2024-01 Advisory: Migration of Roaming0.ja.net NRPS


Released: 16th January 2024
Updated: 20th February 2024

This advisory is important and relevant to all eduroam(UK) service organisations.

  • Summary
  • Background and Scope
  • Phase 1 - DNS, Firewall and RADIUS Server Changes and Verification
  • Phase 2 - Firewall and RADIUS Server Changes 
  • During The Migration Phase
  • Supplementary Information

SUMMARY

Roaming0 is moving to a new platform and this means that all member organisations need to update their RADIUS server configurations and firewall settings. The new host is already online but we are not commencing the migration process until 6th February. To ensure a smooth transition we request our members to configure interim RADIUS peering with the eduroam(UK) national infrastructure. Your configuration changes should be completed by 20th February.

On 6th February 2024 the IP address for roaming0.ja.net will change so you must reconfigure your firewall and RADIUS servers as described below.

On 20th February 2024 you must remove the old IP addresses for Roaming0/interim hostname from your configurations.

BACKGROUND AND SCOPE

The eduroam(UK) team is migrating all national roaming proxy servers (NRPS) to Jisc shared infrastructure. This migration is now at the point where we would like all eduroam service administrators at member organisations to prepare for the migration of roaming0.ja.net.

The move to the new platform involves a necessary IP address change - this enables us to better manage our IP address space and provides for future development of the service.

The existing shared secrets for roaming0 will not change and are displayed for administrators via the RADIUS servers configuration panel on your Configure page on eduroam(UK) Support Server (ESS) portal.

The necessary IP address change for roaming0.ja.net is as below:

Obsolete IPv4 Address: 194.82.174.185
Obsolete IPv6 Address: 2001:630:1:128::185

New IPv4 Address: 193.63.195.58
New IPv6 Address: 2001:630:1:133::58

Phased migration:

To ensure minimal impact on service levels, the migration is being carried out over a two week transition period during which both the old and the new IP addresses will be supported - at the end of the transition window the old IP addresses will be taken out of service. The phased approach to the migration means that there are two configuration updates that you need to make: Phase 1 is the firewall and DNS switch using the interim hostname on 6th February 2024, and Phase 2 is the removal of the obsolete roaming0.ja.net IP addresses on 20th February 2024.

1) The new host for roaming0 will be brought into production on 6th February during the maintenance window - so from 6:00 onwards, authentication requests from your roaming users and the eduroam(UK) monitoring systems will be sent to your ORPSs from all four NRPS IP addresses - including the new IP address for roaming0. Your ORPSs must be able to respond to these requests from the new address.

i) At your earliest convenience on Tuesday 6th February you should update your RADIUS and firewall configurations as explained in detail in the section below – this involves configuration of an interim RADIUS client/network device and remote RADIUS server/proxy/authenticator. Since not all members will switch the IP address of roaming0 for sending authentication requests from their visitors first thing on 6th February, your ORPSs will continue to be sent auth requests via the old IP address for roaming0. Do not delete the old roaming0 configurations.

ii) Also on 6th February you should send authentication requests for your visitors via the new IP address for Roaming0 in addition to sending requests to the old IP address. You should load balance auth traffic to all the NRPSs (ideally favouring Roaming2 and Roaming1) but if using primary/secondary mode, set the new Roaming0 as secondary. This will ensure that the new server is exposed to auth traffic and we can verify that you have successfully configured your systems. Your RADIUS and firewall configurations must be updated as described in detail in the section below.

2) On 20th February the old host for roaming0 will be taken out of production and the old IP address will not support eduroam authentication traffic.

i) Remove the interim host roaming0.eduroam.uk and the old IP address for roaming0 from your firewall and RADIUS configurations. Roaming0 ‘roaming0.ja.net’ will operate using the new IP address only.

We recognise that the above timeframe is tight, especially for organisations which may have lengthy change control processes to follow; it is for this reason that we give several weeks’ notice for you to gain approval.

The new host for roaming0.ja.net is already in place and is accepting RADIUS traffic on the new IP addresses. Until 6th February you MUST ONLY send visitor test authentications to the new host/IP addresses. From 6th February you MUST start sending production authentication requests. We intend to decommission the old host (and IP addresses) on 20th February 2024.

Basic updating instructions: Instructions for the most commonly used RADIUS server products in the UK are included as supplemental information at the end of this advisory.

Customers of Jisc Trust & Identity Group’s retained expertise consulting services: You must contact your Trust & Identity Group point of contact as per the terms of your Retained Expertise agreement if you require help with the transition between the old and the new IP addresses.

Roaming1.ja.net and Roaming2.ja.net: Roaming1 and Roaming2 remain in service, unchanged.

Queries/comments: The eduroam clinic on 6th February 2024 will be dedicated to this transition process, with the eduroam(UK) team on hand to discuss any problems you may encounter, and you can also lodge a support ticket with our help desk by e-mailing help@jisc.ac.uk with your query, or by using the support form at https://www.jisc.ac.uk/forms/eduroam-support-request.

PHASE 1 - DNS, FIREWALL AND RADIUS SERVER CHANGES

This work must be commenced ON OR AFTER 6TH FEBRUARY 2024, NOT BEFORE. It is applicable to ALL MEMBERS.

The IP addresses for roaming0.ja.net will change from the set ending in .185 to the set ending in .58 at approximately 6 AM London time (6 AM UTC). The TTL for the DNS entry for roaming0.ja.net will be shortened starting approximately 24 hours before the switch and will return to the default TTL approximately 6 hours after.

An interim hostname, roaming0.eduroam.uk, is already configured to resolve to the current roaming0 IP addresses ending in .185 during the migration period, which ends on 20th February 2024.

Firewall Configuration

For members using hostnames-based firewall and NAT rules:

  • Configure your firewall to accept/send traffic (UDP/1812) and accept ICMP from the hostname roaming0.eduroam.uk, which resolves to the current IP addresses of roaming0.ja.net (ending in .185) until approximately 7am BST on 6th February 2024.
  • You must ensure that any NAT rules are updated accordingly.
  • DO NOT REMOVE the hostname roaming0.ja.net from your configuration. Its IP addresses will change at approximately 7 AM BST on 6th February to the new IP addresses (ending in .58).

For members using IP-address-based firewall and NAT rules:

  • Configure your firewall to accept/send traffic (UDP/1812) and accept ICMP from the new IP addresses (ending in .58) for roaming0.ja.net
  • You must ensure that any NAT rules are updated accordingly.
  • DO NOT REMOVE the old IP addresses (ending in .185) for roaming0.ja.net.

RADIUS Server Configuration

For members using hostnames-based configuration of their RADIUS servers:

  • You MUST add roaming0.eduroam.uk as an interim RADIUS client/network device and also as an interim remote RADIUS server/authenticator to your RADIUS server configuration with the same secret as the old roaming0.ja.net, so that RADIUS traffic exchanges with other members who have not yet applied their configuration changes will still be supported (*).
  • DO NOT REMOVE the hostname roaming0.ja.net from your RADIUS configuration since this will be the new host and will be handling live traffic via the new IP address.
  • If you are not using the roaming servers in a load-balancing configuration (i.e. you use a primary and several secondary RADIUS servers), we recommend that you ‘demote’ roaming0.ja.net (and roaming0.eduroam.uk) from being the primary RADIUS server and use either roaming1.ja.net or roaming2.ja.net as primary RADIUS server.
  • You MUST RESTART your RADIUS server to force it to refresh its DNS information for the existing and new clients and servers. FreeRADIUS and Microsoft NPS in particular only refresh their DNS information on start-up, and a restart for either is REQUIRED. This may also be the case for Aruba ClearPass Policy Manager (which is based on FreeRADIUS).

(*) roaming0.eduroam.uk resolves to the old Roaming0 IP address. Nb. You must cease sending users’ RADIUS traffic to this old server on 20th February 2024 by following the actions described for Phase 2 below.

For members using IP-address-based configuration of their RADIUS servers:

  • You MUST add the new Roaming0 host with the new IP addresses (ending in .58) as a RADIUS client/network device and as a remote RADIUS server/authenticator to your RADIUS server configuration using the same secret as the old roaming0.ja.net. This new peering will ensure that your RADIUS server will exchange inbound and outbound authentications with the new host.
  • Essential for interim RADIUS peering - DO NOT REMOVE the old IP addresses (ending in .185) of the old Roaming0 from your existing RADIUS clients and remote RADIUS servers configurations. If applicable, rename any templates, friendly names etc. to e.g. ‘old Roaming0’. This is to ensure that RADIUS exchanges with other members who have not yet applied their configuration changes will still be supported (*) during the transition.
  • If you are not using the roaming servers in a load-balancing configuration (i.e. you use a primary and several secondary RADIUS servers), we recommend that you ‘demote’ both sets of Roaming0 IP addresses (those ending in .185 and those ending in .58) from being the primary RADIUS server and use either the IP addresses ending in .34 or the IP addresses ending in .50 as primary RADIUS server.
  • You SHOULD RESTART your RADIUS server to refresh its configuration for the existing and new clients and servers. FreeRADIUS in particular only refreshes its configuration on start-up, so a restart for FreeRADIUS is REQUIRED. This may also be the case for Aruba ClearPass Policy Manager (which is based on FreeRADIUS).

(*) Nb. You must cease sending users’ RADIUS traffic to the old IP addresses (ending in .185) on 20th February 2024 by following the actions described for Phase 2 below.

Verification

For ALL members:

  • Receiving from new Roaming0 - You MUST SUCCESSFULLY complete troubleshooting at https://support.eduroam.uk/troubleshoot/ by attempting a certificate check or an authentication check. An ICMP check is INSUFFICIENT. Select ‘roaming0’ from the dropdown list on the blue Tests panel top line to test your connection from the new IP address (ending in .58). Acceptable authentication or certificate check responses are OK, Warn, Reject or Fail.

If authentication requests arising from your roaming users are sent via the new IP addresses of roaming0.ja.net but your ORPS is not reachable or does not respond, the request will not complete, the user authentication will fail and the following message will appear in your ESS portal Radius errors log on the Troubleshoot page:

roaming0 : No working hosts in AuthBy for Identifier <your realm>, sending reject to clear backlog

  • Sending to new Roaming0 - You must check that authentication requests from eduroam Visitors to your campus can be sent to the new IP address for Roaming0. You can do this either a) by making use of the visitor simulation test credentials posted in the Tests panel on your Troubleshoot page on Support server or b) by viewing the NRPS Authlog for your organisation via the Logs panel on your Troubleshoot page. If you apply the filter Operator:<your realm> the report will show only authentication requests that are being sent from your ORPS to the NRPS. (Note: For the purpose of testing you may need to adjust the weighting/primary-failover status to favour your new Roaming0 authenticator - for production, Roaming0 should be load balanced/set as a backup).

PHASE 2 - FIREWALL AND RADIUS SERVER CHANGES

This work MUST BE COMPLETED ON 20TH FEBRUARY 2024. This deadline is fixed; any organisations who DO NOT COMPLETE the work on this date WILL RISK DEGRADATION of their eduroam service. It is applicable to ALL MEMBERS.

The interim hostname roaming0.eduroam.uk will be withdrawn on this date, and any RADIUS traffic to the IP addresses ending in .185 will not be responded to.

Firewall Configuration

For members using hostnames-based firewall and NAT rules:

  • Configure your firewall and NAT rules to remove roaming0.eduroam.uk from your configuration. That hostname will cease to proxy RADIUS traffic after 20th February 2024 and will cease to exist soon after.

For members using IP-address-based firewall and NAT rules:

  • Configure your firewall and NAT rules to remove the old IP addresses for roaming0.ja.net (ending with .185). The server at the old IP address will cease to proxy RADIUS traffic after 20th February 2024 and will be decommissioned soon after.

RADIUS Server Configuration

For members using hostnames-based configuration of their RADIUS servers:

  • You must remove roaming0.eduroam.uk as a client and a remote RADIUS server from your RADIUS server configuration.   
  • You MUST restart your RADIUS server to ensure roaming0.eduroam.uk is no longer a server or client.

For members using IP-address-based configuration of their RADIUS servers:

  • You must remove the old IP addresses for roaming0.ja.net (ending with .185) from your clients and remote RADIUS servers in your RADIUS server configuration.
  • You SHOULD restart your RADIUS server to ensure that your RADIUS server no longer accepts traffic from or sends traffic to the old IP addresses (ending in .185).

DURING THE MIGRATION PHASE

eduroam(UK) will perform checks from both the new (IP addresses ending in .58) and the obsolete (IP addresses ending in .185) instances of roaming0.ja.net on a 2-hourly basis so that the team can accurately inform Jisc account managers and members' eduroam admins of the migration status. These checks are automatic. Jisc relationship managers will be requested to engage with your organisation's IT management to ensure that migration completes on time.

Home organisation checks will use the test account credentials you provided in your eduroam realm configuration at https://support.eduroam.uk/configure/ - Please check that the credential(s) provided are accurate and active.

Visited organisation checks will depend on the traffic your organisation sends to the obsolete and new instances of roaming0.ja.net.

SUPPLEMENTARY INFORMATION

Microsoft NPS

Follow the Jisc NPS Guide in Section 11 and Section 14 to add a new RADIUS client and a new RADIUS server with the above information. 

See https://support.eduroam.uk/files/eduroam(UK)%20Microsoft%20NPS%20Configuration%20Guide.pdf.

Restart NPS by right clicking the top entry (with the globe), choosing ‘Stop Service’, and then, after 15-30 seconds, repeating the action and choosing ‘Start Service’.

FreeRADIUS

In FreeRADIUS, you must amend your existing clients.conf file (on RedHat/CentOS in /etc/raddb/, on Debian in /etc/freeradius, on Ubuntu in /etc/freeradius/3.0/) to add the new hostname or IP address as a client. Duplicate the existing ‘client’ stanza for roaming0.ja.net and amend it accordingly.

You must also amend proxy.conf in the same location as clients.conf. In proxy.conf, duplicate the existing ‘home_server’ stanza for roaming0.ja.net and amend it accordingly. You must also add an entry for the newly added stanza into the ‘server_pool’ stanza that includes roaming0.ja.net and roaming2.ja.net. Then restart your instance of FreeRADIUS for changes to take effect.
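The Phase 1 stanzas described above (and in the IP-address-based RADIUS Server Configuration section) as an added example for FreeRADIUS 3.x; this is not configuration from the advisory or the Jisc guides. The stanza names, the pool name eduroam_nrps and the roaming1/roaming2 home_server names are assumptions about your existing configuration, and CHANGE_ME_roaming0_secret is a placeholder for the unchanged roaming0 secret shown on your ESS Configure page.

```conf
# ---- clients.conf: accept requests from BOTH the old and the new roaming0 ----
# Existing stanzas for the obsolete host (addresses ending in .185).
# Keep them during Phase 1; delete them on 20th February (Phase 2).
client roaming0_old {
    ipaddr = 194.82.174.185
    secret = CHANGE_ME_roaming0_secret
}
client roaming0_old_v6 {
    ipaddr = 2001:630:1:128::185
    secret = CHANGE_ME_roaming0_secret
}
# Duplicates of the above with the new addresses (ending in .58), same secret.
# Hostname-based sites would instead use ipaddr = roaming0.ja.net plus an
# interim client with ipaddr = roaming0.eduroam.uk (resolved at start-up only).
client roaming0 {
    ipaddr = 193.63.195.58
    secret = CHANGE_ME_roaming0_secret
}
client roaming0_v6 {
    ipaddr = 2001:630:1:133::58
    secret = CHANGE_ME_roaming0_secret
}

# ---- proxy.conf: forward visitors' requests to the new host as well ----
# Existing home_server stanza for the obsolete host, renamed "old"; remove in Phase 2.
home_server roaming0_old {
    type   = auth
    ipaddr = 194.82.174.185
    port   = 1812
    secret = CHANGE_ME_roaming0_secret
}
# Duplicate of the above pointing at the new address.
home_server roaming0 {
    type   = auth
    ipaddr = 193.63.195.58
    port   = 1812
    secret = CHANGE_ME_roaming0_secret
}
# Pool used by your eduroam proxying realm. roaming1 and roaming2 are assumed to be
# existing home_server stanzas. type = load-balance spreads traffic over all NRPS as
# the advisory recommends; if you use type = fail-over, the list order is the
# priority, so keep both roaming0 entries after roaming1 and roaming2.
home_server_pool eduroam_nrps {
    type        = load-balance
    home_server = roaming1
    home_server = roaming2
    home_server = roaming0
    home_server = roaming0_old
}
```

After editing, restart FreeRADIUS (not just reload), then confirm the new peering with the roaming0 authentication or certificate check on the Troubleshoot page. On 20th February delete the two roaming0_old client stanzas, the roaming0_old home_server and its pool entry, and restart again.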

Cisco ISE

You must add a new RADIUS client device in ISE for the new host by going to Administration > Network Resources > Network Devices and adding the new host, then to Administration > Network Resources > Network Device Groups to include the new network device. You must also define a new external RADIUS server. Go to Administration > Network Resources > External RADIUS Servers, and Add your entry. Also go to Administration > Network Resources > RADIUS Server Sequences to include the new external server and adjust the priorities accordingly.

After applying the above changes you MUST check that ISE is still forwarding auth requests for your visitors to the NRPS. The Support Server Troubleshoot > Logs > Radius Authlog can be useful here - apply the filter Operator:<your realm> and the report will show only authentication requests that are being sent from your ORPS to the NRPS. The host roaming0a indicates traffic to the new IP address for roaming0.ja.net.

We are aware that some versions/patch levels of ISE corrupt their RADIUS Server Sequences when you add a new host and this effectively stops all your visitor traffic with a message that no RADIUS server responded. In this case, delete and recreate your sequence, and if necessary, update to the latest patch level or contact Cisco TAC to resolve this.

Aruba ClearPass

You must add a new Network Device in ClearPass Policy Manager to accept traffic from the new IP addresses. Go to Configuration, Network, Devices. Follow your systems administration guide’s instructions. You must also add a new external authentication source. Go to Configuration, Authentication, Auth Servers. Click on the + and fill in the new details. You should follow the recommended guidance as per the Aruba manual to adjust timeouts. Then also restart the RADIUS service.