RADIUS attributes for eduroam


It is recommended that eduroam eduroam deployments include a number of "optional" RADIUS attributes. This summarises those attributes and explains what they do.


Attributes sent by identity providers


Chargeable-User-Identity


The Chargeable-User-Identity attribute is sent by identity providers and contains a unique, opaque, persistent, pseudo-anonymous identifier for the user who is being provided service. This can be used as a privacy-preserving alternative to sending the User-Name.


Identity providers are strongly encouraged to send Chargeable-User-Identity, since it can be used by service providers to isolate and contain abuse. Service providers' only real alternative in the absence of a unique identifier is to simply blackhole an entire realm, which would result in all users from a given identity provider being punished for the actions of one individual.


Attributes sent by service providers


Calling-Station-Id


Wireless controllers and other NAS devices send the Calling-Station-Id attribute to indicate the identity of the device initiating an authentication request. It typically contains the MAC address of the client device connecting to your wireless infrastructure.


Service providers are strongly encouraged to ensure their wireless infrastructure and RADIUS servers do not withhold or filter this attribute, as it can help identify providers detect abuse of their account. It is also useful for statistical purposes.


Identity providers can (and perhaps should) use the Calling-Station-Id sent by service providers to do simultaneous use detection, and limit their users to a reasonable number of concurrent devices (3-5 is reasonable; 300 is unlikely).


Since a MAC address may be considered personally identifying, service providers that have concerns about privacy should consider hashing it in a similar way to Chargeable-User-Identity.


Operator-Name


The Operator-Name attribute uniquely identifies the operator of a service provider. In eduroam, it should be formatted using the REALM encoding method, which means that it should contain a valid DNS domain preceded by a 1 (e.g. 1example.ac.za).


Operator-Name is often used by identity providers to generate a targeted Chargeable-User-Identity, and it is also used for statistical purposes. Service providers are encouraged to send it, but the South African eduroam FLR servers will add for providers that do no.