eduroam Service News

Calling Station Identity

Calling Station Identity Missing in Significant Proportion of Access-Requests Being Sent to the NRPS Dec 2014

CSI Recap

Inclusion of the Calling-Station-Identity attribute in Access-Requests generated by APs and WLCs (and switches, if wired eduroam is offered) is a mandatory requirement of the UK Technical Specification (and the European Service Definition for SPs). The CSI is used to uniquely identify the device the user is authenticating from and must include the MAC address of the device. The Tech Spec states it is essential that this attribute is logged at both SP and IdP sites. This ensures that participating organisations are able to comply with the Janet Security Policy. When matched with DHCP logs, a link between the user's device, an IP address and an authentication event can be definitively proved - essential in cases of investigation of network access abuse.

How well is the Community Complying with this Requirement?

All RADIUS traffic sent to and forwarded by the NRPS is logged, which facilitates both troubleshooting and usage monitoring. The NRPS logs enable a monthly count to be made of the total number of all Access-Request events and also the total number of Access-Request events not containing CSI. In order to reveal how successfully member organisations are complying with the Tech Spec in this regard, these two counts are compared. The chart below presents the results.

Note that the no-CSI events axis is 1/10 of the total A-R events count.

Why would there not be CSI in an A-R sent to the NRPS?

As far as is known, there are no 802.1X-compliant NASs that are incapable of including CSI. The reasons for missing CSI are: a) misconfiguration of the NAS; b) misconfiguration of the ORPS such that it filters CSI out of the A-Rs forwarded to the NRPS; c) use of the AUTH command for status checks of the NRPS (as documented in the old Sussex FreeRADIUS case study) - the 'ping' status-check method should be used instead.

How can a Sys Admin check to see if ORPS is sending A-Rs with no CSI?

This should be pretty obvious from your ORPS logs!

Sys admins can also look in the 'Examine Problem Log Files' function on the Support server. This allows the sys admin to see daily excerpts from the NRPS logs filtered for their organisation and particular issues. Check the identifier and realm error files to see if CSI is present or blank.
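As an added example (not code from the eduroam(UK) post, the NRPS or any ORPS), the following Python checker walks FreeRADIUS detail-style records, counts Access-Requests and flags those whose Calling-Station-Id is absent, blank or not a MAC address, which is the per-log version of the monthly total-versus-no-CSI comparison described above. The sample records are constructed, and the detail-file layout (timestamp line, tab-indented attributes, blank line between records) is assumed.

```python
import re

# Constructed sample in FreeRADIUS "detail" file style (not real NRPS/ORPS data):
# a timestamp line, tab-indented attributes, and a blank line between records.
SAMPLE_DETAIL = """\
Mon Dec  1 09:12:01 2014
\tPacket-Type = Access-Request
\tUser-Name = "alice@example.ac.uk"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tOperator-Name = "1example.ac.uk"

Mon Dec  1 09:12:07 2014
\tPacket-Type = Access-Request
\tUser-Name = "bob@example.ac.uk"
\tCalling-Station-Id = ""

Mon Dec  1 09:12:09 2014
\tPacket-Type = Access-Request
\tUser-Name = "carol@other.example"

Mon Dec  1 09:12:30 2014
\tPacket-Type = Accounting-Request
\tUser-Name = "alice@example.ac.uk"
"""

# A usable CSI must carry the client MAC; accept the common separator styles.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}$")


def parse_detail(text):
    """Yield one {attribute: value} dict per record, with quotes stripped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines()[1:]:  # skip the timestamp line
            key, _, value = line.strip().partition(" = ")
            attrs[key] = value.strip('"')
        yield attrs


def csi_report(text):
    """Count Access-Requests and list users whose CSI is missing, blank or not a MAC."""
    total, offenders = 0, []
    for rec in parse_detail(text):
        if rec.get("Packet-Type") != "Access-Request":
            continue  # accounting and other packet types are out of scope
        total += 1
        if not MAC_RE.match(rec.get("Calling-Station-Id", "")):
            offenders.append(rec.get("User-Name", "<no User-Name>"))
    pct = 100.0 * len(offenders) / total if total else 0.0
    return {"access_requests": total, "no_csi": len(offenders),
            "no_csi_pct": round(pct, 2), "offenders": offenders}


if __name__ == "__main__":
    print(csi_report(SAMPLE_DETAIL))
```

Point it at a real detail file and the offenders list shows which User-Name realms (and hence which NAS or ORPS path) need the misconfiguration fixed.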

Conclusion and Actions Arising

It is heartening to see that the proportion of A-R with no CSI has fallen over time. Nevertheless the proportion remains too high. A significant fraction (28%) of no-CSI A-R events arise from outside of the UK eduroam zone and as such we have no authority to require the organisations from which these originate to correct their services. However UK participants which are not including CSI are currently being requested to investigate and rectify such non-conformance.