or that the organisation’s eduroam service information web page should provide i) a statement that such a restriction mechanism is in place or ii) a clear link to the organisation’s AUP that states that this restriction applies. The scenario of a user device apparently being authenticated by the home organisation successfully and yet simply not being connected to a network service without knowing the reason can lead to user dissatisfaction.

(*) e.g. a captive portal screen is displayed on the suspect device whose access has been restricted when it is connected to a remediation network after successful user.

Detection of legacy devices with a high degree of accuracy:

There are three methods of detecting the 'posture' of a device that we are aware of:

1) DHCP fingerprinting

2) web browser identification

3) embedded software

1. is unreliable at best, 2. requires capturing traffic when visiting a web site (only works if and when a device browses to somewhere - great for captive portals, not so good for 802.1X) and 3. requires the user to install something either permanently or temporarily (difficult to enforce on eduroam visitors). Our understanding is that neither 1 or 2 can identify patch levels or hacked status.

DHCP fingerprinting systems are somewhat of an unknown quantity and systems operate with a closed algorithmic determination process which is likely to be unpublished. So this opaque process may get things wrong in a hard-to-diagnose kind of way.

In conclusion, although the requirement to install additional software before a user can use eduroam is contrary to the ethos of eduroam - 'just open you laptop and connect,' it is permissible subject to the above provisos. However we would advise caution about restricting access by either the fingerprinting method or agent installation as these could mis-identify a lot of devices, with both false positives and false negatives resulting in users experiencing a poor quality of service.

Is web content filtering permitted on eduroam services?

Filtering of web traffic both URL or content-based, whilst not encouraged, is permitted on eduroam services – provided that TLS/SSL interception is not employed in respect of services for visitors.

Furthermore, an organisation can setup a local VLAN/network segment for its own eduroam users on which the organisation can implement any policy it choses (including web content filtering) and when users are at their home organisation, local users once authenticated, can be connected to this local VLAN (using dynamic VLAN assignment). Visiting eduroam users however must be connected to eduroam-compliant network services (refer to Technical Specification).

Can TLS/SSL interception proxies (for instance as used in content filtering) be deployed?

The Technical Specification v 1.3, whilst advising against such deployment, stated that Visited organisations may in fact install application or 'interception' proxies, provided that the fact that such a sysem is being used is published on the eduroam service information page. Furthermore, if a proxy is not transparent, instructions for the configuration of applications to use the proxy must be published. Version 1.3 of the specification went on simply to note that "interception proxies, often used by intrusion and virus detection systems, may result in the user experiencing unexpected network behaviour."

This policy was formed with the use of proxies such as Squid in mind. Over the past year or so the deployment of TLS/SSL interception proxies has become more popular. Such proxies are employed in some content filtering systems, particularly those filtering HTTPS content (and may also be used in some intrusion and virus detection systems). TLS/SSL interception requires the user to install a CA certificate from the intercepting organisation. This is undesireable for a number of reasons. It requires significant effort by the user. It also results in the proxy breaking the secure path between user and service. It is in effect a man-in-the-middle interception and is contrary to recommended security practice. Several web browsers will flag up the security deficiency to users, who may then discontinue their (legitimate) use of the network. The v1.3 specification advised simply that unexpected network behaviour might be experienced, and noted that significant effort would be required by the user to install certificates from (untrusted) third parties.

There is an interesting article on the pros and cons of HTTPS interception at: https://www.helpnetsecurity.com/2017/03/08/https-interception-dilemma/

The policy of eduroam(UK) has now evolved in response to the development of TLS/SSL proxies and a new version of the Technical Specification has been released. Version 1.4 of the Tech Spec requires that TLS/SSL interception proxies are NOT permitted on eduroam network services that visiting eduroam users are connected to.

It should be noted that organisations are not obliged to connect their own users when they are at their Home organisation to the eduroam Visitor network. Rather, local users may be connected to non-eduroam network services suited to local users as required for instance where deemed necessary for a college to implement its policies on Prevent and Safeguarding. So you would been to implement dynamic VLAN assignment such that your own users are connected to the filtered and monitored network that they currently use and visitors are connected to a non proxied/intercepted network service (aka an eduroam VLAN). This eduroam network service needs to comply with the eduroam(UK) Technical Specification.

It should also be noted that content filtering not involving interception proxies IS permitted on eduroam network services for Visitors (providing its use is advertised), although this is not encouraged.

Can users' traffic be monitored and analysed?

Q. We are contemplating data mining of the websites visited by eduroam users (for the purpose of providing analytics on the most visited web pages and repeat visits since such metrics are very useful to our collections staff and such data would prove to be force multipliers for much needed funding bids to demonstrate delivery of resources).

The eduroam T&Cs do not prelude the monitoring and analysis of traffic but clarification is sought on whether we can:

Log our eduroam users’ outbound traffic and analyse the traffic for frequently used websites and repeat visits, given that we anonymise the data so that is not personally identifiable and delete the information when no longer needed.

