• Created by Unknown User (swinter), last modified on Mar 15, 2013

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

What is Dynamic Discovery?

eduroam has traditionally used a hierarchy of RADIUS servers. All national roaming authentication traffic was aggregated into a national proxy server; all international roaming traffic was aggregated into a set of international proxy servers.

While this works quite well under most circumstances, there are some drawbacks in efficiency, and a rather unpleasant inflexibility when it comes to routing realms which do not fit into the national aggregations model because they do not use the national .TLD ending of their federation (e.g. realms in ".net", ".org", etc.).

Dynamic Discovery places routing hints towards the responsible authentication server or national proxy into DNS, making routing more efficient.

As an IdP, you do not have to know much about the mechanics behind this - the only required step to make your realm dynamically discoverable is by adding a single resource record into your domain's DNS zone.

While adding this DNS record is optional, it has advantages for you in that it reduces the time it takes to authenticate your users when roaming internationally, so eduroam Operations RECOMMENDS to add these records if your national federation supports dynamic discovery.

For realms in generic top-level domains like .net, .org, .com etc. it is also RECOMMENDED to add these entries; and it may become mandatory at a later point in time.

Adding Dynamic Discovery hints to the IdP's DNS zone

To add Dynamic Discovery hints to your zone, you must first contact your national eduroam operator to determine which target name they have set up on the national proxy server; because you need to enter that discovery target in your DNS entry. In this documentation example, let's assume your national operator told you that the target name in your federation "Antarctica" is "_radsec._tcp.eduroam.aq". Let's further assume that your realm for eduroam and DNS domain is "greatidp.aq".

The DNS entry is of resource record type Network Authority PoinTeR (NAPTR). These records look quite complex, but eduroam's deployment profile of the NAPTR is making it simple to understand. The full entry as required for eduroam dynamic discovery in your DNS zone is:

greatidp.aq.           43200   IN      NAPTR   100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.aq.

This is all! This entry says, paraphrased, "The eduroam authentication for the realm greatidp.aq works over RADIUS with TLS encryption and is handled by the service target "_radsec._tcp.eduroam.aq".

Don't worry, RADIUS software knows how to interpret this further (smile) If you are curious though, the next section explains what all these entries mean.

NAPTR explained

 

 

 

 

  • No labels