1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
|
<pre>Independent Submission K. Wierenga
Request for Comments: 7593 Cisco Systems
Category: Informational S. Winter
ISSN: 2070-1721 RESTENA
T. Wolniewicz
Nicolaus Copernicus University
September 2015
<span class="h1">The eduroam Architecture for Network Roaming</span>
Abstract
This document describes the architecture of the eduroam service for
federated (wireless) network access in academia. The combination of
IEEE 802.1X, the Extensible Authentication Protocol (EAP), and RADIUS
that is used in eduroam provides a secure, scalable, and deployable
service for roaming network access. The successful deployment of
eduroam over the last decade in the educational sector may serve as
an example for other sectors, hence this document. In particular,
the initial architectural choices and selection of standards are
described, along with the changes that were prompted by operational
experience.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7593">http://www.rfc-editor.org/info/rfc7593</a>.
<span class="grey">Wierenga, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Terminology . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.2">1.2</a>. Notational Conventions . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Design Goals . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.4">1.4</a>. Solutions That Were Considered . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2">2</a>. Classic Architecture . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.1">2.1</a>. Authentication . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.1.1">2.1.1</a>. IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.1.2">2.1.2</a>. EAP . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2.2">2.2</a>. Federation Trust Fabric . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.2.1">2.2.1</a>. RADIUS . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-3">3</a>. Issues with Initial Trust Fabric . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-3.1">3.1</a>. Server Failure Handling . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-3.2">3.2</a>. No Signaling of Error Conditions . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-3.3">3.3</a>. Routing Table Complexity . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-3.4">3.4</a>. UDP Issues . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
3.5. Insufficient Payload Encryption and EAP Server Validation 16
<a href="#section-4">4</a>. New Trust Fabric . . . . . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-4.1">4.1</a>. RADIUS with TLS . . . . . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-4.2">4.2</a>. Dynamic Discovery . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4.2.1">4.2.1</a>. Discovery of Responsible Server . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4.2.2">4.2.2</a>. Verifying Server Authorization . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-4.2.3">4.2.3</a>. Operational Experience . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-4.2.4">4.2.4</a>. Possible Alternatives . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-5">5</a>. Abuse Prevention and Incident Handling . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-5.1">5.1</a>. Incident Handling . . . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-5.1.1">5.1.1</a>. Blocking Users on the SP Side . . . . . . . . . . . . <a href="#page-23">23</a>
<a href="#section-5.1.2">5.1.2</a>. Blocking Users on the IdP Side . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-5.1.3">5.1.3</a>. Communicating Account Blocking to the End User . . . <a href="#page-25">25</a>
<a href="#section-5.2">5.2</a>. Operator Name . . . . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-5.3">5.3</a>. Chargeable User Identity . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-6">6</a>. Privacy Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-6.1">6.1</a>. Collusion of Service Providers . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-6.2">6.2</a>. Exposing User Credentials . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<span class="grey">Wierenga, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<a href="#section-6.3">6.3</a>. Track Location of Users . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7">7</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.1">7.1</a>. Man-in-the-Middle and Tunneling Attacks . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.1.1">7.1.1</a>. Verification of Server Name Not Supported . . . . . . <a href="#page-29">29</a>
7.1.2. Neither Specification of CA nor Server Name Checks
during Bootstrap . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.1.3">7.1.3</a>. User Does Not Configure CA or Server Name Checks . . <a href="#page-30">30</a>
7.1.4. Tunneling Authentication Traffic to Obfuscate User
Origin . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-7.2">7.2</a>. Denial-of-Service Attacks . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<a href="#section-7.2.1">7.2.1</a>. Intentional DoS by Malign Individuals . . . . . . . . <a href="#page-31">31</a>
<a href="#section-7.2.2">7.2.2</a>. DoS as a Side-Effect of Expired Credentials . . . . . <a href="#page-32">32</a>
<a href="#section-8">8</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-33">33</a>
<a href="#section-8.1">8.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-33">33</a>
<a href="#section-8.2">8.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-34">34</a>
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-36">36</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-37">37</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
In 2002, the European Research and Education community set out to
create a network roaming service for students and employees in
academia [<a href="#ref-eduroam-start">eduroam-start</a>]. Now, over 10 years later, this service has
grown to more than 10,000 service locations, serving millions of
users on all continents with the exception of Antarctica.
This memo serves to explain the considerations for the design of
eduroam as well as to document operational experience and resulting
changes that led to IETF specifications such as RADIUS over TCP
[<a href="./rfc6613" title=""RADIUS over TCP"">RFC6613</a>] and RADIUS with TLS [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>] and that promoted alternative
uses of RADIUS like in Application Bridging for Federated Access
Beyond web (ABFAB) [<a href="#ref-ABFAB-ARCH">ABFAB-ARCH</a>]. Whereas the eduroam service is
limited to academia, the eduroam architecture can easily be reused in
other environments.
First, this memo describes the original architecture of eduroam
[<a href="#ref-eduroam-homepage">eduroam-homepage</a>]. Then, a number of operational problems are
presented that surfaced when eduroam gained wide-scale deployment.
Lastly, enhancements to the eduroam architecture that mitigate the
aforementioned issues are discussed.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
This document uses identity management and privacy terminology from
[<a href="./rfc6973" title=""Privacy Considerations for Internet Protocols"">RFC6973</a>]. In particular, this document uses the terms "Identity
Provider", "Service Provider", and "identity management".
<span class="grey">Wierenga, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Notational Conventions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
Note: Also, the policy to which eduroam participants subscribe
expresses the requirements for participation in <a href="./rfc2119">RFC 2119</a> language.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Design Goals</span>
The guiding design considerations for eduroam were as follows:
- Unique identification of users at the edge of the network
The access Service Provider (SP) needs to be able to determine
whether a user is authorized to use the network resources.
Furthermore, in case of abuse of the resources, there is a
requirement to be able to identify the user uniquely (with the
cooperation of the user's Identity Provider (IdP) operator).
- Enable (trusted) guest use
In order to enable roaming, it should be possible for users of
participating institutions to get seamless access to the networks
of other institutions.
Note: Traffic separation between guest users and normal users is
possible (for example, through the use of VLANs), and indeed
widely used in eduroam.
- Scalable
The infrastructure that is created should scale to a large number
of users and organizations without requiring a lot of coordination
and other administrative procedures (possibly with the exception
of an initial setup). Specifically, it should not be necessary
for a user that visits another organization to go through an
administrative process.
- Easy to install and use
It should be easy for both organizations and users to participate
in the roaming infrastructure; otherwise, it may inhibit wide-
scale adoption. In particular, there should be no client
installation (or it should be easy) and only one-time
configuration.
<span class="grey">Wierenga, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
- Secure
An important design criterion has been that there needs to be a
security association between the end user and their Identity
Provider, eliminating the possibility of credential theft. The
minimal requirements for security are specified in the eduroam
policy and subject to change over time. As an additional
protection against user errors and negligence, it should be
possible for participating Identity Providers to add their own
requirements for the quality of authentication of their own users
without the need for the infrastructure as a whole to implement
the same requirements.
- Privacy preserving
The design of the system should provide for user anonymization,
i.e., a possibility to hide the user's identity from any third
parties, including Service Providers.
- Standards based
In an infrastructure in which many thousands of organizations
participate, it is obvious that it should be possible to use
equipment from different vendors; therefore, it is important to
build the infrastructure using open standards.
<span class="h3"><a class="selflink" id="section-1.4" href="#section-1.4">1.4</a>. Solutions That Were Considered</span>
Three architectures were trialed: one based on the use of VPN
technology (deemed secure but not scalable), one based on Web
captive-portals (scalable but not secure), and one based on IEEE
802.1X, the latter being the basis of what is now the eduroam
architecture. An overview of the candidate architectures and their
relative merits can be found in [<a href="#ref-nrenroaming-select">nrenroaming-select</a>].
The chosen architecture is based on:
o IEEE 802.1X [<a href="#ref-IEEE.802.1X">IEEE.802.1X</a>] as the port-based authentication
framework using
o EAP [<a href="./rfc3748" title=""Extensible Authentication Protocol (EAP)"">RFC3748</a>] for integrity-protected and confidential transport
of credentials and
o a RADIUS [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] hierarchy as the trust fabric.
<span class="grey">Wierenga, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Classic Architecture</span>
Federations, like eduroam, implement essentially two types of direct
trust relations (and one indirect). The trust relation between an
end user and the IdP (operated by the home organization of the user)
and between the IdP and the SP (in eduroam, the operator of the
network at the visited location). In eduroam, the trust relation
between the user and IdP is through mutual authentication. IdPs and
the SP establish trust through the use of a RADIUS hierarchy.
These two forms of trust relations in turn provide the transitive
trust relation that makes the SP trust the user to use its network
resources.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Authentication</span>
Authentication in eduroam is achieved by using a combination of IEEE
802.1X [<a href="#ref-IEEE.802.1X">IEEE.802.1X</a>] and EAP [<a href="./rfc4372" title=""Chargeable User Identity"">RFC4372</a>] (the latter carried over
RADIUS for guest access; see <a href="#section-2.2">Section 2.2</a>).