A. eduroam policy does not say anything about a member organisation monitoring of use of the network. However the ability to monitor suggests that a proxy may be utilised somewhere. If so, this needs to be documented to assist Jisc in any debugging that may be required. Such a proxy must also comply with eduroam(UK)’s restrictions on the employment of TLS interception. In addition, the depolyment of monitoring and analysis of traffic on the eduroam service must be advertised on the organisation's eduroam service information web page.

Moreover there are some laws that need to be complied with:

At present, the Data Protection Act 1998 requires organisations to inform users of any processing of personal data, which would include logs of IPaddr/URL etc. The organisation also needs to work out which legal basis applies to the processing (Data Protection Act 1998 section 6), and ensure it meets the relevant requirements of that basis. If the organisation is using the information for internal purposes then one option is "Necessary for the Legitimate Interests of the Data Controller" (art.6f), in which case it needs to ensure that any risk of impact on the individual is minimised *and* that any remaining risk is justified by the benefit to the organisation. There is an introduction to the different legal bases, as they will be from May 2018 under the General Data Protection Regulation, at https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-.... That article also includes a link to the ICO's thoughts on the requirements for consent to be valid under the GDPR, which becomes relevant, because...

Things are going to get more complicated from a date that the European Commission would like to be 25th May 2018. That's the proposed start date for a new ePrivacy Regulation. The current draft of that will prohibit all uses of information relating to the use of electronic communications networks - both content and metadata - unless:

a) it's necessary for providing the network, or

b) it's necessary for securing the network, or

c) you have the individual user's positive, informed, consent.

So under the current draft, consent is likely to be their only option. The legislation is at a very early stage - the Commission has published their draft, the EU Parliament has decided which committee is going to discuss it, and the Council of Ministers has had one meeting - so there are likely to be changes. There's also the question of how that timetable relates to Brexit, which adds a further layer of uncertainty to what the UK might implement. Advice for designing a system for user monitoring, would include a contingency for a *lot* of change, or indeed having to turn it off, in a year or two's time.

Can private IP addressing with NAT be provided for visiting eduroam users?

We are currently providing visiting users with public IP addressing, however we are fast approaching capacity on the allocated subnet. Can we change the addressing to RFC1918 and NAT (NAT overload) their connections via our routers/firewalls?

Yes, you can implement private networking with NAT for all eduroam users (your own and visitors). You simply have to ensure that the ports and protocols that must NOT be blocked as specified in the Technical Specification at least are open for devices connected to your eduroam network service for visitors.

The following address ranges are used for private networks, as specified in RFC1918:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

NAT overload is the most commonly implemented form of NAT. There is an excellent article about this at:

http://www.firewall.cx/networking-topics/network-address-translation-nat/233-nat-overload-part-1.html

Is PPTP considered secure and can it work with NAT?

Q. "eduroam network must permit TCP port 1723 and IP protocol 47 in order to support PPTP, but surely PPTP is regarded as an insecure protocol these days?"

A. Almost all protocols that people use are insecure in some way - usually due to the way that a site or system implements it.  PPTP is a weaker for of VPN and , like many protocols, there are ways of attacking it - but sites/people still choose to use PPTP for basic VPN usage and that's their choice.

Q. Can PPTP be made to work with NAT?

A. PPTP and NAT can be made to work fine together - after all, PPTP works fine at most people's homes and it is commonly used to connect to work networks - most people have NAT on their home Internet services. So PPTP and NAT coexistence depends on the firewall being used and whether a site needs to activate some extra helper.... natively it won't work as the PPTP session has source/destination address - the system needs a pass-through or helper to keep track of the session.

We can authenticate and get connected to eduroam ok, but client states "no internet" and we can't access web pages.

We did an OS upgrade on our firewall and although that appeares to have been successful, since then we've been experiencing this problem.

If devices can connect to eduroam then the authentication part of the system, which eduroam deals with, is running OK. The local Wi-Fi service provision on the other hand can be affected by many things. Since your firewall was upgraded recently, the chances are this is where the problem lies. Check sequence:

1) Are connected devices assigned an IP address?

If no IP address is assigned there is a DHCP issue - is the DHCP service provided by the firewall and is it running/configured correctly?

2) Are they assigned a DNS server and can they resolve URLs?

If not there's a DNS resolver issue - how are DNS resolvers made available to clients?

3) If any access to local network resources should be available, does that work?

If local access is OK then there is an internet access problem - firewall permissions for outbound traffic and any NAT config should be checked. Are the requisite ports and protocols correctly enabled?

Does eduroam support Wi-Fi calling - we've been experiencing some difficulties?

There’s no reason it should not. Mobile phones participating in Wi-Fi calls make ESP protocol connections to hostnames such as: ‘edpg.epc.mnc260.mcc310.pub.3gppnetwork.org’ Note that 3gppnetwork.org is the root domain for most Cell-over-Wi-Fi calling.

