RADIUS attributes for eduroam


It is recommended that eduroam deployments include a number of "optional" RADIUS attributes. This page summarises those attributes and explains what they do.


Attributes sent by identity providers


Chargeable-User-Identity


The Chargeable-User-Identity attribute is sent by identity providers and contains a unique, opaque, persistent, pseudo-anonymous identifier for the user who is being provided service. This can be used as a privacy-preserving alternative to sending the User-Name.


Identity providers are strongly encouraged to send Chargeable-User-Identity since it can be used by service providers to isolate and contain abuse. Service providers' only real alternative in the absence of a unique identifier is to simply blackhole an entire realm, which would result in all users from a given identity provider being punished for the actions of one individual.


Service providers can use the Chargeable-User-Identity sent by identity providers, coupled with session and accounting information from wireless controllers, to do simultaneous use detection and limit visitors to a reasonable number of concurrent sessions (5-10 is reasonable; 300 is unlikely).


Attributes sent by service providers


Calling-Station-Id


Wireless controllers and other NAS devices send the Calling-Station-Id attribute to indicate the identity of the device initiating an authentication request. It typically contains the MAC address of the client device connecting to your wireless infrastructure.


Service providers are strongly encouraged to ensure their wireless infrastructure and RADIUS servers do not withhold or filter this attribute, as it can help identity providers detect abuse of their accounts. It is also useful for statistical purposes.


Identity providers can use the Calling-Station-Id sent by service providers to do simultaneous use detection, and limit their users to a reasonable number of concurrent devices (3-5 is reasonable; 300 is unlikely). However, this approach is complicated by a lack of session information and MAC address randomisation, and allowing service providers to handle this with Chargeable-User-Identity is preferable.


Since a MAC address may be considered personally identifying, service providers that have concerns about privacy should consider hashing it in a similar way to Chargeable-User-Identity. In any event, the NRO hashes this in all statistical information.


Operator-Name


The Operator-Name attribute uniquely identifies the operator of a service provider. In eduroam, it should be formatted using the REALM encoding method, which means that it should contain a valid DNS domain preceded by a 1 (e.g. 1example.ac.za).


Operator-Name is often used by identity providers to generate a targeted Chargeable-User-Identity, and it is also used for statistical purposes. Service providers are encouraged to send it, but the South African eduroam FLR servers will add it for providers that do not.
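As an added illustration (not part of this page or of any eduroam software), the Python below sketches how an identity provider might derive a targeted Chargeable-User-Identity from the authenticated user identity and the REALM-encoded Operator-Name, and how a service provider might count open sessions per CUI from accounting records, as described under Chargeable-User-Identity above. The per-IdP secret, the realm regex, the keyed-HMAC construction and the accounting record layout are assumptions chosen for the example; eduroam does not mandate a particular CUI derivation.

```python
import hmac
import hashlib
import re

# Assumption (constructed): a secret known only to the identity provider, so that
# nobody else can recompute or reverse the CUI back to a User-Name.
IDP_CUI_SECRET = b"constructed-example-secret-change-me"

# Operator-Name REALM encoding: the namespace byte "1" followed by a DNS domain.
# Simple check for the example; a real deployment may accept a wider syntax.
_REALM_RE = re.compile(r"^1([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def realm_from_operator_name(operator_name):
    """Return the DNS domain from a REALM-encoded Operator-Name, or None if it is
    missing or not in the expected '1example.ac.za' form."""
    if operator_name and _REALM_RE.match(operator_name):
        return operator_name[1:].lower()
    return None


def targeted_cui(user_name, operator_name, secret=IDP_CUI_SECRET):
    """Derive an opaque, persistent CUI that differs per service provider.

    The same user at the same SP always receives the same value, so the SP can
    isolate abuse, while two SPs cannot correlate the same user between them.
    """
    realm = realm_from_operator_name(operator_name) or ""
    # Empty realm gives an untargeted CUI when the SP sent no usable Operator-Name.
    msg = user_name.encode() + b"\0" + realm.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return digest[:32]  # 128 bits: unique enough and well within RADIUS string limits


def open_sessions(accounting_records, cui):
    """Count sessions still open for one CUI by replaying accounting in order.

    Each record is (Chargeable-User-Identity, Acct-Session-Id, Acct-Status-Type),
    a constructed layout standing in for what a controller reports.
    """
    open_ids = set()
    for rec_cui, session_id, status in accounting_records:
        if rec_cui != cui:
            continue
        if status == "Stop":
            open_ids.discard(session_id)
        else:  # "Start" or "Interim-Update" both mean the session is live
            open_ids.add(session_id)
    return len(open_ids)
```

A service provider comparing `open_sessions()` against a ceiling of 5-10 has a per-user limit that does not require ever seeing the visitor's User-Name.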


Called-Station-Id


The Called-Station-Id is sent by many NAS devices to indicate the identity of the access point and (sometimes) the wireless SSID a user's device connected to. This can be useful within your own campus to differentiate between different local wireless networks and apply local policy depending on which network a user connects to.


However, implementations of Called-Station-Id vary widely between wireless controllers. In addition, some service providers choose to filter this attribute to avoid releasing design information about their wireless network. You should not rely on remote eduroam service providers to send this attribute. Instead, you should assume that all authentication requests coming from the eduroam FLR servers are related to the eduroam service.