<span class="h4"><a class="selflink" id="section-2.1.1" href="#section-2.1.1">2.1.1</a>. IEEE 802.1X</span>
By using the IEEE 802.1X [<a href="#ref-IEEE.802.1X">IEEE.802.1X</a>] framework for port-based
network authentication, organizations that offer network access (SPs)
for visiting (and local) eduroam users can make sure that only
authorized users get access. The user (or rather the user's
supplicant) sends an access request to the authenticator (Wi-Fi
Access Point or switch) at the SP, the authenticator forwards the
access request to the authentication server of the SP, that in turn
proxies the request through the RADIUS hierarchy to the
authentication server of the user's home organization (the IdP).
Note: The security of the connections between local wireless
infrastructure and local RADIUS servers is a part of the local
network of each SP; therefore, it is out of scope for this document.
For completeness, it should be stated that security between access
points and their controllers is vendor specific, and security between
controllers (or standalone access points) and local RADIUS servers is
based on the typical RADIUS shared secret mechanism.
In order for users to be aware of the availability of the eduroam
service, an SP that offers wireless network access MUST broadcast the
Service Set Identifier (SSID) 'eduroam', unless that conflicts with
the SSID of another eduroam SP, in which case, an SSID starting with
"eduroam-" MAY be used. The downside of the latter is that clients
will not automatically connect to that SSID, thus losing the seamless
connection experience.
<span class="grey">Wierenga, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
Note: A direct implication of the common eduroam SSID is that the
users cannot distinguish between a connection to the home network and
a guest network at another eduroam institution (IEEE 802.11-2012 does
have the so-called "Interworking" to make that distinction, but it is
not widely implemented yet). Furthermore, without proper server
verification, users may even be tricked into joining a rogue eduroam
network. Therefore, users should be made aware that they should not
assume data confidentiality in the eduroam infrastructure.
To protect over-the-air confidentiality of user data, IEEE 802.11
wireless networks of eduroam SPs MUST deploy WPA2+AES, and they MAY
additionally support Wi-Fi Protected Access with the Temporal Key
Integrity Protocol (WPA/TKIP) as a courtesy to users of legacy
hardware.
<span class="h4"><a class="selflink" id="section-2.1.2" href="#section-2.1.2">2.1.2</a>. EAP</span>
The use of the Extensible Authentication Protocol (EAP) [<a href="./rfc4372" title=""Chargeable User Identity"">RFC4372</a>]
serves two purposes. In the first place, a properly chosen EAP
method allows for integrity-protected and confidential transport of
the user credentials to the home organization. Secondly, by having
all RADIUS servers transparently proxy access requests, regardless of
the EAP method inside the RADIUS packet, the choice of EAP method is
between the 'home' organization of the user and the user. In other
words, in principle, every authentication form that can be carried
inside EAP can be used in eduroam, as long as they adhere to minimal
requirements as set forth in the eduroam Policy Service Definition
[<a href="#ref-eduroam-service-definition">eduroam-service-definition</a>].
<span class="grey">Wierenga, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
+-----+
/ \
/ \
/ \
/ \
,----------\ | | ,---------\
| SP | | eduroam | | IdP |
| +----+ trust fabric +---+ |
`------+---' | | '-----+---'
| | | |
| \ / |
| \ / |
| \ / |
| \ / |
+----+ +-----+ +----+
| |
| |
+---+--+ +--+---+
| | | |
+-+------+-+ ___________________________ | |
| | O__________________________ ) +------+
+----------+
Host (supplicant) EAP tunnel Authentication server
Figure 1: Tunneled EAP
Proxying of access requests is based on the outer identity in the
EAP-Message. Those outer identities MUST be a valid user identifier
with a mandatory realm as per [<a href="./rfc7542" title=""The Network Access Identifier"">RFC7542</a>], i.e., be of the form
something@realm or just @realm, where the realm part is the domain
name of the institution that the IdP belongs to. In order to
preserve credential protection, participating organizations MUST
deploy EAP methods that provide mutual authentication. For EAP
methods that support outer identity, anonymous outer identities are
recommended. Most commonly used in eduroam are the so-called
tunneled EAP methods that first create a server-authenticated TLS
[<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] tunnel through which the user credentials are transmitted.
As depicted in Figure 1, the use of a tunneled EAP method creates a
direct logical connection between the supplicant and the
authentication server, even though the actual traffic flows through
the RADIUS hierarchy.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Federation Trust Fabric</span>
The eduroam federation trust fabric is based on RADIUS. RADIUS trust
is based on shared secrets between RADIUS peers. In eduroam, any
RADIUS message originating from a trusted peer is implicitly assumed
to originate from a member of the roaming consortium.
<span class="grey">Wierenga, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
Note: See also the security considerations for a discussion on RADIUS
security that motivated the work on RADIUS with TLS [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>].
<span class="h4"><a class="selflink" id="section-2.2.1" href="#section-2.2.1">2.2.1</a>. RADIUS</span>
The eduroam trust fabric consists of a proxy hierarchy of RADIUS
servers (organizational, national, global) that is loosely based on
the DNS hierarchy. That is, typically an organizational RADIUS
server agrees on a shared secret with a national server, and the
national server in turn agrees on a shared secret with the root
server. Access requests are routed through a chain of RADIUS proxies
towards the Identity Provider of the user, and the access accept (or
reject) follows the same path back.
Note: In some circumstances, there are more levels of RADIUS servers
(for example, regional or continental servers), but that doesn't
change the general model. Also, the packet exchange that is
described below requires, in reality, several round-trips.
<span class="grey">Wierenga, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
+-------+
| |
| . |
| |
+---+---+
/ | \
+----------------/ | \---------------------+
| | |
| | |
| | |
+--+---+ +--+--+ +----+---+
| | | | | |
| .edu | . . . | .nl | . . . | .ac.uk |
| | | | | |
+--+---+ +--+--+ +----+---+
/ | \ | \ |
/ | \ | \ |
/ | \ | \ |
+-----+ | +-----+ | +------+ |
| | | | | |
| | | | | |
+---+---+ +----+---+ +----+---+ +--+---+ +-----+----+ +-----+-----+
| | | | | | | | | | | |
|utk.edu| |utah.edu| |case.edu| |hva.nl| |surfnet.nl| |soton.ac.uk|
| | | | | | | | | | | |
+----+--+ +--------+ +--------+ +------+ +----+-----+ +-----------+
| |
| |
+--+--+ +--+--+
| | | |
+-+-----+-+ | |
| | +-----+
+---------+
user: paul@surfnet.nl surfnet.nl Authentication server
Figure 2: eduroam RADIUS Hierarchy
Routing of access requests to the home IdP is done based on the realm
part of the outer identity. For example (as in Figure 2), when user
paul@surfnet.nl of SURFnet (surfnet.nl) tries to gain wireless
network access at the University of Tennessee at Knoxville (utk.edu)
the following happens:
o Paul's supplicant transmits an EAP access request to the Access
Point (Authenticator) at UTK with outer identity of
anonymous@surfnet.nl.
<span class="grey">Wierenga, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
o The Access Point forwards the EAP message to its Authentication
Server (the UTK RADIUS server).
o The UTK RADIUS server checks the realm to see if it is a local
realm; since it isn't, the request is proxied to the .edu RADIUS
server.
o The .edu RADIUS server verifies the realm; since it is not in a
.edu subdomain, it proxies the request to the root server.
o The root RADIUS server proxies the request to the .nl RADIUS
server, since the ".nl" domain is known to the root server.
o The .nl RADIUS server proxies the request to the surfnet.nl
server, since it knows the SURFnet server.
o The surfnet.nl RADIUS server decapsulates the EAP message and
verifies the user credentials, since the user is known to SURFnet.
o The surfnet.nl RADIUS server informs the utk.edu server of the
outcome of the authentication request (Access-Accept or Access-
Reject) by proxying the outcome through the RADIUS hierarchy in
reverse order.
o The UTK RADIUS server instructs the UTK Access Point to either
accept or reject access based on the outcome of the
authentication.
Note: The depiction of the root RADIUS server is a simplification.
In reality, the root server is distributed over three continents and
each maintains a list of the top-level realms that a specific root
server is responsible for. This also means that, for
intercontinental roaming, there is an extra proxy step from one root
server to the other. Also, the physical distribution of nodes
doesn't need to mirror the logical distribution of nodes. This helps
with stability and scalability.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Issues with Initial Trust Fabric</span>
While the hierarchical RADIUS architecture described in the previous
section has served as the basis for eduroam operations for an entire
decade, the exponential growth of authentications is expected to lead
to, and has in fact in some cases already led to, performance and
operations bottlenecks on the aggregation proxies. The following
sections describe some of the shortcomings and the resulting
remedies.
<span class="grey">Wierenga, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Server Failure Handling</span>
In eduroam, authentication requests for roaming users are statically
routed through preconfigured proxies. The number of proxies varies:
in a national roaming case, the number of proxies is typically 1 or 2
(some countries deploy regional proxies, which are in turn aggregated
by a national proxy); in international roaming, 3 or 4 proxy servers
are typically involved (the number may be higher along some routes).
<a href="./rfc2865">RFC 2865</a> [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] does not define a failover algorithm. In
particular, the failure of a server needs to be deduced from the
absence of a reply. Operational experience has shown that this has
detrimental effects on the infrastructure and end-user experience:
1. Authentication failure: the first user whose authentication path
is along a newly failed server will experience a long delay and
possibly timeout
2. Wrongly deduced states: since the proxy chain is longer than one
hop, a failure further along in the authentication path is
indistinguishable from a failure in the next hop.