The firewall for the VLAN you connect your users to and the VLAN you connect your eduroam Visitors to – have you ensured that the ports and protocols specified in the Tech Spec that must NOT be blocked are indeed open? See section 4.5.1 in the spec https://community.jisc.ac.uk/library/janet-services-documentation/eduroamuk-technical-specification Note this is the list that must NOT be blocked, you can have open any additional ports you wish.

If you have implemented URL filtering on a ‘safeguarding’ appliance or the firewall it would also be worth checking that the domain 3gppnetwork.org is not in any URL filter.

4) Joining eduroam / Realms / Eligibility

  • Can individuals join eduroam?
  • Can a person have an eduroam ID without host org joining eduroam?
  • Is eduroam available to all members of an organisation?
  • Do users need to have a network logon account? What about access for the public/non-registered users?
  • Can we have an additional top level realm for our organisation?
  • Can sub-realms be configured for an organisation?
  • Can we use a non-uk-specific realm, ie one that doesn't have a country identifier?

Can individuals join eduroam? / Can a person have an eduroam ID without host org joining eduroam?

No. Individuals can only use eduroam as members/associates of an organisation that itself is a member of eduroam(UK) and that acts as an identity provider, i.e. an IdP / Home service participant. The member organisation authenticates the user. eduroam(UK) does not act as an identity provider/authenticator (apart from for Jisc staff members). Even if the organisation with which the individual is associated is part of the Jisc community, the host organisation must be a member of eduroam(UK).

Is eduroam available to all members of an organisation?

To whom the member organisation grants a network access account and to authenticate is a matter for the organisation to decide, provided that the various Janet AUP and Security policies are complied with and that the private network status of Janet is not compromised; this results in the exclusion of general members of the public and alumni who are not currently actively engaged with the organisation/university. Temporary visitors such as conference delegates and people engaged in joint research with the organisation/university may be given network accounts strictly for the duration of their association with the university. This is all covered in the documents under https://community.jisc.ac.uk/library/janet-policies/eligibility-policy-guidance

All members of organisations whose primary business activity is research or education are eligible to be given credentials for eduroam roaming.

Organisations whose primary activity is not research or education, but who are nevertheless eligible to participate in eduroam(UK) (e.g. local authorities, national health service organisations and other public sector bodies - see separate FAQ) as a Home service (IdP) provider, must limit eduroam roaming capability to those members who are engaged in research, education, training or support of these activities.

Can alumni be granted eduroam accounts?

The Janet AUP, Security Policy and the private network status of Janet result in alumni generally being ineligible to be granted network access privileges and hence eduroam enabled accounts. Together with former members of staff, alumni may only be given eduroam credentials if they have an ongoing close association with / are currently actively engaged with the organisation/university / are on site for the purpose of contributing to the organisation's primary business activity (research/education).

The network accounts of students/researchers/staff who have left the organisation and no longer have a close association should be promptly disabled, as least in respect of eduroam and the leavers should be encouraged to delete the eduroam profiles from their devices.

Do users need to have a network logon account?

Yes, users need to be authenticated by their host organisation. Such authentication is for the purpose of providing eduroam network access. Most organisations deploying eduroam make eduroam their primary network. It would be permissible for a user to have an eduroam account that the organisation did not permit local network connectivity for - although we can't think why. A more understandable scenario would be where a small organisation did not provide its own eduroam Wi-Fi service but still acted as an eduroam IdP, for instance an organisation that is hosted by/embedded in a university/NHS trust/local authority.

What about access for the public/non-registered users?

To whom the member organisation grants a network access account and to authenticate is a matter for the organisation to decide. Such users will invariably need to register to be granted a network access account. Organisations may grant temporary accounts for visitors to conferences, events, training courses, contractors etc. provided that the various Janet AUP and Security policies are complied with and that the private network status of Janet is not compromised. Unregistered access for the public is not permitted - see the Janet factsheet on Guest and Public Network Access https://community.jisc.ac.uk/library/janet-policies/guest-and-public-network-access

Can we have an additional top level realm for our organisation?

Yes, provided that your organisation is entitled to use the DNS domain. The technical wording is 'owns or manages by delegation'. We interpret this to include realm names/sub-realms that the organisation owning the DNS domain has given permission for your organisation to use for eduroam. To request an additional top level realm, simple put in a request via the Jisc Service Desk / Jisc online service request form.

Can sub-realms be configured for an organisation?

Yes. This is a self service function that sys admins an perform via the eduroam(UK) Support server portal.

Can we use a non-uk-specific realm, ie one that doesn't have a country identifier?

