Here you will find many example configurations for institutions joining eduroam-US. We intend to include information for as many RADIUS servers as possible. At this time Radiator and FreeRADIUS are the two RADIUS servers generally used in eduroam-US. We also have configurations for Microsoft NPS and Juniper's Steel-Belted RADIUS. Another good source of eduroam configuration information is the documentation at the.

The eduroam-US top level RADIUS servers are and. The current, and temporary, eduroam-US CA certificate can be found farther down this page. This certificate is used for connecting with accounts.

Note: After, or preferably before, configuring your RADIUS server, make sure your network and host firewalls are configured to pass RADIUS traffic unhindered to your servers. For more information please see Firewall Configuration Guidelines in the Non-Radius Configurations section of the Administrator Guide.

After you have configured your RADIUS server please read the section on testing your connection to eduroam-US.

Below is a compilation of best practices for eduroam-US participating institutions. These are meant to be guidelines which will enable members of eduroam-US to stay up-to-date and secure with little extra work by RADIUS administrators.

Configure RADIUS servers by DNS name rather than IP address, to facilitate changes in infrastructure without reconfiguration of local or top-level servers.

RADIUS server certificates should be signed by a Certificate Authority whose signing certificates are already in the trusted store of most operating systems. Examples include Comodo, Thawte, and Verisign. This will ease configuration of user devices.

RADIUS secrets should be of the same complexity as strong passwords and longer than 12 characters. Since these change infrequently and are only typed when first created or changed, the extra complexity should not burden administrators.

Make your client specification as specific as possible and avoid wildcard handlers, so that only the TLRSs can forward requests to your server with the shared secret.

Be sure not to forward sub-domains – i.e. – or requests to your main domain to the TLRS, as the request will be dropped. This is to prevent routing loops, and such a request is generally the result of a misconfiguration. This can be troublesome for users attempting to test their own forwarding if they are unaware of the filter.

Configure your eduroam SSID such that only usernames of the form are accepted. Often schools will allow simply "user" without a realm for their local users, but when those users travel they cannot join, since their configuration does not conform to the eduroam standard. Forcing all local users to include their realm means less debugging later.

Configure your RADIUS server to include the Framed-MTU attribute. This attribute should be set to, or slightly less than, the MTU of all hardware which will pass your EAP traffic. This includes your wireless or wired infrastructure, any passive (inline) firewalls, IPS or IDS, and your upstream connection.
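The realm-handling rules above (require a realm, authenticate your own realms locally, never proxy your own domain or its sub-domains to the TLRS, proxy everything else to top-level servers named by DNS) can be checked as a small policy before touching a live server. The script below is an added example and is not code from the eduroam-US guide or from any RADIUS server; the realms (example.edu, cs.example.edu) and the TLRS hostnames (tlrs1.example.net, tlrs2.example.net) are constructed placeholders, and the `route` function and `Decision` type are this example's own names.

```python
"""Realm-routing policy check for an eduroam-US participant's RADIUS server.

Added example, not code from the eduroam-US guide or any RADIUS product.
It models the decisions the best practices call for:
  * a User-Name without a realm is rejected outright,
  * the institution's own realms are authenticated locally,
  * unknown sub-domains of the institution's realm are rejected locally and
    never proxied to the top-level RADIUS servers (TLRS), which would drop them,
  * every other realm is proxied to a fail-over pool of TLRS named by DNS.
All realms and hostnames below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PRIMARY_REALM = "example.edu"                     # assumed institution realm
LOCAL_REALMS = {"example.edu", "cs.example.edu"}  # realms this server authenticates
# TLRS pool referenced by DNS name (not IP) so infrastructure changes need no edits.
TLRS_POOL: Tuple[str, ...] = ("tlrs1.example.net", "tlrs2.example.net")

# Minimal user@realm pattern: one '@', realm limited to hostname characters.
_NAI = re.compile(r"^[^@\s]+@(?P<realm>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)$")


@dataclass(frozen=True)
class Decision:
    action: str                   # "reject", "local" or "forward"
    reason: str
    target: Optional[str] = None  # TLRS hostname when action == "forward"


def route(user_name: str, failed: Tuple[str, ...] = ()) -> Decision:
    """Decide what this server does with a request carrying User-Name.

    `failed` lists TLRS hosts already tried for this request, so a caller can
    walk the pool in fail-over order by passing back the hosts that timed out.
    """
    match = _NAI.match(user_name)
    if not match:
        # Bare "user" (or a malformed name) never conforms to the eduroam standard.
        return Decision("reject", "no realm: eduroam requires user@realm")
    realm = match.group("realm").lower()

    if realm in LOCAL_REALMS:
        return Decision("local", f"{realm} is served here: authenticate locally")

    # Our own domain or a sub-domain we do not serve: proxying it to the TLRS
    # would only be dropped there (loop prevention), so reject it locally.
    if realm == PRIMARY_REALM or realm.endswith("." + PRIMARY_REALM):
        return Decision("reject", f"{realm} is under {PRIMARY_REALM} but unknown; not proxied")

    for host in TLRS_POOL:
        if host not in failed:
            return Decision("forward", f"foreign realm {realm}: proxy to TLRS", host)
    return Decision("reject", "every TLRS in the pool failed")


if __name__ == "__main__":
    # Constructed sample User-Names exercising each branch of the policy.
    for name in ("alice", "alice@example.edu", "bob@CS.example.edu",
                 "carol@physics.example.edu", "dave@uni.example.ac.uk"):
        d = route(name)
        print(f"{name:28} -> {d.action:8} {d.reason}" + (f" via {d.target}" if d.target else ""))
```

Running the script prints one line per sample name with the action taken; the reason strings are what an administrator would expect to see in the server's own log when testing forwarding against the filter described above.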