3. Inability to determine recovery of a server: only a "live"
authentication request sent to a server that is believed to be
inoperable can lead to the discovery that the server is in
working order again. This issue has been resolved with <a href="./rfc5997">RFC 5997</a>
[<a href="./rfc5997" title=""Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol"">RFC5997</a>].
The second point can have significant impact on the operational state
of the system in a worst-case scenario: imagine one realm's home
server being inoperable. A user from that realm is trying to roam
internationally and tries to authenticate. The RADIUS server on the
hotspot location may assume its own national proxy is down because it
does not reply. That national server, being perfectly alive, in turn
will assume that the international aggregation proxy is down, which
in turn will believe the home country proxy national server is down.
None of these assumptions are true. Worse yet: in case of failover
to a back-up next-hop RADIUS server, also that server will be marked
as being defunct, since through that server no reply will be received
from the defunct home server either. Within a short time, all
redundant aggregation proxies might be considered defunct by their
preceding hop.
In the absence of proper next-hop state derivation, some interesting
concepts have been introduced by eduroam participants -- the most
noteworthy being a failover logic that considers up/down states not
per next-hop RADIUS peer, but instead per realm (See [<a href="#ref-dead-realm">dead-realm</a>] for
details). Recently, implementations of <a href="./rfc5997">RFC 5997</a> [<a href="./rfc5997" title=""Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol"">RFC5997</a>] and
<span class="grey">Wierenga, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
cautious failover parameters make false "downs" unlikely to happen,
as long as every hop implements <a href="./rfc5997">RFC 5997</a>. In that case, dead realm
detection serves mainly to prevent proxying of large numbers of
requests to known dead realms.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. No Signaling of Error Conditions</span>
The RADIUS protocol lacks signaling of error conditions, and the IEEE
802.1X standard does not allow conveying of extended failure reasons
to the end user's device. For eduroam, this creates two issues:
o The home server may have an operational problem, for example, its
authentication decisions may depend on an external data source
such as a SQL server or Microsoft's Active Directory, and the
external data source is unavailable. If the RADIUS interface is
still functional, there are two options for how to reply to an
Access-Request that can't be serviced due to such error
conditions:
1. Do Not Reply: The inability to reach a conclusion can be
handled by not replying to the request. The upside of this
approach is that the end user's software doesn't come to wrong
conclusions and won't give unhelpful hints such as "maybe your
password is wrong". The downside is that intermediate proxies
may come to wrong conclusions because their downstream RADIUS
server isn't responding.
2. Reply with Reject: In this option, the inability to reach a
conclusion is treated like an authentication failure. The
upside of this approach is that intermediate proxies maintain
a correct view on the reachability state of their RADIUS peer.
The downside is that EAP supplicants on end-user devices often
react with either false advice ("your password is wrong") or
even trigger permanent configuration changes (e.g., the
Windows built-in supplicant will delete the credential set
from its registry, prompting the user for their password on
the next connection attempt). The latter case of Windows is a
source of significant help-desk activity; users may have
forgotten their password after initially storing it but are
suddenly prompted again.
There have been epic discussions in the eduroam community as well as
in the IETF RADEXT Working Group as to which of the two approaches is
more appropriate, but they were not conclusive.
Similar considerations apply when an intermediate proxy does not
receive a reply from a downstream RADIUS server. The proxy may
either choose not to reply to the original request, leading to
<span class="grey">Wierenga, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
retries and its upstream peers coming to wrong conclusions about its
own availability; or, it may decide to reply with Access-Reject to
indicate its own liveliness, but again with implications for the end
user.
The ability to send Status-Server watchdog requests is only of use
after the fact, in case a downstream server doesn't reply (or hasn't
been contacted in a long while, so that its previous working state is
stale). The active link-state monitoring of the TCP connection with,
e.g., RADIUS/TLS (see <a href="#section-4.1">Section 4.1</a>), gives a clearer indication
whether there is an alive RADIUS peer, but it does not solve the
defunct back-end problem. An explicit ability to send Error-Replies,
on the RADIUS level (for other RADIUS peer information) and EAP level
(for end-user supplicant information), would alleviate these problems
but is currently not available.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Routing Table Complexity</span>
The aggregation of RADIUS requests based on the structure of the
user's realm implies that realms ending with the same top-level
domain are routed to the same server, i.e., to a common
administrative domain. While this is true for country code Top-Level
Domains (ccTLDs), which map into national eduroam federations, it is
not true for realms residing in generic Top-Level Domains (gTLDs).
Realms in gTLDs were historically discouraged because the automatic
mapping "realm ending" -> "eduroam federation's server" could not be
applied. However, with growing demand from eduroam realm
administrators, it became necessary to create exception entries in
the forwarding rules; such realms need to be mapped on a realm-by-
realm basis to their eduroam federations. Example: "kit.edu"
(Karlsruher Institut fuer Technologie) needs to be routed to the
German federation server, whereas "iu.edu" (Indiana University) needs
to be routed to the USA federation server.
While the ccTLDs occupy only approximately 50 routing entries in
total (and have an upper bound of approximately 200), the potential
size of the routing table becomes virtually unlimited if it needs to
accommodate all individual entries in .edu, .org, etc.
In addition to that, all these routes need to be synchronized between
three international root servers, and the updates need to be applied
manually to RADIUS server configuration files. The frequency of the
required updates makes this approach fragile and error-prone as the
number of entries grows.
<span class="grey">Wierenga, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. UDP Issues</span>
RADIUS is based on UDP, which was a reasonable choice when its main
use was with simple Password Authentication Protocol (PAP) requests
that required only exactly one packet exchange in each direction.
When transporting EAP over RADIUS, the EAP conversations require
multiple round-trips; depending on the total payload size, 8-10
round-trips are not uncommon. The loss of a single UDP packet will
lead to user-visible delays and might result in servers being marked
as dead due to the absence of a reply. The proxy path in eduroam
consists of several proxies, all of which introduce a very small
packet loss probability; that is, the more proxies needed, the higher
the failure rate is going to be.
For some EAP types, depending on the exact payload size they carry,
RADIUS servers and/or supplicants may choose to put as much EAP data
into a single RADIUS packet as the supplicant's Layer 2 medium allows
-- typically 1500 bytes. In that case, the RADIUS encapsulation
around the EAP-Message will add more bytes to the overall RADIUS
payload size and in the end exceed the 1500-byte limit, leading to
fragmentation of the UDP datagram on the IP layer. While in theory
this is not a problem, in practice there is evidence of misbehaving
firewalls that erroneously discard non-first UDP fragments; this
ultimately leads to a denial of service for users with such EAP types
and that specific configuration.
One EAP type proved to be particularly problematic: EAP-TLS. While
it is possible to configure the EAP server to send smaller chunks of
EAP payload to the supplicant (e.g., 1200 bytes, to allow for another
300 bytes of RADIUS overhead without fragmentation), very often the
supplicants that send the client certificate do not expose such a
configuration detail to the user. Consequently, when the client
certificate is over 1500 bytes in size, the EAP-Message will always
make use of the maximum possible Layer 2 chunk size, and this
introduces fragmentation on the path from EAP peer to EAP server.
Both of the previously mentioned sources of errors (packet loss and
fragment discard) lead to significant frustration for the affected
users. Operational experience of eduroam shows that such cases are
hard to debug since they require coordinated cooperation of all
eduroam administrators on the authentication path. For that reason,
the eduroam community is developing monitoring tools that help to
locate fragmentation problems.
Note: For more detailed discussion of these issues, please refer to
<a href="./rfc6613#section-1.1">Section 1.1 of [RFC6613]</a>.
<span class="grey">Wierenga, et al. Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Insufficient Payload Encryption and EAP Server Validation</span>
The RADIUS protocol's design foresaw only the encryption of select
RADIUS attributes, most notably User-Password. With EAP methods
conforming to the requirements of [<a href="./rfc4017" title=""Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs"">RFC4017</a>], the user's credential is
not transmitted using the User-Password attribute, and stronger
encryption than the one for RADIUS User-Password is in use (typically
TLS).
Still, the use of EAP does not encrypt all personally identifiable
details of the user session, as some are carried inside cleartext
RADIUS attributes. In particular, the user's device can be
identified by inspecting the Calling-Station-ID attribute; and the
user's location may be derived from observing NAS-IP-Address, NAS-
Identifier, or Operator-Name attributes. Since these attributes are
not encrypted, even IP-layer third parties can harvest the
corresponding data. In a worst-case scenario, this enables the
creation of mobility profiles. Pervasive passive surveillance using
this connection metadata such as the recently uncovered incidents in
the US National Security Agency (NSA) and the UK Government
Communications Headquarters (GCHQ) becomes possible by tapping RADIUS
traffic from an IP hop near a RADIUS aggregation proxy. While this
is possible, the authors are not aware whether this has actually been
done.
These profiles are not necessarily linkable to an actual user because
EAP allows for the use of anonymous outer identities and protected
credential exchanges. However, practical experience has shown that
many users neglect to configure their supplicants in a privacy-
preserving way or their supplicants don't support that. In
particular, for EAP-TLS users, the use of EAP-TLS identity protection
is not usually implemented and cannot be used. In eduroam, concerned
individuals and IdPs that use EAP-TLS are using pseudonymous client
certificates to provide for better privacy.