Yes. A realm such as camford.org does not contain a country identifier but if you own the domain you may use this as a realm name. If you use such a realm name, you are strongly advised to ensure that you create a relevant NAPTR record in your DNS zone. A NATPR record is needed when your realm has no country identifier in order to support international roaming when any of your staff/students travel to another country and encounter an eduroam service. The user device will automatically try to connect to that eduroam service and authentication requests will be forward from the visited institution to the local country’s national RADIUS service and thence to the European Top Level RADIUS servers. The ETLRs now only use NAPTR lookups to determine to which country they should forward auth requests for non-country specific realms. Since the .org realm does not contain country information, without a NAPTR record, all authentication requests will fail at this point.

For information about creating a NAPTR record see https://community.jisc.ac.uk/library/janet-services-documentation/advisory-improving-efficiency-international-authentication

Our DNS name server does not support NAPTR records, what can we do?

Member organisations are perfectly at liberty to use realms which lack a country identifier, but should appreciate that in order to support international roaming, a NAPTR record needs to be present in DNS. Now NAPTR records are not covered in the current Technical Specification so your organisation may participate in eduroam even without a suitable NAPTR record. The service will work perfectly well for your staff and students in the UK. However, the eduroam(UK) Support server detection logic has been configured to flag up the lack of a NAPTR record for .org members as a critical error. This is reasonable since limiting the geographical range of an international service (without ensuring that users are made aware of such a restriction) is not desirable.

The eduroam(UK) Support server Status page will display a critical error. If your organisation has not already ticked the 'Deployment complete' box on the Configure/Organisation settings panel, you will not be able to tick this box. The solution is for you to switch to a name server that supports NAPTR records or to change to a realm name that includes the uk identifier, e.g. camford.org.uk. You may request eduroam(UK) Support to manually change the flag in the database but if you operate a service that does not support international roaming you must state this on your eduroam service information web page.

5) RADIUS server configuration

In this section you will find specific information on Radiator, FreeRADIUS and MS Internet Authentication Service / Network Policy Server as well as information relevant to all RADIUS software.

Do we really need to deploy a RADIUS server; is it forbidden to simply peer our WLC to the NRPS (particularly for Visited-only services)?

Yes, pretty much. (This question is also addressed in section 9 on https://community.jisc.ac.uk/library/janet-services-documentation/faqs-eduroam-system-administrators-and-implementation-techs-0 )

It would be technically possible to configure WLCs as clients of remote RADIUS servers - you would need to allocate a public IP address for each WLC, create A records in your DNS and configure your firewall to support the addresses and forward to your WLCs. You would also need to set the WLCs as your 'ORPSs' in the eduroam(UK) Support server portal. However, this is strongly deprecated and there are further technical issues to be considered.

The deployment model on which eduroam is based is that of a RADIUS server being peered to the NRPSs with the member organisation's APs/WLCs providing the Wi-Fi service and pointed to the RADIUS server for authentication. The Technical Specification (to underpin the trust fabric of eduroam and to comply with security policies) requires that there is logging of authentication events. It also requires that non-essential VSA attributes, which in many cases essential to internal network operation, are not included in authentication responses to the NRPS/visited ORPSs - so it may be required that your system can support attribute filtering. In addition, some authentication filtering based on realm may be required. For all these reasons, unless your WLC system can support the aforegoing, the deployment of a RADIUS server is the strongly preferred solution.

Having a dedicated RADIUS server allows you to implement the following:

  1. Choose a fully functional RADIUS server/service that meets your requirements/vendor supply policy (*)
  2. Makes it easier to provision a public facing IP address c/w A record in DNS - one ORPS can support multiple WLCs
  3. Put in place authentication filters to ensure that rubbish auth requests containing malformed/bad/nuisance usernames are not sent to the eduroam(UK) servers
  4. Put in place RADIUS attribute filters to remove spurious/troublesome attributes that may ‘leak’ out of your own and other member organisation services as required in the eduroam(UK) Technical Specification
  5. Comply with the eduroam(UK) Technical Specification RADIUS logging requirements
  6. Allow for upgrades/replacement of WLC separately from RADIUS service function

(*) There are several top quality RADIUS server systems available:  FreeRADIUS, Aruba ClearPass, Microsoft NPS, Radiator, Cisco ISE etc

Do you have links to the various RADIUS server platform websites?

FreeRadius website

Radiator website

Microsoft IAS (Internet Authentication Service) (Windows Server 2003) website

Microsoft Network Policy Server (NPS) (Windows Server 2008 and Windows Server 2012) website

Cisco ACS (Secure Access Control Server for Windows) website

Juniper Funk Steel-Belted Radius website

How many RADIUS client devices can my ORPS support?

Please note that this answer relates to RADIUS clients (eg NAS devices - such as wireless access points and switches) NOT actual users using the ORPS.

