Service Provider (SP) Deployment
The deployment stage will mostly be on the institution side. That's all the work of setting up DHCP (Dynamic Host Configuration Protocol) pools, VLANs (Virtual Local Area Networks), firewall rules, and all the other basics of standing up an enterprise SSID (Service Set Identifier).
We will send you a REANNZ test account, which you can configure on your device. Then, assuming you're on site, you can roll out eduroam to a test subset of access points (APs), check that all of the plumbing works, and check the lived user experience. If it's all good, you can roll it out wider. You can also bake that test account into your monitoring system so authentication is checked continuously.
You'll want to set up a traffic flow for eduroam authentication traffic something like this:
Only forward eduroam traffic
Discard invalid traffic on site
Route traffic for local realms to local IdP servers
Then forward non-local eduroam traffic to REANNZ
As part of the deployment, we would also like your SP to filter invalid requests so they are never sent to REANNZ. These are connection attempts that can never succeed, so they should be dropped at source, keeping the logs clear for real problems. Some examples are:
If you are using FreeRADIUS, here's a block of statements to drop into your proxy.conf file.
# Defaults and blackholes
# Everything should have a realm, reject unqualified users
realm NULL {
    virtual_server = auth-reject
    nostrip
}

# Reject known bad realms.
# Intel Pro/Wireless defaults to myabc.com
realm myabc.com {
    virtual_server = auth-reject
    nostrip
}

# 3gppnetwork.org is cellphones trying to do calling over wifi
# mcc530 = NZ; mnc001 = Vodafone, mnc005 = Spark, mnc024 = 2degrees, mnc052 and mnc240 = ???
realm 3gppnetwork.org {
    virtual_server = auth-reject
    nostrip
}
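The routing policy above (reject at source, local realms to the local IdP, everything else upstream) in runnable form, as an added example that is not REANNZ's or FreeRADIUS's own code. The local realm, its IdP host and the upstream proxy name are constructed placeholders; the rejection rules are the three from the proxy.conf block, with the 3gppnetwork.org rule matching any sub-realm such as wlan.mncNNN.mcc530.3gppnetwork.org.

```python
"""Realm routing and source-side rejection for eduroam Access-Requests.

Added example, not REANNZ's or FreeRADIUS's own code. It models the proxy
policy described above: reject requests that can never succeed (no realm,
known-bad realms, cellular Wi-Fi calling realms), send local realms to the
local IdP, and forward everything else upstream. The local realm, IdP host
and upstream name are constructed placeholders.
"""
import re
from collections import Counter

# Constructed placeholders: this SP's own realm(s) and where their IdP lives.
LOCAL_REALMS = {"example.ac.nz": "idp.example.ac.nz"}
UPSTREAM = "reannz-federation-proxy.example"

# Realms that must be dropped at source rather than forwarded.
BAD_REALM_EXACT = {"myabc.com"}                            # Intel Pro/Wireless default
BAD_REALM_SUFFIX = re.compile(r"(^|\.)3gppnetwork\.org$")  # Wi-Fi calling from phones


def split_identity(user_name):
    """Split on the last '@', as a RADIUS suffix-based realm split does.

    Returns (user, realm); realm is None when there is no '@' at all and
    '' when the identity ends in a bare '@'. Realms are case-folded.
    """
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def route(user_name):
    """Return ('reject', reason), ('local', idp_host) or ('forward', upstream)."""
    _user, realm = split_identity(user_name)
    if not realm:
        return ("reject", "unqualified user (no realm)")
    if realm in BAD_REALM_EXACT:
        return ("reject", "known bad realm " + realm)
    if BAD_REALM_SUFFIX.search(realm):
        return ("reject", "cellular Wi-Fi calling realm " + realm)
    if realm in LOCAL_REALMS:
        return ("local", LOCAL_REALMS[realm])
    return ("forward", UPSTREAM)


def summarise(user_names):
    """Count how many requests in a batch are rejected, local or forwarded.

    Run over the outer identities from an authentication log, this shows
    how much noise the filter keeps away from the upstream proxy.
    """
    return dict(Counter(route(u)[0] for u in user_names))


if __name__ == "__main__":
    # Constructed sample of outer identities as they might appear in an SP's RADIUS log.
    sample = [
        "bob",                                                  # no realm
        "guest@myabc.com",                                      # Intel default realm
        "0530011234567890@wlan.mnc001.mcc530.3gppnetwork.org",  # phone doing Wi-Fi calling
        "jane@example.ac.nz",                                   # local user
        "visitor@uni.example.edu",                              # roaming guest
    ]
    for ident in sample:
        print(f"{ident:55} -> {route(ident)}")
    print(summarise(sample))
```

Running the script prints one routing decision per identity and a count per outcome; the `summarise` function is the piece to point at a day's worth of log identities to see what fraction of requests the source-side filter removes before anything leaves the site.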
As an additional part of your deployment, where possible, you should consider filtering incoming RADIUS attributes from remote IdPs that may cause hard-to-debug connectivity issues for guests.
Example: jane@example.ac.nz is visiting your site. Her IdP sends an ACCEPT confirming that she is a valid user, and also VENDOR_VLAN_ID=600, which is the right VLAN assignment at her home institution but is not an appropriate VLAN on your site.
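The attribute filtering described above, as an added example that is not REANNZ's or FreeRADIUS's own code. It applies a default-deny allow-list to the attributes in a remote IdP's Access-Accept: keying material, EAP state and session correlation pass through, while home-site network policy (the standard RFC 3580 VLAN attributes, and any vendor attribute such as the VENDOR_VLAN_ID in the example) is dropped. The optional guest VLAN argument and the sample reply are constructed assumptions for this example; replies from your own local IdP are not filtered this way, since their VLAN assignments are meant for your site.

```python
"""Post-proxy filtering of Access-Accept attributes from a remote IdP.

Added example, not REANNZ's or FreeRADIUS's code. It applies an allow-list
to the attributes a remote IdP returns so that home-site network policy
(VLAN assignment, filter IDs, vendor attributes) never reaches the local
NAS. Attribute names follow RFC 2865/3580 and the MS-MPPE conventions; the
sample reply below is constructed for this example.
"""

# Attributes a visited SP needs from a remote Access-Accept: EAP keying
# material, EAP state, and accounting/session correlation. Everything else
# is dropped (default deny), which also covers vendor-specific attributes.
PASS_THROUGH = frozenset({
    "User-Name", "EAP-Message", "Message-Authenticator", "State", "Class",
    "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "Session-Timeout",
    "Chargeable-User-Identity",
})


def filter_remote_accept(attrs, guest_vlan=None):
    """Filter the attribute list of an Access-Accept from a remote IdP.

    attrs is a list of (name, value) pairs. Returns (kept, dropped).
    If guest_vlan is given (an assumption: the SP's own guest VLAN id),
    RFC 3580 VLAN attributes for it are appended so the NAS places the
    visitor on the network this site has chosen, not the one from home.
    """
    kept, dropped = [], []
    for name, value in attrs:
        if name in PASS_THROUGH:
            kept.append((name, value))
        else:
            dropped.append((name, value))
    if guest_vlan is not None:
        kept += [
            ("Tunnel-Type", "VLAN"),
            ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", str(guest_vlan)),
        ]
    return kept, dropped


# Constructed sample: jane@example.ac.nz's home IdP accepts her and also
# sends the VLAN she would get at home (600), which does not exist here.
SAMPLE_ACCEPT = [
    ("User-Name", "jane@example.ac.nz"),
    ("EAP-Message", "<eap-success>"),
    ("Message-Authenticator", "<hmac>"),
    ("MS-MPPE-Recv-Key", "<key>"),
    ("MS-MPPE-Send-Key", "<key>"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "600"),
    ("VENDOR_VLAN_ID", "600"),   # vendor attribute from the page's example
]


if __name__ == "__main__":
    kept, dropped = filter_remote_accept(SAMPLE_ACCEPT, guest_vlan=42)
    print("kept:")
    for name, value in kept:
        print(f"  {name} = {value}")
    print("dropped (home-site policy):")
    for name, value in dropped:
        print(f"  {name} = {value}")
```

In FreeRADIUS the equivalent job is done by the attr_filter module's post-proxy rules, which list the attributes allowed through from a proxied reply; the point of the allow-list shape is that a new or vendor attribute you have never seen is dropped by default rather than silently handed to your controller.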
Where your Wi-Fi coverage could overlap with another eduroam SP, please reach out to us and we will help find a pragmatic solution to avoid poor coverage.