Testing your eduroam IdP or SP

Testing an Identity Provider (authentication)

Our monitoring service provides an easy way to test an Identity Provider works. It emulates a remote service provider on another campus and uses test credentials to perform a full EAP authentication.

If you have enrolled for eduroam CAT, you can use the "Check realm reachability" links in the administrator interface to verify your realm(s) are reachable from Europe. CAT also provides the ability to perform a live login for your realm(s) with test credentials you supply, or to test the reachability of any other valid realm.

You can, of course, also test your Identity Provider by visiting another campus. However, you should be aware that when you do that, you're also testing that institution's service provider.


Testing a Service Provider (wireless network)

To properly test the eduroam wireless network on your campus, you need to try logging in as both a local user and as a visitor. This means you'll need some test credentials from a different identity provider (representing a visitor to your campus).

Getting test credentials

When you provide us with test credentials to monitor your eduroam IdP, we automatically create a reciprocal test account that you can use to test your eduroam SP (wireless).

The username for the test account is of the form your.realm@monitor.eduroam.ac.za. So if your realm is example.ac.za and you've added a monitored realm account of nren_radius_test@example.ac.za via the eduroam management portal, you'll also immediately have a test account of example.ac.za@monitor.eduroam.ac.za that you can use.

The password for this test account will always be the same as the one you supplied for your realm's test account and changes immediately when you update your test credentials in the management portal.

There are some eduroam CAT profiles available for the Test IdP.

The Test IdP supports outer EAP types of either PEAP or TTLS and inner (phase 2) authentication via either MSCHAPv2, PAP or GTC. The encryption certificate it uses is signed by a dedicated, private CA.

If you wish to test anonymous outer identities, you may use anonymous@monitor.eduroam.ac.za.

To aid with debugging, a subset of the most recent logs from the Test IdP can be viewed here.

Please note the test credentials are for testing by a single institution's administrator(s) only. Do not re-share them with your users or with another institution, or you risk compromising your own test accounts too.

Other credentials

Some institutions have exchanged test credentials with each other, much as they've done with ourselves. There's some merit in doing this even if you make use of the Test IdP, since it gives you another perspective and a real-world test case.

This is easiest to arrange when you already know the administrator of the remote eduroam identity provider and can leverage your existing trust relationship with them. Maybe you can reciprocally provide them with test credentials for your network?

You should make sure you are aware of any constraints on those credentials — for instance, not re-sharing them with other institutions. Note: we cannot provide you with another institution's test credentials without their explicit consent.

Performing tests

Once you have some test credentials, you can use them to test that the eduroam wireless network works on your campus in the way you expect. Remember that you need to test with both local (your own) credentials as well as visitor credentials.

You should test as many scenarios as you can — different devices (laptop, tablets, smartphones) and operating platforms (Windows, Linux, Android) — to ensure you're supporting the full array of likely visitors.

Note that there is more to testing than just authentication: it is very important that you also test that you've made all the required ports and protocols available (including, for instance, email, SSH and VPN). portquiz.net provides a useful service with open ports you can test against. Please periodically re-test this, as people sometimes inadvertently make firewall changes that break the eduroam service for visitors.

Remember too that visitors to your campus have no knowledge of your network. This means you cannot require them to make any changes (proxy configs, etc) to their device; it should just work™ for them as soon as they connect.

Automated monitoring

You may also wish to set up automated monitoring of your RADIUS routing, in much the same way we've implemented the monitoring service. The rad_eap_test Nagios plugin may be useful here. 

NB: If you intend using the credentials from our Test IdP for automated monitoring, please be aware that this is an experimental service and is not intended to be redundant in any way. This means that it's possible for the Test IdP service to report an error even when everything on your side is working correctly. Please don't report such failures to us; our own monitoring will alert us to the problem.

If you're using another institution's credentials, make sure the person who gave you test credentials is aware that you intend doing automated monitoring with them.


Further developments

eduroam globally is investigating better ways to monitor eduroam service providers. Ideas that are currently in trial include using the RIPE Atlas Network and developing custom probes. We've a limited number of Atlas probes that we can make available for people who want to join the trials.