  • Windows Server 2003, Standard Edition or Enterprise Edition (for IAS and Certification Authority (CA) installation). Standard edition supports maximum of 50 wireless APs (RADIUS clients) per server.
  • FreeRADIUS - as many as your server can logically handle
  • RADIATOR - as many as your server can logically handle
  • CiscoACS - Number of Access Points. To determine the number of access points that a Cisco Secure ACS can manage, start with the assumption that each access point manages about ten WLAN users. Then divide the total number of users that can be supported by a Cisco Secure ACS - 21,000 by this number. With this formula we have 21,000 divided by 10 or 2,100 access points that can be supported by one Cisco Secure ACS. This is the minimum number of access points that can be supported because not all access points will be supporting the maximum number of users at any one time.
  • Number of Network Access Servers - a Cisco Secure ACS can support up 5,000 discrete network access servers (NASs). This number can be increased by the use of the multi-NAS capability of an ACS. Multi-NAS is a concept that allows one or more addresses to be configured for a given NAS entry. Using multi-NAS, the Cisco Secure ACS can support a theoretical maximum of 255 multiplied by 5,000 discrete NAS equaling 1.275 million devices. However, a configuration of 1.275 million devices per Cisco Secure ACS is clearly not realistic.

What RADIUS server software are eduroam participants using?

Number of ORPS installations by RADIUS software type:

Number of ORPS installations by RADIUS software type

 

Dec 2006

July 2007

Dec 2007

Apl 2008

July 2008

Apl 2009

Aug 2010

June 2013

June 2014

FreeRADIUS

27

51

59

64

74

74

106

256

308

Microsoft IAS/NPS

12

15

16

21

24

31

47

119

153

Radiator

13

13

13

15

14

16

16

28

34

Cisco Secure ACS

2

3

4

4

10

15

14

23

37

Cisco IOS

0

1

1

1

1

0

1

1

1
Aruba Clearpass - - - - - - - - 7

Juniper Steel-Belted

-

-

-

-

-

-

-

- 1
Other - - - - - - - - 8

Typo / not stated

14

9

5

6

4

5

0

17

12

Are there any known issues with certain versions of RADIUS server software?

Yes! We of course make the general recommendation that you keep your RADIUS server software updated to the latest releases. There are particular known issues with versions of the popular choices of RADIUS software, including the following:

FreeRADIUS - version 3.0.22 is the current release at the time of writing https://freeradius.org/releases/

The 2.x.x release series is now End Of Life. Only security fixes will be applied to 2.x.x. Users of 2.x.x are encouraged to migrate to the latest 3.0.x series release. If you are using versions of FR before 2.2.10, upgrade to version 2.2.10 or 3.0.22. Release 2.2.10 was the final version of the 2.2.X product (which whilst end of life fixed many 1.1.x issues).  

Archive note: Versions prior to 1.1.4 did not support Vista clients due to the change in PEAP handling with Vista compared to XP. 1.1.5 and 1.1.6 had further SSL fixes to improve/fix SSL behaviour and stability in general...as well as more than 30 other bug fixes.

Versions 1.1.3-1.1.7 were vulnerable to being crashed by an attacker sending a Tunnel-Password attribute in an Access-Request packet.

Use of the old 1.1.x code is deprecated, 1.1.8 was the final version of the 1.1.x product.

Further details regarding security vulnerabilities of FreeRADIUS versions can be found here:http://freeradius.org/security.html

Radiator - in June 2007 the eduroam(UK) NRPS had to be upgraded to the current version due to several EAP-TLS broken parts. This was leading to failed authentication attempts from visited sites for users from a participating organisation using EAP- TLS with MS IAS.

The problem, which was traced to the RADIUS exchange not completing, was resolved by upgrading our NRPS Radiator software from v 3.13 to 3.17.1. It is likely that if you are running older versions of Radiator on your ORPS and you get a visitor from a site that utilises EAP-TLS then similar problems will be encountered.

We specifically recommend that if you are still running older versions of Radiator, you should upgrade as soon as possible to the latest version. (Radiator 4.4 is the latest version, last modified 11 March 2009).

In addition to the above, a compounding problem was that the ipf firewall software configurations on our NRPS were set to discard UDP fragments. The script was therefore changed to pass fragments using the keep frag keyword. If you employ the ipf filewall on your ORPS, you should check this.

A full history of Radiator software revisions can be found here: Radiator Revision History

Are there any example configurations for Radiator available?

We currently don't have any direct cut'n'paste for Radiator that is clearly available for any site due to the uniqueness of each site requirement (backend authentication and such).

However, OSC (the publisher of Radiator) has produced a number of example configuration file snippets and templates which can be found in the goodies directory on a Radiator server. Eg. ntlm_eap_multi.cfg is a simple config which handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also handles the outer and inner requests for TTLS and PEAP. In this case, the <AuthBy NTLM> sub-handler is doing the work. (Of course this is only suitable for Active Directory. If sites are using passwords or eDirectory etc then the requirements will be different).

Resources:

Also appendix A.2 of the Geant2 Roaming Infrastructure Service and Support Cookbook provides useful information on configuring the ORPS server software.