One way out, at least for EAP types involving a username, is to
pursue the creation and deployment of preconfigured supplicant
configurations that make all the required settings in user devices
prior to their first connection attempt; this depends heavily on the
remote configuration possibilities of the supplicants though.
A further threat involves the verification of the EAP server's
identity. Even though the cryptographic foundation, TLS tunnels, is
sound, there is a weakness in the supplicant configuration: many
users do not understand or are not willing to invest time into the
inspection of server certificates or the installation of a trusted
certification authority (CA). As a result, users may easily be
<span class="grey">Wierenga, et al. Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
tricked into connecting to an unauthorized EAP server, ultimately
leading to a leak of their credentials to that unauthorized third
party.
Again, one way out of this particular threat is to pursue the
creation and deployment of preconfigured supplicant configurations
that make all the required settings in user devices prior to their
first connection attempt.
Note: There are many different and vendor-proprietary ways to
preconfigure a device with the necessary EAP parameters (examples
include Apple, Inc.'s "mobileconfig" and Microsoft's "EAPHost" XML
schema). Some manufacturers even completely lack any means to
distribute EAP configuration data. We believe there is value in
defining a common EAP configuration metadata format that could be
used across manufacturers, ideally leading to a situation where IEEE
802.1X network end users merely need to apply this configuration file
to configure any of their devices securely with the required
connection properties.
Another possible privacy threat involves transport of user-specific
attributes in a Reply-Message. If, for example, a RADIUS server
sends back a hypothetical RADIUS Vendor-Specific-Attribute "User-Role
= Student of Computer Science" (e.g., for consumption of an SP RADIUS
server and subsequent assignment into a "student" VLAN), this
information would also be visible for third parties and could be
added to the mobility profile.
The only way to mitigate all information leakage to third parties is
by protecting the entire RADIUS packet payload so that IP-layer third
parties cannot extract privacy-relevant information. RADIUS as
specified in <a href="./rfc2865">RFC 2865</a> does not offer this possibility though. This
motivated [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>]; see <a href="#section-4.1">Section 4.1</a>.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. New Trust Fabric</span>
The operational difficulties with an ever-increasing number of
participants (as documented in the previous section) have led to a
number of changes to the eduroam architecture that in turn have led
to IETF specifications (as mentioned in the introduction).
Note: The enhanced architecture components are fully backwards
compatible with the existing installed base and are, in fact,
gradually replacing those parts of it where problems may arise.
Whereas the user authentication using IEEE 802.1X and EAP has
remained unchanged (i.e., no need for end users to change any
configurations), the issues as reported in <a href="#section-3">Section 3</a> have resulted in
<span class="grey">Wierenga, et al. Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
a major overhaul of the way EAP messages are transported from the
RADIUS server of the SP to that of the IdP and back. The two
fundamental changes are the use of TCP instead of UDP and reliance on
TLS instead of shared secrets between RADIUS peers, as outlined in
[<a href="#ref-radsec-whitepaper">radsec-whitepaper</a>].
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. RADIUS with TLS</span>
The deficiencies of RADIUS over UDP as described in <a href="#section-3.4">Section 3.4</a>
warranted a search for a replacement of <a href="./rfc2865">RFC 2865</a> [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] for the
transport of EAP. By the time this need was understood, the
designated successor protocol to RADIUS, Diameter, was already
specified by the IETF in its intial version [<a href="./rfc3588" title=""Diameter Base Protocol"">RFC3588</a>]. However,
within the operational constraints of eduroam (listed below), no
single combination of software could be found (and that is believed
to still be true, more than ten years and one revision of Diameter
[<a href="./rfc6733" title=""Diameter Base Protocol"">RFC6733</a>] later). The constraints are:
o reasonably cheap to deploy on many administrative domains
o supporting the application of Network Access Server Requirements
(NASREQ)
o supporting EAP application
o supporting Diameter Redirect
o supporting validation of authentication requests of the most
popular EAP types (EAP Tunneled Transport Layer Security
(EAP-TTLS), Protected EAP (PEAP), and EAP-TLS)
o possibility to retrieve these credentials from popular back-ends
such as MySQL or Microsoft's Active Directory.
In addition, no Wi-Fi Access Points at the disposal of eduroam
participants supported Diameter, nor did any of the manufacturers
have a roadmap towards Diameter support (and that is believed to
still be true, more than 10 years later). This led to the open
question of lossless translation from RADIUS to Diameter and vice
versa -- a question not satisfactorily answered by NASREQ.
After monitoring the Diameter implementation landscape for a while,
it became clear that a solution with better compatibility and a
plausible upgrade path from the existing RADIUS hierarchy was needed.
The eduroam community actively engaged in the IETF towards the
specification of several enhancements to RADIUS to overcome the
limitations mentioned in <a href="#section-3">Section 3</a>. The outcome of this process was
[<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>] and [<a href="#ref-DYN-DISC" title=""NAI-based Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS"">DYN-DISC</a>].
<span class="grey">Wierenga, et al. Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
With its use of TCP instead of UDP, and with its full packet
encryption, while maintaining full packet format compatibility with
RADIUS/UDP, RADIUS/TLS [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>] allows any given RADIUS link in
eduroam to be upgraded without the need of a "flag day".
In a first upgrade phase, the classic eduroam hierarchy (forwarding
decision made by inspecting the realm) remains intact. That way,
RADIUS/TLS merely enhances the underlying transport of the RADIUS
datagrams. But, this already provides some key advantages:
o explicit peer reachability detection using long-lived TCP sessions
o protection of user credentials and all privacy-relevant RADIUS
attributes
RADIUS/TLS connections for the static hierarchy could be realized
with the TLS-PSK [<a href="./rfc4279" title=""Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)"">RFC4279</a>] operation mode (which effectively provides
a 1:1 replacement for RADIUS/UDP's "shared secrets"), but since this
operation mode is not widely supported as of yet, all RADIUS/TLS
links in eduroam are secured by TLS with X.509 certificates from a
set of accredited CAs.
This first deployment phase does not yet solve the routing table
complexity problem (see <a href="#section-3.3">Section 3.3</a>); this aspect is covered by
introducing dynamic discovery for RADIUS/TLS servers.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Dynamic Discovery</span>
When introducing peer discovery, two separate issues had to be
addressed:
1. how to find the network address of a responsible RADIUS server
for a given realm
2. how to verify that this realm is an authorized eduroam
participant
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. Discovery of Responsible Server</span>
Issue 1 can relatively simply be addressed by putting eduroam-
specific service discovery information into the global DNS tree. In
eduroam, this is done by using NAPTR records as per the S-NAPTR
specification [<a href="./rfc3958" title=""Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS)"">RFC3958</a>] with a private-use NAPTR service tag
("x-eduroam:radius.tls"). The usage profile of that NAPTR resource
record is that exclusively "S" type delegations are allowed and that
no regular expressions are allowed.
<span class="grey">Wierenga, et al. Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
A subsequent lookup of the resulting SRV records will eventually
yield hostnames and IP addresses of the authoritative server(s) of a
given realm.
Example (wrapped for readability):
> dig -t naptr education.example.
;; ANSWER SECTION:
education.example. 43200 IN NAPTR 100 10 "s"
"x-eduroam:radius.tls" ""
_radsec._tcp.eduroam.example.
> dig -t srv _radsec._tcp.eduroam.example.
;; ANSWER SECTION:
_radsec._tcp.eduroam.example. 43200 IN SRV 0 0 2083
tld1.eduroam.example.
> dig -t aaaa tld1.eduroam.example.
;; ANSWER SECTION:
tld1.eduroam.example. 21751 IN AAAA 2001:db8:1::2
Figure 3: SRV Record Lookup
From the operational experience with this mode of operation, eduroam
is pursuing standardization of this approach for generic AAA use
cases. The current RADEXT working group document for this is
[<a href="#ref-DYN-DISC" title=""NAI-based Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS"">DYN-DISC</a>].
Note: It is worth mentioning that this move to a more complex,
flexible system may make the system as a whole more fragile, as
compared to the static set up.
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. Verifying Server Authorization</span>
Any organization can put "x-eduroam" NAPTR entries into their Domain
Name Server, pretending to be the eduroam Identity Provider for the
corresponding realm. Since eduroam is a service for a heterogeneous,
but closed, user group, additional sources of information need to be
consulted to verify that a realm with its discovered server is
actually an eduroam participant.
The eduroam consortium has chosen to deploy a separate PKI that
issues certificates only to authorized eduroam Identity Providers and
eduroam Service Providers. Since certificates are needed for RADIUS/
<span class="grey">Wierenga, et al. Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
TLS anyway, it was a straightforward solution to reuse the PKI for
that. The PKI fabric allows multiple CAs as trust roots (overseen by
a Policy Management Authority) and requires that certificates that
were issued to verified eduroam participants are marked with
corresponding "X509v3 Policy OID" fields; eduroam RADIUS servers and
clients need to verify the existence of these OIDs in the incoming
certificates.
The policies and OIDs can be retrieved from the "eduPKI Trust Profile
for eduroam Certificates" [<a href="#ref-eduPKI" title=""eduPKI Trust Profiles"">eduPKI</a>].
