2022-05 Advisory: Migration of Roaming1 NRPS


Released: 10th May 2022

This advisory is important and relevant to all eduroam(UK) service organisations.

  • Summary
  • Background and scope
  • Phase 1 - DNS, firewall and RADIUS server changes
  • Phase 2 - firewall and RADIUS server changes
  • During the migration phase
  • Supplementary information

SUMMARY

Roaming1 is moving to a new platform.

On 31st May 2022 the IP address for roaming1.ja.net will change so you must reconfigure your firewall and RADIUS servers as described below.

On 14th June 2022 you must remove the old IP addresses for Roaming1/interim hostname from your configurations.

The new host for Roaming1 will come into service on 31st May but the current host will remain active during the migration period which ends on 14th June to ensure a smooth transition.

BACKGROUND AND SCOPE

The eduroam(UK) team is in the process of migrating all national roaming proxy servers (NRPS) to Jisc shared infrastructure. This migration has taken some time, not helped by the pandemic, but it is now at the point where we would like all eduroam service administrators at member organisations to prepare for the migration of roaming1.ja.net.

The move to the new platform involves a necessary IP address change - this enables us to better manage our IP address space and provides for future development of the service.

The existing shared secrets for roaming1 will not change and are displayed for administrators via the RADIUS servers configuration panel on the eduroam(UK) Support Server (ESS) portal.

The necessary IP address change for roaming1.ja.net is as below:

Old IPv4 Address: 194.83.56.233

Old IPv6 Address: 2001:630:1:12a::233

New IPv4 Address: 193.63.195.34

New IPv6 Address: 2001:630:1:132::34

Phased migration: To ensure minimal risk to existing service levels, this migration will be taking place in two phases in rapid succession:

  • Phase 1: firewall and DNS switch using the interim hostname on 31st May 2022.
  • Phase 2: phasing out of the obsolete roaming1.ja.net host and IP addresses on 14th June 2022.

We recognise that the above timeframe is tight, especially for organisations which may have lengthy change control processes to follow; it is for this reason that we give several weeks’ notice for you to gain approval.

We are also aware that the annual University Clearing process starts on 5th July 2022, and therefore we have shortened the period between the switch date and the phase-out date to accommodate this and ensure that service levels are close to normal by 5th July 2022.

The new host for roaming1.ja.net is already in place and is accepting RADIUS traffic on the new IP addresses. Until 31st May 2022 you MUST ONLY send visitor test authentications to the new host/IP addresses. From 31st May you MUST start sending production authentication requests. We intend to decommission the old host (and IP addresses) on 14th June.

Basic updating instructions: Instructions for the most commonly used RADIUS server products in the UK are included as supplemental information at the end of this advisory.

Customers of Jisc Trust & Identity Group’s retained expertise consulting services: We will work with our colleagues in the Trust & Identity group to have you switched over on schedule.

Roaming0.ja.net: Roaming0 remains in service, unchanged. The migrations of Roaming2 and Roaming1 were the most urgent of the infrastructure upgrades. Migration of Roaming0 will take place in due course after the current moves are complete, and we’ll be making an announcement in the future.

Queries/comments: The eduroam clinic on 7th June 2022 will be dedicated to this transition process, with the eduroam(UK) team on hand to discuss any problems you may encounter, and you can also lodge a support ticket with our help desk by e-mailing help@jisc.ac.uk with your query, or by using the support form at https://www.jisc.ac.uk/forms/eduroam-support-request.

PHASE 1 - DNS, FIREWALL AND RADIUS SERVER CHANGES

This work must be commenced ON (or shortly after) 31st May 2022, NOT BEFORE. It is applicable to ALL MEMBERS.

The IP addresses for roaming1.ja.net will change from the set ending in .233 to the set ending in .34 at approximately 7 AM British Summer Time (6 AM UTC). The TTL for the DNS entry for roaming1.ja.net will be shortened starting approximately 24 hours before the switch and will return to the default TTL approximately 6 hours after.

An interim hostname, roaming1.eduroam.uk, is already configured to resolve to the current roaming1 IP addresses ending in .233 during the migration period, which ends on 14th June 2022.

Firewall Configuration

For members using hostnames-based firewall and NAT rules:

  • Configure your firewall to accept/send traffic (UDP/1812) and accept ICMP from the hostname roaming1.eduroam.uk, which resolves to the current IP addresses of roaming1.ja.net (ending in .233) until approximately 7 AM BST on 31st May.
  • You must ensure that any NAT rules are updated accordingly.
  • DO NOT REMOVE the hostname roaming1.ja.net from your configuration. Its IP addresses will change at approximately 7 AM BST on 31st May to the new IP addresses (ending in .34).

For members using IP-address-based firewall and NAT rules:

  • Configure your firewall to accept/send traffic (UDP/1812) and accept ICMP from the new IP addresses (ending in .34) for roaming1.ja.net.
  • You must ensure that any NAT rules are updated accordingly.
  • DO NOT REMOVE the old IP addresses (ending in .233) for roaming1.ja.net.

RADIUS Server Configuration

For members using hostnames-based configuration of their RADIUS servers:

  • You MUST add roaming1.eduroam.uk as a RADIUS client and remote RADIUS server to your RADIUS server configuration with the same secret as roaming1.ja.net, so that RADIUS traffic exchanges with other members who have not yet applied their configuration changes will still be supported(*).
  • DO NOT REMOVE the hostname roaming1.ja.net from your RADIUS configuration since this will be handling live traffic via the new IP address.
  • You MUST RESTART your RADIUS server to force it to refresh its DNS information for the existing and new clients and servers. FreeRADIUS and Microsoft NPS in particular only refresh their DNS information on start-up, and a restart for either is REQUIRED. This may also be the case for Aruba ClearPass Policy Manager (which is based on FreeRADIUS).

(*) Nb. You must cease sending users’ RADIUS traffic to the old server roaming1.eduroam.uk on 14th June by following the actions described for Phase 2 below.

For members using IP-address-based configuration of their RADIUS servers:

  • You MUST add the new IP addresses (ending in .34) as a client and remote RADIUS server to your RADIUS server configuration with the same secret as roaming1.ja.net, so that your RADIUS server will exchange inbound and outbound authentications with the new host.
  • DO NOT REMOVE the old IP addresses (ending in .233) of old Roaming1 from your existing RADIUS clients and remote RADIUS servers configurations. If applicable, rename any templates, friendly names, etc. to e.g. ‘old Roaming1’. This is to ensure that RADIUS exchanges with other members who have not yet applied their configuration changes will still be supported(*).
  • You SHOULD RESTART your RADIUS server to refresh its configuration for the existing and new clients and servers. FreeRADIUS in particular only refreshes its configuration on start-up, so a restart for FreeRADIUS is REQUIRED. This may also be the case for Aruba ClearPass Policy Manager (which is based on FreeRADIUS).

(*) Nb. You must cease sending users’ RADIUS traffic to the old IP addresses (ending in .233) on 14th June 2022 by following the actions described for Phase 2 below.

For ALL members

  • You MUST SUCCESSFULLY complete troubleshooting at https://support.eduroam.uk/troubleshoot/ by attempting a certificate check or an authentication check. An ICMP check is INSUFFICIENT. Select ‘roaming1’ from the dropdown list on the blue Tests panel top line to test your connection from the new IP address (ending in .34). Acceptable authentication or certificate check responses are OK, Warn, Reject or Fail.

If authentication requests arising from your roaming users are sent via the new IP addresses of roaming1.ja.net but your ORPS is not reachable or does not respond, the request will not complete, the user authentication will fail and the following message will appear in your ESS portal Radius errors log on the Troubleshoot page:

roaming1 : No working hosts in AuthBy for Identifier <your realm>, sending reject to clear backlog

PHASE 2 - FIREWALL AND RADIUS SERVER CHANGES

This work MUST BE COMPLETED ON 14th June 2022. This deadline is fixed; any organisations who DO NOT COMPLETE the work on this date WILL RISK DEGRADATION of their eduroam service. It is applicable to ALL MEMBERS.

The interim hostname roaming1.eduroam.uk will be withdrawn on this date, and any RADIUS traffic to the IP addresses ending in .233 will actively be rejected.

Firewall Configuration

For members using hostnames-based firewall and NAT rules:

  • Configure your firewall and NAT rules to remove roaming1.eduroam.uk from your configuration. That hostname will cease to proxy RADIUS traffic after 14th June 2022 and will cease to exist soon after.

For members using IP-address-based firewall and NAT rules:

  • Configure your firewall and NAT rules to remove the old IP addresses for roaming1.ja.net (ending with .233). The server at the old IP address will cease to proxy RADIUS traffic after 14th June 2022 and will be decommissioned soon after.

RADIUS Server Configuration

For members using hostnames-based configuration of their RADIUS servers:

  • You must remove roaming1.eduroam.uk as a client and a remote RADIUS server from your RADIUS server configuration.
  • You MUST restart your RADIUS server to ensure roaming1.eduroam.uk is no longer a server or client.

For members using IP-address-based configuration of their RADIUS servers:

  • You must remove the old IP addresses for roaming1.ja.net (ending with .233) from your clients and remote RADIUS servers in your RADIUS server configuration.
  • You SHOULD restart your RADIUS server to ensure that your RADIUS server no longer accepts traffic from or sends traffic to the old IP addresses (ending in .233).

DURING THE MIGRATION PHASE

eduroam(UK) will perform checks from both the new (IP addresses ending in .34) and the obsolete (IP addresses ending in .233) instances of roaming1.ja.net on a 2-hourly basis to ensure that the team can accurately inform Jisc account managers and eduroam admins of members of the migration status. These checks are automatic. Jisc account managers will be requested to engage with your organisation's IT management to ensure that migration completes on time.

Home organisation checks will use the test account credentials you provided in your eduroam realm configuration at https://support.eduroam.uk/configure/; please check that the credential(s) provided are accurate and active.

Visited organisation checks will depend on the traffic your organisation sends to the obsolete and new instances of roaming1.ja.net.

SUPPLEMENTARY INFORMATION

Microsoft NPS

Follow the Jisc NPS Guide in Section 11 and Section 14 to add a new RADIUS client and a new RADIUS server with the above information.

See https://support.eduroam.uk/files/eduroam(UK)%20Microsoft%20NPS%20Configuration%20Guide.pdf.

Restart NPS by right clicking the top entry (with the globe), choosing ‘Stop Service’, and then, after 15-30 seconds, repeating the action and choosing ‘Start Service’.

FreeRADIUS

In FreeRADIUS, you must amend your existing clients.conf file (on RedHat/CentOS in /etc/raddb/, on Debian in /etc/freeradius, on Ubuntu in /etc/freeradius/3.0/) to add the new hostname or IP address as a client. Duplicate the existing ‘client’ stanza for roaming1.ja.net and amend it accordingly. You must also amend proxy.conf in the same location as clients.conf. In proxy.conf, duplicate the existing ‘home_server’ stanza for roaming1.ja.net and amend it accordingly. You must also add an entry for the newly added stanza into the ‘server_pool’ stanza that includes roaming0.ja.net and roaming2.ja.net.

Then restart your instance of FreeRADIUS for changes to take effect.
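As an added illustration (not part of the Jisc advisory or its NPS/FreeRADIUS guides), the FreeRADIUS 3.x stanzas below show the Phase 1 state in which both the old and the new roaming1 instance are configured; the stanza names are assumptions, the shared secret is a placeholder for the value shown in the ESS portal, and the advisory's ‘server_pool’ stanza is the home_server_pool block in FreeRADIUS 3. Members using hostnames substitute ipaddr = roaming1.eduroam.uk in the interim entries.

```conf
# Added example, not from the Jisc advisory: FreeRADIUS 3.x Phase 1 configuration
# with both roaming1 instances present. Secret is a placeholder (use the ESS value).

# --- clients.conf: accept inbound requests from both roaming1 instances ---
client roaming1-new {
    ipaddr    = 193.63.195.34            # new Roaming1 (IPv4). FreeRADIUS 3 allows one
    secret    = REPLACE_WITH_ESS_SECRET  # address per client: add a second stanza with
    shortname = roaming1-new             # ipaddr = 2001:630:1:132::34 for IPv6.
}

client roaming1-old {
    ipaddr    = 194.83.56.233            # obsolete Roaming1 (hostname members:
    secret    = REPLACE_WITH_ESS_SECRET  # ipaddr = roaming1.eduroam.uk).
    shortname = roaming1-old             # Delete this stanza in Phase 2 (14th June 2022).
}

# --- proxy.conf: forward outbound requests to both instances ---
home_server roaming1-new {
    type   = auth
    ipaddr = 193.63.195.34               # IPv6 needs its own home_server stanza
    port   = 1812
    secret = REPLACE_WITH_ESS_SECRET
    # keep the timeout/status settings copied from your existing roaming1.ja.net stanza
}

home_server roaming1-old {
    type   = auth
    ipaddr = 194.83.56.233               # delete this stanza in Phase 2 (14th June 2022)
    port   = 1812
    secret = REPLACE_WITH_ESS_SECRET
}

# The advisory's "server_pool" stanza; the values are the names of home_server stanzas.
home_server_pool eduroam_nrps {
    type        = load-balance           # keep whatever type your pool already uses
    home_server = roaming0.ja.net        # existing entries, unchanged
    home_server = roaming2.ja.net
    home_server = roaming1-new           # added in Phase 1
    home_server = roaming1-old           # remove in Phase 2 together with its stanza
}
```

After editing, restart FreeRADIUS (it only re-reads clients.conf and proxy.conf, and resolves any hostnames, at start-up), then run the roaming1 authentication check at https://support.eduroam.uk/troubleshoot/ to confirm the new address reaches your ORPS.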

Cisco ISE

You must add a new Network Device in ISE for the new host by going to Network Resources, Network Devices. You must also define a new external RADIUS server. Go to Administration, Network Resources, External RADIUS Servers, and then Add your entry. Also go to RADIUS Server Sequences and adjust the priorities accordingly.

Aruba ClearPass

You must add a new Network Device in ClearPass Policy Manager to accept traffic from the new IP addresses. Go to Configuration, Network, Devices. Follow your systems administration guide’s instructions. You must also add a new external authentication source. Go to Configuration, Authentication, Auth Servers. Click on the + and fill in the new details. You should follow the recommended guidance as per the Aruba manual to adjust timeouts.