Set up of Dynamic Discovery (in federations which have RADIUS/TLS enabled)

What is Dynamic Discovery?

...

This is all! This entry says, paraphrased: "The eduroam authentication for the realm greatidp.aq works over RADIUS with TLS encryption and is handled by the service target _radsec._tcp.eduroam.aq." Note that this does not replace your normal RADIUS uplink to your national server; it is only an additional hint to streamline international roaming.

Don't worry, RADIUS software knows how to interpret this further. If you are curious though, the next section explains what all these entries mean.

...

So let's take a look at the parts of the above entry:

Entry and its meaning:

greatidp.aq.
    This is the zone name (label) for which the NAPTR entry is defined.

43200
    DNS caching lifetime of the entry (just like any other DNS resource record).

IN
    This entry is meant for consumption in the INternet (just like any other DNS resource record).

NAPTR
    This entry is a Network Authority PoinTeR.

100
    Order: if multiple NAPTR entries are defined for the label, prefer lower order numbers over higher ones.
    (Note: since eduroam requires only one single entry, any number is fine here, unless your national federation operator instructs you otherwise.)

10
    Preference: if multiple NAPTR entries with the same Order are defined for this label, alternate between all those entries when resolving names.
    (Note: since eduroam requires only one single entry, any number is fine here, unless your national federation operator instructs you otherwise.)

"s"
    This NAPTR entry should be resolved to hostnames by doing a subsequent SRV lookup on the target label.
    (Note: eduroam only works with "s" labels; it is a configuration error to use "a" or "u" targets.)

"x-eduroam:radius.tls"
    This is the service; only resolve the later target name if you want to use the service, otherwise ignore the NAPTR response.
    (Note: this string is fixed in eduroam, as the roaming service with Dynamic Discovery is exclusively defined for RADIUS/TLS.)

""
    Regular Expression: some very advanced uses of NAPTR records allow transformation of target names according to regular expressions.
    (Note: eduroam does not make use of this feature. The regular expression field MUST be the empty string; it is a configuration error to specify anything else.)

_radsec._tcp.eduroam.aq
    The target: please contact this server (after resolving its IP addresses and port numbers) if you want to use the "x-eduroam" service.

...


At this point you may wonder: so how does this eventually yield an IP address of my national authentication server?

...

_radsec._tcp.eduroam.aq. 43200  IN      SRV     10 0 2083 tld2.eduroam.luaq.
_radsec._tcp.eduroam.aq. 43200  IN      SRV     0 0 2083 tld1.eduroam.luaq.

As you can see, this reply contains two hostnames of the national eduroam servers, and also the port number to connect to (2083). The SRV priority (the first number, 0 for tld1 and 10 for tld2) tells the querying server which host to try first: lower priority values are preferred.

Finally, the querying server asks for the A and/or AAAA records of the chosen hostname to get the IP address of the responsible server, and the discovery process is complete.
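The following is an added example, not code from the original page or from any eduroam software. It walks the whole chain described above (NAPTR field checks from the entry table, then SRV ordering, then A/AAAA lookup) against a constructed in-memory zone, so it runs offline. The record lines mirror the page's examples (realm greatidp.aq, target _radsec._tcp.eduroam.aq, port 2083, the two tld hosts); the NAPTR line is written from the field table rather than copied from a live zone, and the IP addresses are placeholders from documentation ranges. The helper names (`build_zone`, `naptr_problems`, `select_naptr`, `order_srv`, `discover`) are this example's own.

```python
"""Walk the eduroam Dynamic Discovery chain NAPTR -> SRV -> A/AAAA offline.

Added example, not part of the original page. Zone data below is constructed.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

EDUROAM_SERVICE = "x-eduroam:radius.tls"  # fixed service tag in eduroam


class DiscoveryError(ValueError):
    """Raised on a configuration error or a dead end in the chain."""


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone-file lines (owner ttl IN type rdata...), in the page's layout.
# Addresses are documentation-range placeholders, not real eduroam servers.
RECORDS = [
    'greatidp.aq. 43200 IN NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.aq.',
    '_radsec._tcp.eduroam.aq. 43200 IN SRV 10 0 2083 tld2.eduroam.luaq.',
    '_radsec._tcp.eduroam.aq. 43200 IN SRV 0 0 2083 tld1.eduroam.luaq.',
    'tld1.eduroam.luaq. 43200 IN A 192.0.2.10',
    'tld1.eduroam.luaq. 43200 IN AAAA 2001:db8::10',
    'tld2.eduroam.luaq. 43200 IN A 192.0.2.20',
]


def build_zone(lines: List[str]) -> Dict[Tuple[str, str], list]:
    """Parse record lines into {(owner, type): [rdata...]}; shlex keeps quoted fields intact,
    so the NAPTR flags "s" and the empty regexp "" survive as proper strings."""
    zone: Dict[Tuple[str, str], list] = {}
    for line in lines:
        f = shlex.split(line)
        if len(f) < 5 or f[2] != "IN":
            raise DiscoveryError("unparseable record: %r" % line)
        owner, rtype = f[0], f[3]
        if rtype == "NAPTR" and len(f) == 10:
            rec = Naptr(int(f[4]), int(f[5]), f[6], f[7], f[8], f[9])
        elif rtype == "SRV" and len(f) == 8:
            rec = Srv(int(f[4]), int(f[5]), int(f[6]), f[7])
        elif rtype in ("A", "AAAA") and len(f) == 5:
            rec = f[4]
        else:
            raise DiscoveryError("unsupported or malformed record: %r" % line)
        zone.setdefault((owner, rtype), []).append(rec)
    return zone


def naptr_problems(rec: Naptr) -> List[str]:
    """The configuration errors the entry table names for an eduroam NAPTR record."""
    problems = []
    if rec.flags != "s":
        problems.append('flags must be "s" (SRV lookup follows), got %r' % rec.flags)
    if rec.regexp != "":
        problems.append("regexp field must be empty, got %r" % rec.regexp)
    return problems


def select_naptr(records: List[Naptr]) -> Naptr:
    """Ignore NAPTRs for other services; among eduroam ones, lowest order, then preference, wins."""
    eduroam = [r for r in records if r.service == EDUROAM_SERVICE]
    if not eduroam:
        raise DiscoveryError("no NAPTR advertising %s" % EDUROAM_SERVICE)
    for r in eduroam:
        if naptr_problems(r):
            raise DiscoveryError("; ".join(naptr_problems(r)))
    return min(eduroam, key=lambda r: (r.order, r.preference))


def order_srv(records: List[Srv]) -> List[Srv]:
    """Lowest priority first; equal priority ordered by weight (a deterministic
    stand-in for the weighted random pick that RFC 2782 describes)."""
    return sorted(records, key=lambda s: (s.priority, -s.weight, s.target))


def discover(realm: str, zone: Dict[Tuple[str, str], list]) -> List[Tuple[str, int]]:
    """Return the (address, port) pairs to try, in order, for a realm."""
    name = realm if realm.endswith(".") else realm + "."
    naptrs = zone.get((name, "NAPTR"), [])
    if not naptrs:
        raise DiscoveryError("no NAPTR record for realm %s" % name)
    chosen = select_naptr(naptrs)
    srvs = zone.get((chosen.replacement, "SRV"), [])
    if not srvs:
        raise DiscoveryError("no SRV record at %s" % chosen.replacement)
    endpoints = []
    for srv in order_srv(srvs):
        for addr in zone.get((srv.target, "A"), []) + zone.get((srv.target, "AAAA"), []):
            endpoints.append((addr, srv.port))
    return endpoints


if __name__ == "__main__":
    for addr, port in discover("greatidp.aq", build_zone(RECORDS)):
        print("%s:%d" % (addr, port))
```

Running the block prints the endpoints in the order a RADIUS/TLS client should try them: both addresses of tld1 (SRV priority 0) before tld2 (priority 10). Feeding a NAPTR line with "a" flags or a non-empty regexp into `build_zone` and then `discover` raises `DiscoveryError` with the same wording as the table's notes, which is a convenient way to lint a realm's records before publishing them.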