<span class="h4"><a class="selflink" id="section-4.2.3" href="#section-4.2.3">4.2.3</a>. Operational Experience</span>
The discovery model is currently deployed in approximately 10
countries that participate in eduroam, making more than 100 realms
discoverable via their NAPTR records. Experience has shown that the
model works and scales as expected, the only drawback being that the
additional burden of operating a PKI that is not local to the
national eduroam administrators creates significant administrative
complexities. Also, the presence of multiple CAs and regular updates
of Certificate Revocation Lists makes the operation of RADIUS servers
more complex.
<span class="h4"><a class="selflink" id="section-4.2.4" href="#section-4.2.4">4.2.4</a>. Possible Alternatives</span>
There are two alternatives to this approach to dynamic server
discovery that are monitored by the eduroam community:
1. DNSSEC + DNS-Based Authentication of Named Entities (DANE) TLSA
records
2. ABFAB Trust Router
For DNSSEC+DANE TLSA, the biggest advantage is that the certificate
data itself can be stored in the DNS -- possibly obsoleting the PKI
infrastructure *if* a new place for the server authorization checks
can be found. Its most significant downside is that the DANE
specifications only include client-to-server certificate checks,
while RADIUS/TLS requires also server-to-client verification.
For the ABFAB Trust Router, the biggest advantage is that it would
work without certificates altogether (by negotiating TLS-PSK keys ad
hoc). The downside is that it is currently not formally specified
and not as thoroughly understood as any of the other solutions.
<span class="grey">Wierenga, et al. Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Abuse Prevention and Incident Handling</span>
Since the eduroam service is a confederation of autonomous networks,
there is little justification for transferring accounting information
from the Service Provider to any other (in general) or to the
Identity Provider of the user (in particular). Accounting in eduroam
is therefore considered to be a local matter of the Service Provider.
The eduroam compliance statement [<a href="#ref-eduroam-compliance">eduroam-compliance</a>] in fact
specifies that accounting traffic [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] SHOULD NOT be forwarded.
The static routing infrastructure of eduroam acts as a filtering
system blocking accounting traffic from misconfigured local RADIUS
servers. Proxy servers are configured to terminate accounting
request traffic by answering to Accounting-Requests with an
Accounting-Response in order to prevent the retransmission of
orphaned Accounting-Request messages. With dynamic discovery,
Identity Providers that are discoverable via DNS will need to apply
these filtering measures themselves. This is an increase in
complexity of the Identity Provider RADIUS configuration.
Roaming creates accountability problems, as identified by [<a href="./rfc4372" title=""Chargeable User Identity"">RFC4372</a>]
(Chargeable User Identity). Since the NAS can only see the (likely
anonymous) outer identity of the user, it is impossible to correlate
usage with a specific user (who may use multiple devices). A NAS
that supports [<a href="./rfc4372" title=""Chargeable User Identity"">RFC4372</a>] can request the Chargeable-User-Identity and,
if supplied by the authenticating RADIUS server in the Access-Accept
message, add this value to corresponding Access-Request packets.
While eduroam does not have any charging mechanisms, it may still be
desirable to identify traffic originating from one particular user.
One of the reasons is to prevent abuse of guest access by users
living near university campuses. Chargeable User Identity (see
<a href="#section-5.3">Section 5.3</a>) supplies the perfect answer to this problem; however, at
the time of writing, to our knowledge, only one hardware vendor (Meru
Networks) implements <a href="./rfc4372">RFC 4372</a> on their access points. For all other
vendors, requesting the Chargeable-User-Identity attribute needs to
happen on the RADIUS server to which the access point is connected
to. FreeRADIUS supports this ability in the latest distribution, and
Radiator can be retrofitted to do the same.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Incident Handling</span>
10 years of experience with eduroam have not exposed any serious
incident. This may be taken as evidence for proper security design
as well as suggest that users' awareness that they are identifiable
acts as an effective deterrent. It could of course also mean that
eduroam operations lack the proper tools or insight into the actual
use and potential abuse of the service. In any case, many of the
<span class="grey">Wierenga, et al. Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
attack vectors that exist in open networks or networks where access
control is based on shared secrets are not present, arguably leading
to a much more secure system.
Below is a discussion of countermeasures that are taken in eduroam.
The European eduroam Policy Service Definition
[<a href="#ref-eduroam-service-definition">eduroam-service-definition</a>], as an example, describes incident
scenarios and actions to be taken; in this document, we present the
relevant technical issues.
The initial implementation has been lacking reliable tools for an SP
to make its own decision or for an IdP to introduce a conditional
rule applying only to a given SP. The introduction of support for
Operator-Name and Chargeable-User-Identity (see <a href="#section-5.3">Section 5.3</a>) to
eduroam makes both of these scenarios possible.
<span class="h4"><a class="selflink" id="section-5.1.1" href="#section-5.1.1">5.1.1</a>. Blocking Users on the SP Side</span>
The first action in the case of an incident is to block the user's
access to eduroam at the Service Provider. Since the roaming user's
true identity is likely hidden behind an anonymous/fake outer
identity, the Service Provider can only rely on the realm of the user
and his MAC address; if the Identity Provider has already sent a
Chargeable-User-Identity (see <a href="#section-5.3">Section 5.3</a> for details), then this
extra information can be used to identify the user more reliably.
A first attempt at the SP side may be to block based on the MAC
address or outer identity. This blocking can be executed before the
EAP authentication occurs -- typically in the first datagram, acting
on the RADIUS attributes EAP-Message/EAP-Response/Identity and
Calling-Station-ID. The datagram can either be dropped (supplicant
notices a time-out) or replied to with a RADIUS Access-Reject
containing an EAP-Failure. Since malicious users can change both
their MAC addresses and the local part of their outer identity
between connection attempts, this first attempt is not sufficient to
lock out a determined user.
As a second measure, the SP can let the EAP authentication proceed as
normal, and verify whether the final Access-Accept response from the
RADIUS server contains a Chargeable-User-Identity (CUI). If so, the
SP RADIUS server can be configured to turn all future Access-Accepts
for this CUI into an Access-Reject/EAP-Failure. This measure is
effective and efficient: it locks out exactly the one user that is
supposed to be locked out, and it has no side-effects on other users,
even from the same realm.
<span class="grey">Wierenga, et al. Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
If the EAP authentication does not reveal a CUI, the SP cannot
reliably determine the user in question. The only reliable
information to act upon is then the realm portion of the outer
identity of the user. The SP will need to resort to blocking the
entire realm that the offending user belongs to. This is effective,
but not efficient: it locks out the user in question, but has a DoS
side-effect on all other visiting users from the same realm.
In the absence of a CUI handle, SPs that are not willing to take the
drastic step of blocking an entire realm will be forced to contact
the Identity Provider in question and demand that the user be blocked
at the IdP side. This involves human interaction between SP and IdP
and is not possible in real-time.
<span class="h4"><a class="selflink" id="section-5.1.2" href="#section-5.1.2">5.1.2</a>. Blocking Users on the IdP Side</span>
The IdP has the power to disable a user account altogether, thus
blocking this user from accessing eduroam in all sites. If blocking
the user is done due a request of an SP (as per the previous
section), there may be a more fine-grained possibility to block
access to a specific SP -- if the SP in question sends the Operator-
Name attribute along with his Access-Requests (see <a href="#section-5.2">Section 5.2</a> for
details).
If the IdP decides to block the user globally, this is typically done
by treating the login attempt as if the credentials were wrong: the
entire EAP conversation needs to be executed to the point where the
true inner identity is revealed (before that, the IdP does not know
yet which user is attempting to authenticate). This typically
coincides with the point in time where credentials are exchanged.
Instead of, or in addition to, checking the credential for validity,
the Identity Provider also checks whether the user's account is
(still) eligible for eduroam use and will return an Access-Reject/
EAP-Failure if not.
There may well be cases where opinions between the SP desiring a user
lockout and the IdP of the user differ. For example, an SP might
consider massive amounts of up-/downloads with file sharing protocols
unacceptable as per local policy, and desire blocking of users that
create too much traffic -- but the IdP does not take offense on such
actions and would not want to lock his user out of eduroam globally
because of this one SP's opinion.
In the absence of the Operator-Name attribute, there is no way to
apply a login restriction only for a given SP and not eduroam as a
whole; eduroam eligibility is an all-or-nothing decision for the IdP.
<span class="grey">Wierenga, et al. Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
If the Operator-Name attribute is present, the IdP can use this
information to fail the authentication attempt only if the attempt
originated from SPs that desire such blocking. Even though the
Operator-Name attribute is available from the first RADIUS Access-
Request datagram onwards, the EAP authentication needs to be carried
out until the true inner identity is known just as in the global
blocking case above. The Operator-Name is simply an additional piece
of information that the IdP can use to make its decision.
<span class="h4"><a class="selflink" id="section-5.1.3" href="#section-5.1.3">5.1.3</a>. Communicating Account Blocking to the End User</span>
The measures described in Sections <a href="#section-5.1.1">5.1.1</a> and <a href="#section-5.1.2">5.1.2</a> alter the EAP
conversation. They either create a premature rejection or timeout at
the start of the conversation or change the outcome of the
authentication attempt at the very end of the conversation.
