...

Making sure that your eduroam network is functional for eduroam visitors is an important part of being a member of eduroam. If visitors cannot connect to eduroam at your institution, it leads to dissatisfaction not only with your network but also with eduroam itself. Many members across the world include their eduroam connection as part of their network monitoring. Ideally, the monitor alerts the administrator whenever the service is interrupted, whatever the reason (RADIUS issue, internet connection outage, NRPS FLR issue, etc.). Although this monitoring is optional, we have found that where an organisation does have active monitoring, any interruptions to the service have quickly been picked up and the organisation has been able to quickly restore service.

...

Note: For the examples below, we call this file eapol_config.cfg and store it in /opt/eduroam_monitor on Linux or C:\eduroamHB on Windows.

...

Call it eduroam_monitor_check.sh and store it alongside the config file in /opt/:

eduroam_monitor_check.sh

#!/bin/sh
# Run a heartbeat (this file holds the RADIUS shared secret: restrict who can read it)
ip="<the IP address for your server>"
s="<the secret for the client you created>"
bssid="<the BSSID for your eduroam network, in a MAC format like 02:00:00:00:00:01>"
# check that eapol_test works
if [ -x /sbin/eapol_test ]; then
  if [ -f /opt/eduroam_monitor/eapol_config.cfg ]; then
    # get the actual output
    i=$(/sbin/eapol_test -t 5 -c /opt/eduroam_monitor/eapol_config.cfg -N "30:s:${bssid}:eduroam" -N 32:s:eduroam-monitor -r 1 -a "$ip" -s "$s" | tail -1)
    # output is either success or failure
    /bin/logger "eduroam Monitoring: $i"
  fi
fi

The result of this script is not a success or failure error code, but rather a line in the system log with the text 'eduroam Monitoring: <result>', along with a successful authentication in your RADIUS server logs for the test user in your configuration.

Note

If you used a fake username (because your eduroam national operator didn't give you a username to use), you would see a FAILURE message with this script every time.

In this case, change line 10 to this:

    i=$(/sbin/eapol_test -t 5 -c /opt/eduroam_monitor/eapol_config.cfg -N "30:s:${bssid}:eduroam" -N 32:s:eduroam-monitor -a "$ip" -s "$s" | tail -15 | grep -E '(EAP authentication failed)|(^SUCCESS$)|(^EAPOL test timed out$)')
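
Because the script reports through the system log rather than an exit code, something still has to read those lines and raise the alert. The following is an added example, not part of the original page or of any eduroam tooling: it grades the most recent 'eduroam Monitoring:' entries with Nagios-style exit codes and covers both the real-account and the fake-username variants. The function names, the threshold of two consecutive failures and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example: grade the heartbeat's syslog lines with Nagios-style codes.
# Usage: heartbeat_status MODE [THRESHOLD] < syslog-file
#   MODE real: only SUCCESS counts as up (working test account).
#   MODE fake: "EAP authentication failed" also counts as up, since a
#              reject still proves the RADIUS server answered.
#   THRESHOLD: consecutive bad results needed for CRITICAL (assumed: 2).
# Returns 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (no heartbeat lines).
heartbeat_status() {
    mode=$1
    threshold=${2:-2}
    # Keep the text after the tag written by eduroam_monitor_check.sh,
    # newest THRESHOLD entries only.
    results=$(sed -n 's/^.*eduroam Monitoring: *//p' | tail -n "$threshold")
    if [ -z "$results" ]; then
        echo "UNKNOWN: no heartbeat entries found"
        return 3
    fi
    seen=0
    bad=0
    while IFS= read -r line; do
        seen=$((seen + 1))
        case "$mode:$line" in
            *:SUCCESS) ;;
            fake:*"EAP authentication failed"*) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done <<EOF
$results
EOF
    if [ "$bad" -ge "$threshold" ]; then
        echo "CRITICAL: last $bad heartbeats failed"
        return 2
    elif [ "$bad" -gt 0 ]; then
        echo "WARNING: $bad of last $seen heartbeats failed"
        return 1
    fi
    echo "OK: last $seen heartbeats succeeded"
    return 0
}

# Constructed sample syslog lines (host and tag are made up).
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 radius1 monitor: eduroam Monitoring: SUCCESS
Mar  3 10:10:01 radius1 monitor: eduroam Monitoring: FAILURE
Mar  3 10:20:01 radius1 monitor: eduroam Monitoring: FAILURE
EOF
}
```

Feed it your system log on standard input from the monitoring system's check command. An UNKNOWN result means the heartbeat itself has stopped writing entries, which is worth alerting on as well.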


You can run this script either by adding a line to the crontab of your monitoring user, or by copying eduroam_monitor_check.sh into /etc/cron.hourly for an hourly run. Alternatively, if you prefer a more frequent run, add a file to /etc/cron.d/ with these contents:

...

Windows traditionally does not have a process to monitor NPS. As with the Linux script, you will need a configuration file, and the eapol_test utility on Windows, which you can build yourself using the instructions in the testing with eapol_test page. You can also download a copy here, which the eduroam UK team have built, code-signed and published for Windows. After downloading, you can right-click the executable, click Properties, and then examine the code signing certificate. It should be signed around March 21 2021.

You will need the configuration file (see above). The extension of the configuration file is not important, but do note down the location and name because you will need them. In the example code, I assume C:\eduroamHB as the location, and thus I'll use C:\eduroamHB\eapol_peap.cfg as the name.

To run eapol_test.exe, place it in the same directory as eapol_config.cfg (or your chosen name). Then, in the same location, create a batch file with these contents:

eduroam_mon.bat

@echo off
set ROAMING_IP="<the IP address for your server>"
set ROAMING_SECRET="<the secret for the client you created>"
set BSSID="<the BSSID for your eduroam network, in a MAC format like 02:00:00:00:00:01>"
cd C:\eduroamHB
eapol_test.exe -t 5 -c eapol_config.cfg -N 30:s:%BSSID%:eduroam -N 32:s:eduroam-monitor -a %ROAMING_IP% -s %ROAMING_SECRET% |findstr /R "^SUCCESS$" >nul 2>nul
set MYVAR=%errorlevel%
IF "%MYVAR%" == "0" GOTO EventSuccess
eventcreate /Id 2 /D "eduroam Monitoring: FAILURE" /T ERROR /L system /SO eduroamMonitor >nul 2>nul
GOTO End
:EventSuccess
eventcreate /Id 1 /D "eduroam Monitoring: SUCCESS" /T SUCCESS /L system /SO eduroamMonitor >nul 2>nul
:End

As before, adjust the location of the file and the directories in the batchfile accordingly. You can also use this batchfile to test your connection to the roaming servers by adjusting the ROAMING_IP and ROAMING_SECRET settings to the IP of the NRPS FLR of your choice, along with its secret. This will skip your server and test your external connection directly instead.

Note

If you used a fake username (because your eduroam national operator didn't give you a username to use), you would see a FAILURE message with this script every time.

In this case, change line 6 to this:

eapol_test.exe -t 5 -c eapol_config.cfg -N 30:s:%BSSID%:eduroam -N 32:s:eduroam-monitor -a %ROAMING_IP% -s %ROAMING_SECRET% |findstr /R "^EAP: Received EAP-Failure$" >nul 2>nul


To create a scheduled task that runs every ten minutes, you should execute this command as an administrator on your server that the batchfile runs from:

SCHTASKS /Create /U <domain\user> /P <password> /SC MINUTE /MO 10 /TN eduroamMonitor /TR "C:\eduroamHB\eduroam_mon.bat" /RU "NT AUTHORITY\SYSTEM"

Adjust the /U and /P parameters to an admin user and its password.

After every run, you should see an event in the 'System' log in the Event Viewer of your server with the source 'eduroamMonitor'. An 'Information' type message is a success message. An 'Error' type message will contain an error.

Then check your event log regularly to see whether your external connection is still 'up'. 

...