...
| Name | Description | Status | Tools | ||||||
|---|---|---|---|---|---|---|---|---|---|
| 1 | Firewall | A layer 4 firewall MUST separate the internet-facing RADIUS server and the internal network. Access must be controlled and monitored. | MUST | ||||||
| 2 | Firewall ICMP | Firewalls MUST permit ICMP to allow centralised monitoring of RADIUS servers | MUST | ||||||
| 3 | Admin access | System administration (RADIUS and aassociated associated systems) MUST be preformed over a private internal network ONLY. | MUST | ||||||
| 34 | DMZ connectivity | 4 | All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks) | MUST | |||||
| 5 | External port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). UDP 1645 MUST NOT be used. | MUST | ||||||
| 6 | Internal port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH) | MUST | ||||||
| 7 | RadSec | If RadSec is used, X.509 certificates must be used to identify RADIUS servers | MUST (optional) | ||||||
| 8 | Network segmentation | Network segmentation SHOULD be considered, placing roaming users into a separate segment to local organisation users. | SHOULD | ||||||
| 9 | VLAN spoofing countermeasures | the visitor network design should prevent devices from mailiciously placing themselves into unauthorised VLANs | SHOULD | ||||||
| 10 | Penetration testing | NROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure. | SHOULD | ||||||
| 11 | |||||||||
| 12 | |||||||||
| 13 | |||||||||
| 14 | |||||||||
| 15 | 5 | 6 | 7 | 8 | 9
4. References
eduroam Compliance Statement https://www.eduroam.org/support/eduroam_Compliance_Statement.pdf
...