On the supplicant side, these alterations are indistinguishable from
an infrastructure failure: a premature rejection or timeout could be
due to a RADIUS server being unresponsive, and a rejection at the end
of the conversation could be either user error (wrong password) or
server error (credential lookup failed). For the supplicant, it is
thus difficult to communicate a meaningful error to the user. The
newly specified EAP type TEAP, Tunnel Extensible Authentication
Protocol [<a href="./rfc7170" title=""Tunnel Extensible Authentication Protocol (TEAP) Version 1"">RFC7170</a>], has a means to transport fine-grained error
reason codes to the supplicant; this has the potential to improve the
situation in the future.
The EAP protocol foresees one mechanism to provide such user-
interactive communication: the EAP state machine contains states that
allow user-visible communication. An extra round of EAP-Request/
Notification and the corresponding acknowledgement can be injected
before the final EAP-Failure.
However, anecdotal evidence suggests that supplicants typically do
not implement this part of the EAP state machine at all. One
supplicant is reported to support it, but only logs the contents of
the notification in a log file -- which is not at all helpful for the
end user.
The discovery of reasons and scope of account blocking are thus left
as an out-of-band action. The eduroam user support process requires
that users with authentication problems contact their Identity
Provider as a first measure (via unspecified means, e.g., they could
phone their IdP or send an email via a 3G backup link). If the
Identity Provider is the one that blocked their access, the user will
immediately be informed by them. If the reason for blocking is at
the SP side, the Identity Provider will instead inform the user that
<span class="grey">Wierenga, et al. Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
the account is in working order and that the user needs to contact
the SP IT support to get further insight. In that case, that SP-side
IT support will notify the users about the reasons for blocking.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Operator Name</span>
The Operator-Name attribute is defined in [<a href="./rfc5580" title=""Carrying Location Objects in RADIUS and Diameter"">RFC5580</a>] as a means of
unique identification of the access site.
The Proxy infrastructure of eduroam makes it impossible for home
sites to tell where their users roam. While this may be seen as a
positive aspect enhancing user's privacy, it also makes user support,
roaming statistics, and blocking offending user's access to eduroam
significantly harder.
Sites participating in eduroam are encouraged to add the Operator-
Name attribute using the REALM namespace, i.e., sending a realm name
under control of the given site.
The introduction of Operator-Name in eduroam has led to the
identification of one operational problem -- the identifier 126
assigned to this attribute has been previously used by some vendors
for their specific purposes and has been included in attribute
dictionaries of several RADIUS server distributions. Since the
syntax of this hijacked attribute had been set to Integer, this
introduces a syntax clash with the RFC definition (which defines it
as Text). Operational tests in eduroam have shown that servers using
the Integer syntax for attribute 126 may either truncate the value to
4 octets or even drop the entire RADIUS packet (thus making
authentication impossible). The eduroam monitoring and eduroam test
tools try to locate problematic sites. <a href="./rfc6929#section-2.8">Section 2.8 of [RFC6929]</a>
clarifies the handling of these packets.
When a Service Provider sends its Operator-Name value, it creates a
possibility for the home sites to set up conditional blocking rules,
depriving certain users of access to selected sites. Such action
will cause much less concern than blocking users from all of eduroam.
In eduroam, the Operator Name is also used for the generation of
Chargeable User Identity values.
The addition of Operator-Name is a straightforward configuration of
the RADIUS server and may be easily introduced on a large scale.
<span class="grey">Wierenga, et al. Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Chargeable User Identity</span>
The Chargeable-User-Identity (CUI) attribute is defined by <a href="./rfc4372">RFC 4372</a>
[<a href="./rfc4372" title=""Chargeable User Identity"">RFC4372</a>] as an answer to accounting problems caused by the use of
anonymous identity in some EAP methods. In eduroam, the primary use
of CUI is in incident handling, but it can also enhance local
accounting.
The eduroam policy requires that a given user's CUI generated for
requests originating from different sites should be different (to
prevent collusion attacks). The eduroam policy thus mandates that a
CUI request be accompanied by the Operator-Name attribute, which is
used as one of the inputs for the CUI generation algorithm. The
Operator-Name requirement is considered to be the "business
requirement" described in <a href="./rfc4372#section-2.1">Section 2.1 of RFC 4372</a> [<a href="./rfc4372" title=""Chargeable User Identity"">RFC4372</a>] and hence
conforms to the RFC.
When eduroam started considering using CUI, there were no NAS
implementations; therefore, the only solution was moving all CUI
support to the RADIUS server.
CUI request generation requires only the addition of NUL CUI
attributes to outgoing Access-Requests; however, the real strength of
CUI comes with accounting. Implementation of CUI-based accounting in
the server requires that the authentication and accounting RADIUS
servers used directly by the NAS are actually the same or at least
have access to a common source of information. Upon processing of an
Access-Accept, the authenticating RADIUS server must store the
received CUI value together with the device's Calling-Station-Id in a
temporary database. Upon receipt of an Accounting-Request, the
server needs to update the packet with the CUI value read from the
database.
A wide introduction of CUI support in eduroam will significantly
simplify incident handling at Service Providers. Introducing local,
per-user access restriction will be possible. Visited sites will
also be able to notify the home site about the introduction of such a
restriction, pointing to the CUI value and thus making it possible
for the home site to identify the user. When the user reports the
problem at his home support, the reason will be already known.
<span class="grey">Wierenga, et al. Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Privacy Considerations</span>
The eduroam architecture has been designed with protection of user
credentials in mind, as may be clear from reading this far. However,
operational experience has revealed some more subtle points with
regards to privacy.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Collusion of Service Providers</span>
If users use anonymous outer identities, SPs cannot easily collude by
linking outer identities to users that are visiting their campus.
However, this poses problems with remediation of abuse or
misconfiguration. It is impossible to find the user that exhibits
unwanted behaviour or whose system has been compromised.
For that reason, the Chargeable-User-Identity has been introduced in
eduroam, constructed so that only the IdP of the user can uniquely
identify the user. In order to prevent collusion attacks, that CUI
is required to be unique per user and per Service Provider.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Exposing User Credentials</span>
Through the use of EAP, user credentials are not visible to anyone
but the IdP of the user. That is, if a sufficiently secure EAP
method is chosen and EAP is not terminated prematurely.
There is one privacy sensitive user attribute that is necessarily
exposed to third parties and that is the realm the user belongs to.
Routing in eduroam is based on the realm part of the user identifier,
so even though the outer identity in a tunneled EAP method may be set
to an anonymous identifier, it MUST contain the realm of the user,
and may thus lead to identifying the user if the realm in question
contains few users. This is considered a reasonable trade-off
between user privacy and usability.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Track Location of Users</span>
Due to the fact that access requests (potentially) travel through a
number of proxy RADIUS servers, the home IdP of the user typically
cannot tell where a user roams.
However, the introduction of Operator-Name and dynamic lookups (i.e.,
direct connections between IdP and SP) gives the home IdP insight
into the location of the user.
<span class="grey">Wierenga, et al. Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
This section addresses only security considerations associated with
the use of eduroam. For considerations relating to IEEE 802.1X,
RADIUS, and EAP in general, the reader is referred to the respective
specification and to other literature.
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Man-in-the-Middle and Tunneling Attacks</span>
The security of user credentials in eduroam ultimately lies within
the EAP server verification during the EAP conversation. Therefore,
the eduroam policy mandates that only EAP types capable of mutual
authentication are allowed in the infrastructure, and requires that
IdPs publish all information that is required to uniquely identify
the server (i.e., usually the EAP server's CA certificate and its
Common Name or subjectAltName:dNSName).
While in principle this makes man-in-the-middle attacks impossible,
in practice several attack vectors exist nonetheless. Most of these
deficiencies are due to implementation shortcomings in EAP
supplicants. Examples:
<span class="h4"><a class="selflink" id="section-7.1.1" href="#section-7.1.1">7.1.1</a>. Verification of Server Name Not Supported</span>
Some supplicants only allow specifying which CA issues the EAP server
certificate; its name is not checked. As a result, any entity that
is able to get a server certificate from the same CA can create its
own EAP server and trick the end user to submit his credentials to
that fake server.
As a mitigation to that problem, eduroam Operations suggests the use
of a private CA that exclusively issues certificates to the
organization's EAP servers. In that case, no other entity will get a
certificate from the CA and this supplicant shortcoming does not
present a security threat any more.
<span class="h4"><a class="selflink" id="section-7.1.2" href="#section-7.1.2">7.1.2</a>. Neither Specification of CA nor Server Name Checks during</span>
<span class="h4"> Bootstrap</span>
Some supplicants allow for insecure bootstrapping in that they allow
the simple selection of a network the acceptance of the incoming
server certificate, identified by its fingerprint. The certificate
is then saved as trusted for later reconnection attempts. If users
are near a fake hotspot during initial provisioning, they may be
tricked to submit their credentials to a fake server; furthermore,
they will be branded to trust only that fake server in the future.
<span class="grey">Wierenga, et al. Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
eduroam Identity Providers are advised to provide their users with
complete documentation for setup of their supplicants without the
shortcut of insecure bootstrapping. In addition, eduroam Operations
has created a tool that makes correct, complete, and secure settings
on many supplicants: eduroam CAT [<a href="#ref-eduroam-CAT">eduroam-CAT</a>].
