Roaming Technology - FAQs

About JANET Roaming/eduroam

Can the JANET Roaming and eduroam graphics be included in our own JRS web page and JRS eduroam promotional / advertising material? Can the images be downloaded?

Yes. See Promotional Material for JRS Participating Organisations.

How widely available is the service and how popular is it - have you got any usage figures?

You can see where the UK institutions/organisations that have registered to participate in the JANET Roaming service are situated by clicking on the link in the top menu bar - 'MAP - where you can use JRS eduroam'.

For maps and details of the overseas countries that are members of eduroam, use the links below:

Europe: www.eduroam.org/index.php?p=europe

Asia Pacific: www.aarnet.edu.au/Content.aspx?p=137

Membership of the service has been growing steadily since launch and there are currently 92 registered JRS UK participating organisations. This represents 14.6% of the c.630 JANET-connected organisations, which is a healthy percentage considering the broad mix of JANET customers, from HE institutions to small specialist colleges (for many of which JRS is not relevant).

Regarding usage, we have seen a threefold increase as at summer 2008 compared to Autumn 2007.

NRPS total access-accept packet counts Sept07 - June08

Workstation/Laptop/Palmtop Setup

How do I configure Windows to work with 802.1x?

Details of all aspects of setting up the client and using JANET Roaming are included in the JANET Roaming User Guide; the following extract details setup of the client in Windows XP.

Why am I having a problem using JANET Roaming with MS Vista?

Windows Vista has a slightly different PEAP authentication to that of WinXP. This difference means that Vista 802.1x authentication will not work with older versions of Cisco ACS, RADIATOR or FreeRADIUS ORPS software at Home organisations.

Updated versions of the most popular RADIUS servers have been released which fix this problem:

FreeRADIUS 1.1.4* - tested (1.1.7 was the last 1.1.x release. Latest version is now 2.0.5)
RADIATOR 3.16 - tested
Cisco ACS 4.1 - not tested (would like feedback from sites using this)

As this issue is only at the authentication end, visitors with Vista should happily be able to use JANET Roaming at a Visited site if their Home site has upgraded their ORPS.

*Vista will work with 1.1.4, but 1.1.5 and 1.1.6 had further SSL fixes to improve SSL behaviour and stability in general (as well as more than 30 other bug fixes). A 1.1.6 system would be far better than 1.1.4; the final release of 1.1.x was 1.1.7 and is the one to use IF you must use 1.1.x. We see no reason not to go for the later 2.0.x version though. 2.0.5 is the latest release and fixes many 1.1.x issues. The forthcoming 2.0.6 has a much enhanced stats monitoring system which is eagerly anticipated.

How can I get my Palm TX handheld to work with JANET Roaming?

Palmtops need 802.1x supplicant software to work at the vast majority of JANET Roaming sites (excepting those providing web redirect authentication JRS1) - the supplicant software must support the authentication protocols in use on your home network (EAP-TLS, EAP-TTLS, EAP-PEAP(v0 or v1)). The Palm TX uses Palm OS Garnet 5.4 which supports wireless connection, but unlike XP and Vista does not include an 802.1x supplicant. This software is however available in the Wi-Fi Enterprise Security Update (ESU) package which costs $5.99 from www.palm.com/us/software/esu.

 

Travelling Abroad - eduroam

I am travelling to an eduroam-participating country, how do I find out the status of the service provided by their NREN (local JRS equivalent)?

The status of the NREN eduroam infrastructure is monitored here:

http://monitor.eduroam.org/

The status of individual national RADIUS proxy servers is available here:

http://monitor.eduroam.org/eduroam/monitor.php

How do I find out whether the organisation I plan to visit offers eduroam and details about it?

You should check out the web site of the organisation you intend to visit to determine availability of wired/wireless network and encryption/SSID settings - just as you would before visiting a UK site.

To find the web site of the organisation overseas, navigate to the country's NREN eduroam site and from there to its maps and links to the places you plan to visit, using the links below:

Europe: www.eduroam.org/index.php?p=europe

Asia Pacific: www.aarnet.edu.au/Content.aspx?p=137

 

User Authentication

I've heard of pGina, can it be used to enable authentication for a Windows machine into a non-Windows network?

As standard, the Microsoft Windows NT/2000/XP client operating system only provides for a single method of user authentication - via a Microsoft Windows Server. Should you wish to use a user database on a non-Windows server to authenticate access for Windows machines, eg. an existing Unix server and its existing base of users, there are a few non-ideal options - eg. use a Windows server for authentication and maintain identical lists of usernames/passwords on each server or use Samba to emulate a Windows NT 4 Server.

The pGina project however has developed a replacement for the authentication portion of the Windows 2000/XP OS. This has created a wide choice of many different methods for the authentication and login of a user. It has been achieved through the creation of a substitute for Microsoft's replaceable GINA (Graphical Identification aNd Authentication) dynamic link library DLL component that is loaded by the Winlogon executable. The pGINA can dynamically load 'plugins', where a plugin can be created to use ANY method of authentication. For further information see: What is pGina?

Web Redirect

What is Web Redirect?

Many early adopters of distributed authentication for network access chose to present a web-based authentication interface, typically on a guest wireless LAN. The approach has been to intercept web traffic from the client, either by policy-based routing or DNS manipulation, and redirect it to a web proxy. This then presents a login screen in place of the requested web pages until such time as a successful authentication has been accomplished, after which it acts as a transparent pass-through for the length of the session. Some organisations have elected to offer a web-only guest service; others used dynamic firewall rules on the proxy device to open up a wider range of protocols to the authenticated visitor. Many commercial wireless ISPs follow this strategy for user authentication, since it is intuitive and effectively self-documenting.

A number of manufacturers have introduced products implementing this model, among which Bluesocket and Vernier have attained significant market share in the higher and further education arena.


The JANET Roaming Service in the UK accommodates legacy web-redirection network access services within tier JRS1, but they are deprecated for a number of reasons:

  • entered credentials are visible at the NAS (Network Access Server) and any intervening RADIUS servers
  • subsequent data communications are not secured in any way unless additional measures are taken, such as VPN
  • IP/MAC spoofing may allow trivial session hijack
  • they are potentially vulnerable to the so-called ‘evil twin’ attack, whereby an attacker creates a ‘clone’ of an authorised login screen on a rogue access server in order to harvest credentials
  • proxying may break some web applications.


Where web redirect systems are used in a JANET Roaming Service context, for example as an adaptation of an existing standalone guest service, a number of conditions must be met - in particular, the interface must support SSL or TLS security based on certificates acquired from ‘a well-known’ certificate provider. This improves security by ensuring that all WRD NASs use a certificate to identify themselves to the visitors' web browsers. These provisions do not entirely eliminate the concerns set out above (being focused on credential protection), and tier JRS1 services are considered low security contexts in which additional data privacy measures should be adopted, such as VPN.

Overall, the current tier JRS1 web redirect option is deprecated and is likely to be withdrawn in the future. Organisations adopting JANET Roaming Service without an existing web-based guest infrastructure along these lines are strongly encouraged to develop a tier 2 or higher service from the start.

For further information please see:

http://www.terena.nl/activities/tf-mobility/deliverables/delF/DelF-f.pdf

What are the security issues with web redirect?

WRD (web redirect) is widely deployed within many organisations, and is also supported by all visitor clients possessing a web browser. However, WRD has some significant limitations.

Firstly, because the visitor provides a user name and password to the WRD NAS, these credentials are visible to the NAS and any intervening RADIUS servers involved in forwarding the credentials.

Secondly, it does not provide data privacy for subsequent communications over the wireless LAN.

Thirdly, it is relatively trivial for an unauthenticated attacker to abuse the network in a non-traceable fashion. For example, an unauthenticated attacker can easily spoof the IP and MAC addresses of an authenticated user, and masquerade as that user.

Finally, WRD is vulnerable to the so-called ‘evil twin’ attack, whereby an attacker creates a ‘clone’ of an authorised WRD NAS. Users are easily tricked into entering their credentials into the ‘clone’ because it looks identical to the authorised NAS. This vulnerability is the reason that the JRS tier 1 requires all WRD NASs to use a certificate from a well-known certificate authority to identify themselves to visitors' web browsers.

In the light of these limitations, although WRD is permitted, we strongly recommend against its deployment for JRS and it will eventually be prohibited within the service. (Organisations may still offer their own WRD systems for use by their own users or visitors, but they will not be able to advertise them with 'eduroam', use the 'eduroam' SSID nor connect them to the JRS service.)

802.1x and EAP Technical Sheets

What is 802.1x and EAP and how do they work?

  • IEEE 802.1x - three page JANET technical sheet on 802.1x outlining its benefits and describing how it works and listing currently available supplicants together with their main features and applicability.

Joining JANET Roaming / Realms

Can individuals join JANET Roaming? Is there a way for an individual to obtain a JRS/eduroam ID without the user's home institution having to join JANET Roaming?

No. Users must have registered network logon accounts at their home organisations and in order for individuals to use their credentials for authentication at JANET Roaming participating sites, their home organisation has to join JANET Roaming and install a RADIUS server which is peered with the national JRS proxy servers.

The aim of JANET Roaming is to reduce the amount of administration required both by organisations offering guest access to their networks and for visiting users. This is achieved by users being enabled to use their own usernames and passwords when roaming. JANET(UK) has set up the NRPS network and the support service to facilitate this through the JANET Roaming mechanism. There is no facility for users to be issued with independent IDs since this would involve another tier of administration (and defeat the aim of the service).

Is JANET Roaming eduroam available to all members of an organisation - academic staff, administrative staff and students? Do JANET Roaming users have to be registered network logon account users at a participating organisation?

Yes, JANET Roaming eduroam is available to all members of the academic community. Users must have a network account at their participating home organisation in order for their authentication requests to be validated when they attempt to log on at a visited organisation. They must be registered on their home organisation's AD, LDAP, Netware etc user database. This is because JANET connected organisations are not permitted to just let anyone onto their guest networks and to access JANET/the Internet via JANET. Furthermore, there is a logging requirement for organisations to record the date and time and user name of JANET Roaming enabled authentications. We have to be able to track down a visiting user if ever there is any security or anti-social usage incident - hence the need to limit the service to registered users.

Can I have a sub-realm for my organisation?

a) Does the JANET Roaming spec allow us to configure ORPS to forward user@department.example-org.ac.uk RADIUS requests to the department in question's RADIUS server?

b) If so, will the NRPS strip off 'department' and forward RADIUS requests to the example-org ORPS?

a) Yes - you can submit any number of sub-realms (such as "department.example.ac.uk") as you like. To create a new sub-realm, browse to your organisation in the JRS Configuration menu on the support web server, and select 'Realms'. Enter the sub-realm name into the Realm name field and press 'Create realm'.

b) No, the NRPS will forward requests bearing these realms to your ORPS unchanged. Because the realm is left unchanged by the NRPS, you can perform additional proxying within your organisation if you wish (for example, to route the request to a departmental RADIUS server). This permits delegation of authentication to other units within your organisation.

Can I request a wild-card realm?

No. However, you are able to define as many "sub-realms" as you require. For example, if your realm is example.ac.uk, you can additionally define bar.example.ac.uk and foo.bar.example.ac.uk.
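The sub-realm and wild-card answers above describe a two-stage routing model: the NRPS matches the realm of the User-Name against the realms an organisation has explicitly registered (realm and each sub-realm are separate entries, with no wildcard matching) and forwards the request to that organisation's ORPS unchanged, and the ORPS may then proxy onwards to a departmental server. The following Python model of that behaviour is an added example, not JANET(UK) or eduroam code; all server names and the routing tables are constructed placeholders.

```python
"""Realm routing for roaming RADIUS requests, with explicit sub-realms.

Added example (not JANET(UK)/eduroam code). The NRPS forwards a request whose
realm is a registered realm or an explicitly registered sub-realm to the
organisation's ORPS with the User-Name untouched; the ORPS may then delegate
to a departmental server. No wildcard matching is done anywhere: a realm that
was not registered is rejected. All server names are constructed placeholders.
"""


def split_nai(user_name):
    """Split a Network Access Identifier (RFC 4282) into (username, realm).

    The username part may be empty ('@example.ac.uk' is the anonymous outer
    identity form); the realm is lower-cased since it is case-insensitive.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, (realm.lower() or None)


# Realms registered with the JRS support site -> the organisation's ORPS.
# The realm and the sub-realm are separate, explicit entries (constructed).
NRPS_ROUTES = {
    "example.ac.uk": "orps.example.ac.uk",
    "department.example.ac.uk": "orps.example.ac.uk",
}

# The organisation's own delegation table, held on its ORPS (constructed).
ORPS_DELEGATION = {
    "department.example.ac.uk": "radius.department.example.ac.uk",
}


def nrps_route(user_name, routes=NRPS_ROUTES):
    """Decide what the NRPS does with a request: exact realm lookup only."""
    _, realm = split_nai(user_name)
    if realm is None:
        return ("reject", "no realm: a roaming request must carry user@realm")
    target = routes.get(realm)
    if target is None:
        return ("reject", f"unknown realm {realm!r}: not registered, no wildcards")
    # Forward with the User-Name untouched; the ORPS sees the full sub-realm.
    return ("forward", target, user_name)


def orps_route(user_name, delegation=ORPS_DELEGATION):
    """Decide what the home ORPS does: delegate to a departmental server or
    authenticate against the local user database."""
    _, realm = split_nai(user_name)
    target = delegation.get(realm)
    if target is not None:
        return ("forward", target, user_name)
    return ("authenticate", "local", user_name)


def trace_request(user_name):
    """Return the hops a request takes: the NRPS decision, then (if it was
    forwarded) the ORPS decision."""
    hops = [nrps_route(user_name)]
    if hops[0][0] == "forward":
        hops.append(orps_route(hops[0][2]))
    return hops


if __name__ == "__main__":
    for name in ("alice@department.example.ac.uk", "bob@example.ac.uk",
                 "@example.ac.uk", "eve@other.example.ac.uk", "nobody"):
        print(name, "->", trace_request(name))
```

Note that "other.example.ac.uk" is rejected even though it is a child of a registered realm: that is the absence of wild-card realms the answer describes, and the cure is to register the sub-realm explicitly.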

RADIUS server configuration

In this section you will find specific information on Radiator, FreeRADIUS and MS Internet Authentication Service / Network Policy Server as well as information relevant to all RADIUS software.

Do you have links to the various RADIUS server platform websites?

FreeRadius website

Radiator website

Microsoft IAS (Internet Authentication Service) (Windows Server 2003) website

Microsoft Network Policy Server (NPS) (Windows Server 2008): website 1, website 2

Cisco ACS (Secure Access Control Server for Windows) website

Juniper Funk Steel-Belted Radius website

 

How many RADIUS clients can my ORPS support?

Please note that this answer concerns only RADIUS clients (i.e. NAS devices such as wireless access points and switches), not the number of users the ORPS can serve.

Windows Server 2003, Standard Edition or Enterprise Edition (for IAS and Certification Authority (CA) installation): Standard Edition supports a maximum of 50 wireless APs (RADIUS clients) per server.

FreeRADIUS - as many as your server can logically handle

RADIATOR - as many as your server can logically handle

CiscoACS - Number of Access Points. To determine the number of access points that a Cisco Secure ACS can manage, start with the assumption that each access point manages about ten WLAN users. Then divide the total number of users that can be supported by a Cisco Secure ACS - 21,000 by this number. With this formula we have 21,000 divided by 10 or 2,100 access points that can be supported by one Cisco Secure ACS. This is the minimum number of access points that can be supported because not all access points will be supporting the maximum number of users at any one time.


Number of Network Access Servers - a Cisco Secure ACS can support up 5,000 discrete network access servers (NASs). This number can be increased by the use of the multi-NAS capability of an ACS. Multi-NAS is a concept that allows one or more addresses to be configured for a given NAS entry. Using multi-NAS, the Cisco Secure ACS can support a theoretical maximum of 255 multiplied by 5,000 discrete NAS equaling 1.275 million devices. However, a configuration of 1.275 million devices per Cisco Secure ACS is clearly not realistic.

What RADIUS server software are JANET Roaming participants using?

Number of ORPS installations by RADIUS software type:

RADIUS software             Dec 2006   July 2007   Dec 2007   Apr 2008   July 2008
FreeRADIUS                        27          51         59         64          74
Radiator                          13          13         13         15          14
Microsoft IAS                     12          15         16         21          24
Cisco Secure ACS                   2           3          4          4          10
Cisco IOS                          0           1          1          1           1
Typo/not stated                   14           9          5          6           4
Funk/Juniper Steel-Belted          -           -          -          -           -

Are there any known issues with certain versions of RADIUS server software?

Yes! We of course make the general recommendation that you keep your RADIUS server software updated to the latest releases. There are particular known issues with versions of the popular choices of RADIUS software, including the following:

FreeRADIUS - versions prior to 1.1.4 do not support Vista clients due to the change in PEAP handling with Vista compared to XP. 1.1.5 and 1.1.6 had further SSL fixes to improve/fix SSL behaviour and stability in general...as well as more than 30 other bug fixes. If you are sticking to 1.1.x code, 1.1.7 was the final version of the 1.1.x product.

However we see no reason not to upgrade to the 2.0.x version of FreeRADIUS. 2.0.5 is at the time of writing the latest release and fixes many 1.1.x issues.

Radiator - in June 2007 the JANET NRPS had to be upgraded to the current version due to several bugs in its EAP-TLS handling. These were leading to failed authentication attempts from visited sites for users from a participating organisation using EAP-TLS with MS IAS.

The problem, which was traced to the RADIUS exchange not completing, was resolved by upgrading our NRPS Radiator software from v 3.13 to 3.17.1. It is likely that if you are running older versions of Radiator on your ORPS and you get a visitor from a site that utilises EAP-TLS then similar problems will be encountered.

We specifically recommend that if you are still running older versions of Radiator, you should upgrade as soon as possible to the latest version. (Radiator 4.3.1 is the latest version, last modified 29 July 2008).

In addition to the above, a compounding problem was that the ipf firewall software configurations on our NRPS were set to discard UDP fragments. The script was therefore changed to pass fragments using the 'keep frag' keyword. If you employ the ipf firewall on your ORPS, you should check this.

Are there any example configurations for Radiator available?


We currently don't have any direct cut'n'paste for Radiator that is clearly available for any site due to the uniqueness of each site requirement (backend authentication and such).

However, OSC (the publisher of Radiator) supplies many example configuration file snippets and templates on the www.open.com.au/radiator website. eg. ntlm_eap_multi.cfg which is a simple config which handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also handles the outer and inner requests for TTLS and PEAP. In this case, the <AuthBy NTLM> sub-handler is doing the work. Of course this is only suitable for Active Directory. If sites are using passwords or eDirectory etc then the requirements will be different.

Resources:

Appendix A.2 of the Geant2 Roaming Infrastructure Service and Support Cookbook provides useful information on configuring the ORPS server software.

Are there any example configurations for FreeRADIUS available?

We don't have any direct cut'n'paste configurations for FreeRADIUS that would be suitable for all sites due to the uniqueness of each site requirement (backend authentication etc).

However there are some hints and tips on the JRS Support web site and there is some useful information in the following case study, which is a practical description of how University of Bristol implemented and complies with the JANET Roaming Technical Specification using FreeRADIUS in an AD environment: A Case Study in Complying with the JANET Roaming Service Technical Specification (pdf)

Resources:

Also appendix A.2 of the Geant2 Roaming Infrastructure Service and Support Cookbook provides useful information on configuring the ORPS server software.

FreeRadius website

What's the Difference between MS IAS and NPS?

Here's what msdn says - Internet Authentication Service vs Network Policy Server

Microsoft IAS Implementation

Troubleshooting Microsoft IAS as a RADIUS server and as a RADIUS proxy

This link to the MS TechNet site should be useful:

Microsoft TechNet IAS Troubleshooting

What Attribute filtering should I allow?

The following is the minimum set of attributes required to support JANET Roaming. These must not be filtered out:

RADIUS Access-Request or Access-Challenge message attributes:

  1. User-Name
 18. Reply-Message
 24. State
 25. Class
 31. Calling-Station-ID
 33. Proxy-State
 79. EAP-Message
 80. Message-Authenticator
     MS-MPPE-Send-Key
     MS-MPPE-Recv-Key

RADIUS Accounting messages:

  1. User-Name
 25. Class
 33. Proxy-State
 40. Acct-Status-Type
 44. Acct-Session-ID

This list has been determined following a small number of incidents involving Roaming users being unable to connect at certain institutions (both here in the UK and elsewhere) owing to over-restrictive attribute filtering. Please note that implementation of the list is likely to become a mandatory feature of JANET Roaming.
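A practical way to verify that a proxy's attribute filter honours the minimum set above is to parse the attribute section of a RADIUS packet, apply the filter, and report what it strips. The Python below is an added example, not JRS, FreeRADIUS or vendor code. Attribute numbers are the standard registry values (RFC 2865/2866/2869, RFC 3579 for EAP-Message and Message-Authenticator, and RFC 2548 for the Microsoft vendor-specific MS-MPPE keys, vendor id 311); the sample Access-Accept, its key material and the over-restrictive allowlist are constructed.

```python
"""RADIUS attribute filtering check against the JRS minimum attribute set.

Added example; not JRS or vendor code. Parses RADIUS attributes (type,
length, value; a Vendor-Specific attribute carries a 4-byte vendor id then a
vendor type/length/value), applies a proxy allowlist and reports what was
dropped, and checks an allowlist against the minimum set listed above.
The sample packet values below are constructed placeholders, not real keys.
"""
import struct

ATTR_NAMES = {
    1: "User-Name", 18: "Reply-Message", 24: "State", 25: "Class",
    31: "Calling-Station-Id", 33: "Proxy-State", 40: "Acct-Status-Type",
    44: "Acct-Session-Id", 79: "EAP-Message", 80: "Message-Authenticator",
}
VENDOR_SPECIFIC = 26
MICROSOFT = 311  # enterprise number used by the MS-MPPE-* VSAs (RFC 2548)
MS_VSA_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

# The minimum set from the FAQ that a proxy must not filter out.
JRS_MINIMUM = {
    "access": {"User-Name", "Reply-Message", "State", "Class",
               "Message-Authenticator", "Calling-Station-Id", "Proxy-State",
               "EAP-Message", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"},
    "accounting": {"User-Name", "Acct-Status-Type", "Acct-Session-Id",
                   "Class", "Proxy-State"},
}


def attr(atype, value):
    """Encode one attribute: type, length (value + 2-byte header, max 255), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute in the RFC 2865 vendor format."""
    inner = bytes([vtype, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + inner)


def attribute_name(atype, value):
    """Human-readable name; vendor attributes are named by vendor and type."""
    if atype != VENDOR_SPECIFIC:
        return ATTR_NAMES.get(atype, f"Attr-{atype}")
    vendor = struct.unpack("!I", value[:4])[0]
    vtype = value[4]
    if vendor == MICROSOFT and vtype in MS_VSA_NAMES:
        return MS_VSA_NAMES[vtype]
    return f"VSA-{vendor}-{vtype}"


def parse_attributes(payload):
    """Return [(name, raw bytes of the whole attribute)], refusing malformed
    lengths rather than reading past the end of the buffer."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = payload[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) < 6:
            raise ValueError("vendor-specific attribute too short")
        out.append((attribute_name(atype, value), payload[pos:pos + alen]))
        pos += alen
    return out


def apply_filter(payload, allowlist):
    """Rebuild the payload keeping only allowed attributes; return (kept, dropped names)."""
    kept, dropped = bytearray(), []
    for name, raw in parse_attributes(payload):
        if name in allowlist:
            kept += raw
        else:
            dropped.append(name)
    return bytes(kept), dropped


def allowlist_gaps(allowlist, kind):
    """Which of the JRS minimum attributes for 'access' or 'accounting'
    would this allowlist strip? An empty list means the filter is safe."""
    return sorted(JRS_MINIMUM[kind] - set(allowlist))


# Constructed Access-Accept attribute section on its way back to the visited site.
SAMPLE_ACCESS_ACCEPT = (
    attr(1, b"alice@example.ac.uk")
    + attr(25, b"constructed-class-value")
    + attr(33, b"nrps-proxy-state")
    + attr(79, bytes([3, 42, 0, 4]))      # EAP Success, id 42, length 4
    + attr(80, bytes(16))                 # Message-Authenticator placeholder
    + vsa(MICROSOFT, 16, bytes(34))       # MS-MPPE-Send-Key placeholder
    + vsa(MICROSOFT, 17, bytes(34))       # MS-MPPE-Recv-Key placeholder
)

# An over-restrictive filter of the kind behind the incidents mentioned above.
OVER_RESTRICTIVE = {"User-Name", "EAP-Message", "Message-Authenticator"}
SAFE = JRS_MINIMUM["access"] | JRS_MINIMUM["accounting"]

if __name__ == "__main__":
    kept, dropped = apply_filter(SAMPLE_ACCESS_ACCEPT, OVER_RESTRICTIVE)
    print("dropped by over-restrictive filter:", dropped)
    print("minimum attributes it would strip:", allowlist_gaps(OVER_RESTRICTIVE, "access"))
    print("safe allowlist gaps:", allowlist_gaps(SAFE, "access"), allowlist_gaps(SAFE, "accounting"))
```

Dropping the MS-MPPE keys is the failure visitors actually see: the access point never receives the session keys, so the client authenticates successfully and then cannot associate. Dropping Proxy-State breaks the proxy chain on the way back.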

If you are aware of any other attributes then please contact JANET Roaming Support.

For more information on this topic see:

List of RADIUS Attributes

RADIUS Attributes

Attribute Screening for Access Requests on Cisco Network Access Server

How do I change the IP address of our ORPS? (Is there a procedure we need to go through?)

Simply use the https://support.roaming.ja.net JRS support site. Go to your ORPS configuration page, select your ORPS, change the name of the RADIUS server and press [Update RPS]. Check that the passphrase does not change (it should not). The final step is to remove the old ORPS entry and add the new one; the passphrase will be different then. The changes are propagated to the NRPS on the hour.

Server Certificates for ORPS

Can I use a self-signed certificate for my RADIUS server?

Yes. The RADIUS server certificates required by certain EAP methods may be derived from a self-signed certificate authority (CA) / private certificate authority or they can be purchased from a commercial public CA.

EAP methods that use transport layer security (TLS), such as EAP-TLS, EAP-PEAP and EAP-TTLS, require the use of a server certificate to authenticate the RADIUS server to the supplicants. In addition, EAP-TLS requires client certificates too, in order for the clients to be validated by the RADIUS servers. These client certificates can also be self-signed, ie. generated by your private CA software.

The advantages and drawbacks of both using private and public CAs are listed below.

Using a certificate from a self-signed private CA

Benefits:

  • No need to purchase a certificate from a commercial vendor.
  • Provides a slight security benefit by making it harder for a user to misconfigure their supplicant in an insecure way. (The use of a certificate from a commercial CA combined with a failure by the supplicant to validate the CN of the certificate makes a MITM attack feasible, where the attacker simply acquires a certificate from the same CA).

Drawback:

  • you will generally have to install or get the laptop user to install the server ‘root certificate’ from your self-signed Certificate Authority on each client before it will recognise a private server certificate - but this is not a difficult procedure.

Using a certificate from a commercial CA

Benefit:

  • No need to distribute the CA's root certificate to each client, since a public CA's certificate will generally be recognised by any client.

Drawback:

  • Cost - you usually have to pay an annual fee for each certificate.

Note: some RADIUS implementations, such as Radiator and FreeRADIUS, provide a certificate from a self-signed CA for testing purposes. Under no circumstances should this certificate be used in a production environment.

Resources:

TechRepublic paper - Self-sign a RADIUS server for secure PEAP or EAP-TTLS authentication

Microsoft technical article - Certificate requirements when Using EAP-TLS or PEAP with EAP-TLS

Private certificate authority software eg. CATool from Open System Consultants http://www.open.com.au/catool

Can I use the JANET Server Certificate Service to provide certificates for my RADIUS servers?

Yes - the JANET Server Certificate Service (JANET SCS) works fine with the most popular RADIUS servers (FreeRADIUS, Radiator and Cisco ACS) and will provide you with server certificates free of charge, suitable for use with EAP-PEAP and EAP-TTLS methods. However, if you intend to use Microsoft Internet Authentication Service (IAS) with JANET SCS, skilful configuration will be required. A draft guidance tech sheet is available on request.

The difficulties with MS Internet Authentication Service stem from the fact that it does not send the full certificate chain during EAP-PEAP negotiation. Consequently, in order to use IAS with JANET SCS certificates (or any other certificate not issued directly from a certification authority (CA) known by the supplicant), it is essential to:

1. Ensure that you include the correct extensions in the certificate

2. Configure IAS to include the certificate in its list of known certificates.

This issue came to light through problems experienced in attempting to use certificates issued by the JANET SCS with the Windows XP supplicant. All certificates issued by the JANET SCS are signed as from an intermediate CA; but any 802.1x supplicant, including the one native to XP, will not be able to validate certificate chains derived from intermediate CAs from Microsoft IAS because IAS does not send the full chain in the ServerHello during the TLS handshake in Phase 1 of EAP-PEAP.

So if you intend to use Microsoft IAS, your options are:

1. The certificate you acquire from a vendor must be one that will 'chain directly' to a root CA 'known' by your supplicants.

2. Be very careful and thorough in your configuration of IAS. Anyone considering use of SCS certificates should contact JANET Roaming Support, pending a suitable write-up. The write-up is likely to take some time, as it's rather complex.

3. Manage your own private CA.

How do I get and install a commercial server certificate for use with MS IAS?

MS IAS - obtaining and installing a VeriSign WLAN Server Certificate for EAP-PEAP (MSCHAPv2)

Integration of RADIUS server with back end user database

Is it possible to authenticate EAP-PEAP against Novell Directory Services?

While it is not possible to authenticate EAP-PEAP against the default non-reversible hash used in NDS, it is now possible to configure a "Universal Password" in NDS which stores users' passwords in a reversibly encrypted format. This will permit the authentication of EAP-PEAP against NDS through RADIUS servers such as FreeRADIUS and Radiator.

How do you configure FreeRADIUS against Novell eDirectory?

Novell has produced documentation on configuring FreeRADIUS against eDirectory:

http://www.novell.com/documentation/edir_radius/index.html

FreeRADIUS integration with Active Directory

The established way of setting up FreeRADIUS to authenticate users against Active Directory is to use Samba/winbind/ntlm_auth:

FreeRADIUS Active Directory Integration Howto - from FreeRADIUS Wiki

University of Bristol implemented FreeRADIUS in an AD environment, the following case study contains useful information: A Case Study in Complying with the JANET Roaming Service Technical Specification (pdf)

RADIUS server log keeping and interpretation / JRS Support Test System

Can you clarify the JANET Roaming Policy/Tech Spec on visitor logging?

Clarification of JANET Roaming Policy and Tech Spec Wording - Visitor Activity Logging (Word)

Clarification of JANET Roaming Policy and Tech Spec Wording - Visitor Activity Logging (pdf)

Using the Test facility on JANET Roaming Support web site for EAP-TTLS with PAP inner authentication results in errors in our FreeRadius log due to use of null value outer user name by the JANET Roaming Test. Why is this and what's the solution?

The log error is due to the JANET Roaming Support server using an outer user name comprising just the realm name for the Test. This conforms to the correct RFC format for anonymous outer identity, in accordance with RFC 4282:

"Omitting the username part is RECOMMENDED over using a fixed username
part, such as "anonymous", since it provides an unambiguous way to
determine whether the username is intended to uniquely identify a
single user."

The JANET Roaming test used to use anonymous@realm; however, feedback from several organisations led us to adopt the correct RFC format.

An ORPS shouldn't be acting on the outer identity unless you really need to - this value is easily set to whatever the client wants and therefore must not be used to authorise. The solution is a simple addition to sql.conf which removes this value from logging etc.; the inner ID should still be accounted and logged.
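The policy in this answer, that the outer User-Name of an EAP-TTLS/PEAP request is routing data only and that accounting and authorisation key on the inner identity from the tunnel, is shown below in Python as an added example (not FreeRADIUS, Radiator or JRS code). It classifies the outer identity (empty username per RFC 4282, 'anonymous', or a real username sent in the clear) and derives the username to log from the inner identity. The realm-consistency check is an addition of this example, not something the FAQ states: a request routed to this ORPS by its outer realm is expected to yield an inner identity of the same realm. All identities and session ids are constructed.

```python
"""Treating the outer EAP identity as routing data only.

Added example, not FreeRADIUS or JRS code. The outer User-Name is sent in
the clear and chosen by the supplicant, so it is trivially forged and may
legitimately have an empty username part ('@realm', the RFC 4282 form the
JRS test uses). Authorisation and accounting therefore use the inner
identity obtained inside the TLS tunnel. Identities below are constructed.
"""

ANONYMOUS_USERNAMES = {"", "anonymous"}


def split_nai(user_name):
    """(username, realm) from an NAI; realm is None when absent.
    The username part may be empty."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, (realm.lower() or None)


def classify_outer(outer):
    """'anonymous' (the recommended form), 'identifying' (the real username
    travels in the clear) or 'no-realm' (cannot be routed between sites)."""
    user, realm = split_nai(outer)
    if realm is None:
        return "no-realm"
    return "anonymous" if user in ANONYMOUS_USERNAMES else "identifying"


def accounting_identity(outer, inner):
    """The identity to log and account: always derived from the inner
    identity. A bare inner username (common with AD back ends) is qualified
    with the outer realm. The outer username itself is never used.
    Realm mismatch check is this example's own addition."""
    if not inner:
        raise ValueError("no inner identity: tunnel authentication did not complete")
    _, outer_realm = split_nai(outer)
    inner_user, inner_realm = split_nai(inner)
    if not inner_user:
        raise ValueError("inner identity has no username")
    if inner_realm is None:
        return f"{inner_user}@{outer_realm}" if outer_realm else inner_user
    if outer_realm is not None and inner_realm != outer_realm:
        raise ValueError(
            f"inner realm {inner_realm!r} does not match outer realm {outer_realm!r}")
    return f"{inner_user}@{inner_realm}"


def accounting_record(outer, inner, acct_session_id):
    """Build the row an ORPS would write to its accounting table: the inner
    identity as username, plus the form (not the value) of the outer one."""
    return {
        "username": accounting_identity(outer, inner),
        "outer_identity_form": classify_outer(outer),
        "acct_session_id": acct_session_id,
    }


if __name__ == "__main__":
    # Constructed: the JRS test's anonymous outer identity and an AD-style inner one.
    print(accounting_record("@example.ac.uk", "alice", "0000abcd"))
    print(classify_outer("alice@example.ac.uk"))
```

With this approach an outer User-Name of just "@realm" never reaches the SQL accounting module as an empty username, which is the log error the question describes.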

The NRPS are only testing one of our ORPSs using the test account configured on the Support server, why is this?

JANET Roaming has set up a system to monitor the RADIUS request handling status of Home organisations, ie. that an ORPS is operational. This is done using the test user account that participating organisations set up on the JANET Roaming Support server.

In your RADIUS logs you are seeing a single NRPS using the JANET Roaming Support test account to check the service status on just one of your ORPS. The reason for this is that the RADIUS check is being launched from the support site and goes via the NRPS. So an NRPS that can handle the request will only pass the request through to the first working ORPS at your site. This validates that your site is currently able to handle JRS RADIUS requests but does not check that ALL of your ORPS are alive.

The servers can be checked for network connectivity by PING but the only way to check RADIUS would be to allow a direct Support Server to ORPS RADIUS link. This is deemed unacceptable and would invalidate the JANET Roaming check - as we really need to monitor how the NRPS see the ORPS. Monitoring of the status of the ORPS system (be they load balanced, failover or round-robin constructed) is down to the individual organisations.

Having just made changes to our config on the JRS Support web site, errors are being recorded in our logs every five minutes - why?

Any changes to the test username/password and realm made on the JRS Support web site are instantly put into the JRS database. The on-demand tests on your test page on the JRS web site are therefore instantly accessible.

There is however a background service availability monitor test, powered by NAGIOS, that is run from the JRS Support server via one of the NRPS (usually roaming1). This runs a test authentication using the test account you have created in your user database and configured on the JRS Support site. The NAGIOS probe configuration is however NOT updated/generated instantly, and therefore there may be a short period when test probe authentications fail and errors are logged on your ORPS. Once any config changes have filtered through to the NAGIOS system, the test will run successfully and log error entries will cease.

Upgrading FreeRADIUS from v 1.1.x to v2.0.x

Do you have any guidance for upgrading our system to FreeRADIUS v 2.0.x?

Whilst the upgrade to FreeRADIUS 2.0.x may at first seem daunting due to the change of structure and the new features, it is actually a very short task to migrate a live 1.1.x system across to 2.0.x.

FreeRADIUS 2.0.x is a great improvement over 1.1.x and it is well worth making the effort to upgrade. 2.0.4 and upwards feature an 'inner-tunnel' method which means that, for example, EAP only hits your LDAP or SQL once, not the 3 or 4 times experienced previously. The current release is now 2.0.5, which has a lot of stats available via a simple query to the server, and there will be new features going into 2.0.6 that will make it even more desirable, not least of which will be working SNMP and highly configurable logging capabilities.

Recommended approach to upgrading:

1) Examine the 1.x config to see what you have configured.

2) Take the vanilla 2.0.x configuration and then edit it to add in the bits you had configured in 1.x; this should involve just the following:

a) edit sites-enabled/DEFAULT to match the authentication/authorisation/accounting sections from the old radiusd.conf

b) edit clients.conf and proxy.conf - exactly like 1.x initially

c) check out the other sites-available/* files to see what new functionality you want and then enable them (eg inner-tunnel) by copying or softlinking them like the DEFAULT file entry (rename DEFAULT to 'university_of_foo' or whatever if you want)
- if you want to enable inner-tunnel, then edit eap.conf to use the inner-tunnel virtual server (highly recommended!)

d) after some local rad_check stuff, use the JRS support server to ensure remote and home access is working.

We would then recommend setting up a proper JRS proxy pool using unlang (contact us for more advice on this aspect; some of it is covered in the support site FAQ).
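Step 1 of the procedure above is an audit of what the old radiusd.conf actually does, and step 2a is moving those sections into the new virtual-server file. The Python script below is an added example (not JRS code and not part of the FreeRADIUS project) that does that audit: it walks the 1.1.x radiusd.conf, pulls out the processing sections (authorize, authenticate, accounting, post-auth and so on), lists the modules each one calls in order, and lays the sections out in the bare top-level form that sites-available/default uses in 2.0.x. The radiusd.conf embedded in it is constructed for the example (the LDAP host and base DN are placeholders); it strips '#' comments before parsing and assumes, as is true of stock configurations, that no brace appears inside a quoted string at section level.

```python
import re

# Processing sections that FreeRADIUS 2.0.x moves out of radiusd.conf and into a
# virtual-server file under sites-available/ (the vanilla one is called 'default').
PROCESSING_SECTIONS = (
    "authorize", "authenticate", "preacct", "accounting",
    "session", "post-auth", "pre-proxy", "post-proxy",
)

# Constructed excerpt of a 1.1.x radiusd.conf; hostname and DN are placeholders.
SAMPLE_RADIUSD_CONF_1X = """
modules {
    ldap {
        server = "ldap.example.ac.uk"    # placeholder host
        basedn = "ou=people,dc=example,dc=ac,dc=uk"
    }
    $INCLUDE ${confdir}/eap.conf
}
authorize {
    preprocess
    suffix
    eap
    ldap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
accounting {
    detail
}
post-auth {
    Post-Auth-Type REJECT {
        attr_filter
    }
}
"""


def strip_comments(text):
    """Remove '#' comments so a brace inside a comment cannot upset the brace tracking."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def top_level_sections(text):
    """Map each top-level 'name { ... }' block to its body. Nested blocks such as
    'Auth-Type PAP { pap }' and '${confdir}' references are balanced, so counting
    braces keeps them inside their parent section."""
    sections, depth, name, start = {}, 0, None, None
    for m in re.finditer(r"[{}]", text):
        if m.group() == "{":
            if depth == 0:
                # the section name is whatever precedes the brace on its line
                name = text[:m.start()].rsplit("\n", 1)[-1].strip()
                start = m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0 and name is not None:
                sections[name] = text[start:m.start()]
                name = None
    return sections


def modules_in(body):
    """Names listed directly in a section: plain modules, plus 'Auth-Type X' style
    sub-blocks reported by their header (their contents are nested, so skipped)."""
    depth, top = 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            top.append(ch)
    return re.findall(r"[\w-]+-Type\s+\S+|[\w.\-]+", "".join(top))


def audit(radiusd_conf):
    """Step 1 of the upgrade: which modules each processing section calls, in order."""
    sections = top_level_sections(strip_comments(radiusd_conf))
    return {n: modules_in(sections[n]) for n in PROCESSING_SECTIONS if n in sections}


def render_virtual_server(radiusd_conf):
    """Step 2a: the same sections laid out as sites-available/default expects in 2.0.x
    (bare top-level sections; the default server has no 'server { }' wrapper)."""
    sections = top_level_sections(strip_comments(radiusd_conf))
    out = []
    for n in PROCESSING_SECTIONS:
        if n not in sections:
            continue
        lines = [l.rstrip() for l in sections[n].splitlines() if l.strip()]
        indent = min(len(l) - len(l.lstrip()) for l in lines) if lines else 0
        out.append(f"{n} {{")
        out.extend("\t" + l[indent:] for l in lines)
        out.extend(["}", ""])
    return "\n".join(out)


if __name__ == "__main__":
    for n, mods in audit(SAMPLE_RADIUSD_CONF_1X).items():
        print(f"{n:12s} {' -> '.join(mods)}")
    print(render_virtual_server(SAMPLE_RADIUSD_CONF_1X))
```

Run it against your real radiusd.conf by replacing the sample string; the audit output is the checklist for step 1, and the rendered sections are what to compare against the vanilla sites-available/default before deciding which entries to carry across. Module definitions inside modules { } are deliberately not copied, since in 2.0.x those live in modules/* and eap.conf.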

 

Firewall Configuration

Why do I get only "Re-sending Access-Request" when testing authentication?

Ensure that your firewall is configured to permit UDP ports 1812 and 1813. RADIUS does not use TCP!

You should also check that your firewall is not discarding UDP fragments. If it is, then the configuration should be changed to allow UDP fragments to pass. [Specifically for users of the ipf firewall (found on Solaris systems), the config script can be changed to PASS fragments using the keep frag keyword.]

Rationale - with certain EAP methods, eg EAP-TLS, RADIUS packets can get much bigger than the usual MTU of 1500 bytes, which means they are fragmented in transit. Many firewalls are configured to drop UDP fragments (as a defence against DoS attacks), but this will, of course, break such RADIUS communications. If your firewall is doing such dropping then it will need to be configured to ALLOW such traffic between NRPS<->ORPS. This will affect more sites as people migrate to full 802.1x implementations and use eg EAP-TLS or other EAP methods which use larger packets.
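To make the rationale concrete, the following Python is an added example (not JRS code) that builds an Access-Challenge the way an ORPS would when handing a slice of its certificate chain to the supplicant during EAP-TLS: the EAP packet is split over consecutive EAP-Message attributes, a State attribute is added, and a genuine Message-Authenticator and Response Authenticator are computed, so the resulting length is the real on-the-wire size. It then works out how many IPv4 fragments a 1500-byte MTU forces. The shared secret, State value and Request Authenticator are constructed for the example; the TLS bytes per EAP packet correspond to the fragment_size setting in the tls { } section of FreeRADIUS's eap.conf.

```python
import hashlib
import hmac
import math
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 2869, RFC 3579).
ACCESS_CHALLENGE = 11
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253          # Length octet covers the 2-byte attribute header
EAP_REQUEST = 1
EAP_TYPE_TLS = 13

# Constructed values: in real traffic the secret is per-client and the Request
# Authenticator is the 16 random bytes from the matching Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
STATE = b"jrs-state-0001!!"   # 16 bytes, opaque to the NAS


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_tls_request(eap_id, tls_bytes, more_fragments):
    """EAP-Request/EAP-TLS carrying one fragment of TLS data (RFC 5216 section 3.1)."""
    flags = 0x40 if more_fragments else 0x00          # M bit: more fragments follow
    data = struct.pack("!B", flags) + tls_bytes
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5 + len(data), EAP_TYPE_TLS) + data


def eap_message_attrs(eap_packet):
    """An EAP packet over 253 bytes is carried in consecutive EAP-Message attributes
    that the receiver concatenates in order (RFC 3579 section 3.1)."""
    return b"".join(tlv(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def access_challenge(secret, ident, request_authenticator, eap_packet, state):
    """Assemble an Access-Challenge with correct integrity fields."""
    attrs = eap_message_attrs(eap_packet) + tlv(ATTR_STATE, state)
    placeholder = tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    code_id_len = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs) + len(placeholder))
    # Message-Authenticator: HMAC-MD5 over the packet with the Request Authenticator in
    # the header and its own value zeroed (RFC 3579 section 3.2).
    mac = hmac.new(secret, code_id_len + request_authenticator + attrs + placeholder,
                   hashlib.md5).digest()
    attrs += tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865).
    response_authenticator = hashlib.md5(code_id_len + request_authenticator + attrs + secret).digest()
    return code_id_len + response_authenticator + attrs


def message_authenticator_valid(secret, packet, request_authenticator):
    """Check a response's Message-Authenticator the way a NAS or proxy does."""
    attrs, pos = bytearray(packet[20:]), 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            claimed = bytes(attrs[pos + 2:pos + length])
            attrs[pos + 2:pos + length] = bytes(16)
            expected = hmac.new(secret, packet[:4] + request_authenticator + bytes(attrs),
                                hashlib.md5).digest()
            return hmac.compare_digest(claimed, expected)
        pos += length
    return False


def ipv4_fragments(radius_len, mtu=1500):
    """IPv4 fragments needed for a UDP datagram carrying radius_len bytes: each fragment
    has a 20-byte IP header and, except the last, a multiple of 8 data bytes."""
    per_fragment = (mtu - 20) // 8 * 8
    return math.ceil((8 + radius_len) / per_fragment)


def build_challenge(fragment_size, secret=SECRET, request_authenticator=REQUEST_AUTHENTICATOR):
    """Access-Challenge carrying fragment_size bytes of (zero-filled stand-in) TLS data."""
    eap = eap_tls_request(eap_id=2, tls_bytes=bytes(fragment_size), more_fragments=True)
    return access_challenge(secret, 7, request_authenticator, eap, STATE)


def challenge_size_for(fragment_size):
    """(RADIUS packet length, IPv4 fragments at MTU 1500) for a given EAP-TLS fragment size."""
    length = len(build_challenge(fragment_size))
    return length, ipv4_fragments(length)


if __name__ == "__main__":
    for size in (1024, 1400, 2048):
        print(f"fragment_size={size}: RADIUS packet {challenge_size_for(size)[0]} bytes, "
              f"{challenge_size_for(size)[1]} IP fragment(s)")
```

With 1024 bytes of TLS data per EAP packet the challenge stays under the MTU in one datagram; at 2048 it needs two IP fragments, and a firewall that drops the second one silently breaks the exchange, which the client sees only as the repeated "Re-sending Access-Request". Keeping fragment_size small on the ORPS limits the size of what the ORPS sends, but the Access-Requests arriving from the NRPS carry whatever the supplicant and visited site produce, so the firewall change above is still required.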

Shibboleth

What's the difference between JANET Roaming and Shibboleth?

Shibboleth and JANET Roaming are complementary technologies that provide solutions to two different objectives.

The JANET Roaming/eduroam infrastructure provides the network access technology to make it easier for users with valid accounts at JANET connected organisations to log on to networks (both at home and) when visiting participating organisation sites. Before authentication, a user will typically have no access to the network or Internet. Once logged in using the JANET Roaming infrastructure, a user will have access to the network and the Internet.

After having logged on to the network Shibboleth then facilitates admission to online resources that are subject to access control. The Shibboleth architecture defines a streamlined way of exchanging information between an individual and providers of digital data resources to authorise the user's access to the resources. It has been designed to protect both the security of access to the data and the privacy of the individual viewing it (since authentication and authorisation is controlled by the home organisation).

Therefore, once a user has logged in using the JANET Roaming infrastructure and gained access to the Internet, Shibboleth could then be used to provide authentication and authorisation to access controlled online resources, such as journals and media content. http://www.ja.net/development/middleware/uk-federation.html

There has been a JISC-funded project, LICHEN, aimed at extending the usage of JANET Roaming in the Shibboleth arena. The main goal of LICHEN was to demonstrate that the JANET Roaming architecture can be extended to embrace supporting access control and authentication for virtual organisations of collaborating users on a variety of applications that may themselves authenticate through RADIUS. The secondary aim was to investigate methods to have such authentication interoperate with Shibboleth.

Currently there is work being done at a European level to further explore the possibilities. See: Geant2 unified Single Sign-On (uSSO)

Wired Networks

How do you configure a Cisco Catalyst switch to operate with 802.1x?

Information on Cisco configuration can be found within the technical paper:

Configuring 802.1X Port-Based Authentication

Wireless Networks

How do you configure a Cisco 1200 Series Wireless Access Point for eduroam SSID?

Details of the precise (largely web-based) steps used to configure the eduroam SSID on a Cisco® 1200 series WAP can be found in Appendix 2 of the case study -

Complying with the JANET Roaming Service Technical Specification (pdf)

Is it imperative that an institution broadcasts the eduroam SSID, as opposed to having it hidden? And would failure to broadcast eduroam exclude an institution from joining JANET Roaming?

Yes to both questions. Broadcasting the eduroam SSID is required by eduroam confederation policy and is a JANET Roaming technical requirement. This is because firstly, it's a way of advertising the presence of the service. Secondly, the native WinXP SP2 supplicant cannot do 802.1x against a hidden SSID (see below).

Can Cisco fat WAPs be used with multiple broadcast SSIDs and dynamic VLANs?

There is a known problem with Cisco 'fat' WAPs with regard to multiple BSSIDs and dynamic VLAN assignment (RADIUS-assigned VLANs) which unfortunately affects a lot of institutions. The problem was that Cisco 'fat' IOS driven APs until recently only supported a single primary (guest) SSID broadcast in the beacons (the BSSID). Furthermore, it was not possible to achieve assignment of VLANs via RADIUS. This limitation does not apply to Cisco's 'thin' architecture, so the problem could hitherto only be circumvented by adopting this technology.

This issue only affected the autonomous Cisco APs. There never was any difficulty with lightweight APs (including upgraded autonomous ones) in supporting RADIUS-assigned VLANs and multiple broadcast SSIDs. (Certainly 1131 and 1232 APs in non-autonomous LWAPP thin client mode with WiSM controllers have always worked fine).

With release 12.3.8-JEC(GD) of the Cisco IOS firmware, this issue has been resolved - certainly multiple BSSIDs with RADIUS assigned VLANs have been successfully setup with AP1231 and other 1200 series access points.

Although the issue has been resolved in the IOS, you may find that some AP radios do not support multiple BSSIDs. To find out if a particular radio will support multiple BSSIDs:

Run a 'show controllers <radio_interface>' command to check how many BSSIDs an AP will support, and look for a line such as:

"Number of supported simultaneous BSSID on Dot11Radio0: 8"

To setup multiple BSSIDs on the AP you can log into the web interface and select Security > SSID Manager. The page displayed will show the current VLANs configured and indicate which are being broadcast.

Alternatively from the IOS command line, enter SSID configuration interface and use the command mbssid. You'll also have to use mbssid from the configuration terminal interface to enable multiple basic SSIDs on an access point radio interface. This command was introduced in IOS release 12.3(4)JA.

See: Cisco IOS mbssid command

[NB. The validity of the following advice with regard to the latest release of IOS is unknown - it certainly applied to pre-12.3.8 releases.] By default the Cisco WAP beacon can advertise only one broadcast SSID; nevertheless it is possible to alert client devices to additional SSIDs, although this did not remove the limitation that RADIUS assignment of VLANs was not possible. You can achieve client alerting of multiple SSIDs as follows: use the SSID list information elements (SSIDL IEs) in the access point beacon to alert client devices to additional SSIDs on the access point. When you designate an SSID to be included in an SSIDL IE, client devices detect that the SSID is available, and they also detect the security settings required to associate using that SSID.

See: Cisco AP Configuration Guide - Configuring Multiple SSIDs.

The AP configuration needs to use the command: information-element ssidl [advertisement] [wps] (Microsoft Wireless Provisioning Services) in the radio interface configuration / specific SSID configuration section.

For WinXP users the following download must be installed. This update enhances Windows XP support for Wi-Fi Protected Access 2 (WPA2) options in Wireless Group Policy (WGP), and helps prevent the Windows wireless client from advertising the wireless networks in its preferred networks list.

WinXP Update:

http://www.microsoft.com/downloads/details.aspx?familyid=2726F32F-D52B-4F84-ACE8-F7FC20195769&displaylang=en

http://support.microsoft.com/kb/917021

Using this update, the 'hidden' SSIDs become visible in a Cisco 'fat' AP environment - the subsequent SSIDs use the extension made available through 802.11i.

Can you expand on what is necessary to convert 'fat' Cisco WAPs into 'thin' ones? (Is it just an IOS upgrade and does it cost anything? What device(s) do you use to control them? Do you lose any functionality in converting to thin?)

Changing to thin is a straightforward job. Either use the IOS command line (archive download-sw tftp://.........), the Windows-based upgrade tool or a WLSE (Wireless LAN Solution Engine). The upgrade tool and software image can be downloaded free from Cisco, and the tool pushes the image to the APs you tell it to, which converts them to lightweight. They then get their configuration from the controller rather than it being stored locally.

To control these thin APs you need a central controller, which incurs a cost. Lightweight wireless means all the clever stuff (authentication, key management, channel and power management) is done by a central box. This could be the Wireless Services Module (WiSM) for the Cisco Catalyst 6500 switch (controls up to 300 APs), the standalone Wireless Control System (WCS) or the Catalyst 3750G Integrated Wireless LAN Controller (can only control about 32 APs). There's a fair amount of configuration to do so that the controller knows about your VLANs, SSIDs, RADIUS servers etc.

You gain a great deal of functionality and management facilities - such as reporting, accounting, configuring WLANs, mobility etc. You manage the APs via a web interface on either the controller or a PC running Cisco's WCS software, which co-ordinates multiple controllers and does RF planning etc. Adding a new access point is a straightforward task of connecting it to a switch and then using the software to put the switch port in the right VLAN.

Summary:

  • WAPs must have IOS 12.3(7)JA or higher
  • Thin IOS must then be loaded via WinXP program (available on Cisco web) or via CLI
  • The WAPs must be 1240AG/1130AG/1200 series [1210,1220,1230,1235]
  • (1200 series radios must be one of following models only: MP21G/MP31G/RM21A/RM22A)
  • Wireless controller module (WiSM) of some description necessary [WiSM for Catalyst 6500 (will need a free slot), WCS or Catalyst 3750G IWLC]
  • Catalyst 6500 requirements: free slot for WiSM, Supervisor Engine 720 WS-SUP720 needed and to run a SUP720 you need the higher rated PSU
  • For large deployments of three or more WiSM, a WCS is recommended

There is a guide to the process on the Cisco web site: Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

To get the upgrade tool and Cisco IOS release:

  • Browse to the wireless downloads page: http://tools.cisco.com/support/downloads/pub/MDFTree.x?butype=wireless
  • Click Access Points.
  • Click the type of access point that you want to upgrade. When you click the access point type, the access point folder expands.
  • Click the access point that you want to upgrade in the expanded list. The Select a Software Type list appears.
  • For the upgrade tool, click the Autonomous to Lightweight Mode Upgrade Tool link.
  • For the software image, click the Autonomous to Lightweight Mode Upgrade Image link.

Any problems, comments or suggestions regarding this page, please e-mail the JRS service manager.