Requesting an eduPKI certificate for RadSec

Page first published 25 July 2025
eduroam(UK) has for some time supported RadSec as the transport for eduroam authentication requests between the NRPSs and members’ ORPSs. We anticipate growing interest and adoption over the coming years.
Why RadSec? Whilst UDP with shared secrets may reasonably be considered sufficiently secure for exchanges over research and education networks such as Janet and the European inter-NREN GEANT network, classic RADIUS over UDP only obfuscates the User-Password attribute with the shared secret; the rest of each message, including the outer User-Name, the NAS details and the Accept/Reject result, travels in the clear. RadSec (RADIUS over TLS, RFC 6614) wraps the whole exchange in TLS, so the entire RADIUS message is encrypted and both peers are authenticated by X.509 certificates rather than by a shared secret. This is particularly relevant where RADIUS messages are exchanged over the public internet (i.e. via non-Janet connections), as is increasingly the case as organisations adopt off-premises RADIUS solutions, including hosting in Azure and AWS, RADIUS as a Service, and cloud-based Wi-Fi management platforms that incorporate a RADIUS service. We expect the take-up of RadSec to increase over the coming years, although at present the vast majority of our members use UDP with shared secrets.
Improved process – since 2022 the process for requesting an eduPKI certificate for use with RadSec in an eduroam deployment has been significantly streamlined. Previously you had to generate a CSR via the pki.edupki.org portal and then send the resulting CSR (as a PDF) to eduroam.org by digitally signed e-mail, using a PGP/GPG key that had itself been signed by the UK federation operator, i.e. eduroam(UK). See https://eduroam.org/support/edupki-eduroam-ra/
eduroam(UK) can now submit the CSR you generate directly, through a new portal for NRO admins on the eduroam.org CAT website. The turnaround is almost instantaneous.
Prerequisites – first, make sure that you have registered on the eduroam(UK) Support Server the hosts for which you want eduPKI certificates. The FQDN(s) of the registered ORPS(s) will appear as subjectAltName DNS value(s) on the certificate. If you need to register additional ORPSs, do this via Support Server as usual.
It is recommended that the hosts should be set as production servers (at least as clients) i.e. they should NOT be marked as ‘Test and development’. This ensures that they will be included in the European eduroam database, which is a critical requirement.
Generate a CSR – you can use your preferred method to generate a suitable CSR and key. As a guide, you can use openssl with the command below. Replace 'test' with a descriptor of your choice.
openssl req -new -newkey rsa:4096 -sha256 -out test.csr -keyout test.key -subj "/DC=net/DC=geant/DC=eduroam/C=GB/O=WillBeReplaced/CN=will.be.replaced"
Note – the O and CN elements are replaced automatically with values suitable for your organisation when the CSR is submitted, so enter the subject string exactly as above to avoid any issues. As written, the command prompts for a passphrase for test.key; add -nodes (-noenc on OpenSSL 3) if your RADIUS server has to load the key unattended, and restrict the file's permissions accordingly. The command on its own adds no subjectAltName entries and no extended key usage; those come from the openssl configuration file (or from -addext options) as described under the configuration file section.
Openssl configuration file – unless you pass -config, openssl req reads the configuration file from the build's default location: /etc/pki/tls/openssl.cnf on RHEL-family systems, /etc/ssl/openssl.cnf on Debian and Ubuntu (openssl version -d prints the directory). When building this, the purpose (extendedKeyUsage) needs to be 'Server and Client Authentication', i.e. serverAuth and clientAuth, because an ORPS acts as the TLS server when the NRPS connects to it and as the TLS client when it connects to the NRPS. Do not include Code Signing. The same configuration (the req_extensions section) is where the subjectAltName list of ORPS FQDNs goes; on OpenSSL 1.1.1 or later you can instead pass -addext "subjectAltName=DNS:host1,DNS:host2" and -addext "extendedKeyUsage=serverAuth,clientAuth" on the command line.
Multiple ORPSs? Only *one* CSR will be needed because all your hosts will be listed as Subject Alternative Names in the certificate that will be issued.
Note – the CN that will be applied to the certificate will be selected at random from the list of subjectAltName:DNS values that are included in the CSR. The CSR must include ALL of the ORPS FQDNs for which you want the certificate.
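The CSR generation, SAN and EKU requirements above, pulled together as one script. This is an added example written for this page, not a Jisc or eduroam(UK) tool: it assumes OpenSSL 1.1.1 or later (for -addext), the file name edupki_csr.sh and the ORPS hostnames are made up, and the certificate check at the end is for use once the issued certificate arrives.

```shell
#!/bin/sh
# Added example for this page (not Jisc/eduroam(UK) tooling): build an
# eduPKI-style CSR that lists every ORPS FQDN as a subjectAltName DNS entry
# and requests the serverAuth + clientAuth purposes, then inspect the CSR
# before sending it. Needs OpenSSL 1.1.1 or newer for -addext.
# Hostnames in the usage line are made up.
set -eu

# Subject string as given on this page; O and CN are replaced on submission.
EDUPKI_SUBJ="/DC=net/DC=geant/DC=eduroam/C=GB/O=WillBeReplaced/CN=will.be.replaced"

# san_list HOST... -> "DNS:host1,DNS:host2,..." (the subjectAltName value)
san_list() {
    _sans=""
    for _h in "$@"; do
        _sans="${_sans:+$_sans,}DNS:$_h"
    done
    printf '%s' "$_sans"
}

# make_csr BASENAME HOST... -> writes BASENAME.key (unencrypted, because a
# RADIUS daemon loads it unattended; kept mode 0600) and BASENAME.csr
make_csr() {
    _base=$1; shift
    [ $# -gt 0 ] || { echo "make_csr: at least one ORPS FQDN required" >&2; return 1; }
    openssl req -new -newkey rsa:4096 -sha256 -nodes \
        -keyout "$_base.key" -out "$_base.csr" \
        -subj "$EDUPKI_SUBJ" \
        -addext "subjectAltName=$(san_list "$@")" \
        -addext "extendedKeyUsage=serverAuth,clientAuth"
    chmod 600 "$_base.key"
}

# csr_subject FILE -> subject DN in RFC 2253 form
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# csr_sans FILE -> the DNS SANs in the CSR, one per line, sorted
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# csr_eku FILE -> the extended key usage line as OpenSSL prints it
csr_eku() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Extended Key Usage/{n;p;}' | sed 's/^ *//'
}

# csr_verify FILE -> exit 0 iff the CSR's self-signature checks out
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# check_csr FILE HOST... -> exit 0 iff FILE verifies, asks for server AND
# client authentication (and not code signing), and its SANs are exactly
# the given hosts. The CA picks the CN from the SAN list, so a host missing
# here is a host the certificate will not cover.
check_csr() {
    _csr=$1; shift
    csr_verify "$_csr" || { echo "check_csr: bad CSR signature" >&2; return 1; }
    _eku=$(csr_eku "$_csr")
    case "$_eku" in *"Server Authentication"*) ;; *) echo "check_csr: serverAuth missing" >&2; return 1 ;; esac
    case "$_eku" in *"Client Authentication"*) ;; *) echo "check_csr: clientAuth missing" >&2; return 1 ;; esac
    case "$_eku" in *"Code Signing"*) echo "check_csr: remove Code Signing" >&2; return 1 ;; esac
    _want=$(for _h in "$@"; do echo "$_h"; done | sort)
    [ "$(csr_sans "$_csr")" = "$_want" ] || { echo "check_csr: SAN list mismatch" >&2; return 1; }
}

# cert_matches_key CERT KEY -> exit 0 iff the issued certificate carries the
# public key belonging to the private key you kept from make_csr
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh edupki_csr.sh orps1.example.ac.uk orps2.example.ac.uk
if [ $# -gt 0 ]; then
    make_csr edupki-request "$@"
    check_csr edupki-request.csr "$@"
    echo "Subject: $(csr_subject edupki-request.csr)"
    echo "edupki-request.csr is ready to submit"
fi
```

Run it once with every ORPS FQDN as arguments; check_csr refuses a CSR whose SAN list does not match the hosts you named, which is the mistake that leaves an ORPS without coverage. When the certificate comes back, cert_matches_key confirms it belongs to the key you generated before you install both on the ORPS.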
Submit the CSR – once you have generated your CSR, send that to us using the form at the bottom of any Support Server web page or send an e-mail to help@jisc.ac.uk being sure to include ‘eduroam eduPKI’ in the subject line and we’ll get a certificate generated for you – it will be automatically e-mailed to your Support Server account e-mail address.