<span class="h4"><a class="selflink" id="section-7.1.3" href="#section-7.1.3">7.1.3</a>. User Does Not Configure CA or Server Name Checks</span>
Unless automatic provisioning tools such as eduroam CAT are used, it
is cumbersome for users to initially configure an EAP supplicant
securely. User interfaces of supplicants often invite the users to
take shortcuts ("Don't check server certificate") that are easier to
set up or hide important security settings in badly accessible sub-
menus. Such shortcuts or security parameter omissions make the user
subject to man-in-the-middle attacks.
eduroam IdPs are advised to educate their users regarding the
necessary steps towards a secure setup. eduroam Research and
Development is in touch with supplicant developers to improve their
user interfaces.
<span class="h4"><a class="selflink" id="section-7.1.4" href="#section-7.1.4">7.1.4</a>. Tunneling Authentication Traffic to Obfuscate User Origin</span>
There is no link between the EAP outer ("anonymous") identity and the
EAP inner ("real") identity. In particular, they can both contain a
realm name, and the realms need not be identical. It is possible to
craft packets with an outer identity of user@RealmB, and an inner
identity of user@realmA. With the eduroam request routing, a Service
Provider would assume that the user is from realmB and send the
request there. The server at realmB inspects the inner user name,
and if proxying is not explicitly disabled for tunneled request
content, may decide to send the tunneled EAP payload to realmA, where
the user authenticates. A CUI value would likely be generated by the
server at realmB, even though this is not its user.
Users can craft such packets to make their identification harder;
usually, the eduroam SP would assume that the troublesome user
originates from realmB and demand there that the user be blocked.
However, the operator of realmB has no control over the user and can
only trace back the user to his real origin if logging of proxied
requests is also enabled for EAP tunnel data.
eduroam Identity Providers are advised to explicitly disable proxying
on the parts of their RADIUS server configuration that process EAP
tunnel data.
<span class="grey">Wierenga, et al. Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Denial-of-Service Attacks</span>
Since eduroam's roaming infrastructure is based on IP and RADIUS, it
suffers from the usual DoS attack vectors that apply to these
protocols.
The eduroam hotspots are susceptible to typical attacks on edge
networks, such as rogue Router Advertisements (RAs), rogue DHCP
servers, and others. Notably, eduroam hotspots are more robust
against malign users' DHCP pool exhaustion than typical open or
"captive portal" hotspots, because a DHCP address is only leased
after a successful authentication, thereby reducing the pool of
possible attackers to eduroam account holders (as opposed to the
general public). Furthermore, attacks involving ARP spoofing or ARP
flooding are also reduced to authenticated users, because an attacker
needs to be in possession of a valid WPA2 session key to be able to
send traffic on the network.
This section does not discuss standard threats to edge networks and
IP networks in general. The following sections describe attack
vectors specific to eduroam.
<span class="h4"><a class="selflink" id="section-7.2.1" href="#section-7.2.1">7.2.1</a>. Intentional DoS by Malign Individuals</span>
The eduroam infrastructure is more robust against Distributed DoS
attacks than typical services that are reachable on the Internet
because triggering authentication traffic can only be done when
physically in proximity of an eduroam hotspot (be it a wired socket
that is IEEE 802.1X enabled or a Wi-Fi Access Point).
However, when in the vicinity, an attacker can easily craft
authentication attempts that traverse the entire international
eduroam infrastructure; an attacker merely needs to choose a realm
from another world region than his physical location to trigger
Access-Requests that need to be processed by the SP, then SP-side
national, then world region, then target world region, then target
national, then target IdP server. So long as the realm actually
exists, this will be followed by an entire EAP conversation on that
path. Not having actual credentials, the request will ultimately be
rejected, but it consumed processing power and bandwidth across the
entire infrastructure, possibly affecting all international
authentication traffic.
EAP is a lock-step protocol. A single attacker at an eduroam hotspot
can only execute one EAP conversation after another and is thus rate-
limited by round-trip times of the RADIUS chain.
<span class="grey">Wierenga, et al. Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
Currently, eduroam processes several hundred thousands of successful
international roaming authentications per day (and, incidentally,
approximately 1.5 times as many Access-Rejects). With the
requirement of physical proximity, and the rate-limiting induced by
EAP's lock-step nature, it requires a significant amount of attackers
and a time-coordinated attack to produce significant load. So far,
eduroam Operations has not yet observed critical load conditions that
could reasonably be attributed to such an attack.
The introduction of dynamic discovery further eases this problem, as
authentications will then not traverse all infrastructure servers,
removing the world-region aggregation servers as obvious bottlenecks.
Any attack would then be limited between an SP and IdP directly.
<span class="h4"><a class="selflink" id="section-7.2.2" href="#section-7.2.2">7.2.2</a>. DoS as a Side-Effect of Expired Credentials</span>
In eduroam Operations, it is observed that a significant portion of
(failed) eduroam authentications is due to user accounts that were
once valid but have in the meantime been de-provisioned (e.g., if a
student has left the university after graduation). Configured
eduroam accounts are often retained on the user devices, and when in
the vicinity of an eduroam hotspot, the user device's operating
system will attempt to connect to this network.
As operation of eduroam continues, the amount of devices with
leftover configurations is growing, effectively creating a pool of
devices that produce unwanted network traffic whenever they can.
Until recently, this problem did not emerge with much prominence,
because there is also a natural shrinking of that pool of devices due
to users finally decommissioning their old computing hardware.
Recently, smartphones are programmed to make use of cloud storage and
online backup mechanisms that save most, or all, configuration
details of the device with a third party. When renewing their
personal computing hardware, users can restore the old settings onto
the new device. It has been observed that expired eduroam accounts
can survive perpetually on user devices that way. If this trend
continues, it can be pictured that an always-growing pool of devices
will clog up eduroam infrastructure with doomed-to-fail
authentication requests.
<span class="grey">Wierenga, et al. Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
There is not currently a useful remedy to this problem, other than
instructing users to manually delete their configuration in due time.
Possible approaches to this problem are:
o Creating a culture of device provisioning where the provisioning
profile contains a "ValidUntil" property, after which the
configuration needs to be re-validated or disabled. This requires
a data format for provisioning as well as implementation support.
o Improvements to supplicant software so that it maintains state
over failed authentications. For example, if a previously known
working configuration failed to authenticate consistently for 30
calendar days, it should be considered stale and be disabled.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC2865">RFC2865</a>] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
<a href="./rfc2865">RFC 2865</a>, DOI 10.17487/RFC2865, June 2000,
<<a href="http://www.rfc-editor.org/info/rfc2865">http://www.rfc-editor.org/info/rfc2865</a>>.
[<a id="ref-RFC3748">RFC3748</a>] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
H. Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", <a href="./rfc3748">RFC 3748</a>, DOI 10.17487/RFC3748, June 2004,
<<a href="http://www.rfc-editor.org/info/rfc3748">http://www.rfc-editor.org/info/rfc3748</a>>.
[<a id="ref-RFC4279">RFC4279</a>] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)",
<a href="./rfc4279">RFC 4279</a>, DOI 10.17487/RFC4279, December 2005,
<<a href="http://www.rfc-editor.org/info/rfc4279">http://www.rfc-editor.org/info/rfc4279</a>>.
[<a id="ref-RFC4372">RFC4372</a>] Adrangi, F., Lior, A., Korhonen, J., and J. Loughney,
"Chargeable User Identity", <a href="./rfc4372">RFC 4372</a>,
DOI 10.17487/RFC4372, January 2006,
<<a href="http://www.rfc-editor.org/info/rfc4372">http://www.rfc-editor.org/info/rfc4372</a>>.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>,
DOI 10.17487/RFC5246, August 2008,
<<a href="http://www.rfc-editor.org/info/rfc5246">http://www.rfc-editor.org/info/rfc5246</a>>.
<span class="grey">Wierenga, et al. Informational [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
[<a id="ref-RFC5280">RFC5280</a>] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", <a href="./rfc5280">RFC 5280</a>, DOI 10.17487/RFC5280, May 2008,
<<a href="http://www.rfc-editor.org/info/rfc5280">http://www.rfc-editor.org/info/rfc5280</a>>.
[<a id="ref-RFC5580">RFC5580</a>] Tschofenig, H., Ed., Adrangi, F., Jones, M., Lior, A., and
B. Aboba, "Carrying Location Objects in RADIUS and
Diameter", <a href="./rfc5580">RFC 5580</a>, DOI 10.17487/RFC5580, August 2009,
<<a href="http://www.rfc-editor.org/info/rfc5580">http://www.rfc-editor.org/info/rfc5580</a>>.
[<a id="ref-RFC5997">RFC5997</a>] DeKok, A., "Use of Status-Server Packets in the Remote
Authentication Dial In User Service (RADIUS) Protocol",
<a href="./rfc5997">RFC 5997</a>, DOI 10.17487/RFC5997, August 2010,
<<a href="http://www.rfc-editor.org/info/rfc5997">http://www.rfc-editor.org/info/rfc5997</a>>.
[<a id="ref-RFC6613">RFC6613</a>] DeKok, A., "RADIUS over TCP", <a href="./rfc6613">RFC 6613</a>,
DOI 10.17487/RFC6613, May 2012,
<<a href="http://www.rfc-editor.org/info/rfc6613">http://www.rfc-editor.org/info/rfc6613</a>>.
