Advisory: Ending of RADIUS Accounting within eduroam(UK) (May 2016)


May 2016 - 10/05/2016

This advisory applies to any member organisation that operates an ORPS that is configured to send RADIUS accounting packets to the NRPS.

Originator: Edward Wincott

Scope

The eduroam(UK) Technical Specification v1.4 will be released shortly and will contain the requirement that all member organisations ensure that their ORPSs SHOULD NOT send RADIUS accounting packets to the NRPS. Configuring the wide range of RADIUS servers that can be used to support eduroam so that they do not send Accounting-Requests is outside the scope of this advisory; however, where a change is necessary, the alteration of configuration should be a simple matter. System administrators should plan to check their ORPS and make any necessary changes as soon as possible, and certainly no later than 31st July 2016, which is the end of the transition period.

Background

Historically, the intended purposes of RADIUS accounting were to facilitate billing of users of modem based services, for statistics gathering and for general network monitoring. Inter-organisation RADIUS accounting for billing or any other purpose is not employed within eduroam and there are now far better network and specifically RADIUS monitoring tools available. The handling of accounting packets at the NRPS consumes processing resources that in the current environment of ever growing authentication traffic is undesirably wasteful.

Accounting packets are generated by clients which are configured to use RADIUS accounting. Such clients generate Accounting-Request (acct_status_type = start) packets until they receive an acknowledgement in an Accounting-Response from an accounting server.

The European Service Definition recommends that in dealing with their member organisations’ RADIUS servers (ORPSs), the national RADIUS proxy servers (NRPSs) of National Roaming Operators (such as eduroam(UK)) should be able to receive accounting packets, and in instances where the destination of those accounting packets is outside the national federation, MUST acknowledge the packet but MUST NOT forward the packet to the European top level proxy servers or anywhere else outside the national federation. At the present time, the UK NRPSs behave as above in respect of both packets with destinations outside the UK and also for packets with UK destinations.

So the NRPS currently accept accounting packets and send acknowledgements which means that clients do not re-send further Accounting-Requests. By not forwarding accounting packets, the NRPS avoid having processes tied up waiting for accounting responses from UK ORPS that might not be accounting-enabled. And by not sending (accounting) packets to the European Top Level RADIUS servers, wastage of processing resources on those servers is avoided. There are nevertheless significant processing resources still being devoted by the NRPS to handling incoming accounting from the UK ORPSs. Those resources could be employed more effectively in handling authentication packets.

Notice

The decision has now been made to extend the no-accounting zone to the ORPS-NRPS border. Member organisations will shortly be required to NOT send any accounting packets to the NRPS and will be relieved of the requirement to log accounting requests exchanged with the NRPS. Of course organisations may continue to use accounting within their own networks and should continue with local handling of RADIUS accounting packets arising from local clients – logging of authentication and accounting requests is necessary for problem resolution and the tracking of network abuse.

Benefits: by eliminating forwarding of accounting packets to the NRPS, member organisations benefit through a simplification of the configuration of their ORPS and a gain in performance. The eduroam(UK) NRPS infrastructure will also benefit through a reduction in the processing overhead imposed by having to accept and respond to accounting packets.

Timeline: the NRPS will continue to receive Accounting-Requests and to send responses for a limited period of months, during which time continued forwarding of such packets by ORPS will be monitored. At the end of this transition phase, the sending of accounting responses will be turned off. Any ORPS that is still sending accounting packets at that point will receive no responses, will mark the NRPSs as dead, and will effectively disable the eduroam service at your organisation.
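One way to check whether an ORPS is still sending Accounting-Requests to the NRPS is to decode the RADIUS packets it emits and flag any Accounting-Request whose destination is an NRPS address. The following is an added example, not part of this advisory or of any eduroam software; the NRPS addresses and the sample packets are constructed placeholders, and the parser follows the RFC 2865/2866 wire format (code, identifier, length, authenticator, then type-length-value attributes).

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866) relevant to this check.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ACCT_STATUS_TYPE = 40  # attribute number of Acct-Status-Type (RFC 2866)
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update",
                7: "Accounting-On", 8: "Accounting-Off"}

def parse_radius(payload: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the TLV attribute list of one UDP payload."""
    if len(payload) < 20:
        raise ValueError("too short for a RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return {"code": CODES.get(code, f"code-{code}"), "id": ident, "attrs": attrs}

def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Construct a RADIUS packet (zero authenticator) for the constructed sample data."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def find_accounting_to_nrps(flows, nrps_addresses):
    """Return (dst, id, Acct-Status-Type) for every Accounting-Request sent to an NRPS."""
    hits = []
    for dst, payload in flows:
        pkt = parse_radius(payload)
        if dst in nrps_addresses and pkt["code"] == "Accounting-Request":
            raw = pkt["attrs"].get(ACCT_STATUS_TYPE)
            status = (STATUS_NAMES.get(struct.unpack("!I", raw)[0], "unknown")
                      if raw and len(raw) == 4 else "absent")
            hits.append((dst, pkt["id"], status))
    return hits

# Constructed sample traffic: placeholder NRPS addresses and one local accounting server.
NRPS = {"192.0.2.10", "192.0.2.11"}  # placeholders, not the real NRPS addresses
SAMPLE_FLOWS = [
    ("192.0.2.10", build_radius(1, 7, [(1, b"user@example.ac.uk")])),  # Access-Request: expected
    ("192.0.2.11", build_radius(4, 8, [(40, struct.pack("!I", 1))])),   # Accounting Start to NRPS: flag
    ("10.0.0.5", build_radius(4, 9, [(40, struct.pack("!I", 2))])),     # Accounting Stop, local: fine
]

if __name__ == "__main__":
    for dst, ident, status in find_accounting_to_nrps(SAMPLE_FLOWS, NRPS):
        print(f"ORPS still sends Accounting-Request ({status}) id={ident} to NRPS {dst}")
```

In practice the flows would come from a capture of UDP traffic leaving the ORPS towards the NRPS; a run that reports nothing for the NRPS addresses confirms the ORPS is ready for the end of the transition period.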

This initiative is for the benefit of the UK eduroam service and the whole community, so organisations that continue to send Accounting-Requests during and after the transition phase will be individually contacted and the issue will be escalated.