Are there any example configurations for FreeRADIUS available?

We don't have any direct cut'n'paste configurations for FreeRADIUS that would be suitable for all sites due to the uniqueness of each site requirement (backend authentication etc).

However there are some hints and tips on the Support web site and there is some useful information in the following case study, which is a practical description of how University of Bristol implemented and complies with the Technical Specification using FreeRADIUS in an AD environment: A Case Study in Complying with the Technical Specification.

What is unlang?

The unlang language available in FreeRADIUS takes flexibility in authorization to new heights. Unlang is not a full blown programming language, but rather a processing language. The purpose of unlang is to implement policies and not to replace complex scripts like those created with Perl or Python. Unlang sticks to a basic syntax that includes conditional statements and manipulation of variables. The unlang code does not get compiled but is interpreted by the FreeRADIUS server. The interpretation happens when the server reads the configuration files, which typically happens during start-up. The use of unlang is restricted to specified sections inside the configuration files and cannot be used inside the modules.

Source: https://www.safaribooksonline.com/library/view/freeradius-beginners-guid...

Where can I get up to date binaries for FR2.2 for Centos (which ships with an old version)?

As of Jan 2015 CentOS 6.5 ships with 2.1.12, which is a somewhat deprecated version. I'm keen to get an up to date version. I'm loathe to compile from sources because we don't have the time to maintain manually compiled versions of things.

Try here: http://software.opensuse.org/download.html?project=home%3Afreeradius%3A2.x.x%3Acentos&package=freeradius 

What's the Difference between MS IAS and NPS?

Here's what msdn says - Internet Authentication Service vs Network Policy Server. But we have also found difference in that IAS requires a workaround to be applied in order to avoid a problem related to Operator-Name

Microsoft IAS Deployment

Microsoft NPS (Windows 2008/R2 and 2012/R2) Deployment

Troubleshooting Microsoft IAS as a RADIUS server and as a RADIUS proxy

This link to the MS TechNet site should be useful:

Our AD usernames don't match eduroam username format, how can I strip/modify realm for authentication?

Our usernames in AD just use the userID format not userID@realm - how do I strip the realm prior to authenticaiton?

Our usernames in AD use a different realm (e.g. @ad.camford.ac.uk) - how do I modify the realm component?

The recommended solution is to add the required realm as a UPN in AD - this will allow NPS to authenticate the eduroam usernames against your AD.

See section 13 of https://community.jisc.ac.uk/library/janet-services-documentation/implementing-eduroam-roadmap-part-2

What is the recommended regex for the Connection Request Policy for eduroam Visitors in Microsoft NPS?

We are experiencing a lot of misconfigured supplicants with the 3gppnetwork.org account, how do we prevent our ORPS from flooding the eduroam(UK) NRPS with spurious authentication requests that unecessarily adds to the load on the national service and which also degrades our ORPS performace as it just waits for a response that will never be returned?

For an organisation with a realm ending in .ac.uk the following regex is recommended - to be used in the Connection Request Policy for eduroam Visitors ('proxy to eduroam') in the Condition: User Name box. It will result in auth requests with usernames that contain common non-eduroam realms not being forwarded to the NRPS:

@{1}(?!((.*\.(ax\.edu|ac\.edu|ax\.uk$|sc\.uk$|au\.uk$|ac\.ik$|ac\.u$|ac\.k$|ac\.ukj$|local))|((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)))(([-0-9a-zA-Z\.]+\.[-0-9a-zA-Z\.]+))$

Cisco ISE Loss of Visited Service Functionality after Applying an Update

We've just updated our Cisco ISE version, but now our Visited service doesn't work; nothing is being forwarded to the NRPS.

Solution - remove the config for the NRPSs from the ISE 'External RADIUS Servers List' configuration. Then add them back in. Note the advice on the settings for the Server Timeout/Connection Attemps/Failover Expiration settings in section 10.2 of the Implementation  Guide. https://community.jisc.ac.uk/library/janet-services-documentation/implem...

Cisco ACS Implementation

We have configured the relevant databases for our ACS servers and ports on the ASA firewalls, now we need some help in configuring ACS 4.0 for PEAP.

The following Cisco links give various bits of help regarding ACS and PEAP:

When initially setting this up it is a good idea to maximise the logging as follows.

How to Set the Logging Level to Full in the ACS GUI:

You will need to set ACS to log all messages. To do this, follow the steps listed below:

1. From the ACS home page, go to Systems Configuration > Service Control.
2. Under the Service Log File Configuration heading, set the level of detail to Full.

You can also use the command line tools to further debug - there's a whole suite of them.

ACS Internal Architecture - CSTacacs and CSRadius

CSRadius appears to be the most useful - for an example of it in action see:

Obtaining vs and AAA debug info for Cisco Secure ACS - RADIUS success authentication

I've set up Attribute filtering - what Attributes should I NOT filter out?

