Configuring eduroam


This page is aimed at institutional I.T. technical staff implementing eduroam on their campus. A high-level overview of how to get eduroam at your institution is also available.


1) Policy and registration


Read through the National Policy for eduroam South Africa


Read through the info for new participants if you want to join as an eduroam service provider and/or identity provider. Once you've done some planning, submit a registration request form.


2) Plan your RADIUS


Create DNS entries for your RADIUS server(s). e.g. eduroam0.example.ac.za and eduroam1.example.ac.za. The actual name is not important provided it is properly reflected in DNS, so you can use whatever your RADIUS server is already called. However, the RADIUS server(s) do need to be reachable from the Internet.


Let the national roaming operator (NRO) know when your DNS is working so that they can add your realm to the eduroam servers and provide you with a shared secret.


3) Configure your RADIUS


See information about certificates for eduroam.


Windows NPS


If you're making use of Active Directory, you may be able to make use of the Network Policy Server (NPS) feature. For information on how to configure this, read through GÉANT's documentation on Using Windows NPS as RADIUS in eduroam.


In that document, references to ntlr1.eduroam.no and ntlr2.eduroam.no should be replaced with the South African FLR servers flr-cpt.eduroam.ac.za and flr-jnb.eduroam.ac.za (you do need both!)


Note that the priority of servers in the eduroam-proxies RADIUS server group is important (pg. 21). You should set the one that's geographically closest to you (i.e. has the lowest ping time/latency) as the highest priority (i.e. 1) so you try it first. That means that Eastern, Northern & Western Cape sites should generally have flr-cpt.eduroam.ac.za as priority 1 and flr-jnb.eduroam.ac.za as priority 2; Gauteng, Limpopo, Mpumalanga, and Kwazulu-Natal sites should generally have flr-jnb.eduroam.ac.za as priority 1 and flr-cpt.eduroam.ac.za as priority 2.


The CISCO-CAPWAP-CONTROLLER.uninett.no client is an example demonstrating how you'd add your own wireless controller to NPS; consult your wireless vendor for details on how to configure your controller. Use a different shared secret for your controller than the one you use for the eduroam FLR servers.


FreeRADIUS


For detailed instructions for FreeRADIUS, see GÉANT's documentation for IdPs and SPs. The South African-specific bits are summarised below (they're aligned with the GÉANT documentation, so should be drop-in replacements). There is also a template configuration available that has these changes incorporated.


In clients.conf add the two FLR servers:


client flr-cpt.eduroam.ac.za {
        ipaddr = 155.232.195.20
        shortname = flr-cpt
        # replace with the shared secret issued to you by the NRO
        secret = MySharedSecret
        require_message_authenticator = yes
        nastype = other
        # you have to create this in sites-enabled/ - see the GEANT docs
        virtual_server = eduroam
}

client flr-jnb.eduroam.ac.za {
        ipaddr = 155.232.195.21
        shortname = flr-jnb
        secret = MySharedSecret
        require_message_authenticator = yes
        nastype = other
        virtual_server = eduroam
}


In proxy.conf you should have realm rules that keep all requests for example.ac.za and any of its sub-domains local, and a default realm rule that forwards all other requests to the eduroam FLR servers:


proxy server {
        default_fallback = no
}

# home server definitions
home_server flr-cpt {
        type = auth+acct
        ipaddr = 155.232.195.20
        port = 1812
        # replace with the shared secret issued to you by the NRO
        secret = MySharedSecret
        status_check = status-server
}

home_server flr-jnb {
        type = auth+acct
        ipaddr = 155.232.195.21
        port = 1812
        secret = MySharedSecret
        status_check = status-server
}

home_server_pool EDUROAM {
        type = fail-over
        #
        # The order of the home_server entries in the pool is important. You
        # should put the one that's geographically closest to you (i.e. has the
        # lowest ping time/latency) at the top of the list so you try it first.
        # That means Eastern, Northern & Western Cape sites should generally
        # have flr-cpt at the top of the list and Gauteng, Limpopo, Mpumalanga,
        # and Kwazulu-Natal sites should generally have flr-jnb at the top.
        home_server = flr-jnb
        home_server = flr-cpt
}

# your local realms
# leaving them blank stops them from ever being forwarded
realm LOCAL {
}
realm NULL {
}
realm example.ac.za {
}
# this catches subdomains
realm "~.+\\.example\\.ac\\.za$" {
}

# blackhole routing - EAP-SIM/MNOs
# (no pool, so these are handled locally and never forwarded upstream)
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}

# the default destination for unknown realms
# forward to the upstream FLR servers
realm "~.+$" {
        pool = EDUROAM
        nostrip
}
realm DEFAULT {
        pool = EDUROAM
        nostrip
}


In the sites-available/eduroam virtual server, the unlang stanza that adds Operator-Name needs to cover both FLR servers, like this:


if ("%{client:shortname}" != "flr-jnb" && "%{client:shortname}" != "flr-cpt") {
        update request {
                Operator-Name := "1example.ac.za"
        }
}
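To see how the proxy.conf realm rules and the Operator-Name stanza above fit together, here is a small Python model of the routing decision FreeRADIUS makes for an incoming User-Name. This is an added example, not code from the page, from the SA NREN or from FreeRADIUS; it assumes the local realm is example.ac.za, that the FLR clients carry the shortnames flr-cpt and flr-jnb, and it simplifies realm matching (the "suffix" split on the last "@", case-insensitive comparison). The sample user names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of the proxy.conf / sites-available/eduroam rules above.
# Assumptions: local realm example.ac.za, FLR client shortnames flr-cpt and
# flr-jnb, Operator-Name in the REALM namespace (prefix "1", RFC 5580).
LOCAL_REALM = "example.ac.za"
LOCAL_SUBDOMAINS = re.compile(r".+\.example\.ac\.za$", re.IGNORECASE)
BLACKHOLE = re.compile(r"\.3gppnetwork\.org$", re.IGNORECASE)
FLR_SHORTNAMES = {"flr-cpt", "flr-jnb"}
OPERATOR_NAME = "1" + LOCAL_REALM


@dataclass
class Decision:
    realm: str             # realm the request was classified into
    action: str            # "local", "blackhole" or "proxy"
    pool: Optional[str]    # home_server_pool used when proxying
    user_name: str         # User-Name as forwarded (nostrip keeps it intact)


def split_realm(user_name: str) -> str:
    """Mimic the 'suffix' realm module: the realm is the part after the
    last '@'; a bare user name falls into the NULL realm."""
    if "@" not in user_name:
        return "NULL"
    return user_name.rsplit("@", 1)[1]


def route(user_name: str) -> Decision:
    """Apply the realm rules in the order FreeRADIUS does: exact realm names
    first, then the regex realms in the order they were defined."""
    realm = split_realm(user_name)
    # NULL, LOCAL and example.ac.za are defined without a pool: never forwarded.
    if realm in ("NULL", "LOCAL") or realm.lower() == LOCAL_REALM:
        return Decision(realm, "local", None, user_name)
    # realm "~.+\\.example\\.ac\\.za$" {} : sub-domains also stay local.
    if LOCAL_SUBDOMAINS.match(realm):
        return Decision(realm, "local", None, user_name)
    # realm "~\\.3gppnetwork\\.org$" : no pool, so EAP-SIM / mobile-operator
    # realms are answered locally (and fail) instead of being forwarded.
    if BLACKHOLE.search(realm):
        return Decision(realm, "blackhole", None, user_name)
    # realm "~.+$" / DEFAULT : everything else goes to the EDUROAM pool.
    # nostrip leaves the realm on the User-Name so the FLR can route it.
    return Decision(realm, "proxy", "EDUROAM", user_name)


def operator_name_for(client_shortname: str) -> Optional[str]:
    """Operator-Name is added only to requests from our own NAS (wireless
    controller). Requests arriving from the FLR servers already carry the
    visited site's Operator-Name and must not be overwritten."""
    if client_shortname in FLR_SHORTNAMES:
        return None
    return OPERATOR_NAME


if __name__ == "__main__":
    for name in ("alice@example.ac.za", "bob@students.example.ac.za",
                 "carol@other.ac.za", "dave",
                 "1234567890@wlan.mnc012.mcc655.3gppnetwork.org"):
        print(f"{name:48} -> {route(name)}")
    print("from own controller:", operator_name_for("wlc-campus"))
    print("from FLR:           ", operator_name_for("flr-jnb"))
```

Running it shows why the rules are ordered as they are: a missing or local realm never leaves your server, a 3gppnetwork.org realm is swallowed rather than forwarded up the eduroam hierarchy, and only genuinely foreign realms reach the EDUROAM pool with their User-Name intact.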

Please also enable Chargeable-User-Identity in the sites-available/eduroam-inner-tunnel virtual server by adding cui-inner into the post-auth section. You will need to set cui_hash_key in policy.d/cui to protect your users' privacy.


4) Firewall


Make sure your firewall will allow UDP on port 1812 coming in from flr-cpt.eduroam.ac.za and flr-jnb.eduroam.ac.za to your servers (155.232.195.20/31).


5) Configure DNS for your realm


You may want to enable dynamic discovery by adding the following DNS record for your realm (if you use multiple realms [e.g. staff and students on different domains], you should add a separate NAPTR record for each of your realms):


example.ac.za. IN NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.ac.za.

Dynamic discovery makes international roaming much more efficient, so please do this if you expect any of your users to travel abroad. If you are interested, you can read about how the NAPTR record works.
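As an added illustration of how the NAPTR record is used (example code, not from the page or the SA NREN), the Python below models the selection a dynamic-discovery-capable RADIUS server performs under RFC 7585: it parses zone-file NAPTR lines, keeps only those whose service is x-eduroam:radius.tls with the "s" flag, and orders them by order then preference to yield the SRV name to query next. The zone fragment is constructed; the first line is the record from the text, while the second eduroam record (with a placeholder target under .invalid) and the SIP record are made up only to show ordering and filtering.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Service tag used by eduroam dynamic discovery (RFC 7585).
EDUROAM_SERVICE = "x-eduroam:radius.tls"

# Constructed sample zone, not a real DNS answer. Only the first record is the
# one from the text; the .invalid target and the SIP record are made up.
ZONE = """
; constructed zone fragment
example.ac.za. IN NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.ac.za.
example.ac.za. IN NAPTR 200 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.backup.example.invalid.
example.ac.za. IN NAPTR 50 10 "s" "SIP+D2T" "" _sip._tcp.example.ac.za.
students.example.ac.za. 3600 IN NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.ac.za.
"""


@dataclass
class Naptr:
    owner: str
    order: int        # lower order is tried first
    preference: int   # tie-breaker within the same order
    flags: str        # "s": the replacement is an SRV name to look up next
    service: str
    regexp: str       # unused by eduroam discovery, hence "" in the record
    replacement: str


def parse_naptr(line: str) -> Optional[Naptr]:
    """Parse one zone-file NAPTR line (an optional TTL is tolerated).
    Returns None for blank lines, comments and other record types."""
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    tokens = shlex.split(line)          # keeps "" as an empty regexp field
    if "NAPTR" not in tokens:
        return None
    i = tokens.index("NAPTR")
    order, pref, flags, service, regexp, replacement = tokens[i + 1:i + 7]
    return Naptr(tokens[0].lower(), int(order), int(pref), flags.lower(),
                 service.lower(), regexp, replacement.lower())


def discover(realm: str, zone: str = ZONE) -> List[str]:
    """Return the SRV names a discovery-capable RADIUS server would query
    for 'realm', best candidate first (lowest order, then preference)."""
    owner = realm.lower().rstrip(".") + "."
    records = [r for r in map(parse_naptr, zone.splitlines()) if r]
    candidates = [r for r in records
                  if r.owner == owner
                  and r.service == EDUROAM_SERVICE
                  and r.flags == "s"]
    candidates.sort(key=lambda r: (r.order, r.preference))
    return [r.replacement for r in candidates]


if __name__ == "__main__":
    for realm in ("example.ac.za", "students.example.ac.za", "other.ac.za"):
        print(f"{realm:26} -> {discover(realm)}")
```

A real implementation continues by resolving the returned SRV name to hosts and ports and opening a RadSec (TLS) connection; the model stops at the NAPTR stage. Note that a realm with no eduroam NAPTR record yields an empty list, which is why each realm you use needs its own record.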


6) Test your IdP


Create a test user called nren_radius_test@example.ac.za on your server to test your IdP from another site. Supply this user to the NRO so that it gets configured in the eduroam monitoring system. This allows you to check that your users are able to log in from a remote site.


7) Configure your SP


A service provider should be configured with an SSID called "eduroam" with "WPA2 Enterprise" user authentication and AES+CCMP encryption. You should not use WPA or WPA+WPA2 mixed mode, nor should you use TKIP encryption. (Information about eduroam's compatibility with WPA3 is also available.) Note that capitalisation is important — the eduroam SSID is always lower case.


Your wireless network must be configured to authenticate using your RADIUS server.


Please read through the national eduroam policy documents to see what rules an SP should comply with (e.g. no portals, a minimum level of service for visitors, etc.).


It is normal practice to separate traffic from your own users and that of eduroam visitors. How you do this depends on your wireless infrastructure and RADIUS software.


FreeRADIUS


With FreeRADIUS you can usually place users and visitors in different VLANs by adding the following section to your virtual server config file (sites-enabled/eduroam):


post-auth {
        # reply_log
        Post-Auth-Type REJECT {
                reply_log
                attr_filter.access_reject
        }
        switch "%{Realm}" {
                # VLAN settings for your local users
                case "example.ac.za" {
                        update reply {
                                Tunnel-Type = "VLAN"
                                Tunnel-Medium-Type = "IEEE-802"
                                Tunnel-Private-Group-Id = "2505"
                        }
                }
                # VLAN settings for visitors to your campus (default case)
                case {
                        update reply {
                                Tunnel-Type = "VLAN"
                                Tunnel-Medium-Type = "IEEE-802"
                                Tunnel-Private-Group-Id = "2506"
                        }
                }
        } # switch realm
}

Windows NPS


You can achieve the same thing in Windows NPS by using a Network Policy to alter the RADIUS Attributes and add the above Tunnel-* attributes (cf. page 41 of the "Using Windows NPS as RADIUS in eduroam" document).


8) Test your SP


If you've supplied the NRO with test credentials for your IdP, you automatically have test credentials you can use to test your eduroam wireless network.


9) Update your details


When everything is working, sign up on our eduroam management portal and check that we've captured your site's details correctly. You will use this portal to make changes to your configuration in future.


We also strongly urge you to consider enrolling your institution for eduroam CAT to make things easier for your users.