[<a id="ref-RFC6614">RFC6614</a>] Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
"Transport Layer Security (TLS) Encryption for RADIUS",
<a href="./rfc6614">RFC 6614</a>, DOI 10.17487/RFC6614, May 2012,
<<a href="http://www.rfc-editor.org/info/rfc6614">http://www.rfc-editor.org/info/rfc6614</a>>.
[<a id="ref-RFC6973">RFC6973</a>] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", <a href="./rfc6973">RFC 6973</a>,
DOI 10.17487/RFC6973, July 2013,
<<a href="http://www.rfc-editor.org/info/rfc6973">http://www.rfc-editor.org/info/rfc6973</a>>.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-ABFAB-ARCH">ABFAB-ARCH</a>]
Howlett, J., Hartman, S., Tschofenig, H., Lear, E., and
J. Schaad, "Application Bridging for Federated Access
Beyond Web (ABFAB) Architecture", Work in Progress,
<a href="./draft-ietf-abfab-arch-13">draft-ietf-abfab-arch-13</a>, July 2014.
[<a id="ref-dead-realm">dead-realm</a>]
Tomasek, J., "Dead-realm marking feature for Radiator
RADIUS servers", 2006,
<<a href="http://www.eduroam.cz/dead-realm/docs/dead-realm.html">http://www.eduroam.cz/dead-realm/docs/dead-realm.html</a>>.
[<a id="ref-DYN-DISC">DYN-DISC</a>] Winter, S. and M. McCauley, "NAI-based Dynamic Peer
Discovery for RADIUS/TLS and RADIUS/DTLS", Work in
Progress, <a href="./draft-ietf-radext-dynamic-discovery-15">draft-ietf-radext-dynamic-discovery-15</a>, April
2015.
<span class="grey">Wierenga, et al. Informational [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
[<a id="ref-eduPKI">eduPKI</a>] Delivery of Advanced Network Technology to Europe, "eduPKI
Trust Profiles", 2012, <<a href="https://www.edupki.org/edupki-pma/edupki-trust-profiles/">https://www.edupki.org/edupki-pma/</a>
<a href="https://www.edupki.org/edupki-pma/edupki-trust-profiles/">edupki-trust-profiles/</a>>.
[<a id="ref-eduroam-CAT">eduroam-CAT</a>]
Delivery of Advanced Network Technology to Europe,
"eduroam CAT", 2012, <<a href="https://cat.eduroam.org">https://cat.eduroam.org</a>>.
[<a id="ref-eduroam-compliance">eduroam-compliance</a>]
Trans-European Research and Education Networking
Association, "eduroam Compliance Statement", October 2011,
<<a href="http://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf">http://www.eduroam.org/downloads/docs/</a>
<a href="http://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf">eduroam_Compliance_Statement_v1_0.pdf</a>>.
[<a id="ref-eduroam-homepage">eduroam-homepage</a>]
Trans-European Research and Education Networking
Association, "eduroam Homepage", 2007,
<<a href="http://www.eduroam.org/">http://www.eduroam.org/</a>>.
[<a id="ref-eduroam-service-definition">eduroam-service-definition</a>]
GEANT, "eduroam Policy Service Definition", Version 2.8,
July 2012, <<a href="https://www.eduroam.org/downloads/docs/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf">https://www.eduroam.org/downloads/docs/GN3-12-</a>
<a href="https://www.eduroam.org/downloads/docs/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf">192_eduroam-policy-service-definition_ver28_26072012.pdf</a>>.
[<a id="ref-eduroam-start">eduroam-start</a>]
Wierenga, K., "Subject: proposal for inter NREN roaming",
message to the mobility@terena.nl mailing list, initial
proposal for what is now called eduroam, 30 May 2002,
<<a href="http://www.terena.org/activities/tf-mobility/start-of-eduroam.pdf">http://www.terena.org/activities/tf-mobility/</a>
<a href="http://www.terena.org/activities/tf-mobility/start-of-eduroam.pdf">start-of-eduroam.pdf</a>>.
[<a id="ref-IEEE.802.1X">IEEE.802.1X</a>]
IEEE, "IEEE Standard for Local and metropolitan area
networks - Port-Based Network Access Control", IEEE
802.1X-2010, DOI 10.1109/ieeestd.2010.5409813,
<<a href="http://ieeexplore.ieee.org/servlet/opac?punumber=5409757">http://ieeexplore.ieee.org/servlet/</a>
<a href="http://ieeexplore.ieee.org/servlet/opac?punumber=5409757">opac?punumber=5409757</a>>.
[<a id="ref-nrenroaming-select">nrenroaming-select</a>]
Trans-European Research and Education Networking
Association, "Preliminary selection for inter-NREN
roaming", December 2003,
<<a href="http://www.terena.org/activities/tf-mobility/deliverables/delG/DelG-final.pdf">http://www.terena.org/activities/tf-mobility/</a>
<a href="http://www.terena.org/activities/tf-mobility/deliverables/delG/DelG-final.pdf">deliverables/delG/DelG-final.pdf</a>>.
<span class="grey">Wierenga, et al. Informational [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
[<a id="ref-radsec-whitepaper">radsec-whitepaper</a>]
Open System Consultants, "RadSec: a secure, reliable
RADIUS Protocol", October 2012,
<<a href="http://www.open.com.au/radiator/radsec-whitepaper.pdf">http://www.open.com.au/radiator/radsec-whitepaper.pdf</a>>.
[<a id="ref-RFC3588">RFC3588</a>] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and
J. Arkko, "Diameter Base Protocol", <a href="./rfc3588">RFC 3588</a>,
DOI 10.17487/RFC3588, September 2003,
<<a href="http://www.rfc-editor.org/info/rfc3588">http://www.rfc-editor.org/info/rfc3588</a>>.
[<a id="ref-RFC3958">RFC3958</a>] Daigle, L. and A. Newton, "Domain-Based Application
Service Location Using SRV RRs and the Dynamic Delegation
Discovery Service (DDDS)", <a href="./rfc3958">RFC 3958</a>, DOI 10.17487/RFC3958,
January 2005, <<a href="http://www.rfc-editor.org/info/rfc3958">http://www.rfc-editor.org/info/rfc3958</a>>.
[<a id="ref-RFC4017">RFC4017</a>] Stanley, D., Walker, J., and B. Aboba, "Extensible
Authentication Protocol (EAP) Method Requirements for
Wireless LANs", <a href="./rfc4017">RFC 4017</a>, DOI 10.17487/RFC4017, March
2005, <<a href="http://www.rfc-editor.org/info/rfc4017">http://www.rfc-editor.org/info/rfc4017</a>>.
[<a id="ref-RFC6733">RFC6733</a>] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn,
Ed., "Diameter Base Protocol", <a href="./rfc6733">RFC 6733</a>,
DOI 10.17487/RFC6733, October 2012,
<<a href="http://www.rfc-editor.org/info/rfc6733">http://www.rfc-editor.org/info/rfc6733</a>>.
[<a id="ref-RFC6929">RFC6929</a>] DeKok, A. and A. Lior, "Remote Authentication Dial In User
Service (RADIUS) Protocol Extensions", <a href="./rfc6929">RFC 6929</a>,
DOI 10.17487/RFC6929, April 2013,
<<a href="http://www.rfc-editor.org/info/rfc6929">http://www.rfc-editor.org/info/rfc6929</a>>.
[<a id="ref-RFC7170">RFC7170</a>] Zhou, H., Cam-Winget, N., Salowey, J., and S. Hanna,
"Tunnel Extensible Authentication Protocol (TEAP) Version
1", <a href="./rfc7170">RFC 7170</a>, DOI 10.17487/RFC7170, May 2014,
<<a href="http://www.rfc-editor.org/info/rfc7170">http://www.rfc-editor.org/info/rfc7170</a>>.
[<a id="ref-RFC7542">RFC7542</a>] DeKok, A., "The Network Access Identifier", <a href="./rfc7542">RFC 7542</a>,
DOI 10.17487/RFC7542, May 2015,
<<a href="http://www.rfc-editor.org/info/rfc7542">http://www.rfc-editor.org/info/rfc7542</a>>.
Acknowledgments
The authors would like to thank the participants in the Geant
Association Task Force on Mobility and Network Middleware as well as
the Geant project for their reviews and contributions. Special
thanks go to Jim Schaad for doing an excellent review of the first
version and to him and Alan DeKok for additional reviews.
The eduroam trademark is registered by TERENA.
<span class="grey">Wierenga, et al. Informational [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc7593">RFC 7593</a> eduroam September 2015</span>
Authors' Addresses
Klaas Wierenga
Cisco Systems
Haarlerbergweg 13-17
Amsterdam 1101 CH
The Netherlands
Phone: +31 20 357 1752
Email: klaas@cisco.com
Stefan Winter
Fondation RESTENA
Maison du Savoir
2, avenue de l'Universite
L-4365 Esch-sur-Alzette
Luxembourg
Phone: +352 424409 1
Fax: +352 422473
Email: stefan.winter@restena.lu
URI: <a href="http://www.restena.lu">http://www.restena.lu</a>.
Tomasz Wolniewicz
Nicolaus Copernicus University
pl. Rapackiego 1
Torun
Poland
Phone: +48-56-611-2750
Fax: +48-56-622-1850
Email: twoln@umk.pl
URI: <a href="http://www.home.umk.pl/~twoln/">http://www.home.umk.pl/~twoln/</a>
Wierenga, et al. Informational [Page 37]
</pre>
|