The following is the minimum set of attributes required to support eduroam. These must not be filtered out:

RADIUS Access-Request or Access-Challenge message attributes:

1.    User-Name
18.  Reply-Message
24.  State
25.  Class
31.  Calling-Station-ID
33.  Proxy-State
79.  EAP-Message
80.  Message-Authenticator
       MS-MPPE-Send-Key
       MS-MPPE-Recv-Key
89.  Chargeable-User-Identity
126. Operator-Name

RADIUS Accounting messages:

1.    User-Name
25.  Class
33.  Proxy-State
40.  Acct-Status-Type
44.  Acct-Session-ID

This list has been determined following a small number of incidents involving Roaming users being unable to connect at certain institutions (both here in the UK and elsewhere) owing to over-restrictive attribute filtering. Please note that implementation of the list is likely to become a mandatory feature of eduroam.

If you are aware of any other attributes then please contact eduroam Support.

For more information on this topic see:

What procedure do I need to follow for changing the IP address of our ORPS?

This depends on the architecture of your ORPS - firewall/router - internet connection.

a) If you have implemented network address translation via your external router/firewall and your ORPS has a non-public IP address that you wish to change, you simply need to change the setup of the NATing and the IP address configuration of the interface used to handle RADIUS traffic with the NRPS. 

b) If the public facing IP address of your ORPS has to be changed, there are three or four steps to take depending on whether your network arrangement requires you to change the IP address of the ORPS itself. These involve your DNS configuration, the registration of your ORPS in the eduroam(UK) Support portal, the configuration of your firewall and the IP address configuration of the ORPS interface used to handle RADIUS traffic with the NRPS. There will be some loss of ORPS-NRPS RADIUS service during the IP address change process, but this can be minimised by timing the switch-over to be close to the top of the hour and the routine NRPS config refresh. 

The IP address that is used by eduroam(UK) and which is registered as the address of your ORPS in the NRPS configuration, is registered in your DNS space with an A record (and AAAA record if supporting IPv6). 

So to change the (public) IP address of your ORPS:

i) Update the A record for your ORPS in DNS. Do this several hours before the switch-over to allow DNS propagation. Nothing will happen at this point.

ii) Update the configuration of your router/firewall for the new public internet address. At this point RADIUS exchanges with the NRPS will cease. You may need to adjust the rules on your firewall, particularly if you need to make internal networking changes.

iii) If you need to change the internal IP address of your ORPS make this change now.

iv) To restore NRPS-ORPS RADIUS interchange, simply log in to the https://support.eduroam.uk Support site. Click on the Configure page. In the green 'RADIUS servers' panel, select your ORPS. This will result in a popup box appearing and the Support server will perform a DNS lookup. The IP address found should be your new IP address. Click on the [Save] button. The changes are propagated to the NRPS at the next hourly config refresh (on the hour).

Relocating or replacing ORPS to a new location - ORPS IP Addresses/FQDNs/shared secrets

If you are replacing your ORPS with a new server (usually a VM these days) in a new location you will probably wish to deploy your new server whilst keeping your existing one running until the switch over date. See section 8.3 on https://community.jisc.ac.uk/library/janet-services-documentation/implementing-eduroam-roadmap-part-2 for how to register the additional ORPS with eduroam(UK).

Use the https://support.eduroam.uk Support site. Go to your ORPS configuration page and select your ORPS, change the name (FQDN) of the RADIUS server and click on the [Save] button. (Check that the shared secret does not change (it should not)). The changes are propagated to the NRPS at the next hourly config refresh (on the hour).

How do I set the shared secret for ORPS in a fail-over cluster to be the same?

It is best practice to use one shared secret for each ORPS-internal RADIUS server pair. This is to limit the effect of one RADIUS server being compromised or having the credentials leaked giving further access to the rest of the RADIUS infrastructure. In some cases it is not feasible to have seperate shared secrets, for example in a system where the RADIUS servers have a shared/synchronised database.

In this case you can request eduroam(UK) Support to set the same set of shared secrets to be same for all you ORPSs.

What is the recommendation regarding use of same or unique shared secrets for ORPS / internal RADIUS servers?

We have multiple internal RADIUS servers at departments and colleges, should be use separate shared secrets for each pairing or would a common one be acceptable?

It is best practice to use one shared secret for each ORPS-internal RADIUS server pair. This is to limit the effect of one RADIUS server being compromised or having the credentials leaked giving further access to the rest of the RADIUS infrastructure. In some cases it is not feasible to have seperate shared secrets, for example in a system where the RADIUS servers have a shared/synchronised database.

In this case you can request eduroam(UK) Support to set the same set of shared secrets to be same for all you ORPSs.

We don't think our ORPS are communicating with the NRPS properly although we've set the NRPS up as clients and configured forwarding. What's going wrong?

