Blog Manager
Release of eduroam(UK) Tech Spec v1.4

Audience - eduroam(UK) system administrators and implementors

The eduroam(UK) Technical Specification 1.4 has now been released and is effective as of 14th July 2016.

The update primarily addresses the removal of the requirement to forward RADIUS accounting messages to the NRPS, the expiry of the permissive grace period for TKIP, the disallowing of TLS interception proxies, and the removal of LDAP and POP from the list of ports/protocols that must be open to visitors. Other changes are essentially general housekeeping and updates.

Changes introduced in Tech Spec 1.4

  • All references to ‘Janet’ in an organisational context changed to ‘Jisc’; references to Janet in the context of the network and network-related documentation remain unaltered.
  • Overview, reference 1 to GÉANT European confederation policy, updated. Scope of document updated to accommodate provision of service in all UK associated territories.
  • Section 4 introduction: removed explanation of the historical legacy of the JRS technical standards tiers system, which allowed WPA and captive portal technologies to be included in service variations as defined in previous versions of this specification up to and including v1.1.
  • New Requirement 4: participating organisations must accurately assert both the service type and compliance level, and the operational status of their service via the Support server; and these assertions must be kept up to date. v1.3 requirement 4 renumbered to 5 and subsequent requirements numbering incremented by 1.
  • Requirement 5 (previously 4) worded to improve readability and clarity.
  • Requirement 6 (previously 5): timestamp requirement changed from ‘in GMT’ to the more correctly applicable ‘UTC’ standard.
  • Requirement 11 (previously 10) revised to remove requirement for ORPS to be reachable on accounting ports UDP/1813 or UDP/1646 since NRPS no longer forward accounting requests to ORPS, and wording updated to more RFC conventional style.
  • Requirement 14 deleted because whilst the NRPS will continue to respond to accounting requests if forwarded to them, the content of the requests is not important as they are not forwarded onwards. Subsequent requirements numbering decremented by 1.
  • Requirement 16 deleted because provided that the requirements relating to logging are satisfied, exactly how organisations do this is outside the scope of this specification. It is for the organisation to determine what logging of RADIUS accounting requests and attributes are appropriate. Subsequent requirements numbering decremented by 1.
  • Discussion 2.4.3: paragraph 3, 4 edited to remove references to accounting ports (1813 and 1646). New paragraph appended to explain reasoning behind deprecation of forwarding of accounting requests and notice of future mandatory requirement to not forward such requests to the NRPS.
  • Requirement 19.4 (previously 20.4): reference to ‘User ID’ changed to ‘User-Name’ to clarify need for all parts of the user name to be logged.
  • Requirement 19.7 added: the Operator-Name attribute must be logged if present in the Access-Request.
  • Requirement 22 (previously 23) reworded to more accurately tie the requirements relating to test accounts to the capability of the Support server.
  • Requirement 23 (previously 24) changed to align with current self-service process of making updates to test account details through the Support server web portal rather than via the support team personnel.
  • Discussion 3.4.3 updated to reflect withdrawal of support for PAP in the Support server monitoring system and the self-service nature of the Support web portal now.
  • Recommendation 3.6.2 reworded to improve readability.
  • Discussion 3.6.3 updated to more accurately qualify NAS-Port-Type attribute and to include Service-Type in the explanation.
  • Section 4 introduction: base engineering standards summary table updated to reflect the requirement that WPA/TKIP must not be supported in any circumstances and IPv6 specification uprated to SHOULD.
  • Requirements 31.3 (previously 32.3) and 31.4 (previously 32.4) deleted.
  • New Requirement 39: the setting on the Support server web portal to enable Status-Server requests sending from the NRPS to an ORPS MUST NOT be enabled if the ORPS cannot correctly respond to such requests.
  • New recommendations 16 and 17 inserted relating to utilisation of and response to Status-Server queries if ORPS have such capability. Subsequent recommendation numbering adjusted.
  • Visited service IP forwarding: list of ports and protocols that must as a minimum be permitted updated to remove LDAP and POP. Table tidied up.
  • Recommendation 4.5.2 updated to specify ‘the Internet’ rather than specifically ‘Janet’ since Visited network services providing access to the Internet can be implemented other than via a Janet connection.
  • New Requirement 48: Transport Layer Security (TLS)/Secure Sockets Layer (SSL) interception proxies MUST NOT be applied to network services for eduroam visitors.
  • Discussion 4.6.3 expanded to include reference to TLS interception and noting that users when at their home organisation may be connected to non-eduroam network services.
  • Requirement 50 (previously 49) reworded for clarification.
  • Discussion 4.8.2: paragraph relating to XP deleted since XP is no longer a current operating system.
  • Discussion 4.9.4 updated as IPv6 is becoming increasingly widely deployed.
  • Requirement 54 (previously 55) reworded to explicitly disallow WPA and TKIP.
  • Recommendation paragraph 4.10.2 and Recommendation 22 removed since no longer applicable.
  • Discussion paragraph 4.10.3 removed since text on WPA and the transition period no longer relevant.
  • Discussion paragraph 4.11.2 updated and altered to reflect specification that WPA2/AES is the only standard and cipher permitted in the UK, although noting that in some countries mixed TKIP/AES environments may be encountered.
  • Appendices updated.
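New Requirement 39 and Recommendations 16 and 17 turn on whether an ORPS answers Status-Server correctly, so an administrator wants to check that before enabling the setting on the Support server web portal. The following is an added example, not code from the specification or from Jisc: it builds an RFC 5997 Status-Server request with the Message-Authenticator that RFC 3579 requires, and accepts a reply only if it is an Access-Accept whose Response Authenticator verifies under the shared secret. The host, port and secret are assumptions supplied by the caller; `build_access_accept` models what a correctly behaving ORPS returns so the check can be exercised offline.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80  # RADIUS codes and attribute type

def response_authenticator(secret, code, ident, req_auth, attrs):
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_status_server(secret, ident, req_auth):
    # Status-Server (RFC 5997) carrying only Message-Authenticator (RFC 3579):
    # HMAC-MD5 keyed with the shared secret over the packet with the MAC zeroed.
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + req_auth
    zeroed = struct.pack("!BB", MSG_AUTH, 18) + bytes(16)
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + struct.pack("!BB", MSG_AUTH, 18) + mac

def build_access_accept(secret, ident, req_auth, attrs=b""):
    # What a correctly behaving ORPS returns; lets the check be exercised offline.
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(secret, ACCESS_ACCEPT, ident, req_auth, attrs) + attrs

def reply_is_valid(secret, ident, req_auth, reply):
    # Accept only an Access-Accept with matching ID, self-consistent length and a
    # Response Authenticator computed with the right secret and request authenticator.
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or rid != ident or length != len(reply):
        return False
    expected = response_authenticator(secret, code, ident, req_auth, reply[20:])
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, secret, port=1812, timeout=3.0):
    # One Status-Server round trip; False on timeout or a bad reply, meaning the
    # Support-server setting for this ORPS should stay disabled (Requirement 39).
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_status_server(secret, ident, req_auth), (host, port))
            reply, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return False
    return reply_is_valid(secret, ident, req_auth, reply)
```

Run `probe("orps.example.ac.uk", b"<shared secret>")` against your own ORPS (hostname and secret are placeholders); a `False` result means the Status-Server setting should not be enabled for it.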

The full version of the specification is published at:

https://community.jisc.ac.uk/groups/eduroam/document/eduroamuk-technical-specification-v14
The full web version and PDF are available at:
https://community.jisc.ac.uk/library/janet-services-documentation/eduroamuk-technical-specification