Comment: Fix broken link

...

Operating a federation involves managing and supervising eduroam Identity Providers and eduroam Service Providers, as well as keeping authentication logs, fulfilling uptime requirements, and similar duties. Prospective federation operators should read and understand the requirements in DS5.1.1 ("eduroam Service Definition and Implementation Plan") at https://www.eduroam.org/wp-content/uploads/2020/02/GN2-07-327v2-DS5_1_1-_eduroam_Service_Definition.pdf, particularly section 4.1.4 ("Roles and Responsibilities - NROs") and section 6 ("Requirements on Confederation Members").

...

Code Block
<Handler User-Name = /\@/>
        <AuthBy DNSROAM>
                Port                2083
                Protocol            radsec
                Transport           tcp
                UseTLS              1
                Secret              radsec
                ReconnectTimeout    1
                NoreplyTimeout      5
                ConnectOnDemand
                TLS_CAPath          /etc/radiator/certs/CAs/current/
                TLS_CertificateFile /etc/radiator/certs/server.pem
                TLS_CertificateType PEM
                TLS_PrivateKeyFile  /etc/radiator/certs/server.key
                TLS_PolicyOID       .1.3.6.1.4.1.25178.3.1.2
                TLS_ExpectedPeerName CN=.*
                <Route>
                        Realm DEFAULT
                        Address etlr1.eduroam.org
                        Port 2083
                        Transport tcp
                        Protocol radsec
                </Route>
        </AuthBy>
        AuthLog TICKS
</Handler>

...

Currently (10th June 2011) there are some bugs in the handling of unreachable remote proxies which cause the daemon to die. A few of these have already been dealt with via bug reports, but some still lurk. Also, the certificate checking/verification code does not currently work; we hope to be able to verify the certificate issuer and OID as we do with Radiator and RadSecProxy. Note that this software only does RadSec (TLS) over TCP; DTLS over UDP is not yet an option. Clients are 'radsec' only, and the standard naslist (or a naslist imported from SQL) won't operate with radsec.

VitalAAA

To set up a federation-level RADIUS proxy server for VitalAAA you must change the following configuration files:

  • server_properties
  • method_dispatch
  • clients

You must also download the following files from http://www.eduroam.org/downloads/docs/eduroam-cookbookscripts.zip:

server_properties file:

Code Block
Radius-Acct-Address = "*:1813"
Radius-Auth-Address = "*:1812"
Database-Address = "0"
Radius-CharSet = UTF8
Delimiter-Precedence = "@"
Suffix-Delimiters = "@"

method_dispatch file:

Code Block
radius             Auth 1             prepare             setWorkingVars
radius             acct 4             aaa                 dropRadiusAcct

clients file

Add the lines with the eduroam proxy server and the local RADIUS servers to the clients file:

Code Block
192.87.106.34          <eduroam_secret>
130.225.242.109        <eduroam_secret>
<192.168.1.10>         <local_server_secret>
<192.168.1.20>         <local_server_secret>

Gauging your federation's performance

Monitoring

It is important to constantly monitor your infrastructure on all levels, in order to react to system failure and see upcoming problems. There is a multitude of monitoring solutions on the market, and it is not possible to describe ways to monitor eduroam infrastructure for all of them; but we have provided a selection below.

First, for Europe, some parts of monitoring are done by the eduroam Operations Team (OT), which we describe in the following section; if you are operating outside Europe, please contact your own regional operator for the corresponding monitoring solution in your area.

...

When you set up a federation-level RADIUS server, the OT will start monitoring your server's availability and will send out email alerts in case of failure. This is done by the OT sending authentication requests for the special realm @eduroam.<TLD> from their monitoring server to your server; your server is expected to mirror these back to the OT monitoring infrastructure. The technical set-up of this is described in the corresponding HOWTOs, the configuration guidelines for federation-level RADIUS servers.
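The following added example (not part of the cookbook) lets a federation operator run the same kind of check locally: it builds a RADIUS Access-Request for the monitoring realm, sends it to the federation server, and verifies the Response Authenticator of the reply, so a forged or mis-secreted answer is not mistaken for a healthy server. The server address, shared secret and the "tld" label are placeholders, not values from the page.

```python
import hashlib
import os
import socket
import struct

# Added example, not from the cookbook: a local self-check that sends the kind of
# Access-Request the eduroam OT monitoring uses (realm eduroam.<TLD>) and verifies
# the reply per RFC 2865. Server, secret and the "tld" label are placeholders.

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator=None):
    """Return the raw Access-Request (code 1) carrying User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(resp_head, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(resp_head + request_auth + attrs + secret).digest()

def verify_response(request, response, secret):
    """True only if the reply matches our request ID and is authenticated with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(response[:4], request[4:20], response[20:], secret)
    return expected == response[4:20]

def probe(server, secret, user=b"probe@eduroam.tld", password=b"probe", timeout=5.0):
    """Send one request to UDP/1812; return (verified, code) or (False, None) on timeout."""
    req = build_access_request(ident=1, user=user, password=password, secret=secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, 1812))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, None
    return verify_response(req, resp, secret), resp[0]
```

Run `probe("radius.example.tld", b"<secret>")` against your own proxy; a `(True, 2)` or `(True, 3)` result shows the server answered and the reply was authenticated with the configured secret, while `(False, None)` is the unreachable case the OT alerts on.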

...

On that web page, you can find the historical evolution of roaming service usage in federations, as well as an overview of which realms were most active and which countries visitors come from. In the future, detailed views per SP and per IdP can be made available if your federation opts to send the data at the extended detail level. Please contact your federation operator to find out which level of statistics your federation provides.