'Invalid message authenticator' type error entries may be seen in the NRPS Radius errors logs on your eduroam(UK) Support server Troubleshoot page or you may see similar error messages in your ORPS error logs (e.g. NPS event log) 

'Bad Authenticator' error entries are being seen in the NRPS error logs views on eduroam(UK) Support:

- Mon Oct xx xx:xx:xx 2014: WARNING: Bad EAP Message-Authenticator

- Mon Oct xx xx:xx:xx 2014: WARNING: Bad authenticator in request from xxx.yy.zzz.118 (xxx.yy.zzz.72))

'Message-Authenticator attribute that is not valid' error messages being seen in Microsoft NPS server error/event log:

- An Access-Request message was received from RADIUS client 194.83.56.233(*) with a Message-Authenticator attribute that is not valid        (*) any NRPS address

Bad authenticator in an Access-Request indicates that the shared secret is incorrect. So the log error entry indicates that an ORPS that has a incorrect shared secret configured for a NRPS. (Remember, each NRPS-ORPS pair has an individual shared secret).

If there is a further IP address in brackets in the error entry, this indicates that you might have an internal system with an incorrect shared secret with your ORPS. (Best practice is for each RADIUS pair on your internal network to have its own secrets). The NAS systems (APs, WLCs [switches if applicable], that talk to your ORPS internally need to have their own correct shared secrets. If your ORPS behaves badly and forwards RADIUS packets containing a bad EAP Message-Authenticator, the result will be that the NRPS detects the error, drops the packet and records the entry in the log - which is propagated to your view of the error log on eduroam(UK) Support.

Solution - correct your shared secrets on NASs and ORPS.

'Unknown client' error entries are being seen in the NRPS error logs views on eduroam(UK) Support:

Unknown client means that the RADIUS client is unknown, the NRPS don't recognise the IP address of the RADIUS server that is sending authentication requests to them. This could be because you have not correctly added the ORPS details into the ORPS config screen on the Support server. Alternatively it could be that there is a DNS issue. You define your ORPS as a FQDN. If this is not correctly resolved or if your ORPS is using an address other than can be resolved, the NRPS will not reply and the unknown client error will be logged. 

'Network Policy Server denied access to a user - reason code: 23 - An error occurred during the Network Policy Server use of the EAP protocol' error messages are being seen in the Microsoft NPS logs (a 6273 event is being logged)

This indicates a server certificate issue. The server must have a valid certificate and that certificate must be referenced in the connection request policy and the network policy that serve your clients (i.e. the local user connection policy and the user authentication policy). The EAP log files on the server may reveal more detail.

Note that there are certain requirements pertaining to the server certificate - see https://wiki.geant.org/pages/viewpage.action?pageId=121346259#Howtodeplo...(ADVANCED)-Consideration2:Recommendedcertificateproperties

In addition, the client device needs to trust the RADIUS server certificate and different client operating systems/Wi-Fi client software have differing requirements and configuration settings. 

Does Microsoft NPS support RADIUS accounting and how to avoid forwarding accounting packets to NRPS?

Yes Microsoft NPS does indeed support RADIUS accounting. But by default NPS does not log any data - although you should be logging authentication events in order to comply with the eduroam(UK) Technical Specification. https://msdn.microsoft.com/en-us/library/cc725566%28v=ws.11%29.aspx and https://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx

By default NPS does NOT forward accounting packets, but it is possible to configure the server to do so!

Microsoft documentation states: ‘Connection request policy accounting settings function independently of the accounting configuration of the local NPS server. In other words, if you configure the local NPS server to log RADIUS accounting information to a local file or to a Microsoft® SQL Server™ database, it will do so regardless of whether you configure a connection request policy to forward accounting messages to a remote RADIUS server group.’

To comply with eduroam(UK) Tech Spec you need to ensure that you configure the local NPS server to log RADIUS accounting information to a local file or to a Microsoft® SQL Server™ database.

The May 2016 eduroam(UK) advisory notice requests that you ensure that you have NOT set a connection request policy to forward accounting messages to the NRPSs.

NB. A default connection request policy is created when you install NPS. This policy has the following configuration:

  • Authentication is not configured.
  • Accounting is not configured to forward accounting information to a remote RADIUS server group.
  • Attribute is not configured with attribute manipulation rules that forward connection requests to remote RADIUS server groups.
  • Forwarding Request is configured so that connection requests are authenticated and authorized on the local NPS server.
  • Advanced attributes are not configured.

To learn about accounting and logging in NPS see:

https://msdn.microsoft.com/en-us/library/cc725566%28v=ws.11%29.aspx

https://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx

http://services.geant.net/cbp/Knowledge_Base/Wireless/Documents/CBP-13_Using-Windows-NPS-as-RADIUS-in-eduroam_final.pdf   (p.42 (section 6))

Further references:

https://msdn.microsoft.com/en-us/library/bb892012%28v=vs.85%29.aspx

https://msdn.microsoft.com/en-us/library/cc753603.aspx

https://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx