...
- initiated by the eduroam OT
- NRO admins fill in the web form (monitor.eduroam.org/audit)
- OT provides data via manual audit or monitoring tools
- OT publishes final results (only final mark per NRO is publicly available
3a. Requirements and recommendations (NRO, from eduroam policy)
| # | Name | Description | Status | Tools | Review comments | who | how | 
|---|---|---|---|---|---|---|---|
| 1 | policy (Ch 6) | NRO has signed the appropriate version of the policy | MUST | OT checks in official archive (OT manually) | ot | M | |
| 2 | policy | 
| ( | 
| Ch 6) | 
| Establish the necessary infrastructure for eduroam (set-up FLRS and exchage traffic in expeced manner) | MUST | Check RADIUS server basic configuration (OT automatically) | ot | A | 
| 3 | policy ( | 
| Ch 6) | 
| Ensure that eduroam servers and services are maintained according to the specified best practices for server build, configuration and security, with the purpose of maintaining a generally high level of security, and thereby trust in the eduroam Confederation. | MUST | Check RADIUS server version number (OT automatically/manually) OT interviews NRO (OT manually) or NRO self-assessment (NRO self | 
| ) | |||
| 4 | policy ( | 
This is not really possible to check. But if eduroam OT learns of this kind of violation of the policy, NRO should loose many audit points, in order to courage NROs to report this to eduroam OT.
| Ch 6) | 
Scheduled maintenance work performed by the NRO within the respective federation should be announced two (2) days in advance through the SG mailing list. For unscheduled maintenance the announcement should preferably be made 24 hours in advance. Policy says 24 working hours but 24 working hours is more than 2 days !?! A ticket on TTS should be opened by the respective NRO representative, and closed with a short comment on the performed action.
| Provide trustworthy and secure transport of all private authentication credentials (i.e.passwords) that are traversing the eduroam infrastructure. In other words, ensure that user credentials stay securely encrypted end-to-end between the user’s personal device and the identity provider when traversing the eduroam infrastructure. A rationale for this requirement can be found in Appendix A of the eduroam policy. | MUST | Check authentication flows to ensure that EAP is used (OT automatic) | |||||
| 5 | policy (Ch 6) | Servers SHOULD be highly available, for example, by deploying multiple separate servers in a failover configuration in different IP subnets on different physical locations. | RECOMMENDED (MAY) | Check number of servers (OT automatic), check location and configuration (NRO self) | ot | M | |
| 6 | policy (Ch 6) | AAA server: RADIUS datagram processing to and from the ETLRS, as per RFC2865 or any other of the recommended transports (e.g. RADIUS/TLS). The server MUST be able to proxy RADIUS datagrams to other servers based on contents of the User-Name attribute. | REQUIRED/MUST | Check authentication flow through ETLRS (OT automatic), check server configuration (NRO self) | ot | A | |
| 7 | policy (Ch 6) | AAA server: RFC3580 (EAP over RADIUS). The server MUST proxy EAP-Message attributes unmodified, in the same order as it received them, towards the appropriate destination. | REQUIRED/MUST | Check server configuration (NRO self) | ot | A | |
| 8 | policy (Ch 6) | AAA server: The server MUST generate F-Ticks and send them to the monitoring infrastructure. | REQUIRED/MUST | Check received F-ticks (OT automatic) and/or server configuration (NRO self) | ot | A | |
| 9 | policy (Ch 6) | If dynamic RADIUS routing (see eduroam policy Section 2.1.1.2) is used by the individual SPs, then it is the responsibility of the respective NRO to ensure that appropriate F-Ticks are sent to the monitoring infrastructure, either by enforcing that the SPs send them to the monitoring infrastructure themselves, or by collecting information of the authentication events and sending these on to the monitoring infrastructure on the SP’s behalf. | REQUIRED/MUST | Check issued certificates for dynamic routing and F-Ticks from corresponding SPs (OT automatic) | ot | ? | |
| 10 | policy (Ch 6) | The server(s) MUST be setup to allow monitoring requests from the monitoring service | MUST | Check server configuration and monitoring results (OT automatic) | ot | A | |
| 11 | policy (Ch 6) | The server(s) MUST respond to ICMP/ICMPv6 Echo Requests sent by the confederation infrastructure and confederation monitoring service | MUST | Check monitoring results (OT automatic) | ot | A | |
| 12 | policy (not Ch 6) | NROs should appoint at least one representative to the eduroam SG | SHOULD (MUST) | Check mailing list membership and meeting participation (OT automatic, manually if not possible) | OT | M | |
| 13 | policy (Ch 6) | Participate in the work of the SG (ask for reply from SG member's e-mail) | MUST (SHOULD) | 
| Check mailing list membership and meeting participation (OT automatic, manually if not possible) | OT | A | 
| 14 | policy (Ch 6) | 
| NRO MUST set up a web server in order to publish information about the eduroam service, including information with respect to the participating institutions, as well as practical information on how to use eduroam. | MUST | Check | 
| if website is present (OT | 
| manual) | 
| OT | M | |
| 15 | policy (Ch 6) | 
Check if web site exists (OT automatic)
Note from MOL: have encountered many organisations that are prevented by policy from registering a TLD-level domain, but they can always do tld/eduroam...
The NRO must provide the following data to the eduroam OT:
Estimated coverage inside themember federationAAA server: RFC2866 (RADIUS Accounting). The server SHOULD be able to receive RADIUS Accounting packets if a service provider opts to send that data.
| The address of the web server with information about the eduroam service SHOULD be www.eduroam.<tld>. (combine with 14) | SHOULD | Check if web site exists (OT automatic) Note from MOL: have encountered many organisations that are prevented by policy from registering a TLD-level domain, but they can always do tld/eduroam... | OT | M | |||
| 16 | policy (Ch 6) | The national eduroam website should be available in English | SHOULD | Check if website is present (OT manual - there is no specified URL to the English version, e.g. www.eduroam.tld/en/) | OT | M | |
| 17 | policy (Ch 6) | An NRO’s web server MUST provide data in XML format, based on the specification defined by the SG, and available at http://monitor.eduroam.org/database | MUST (soon outdated xml → json) web page → https://monitor.eduroam.org/fact_eduroam_db.php | Check eduroam database (OT automatic) | OT | A | |
| 18 | policy ( Ch 5.7) | The NRO must provide the estimated coverage inside themember federation to the eduroam OT. | MUST | Check when the eduroam database data for the NRO has been updated (OT automatic) | |||
| 19 | policy (not Ch 6) | The use of RADIUS/TLS is recommended | RECOMMENDED (SHOULD) | Check server configuration and issued certificates (OT automatic) | OT | A | |
| 20 | policy (Ch 6) | Provide a RADIUS/TLS endpoint open for connections from all other eduroam participants to enable the receiving end of RADIUS/TLS dynamic discovery. | RECOMMENDED | Check issued certificates and server configuration (OT automatic?) | |||
| 21 | policy (Ch 6) | Provide a DNS-based discovery module for outgoing RADIUS/TLS dynamic discovery. | RECOMMENDED | Check issued certificates and server configuration (OT automatic?) | |||
| 22 | policy (not Ch 6) | Scheduled maintenance work performed by the NRO within the respective federation should be announced two (2) days in advance through the SG mailing list. For unscheduled maintenance the announcement should preferably be made 24 hours in advance. Policy says 24 working hours but 24 working hours is more than 2 days !?! A ticket on TTS should be opened by the respective NRO representative, and closed with a short comment on the performed action. | SHOULD | OT lists outages from the monitoring systems (OT automatic), then checks SG mailing list archive and TTS (OT manually). No unscheduled maintenance should have taken place since last audit (or during the last 12 months). | |||
| 23 | policy (not Ch 6) | NROs should regularly report to the OT about the number and type of security incidents | SHOULD | OT cross-checks its archives with other security incident archives (help needed from the CERT teams?) since last audit or from the last 12 months (OT manually) | This sounds like we expect them. | N | S | 
| 24 | policy (not Ch 6) | Malfunction in a member federation should be announced to the eduroam OT and optionally through the SG mailing list. A ticket on the TTS should be opened by the respective NRO representative and closed with a short comment on the performed action | SHOULD | OT lists outages from the monitoring systems (OT automatic) and checks from TTS and the SG mailing list archive if malfunction has been reported (OT manually). Time period: Since last audit or the last 12 months. | So if there are never issues, people don't score? | N | S | 
| 25 | policy (not Ch 6) | Participating federations are encouraged to check sent VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) , and to investigate whether the sender is sending these attributes inadvertently or not, and then take appropriate action. | SHOULD (encouraged) | Check sent VLAN attributes (OT automatic) Contact institutions directy to check if sending is intentional (OT semi-automatic - contact info in eduroam database). Check also at federation TLRs (NRO self) | An NRO may also decice to drop everything, right, if agreed by members. | OT | A | 
| 26 | policy (Ch 6) | Violation of the Policy declaration MUST be reported to the OT, and MUST be presented to the SG and escalated to the NREN PC in serious cases. | MUST | This is not really possible to check. But if eduroam OT learns of this kind of violation of the policy, NRO should loose many audit points, in order to courage NROs to report this to eduroam OT. | Tools are rather passive again. If people never report anything, they score? Or they fail? | N | S | 
| 27 | policy (Ch 6) | Establish user-support service for its end users, as explained in Section 5.1 in the eduroam policy, “User Support Processes” | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | N | S | |
| 28 | 
 | Skip this | 
| Note from MOL: accounting packets may include GDPR-sensitive data. On govroam we have elected to NOT accept accounting packets... | I don't agree: well, we for instance accept the requests right away and discard. | 
| 29 | policy (Ch 6) | AAA server: RFC2866 (RADIUS Accounting). If RADIUS Accounting is supported, RADIUS Accounting packets with a destination outside the federation MUST NOT be forwarded outside the federation, and MUST be acknowledged by the FLRS. | MUST | Check server configuration (NRO self) | 
| OT | A | |
| 30 | policy | 
| (Ch 6) | 
| All relevant logs MUST be created with synchronisation to a reliable time source (GPS or in its absence NTP/SNTP) | MUST | Check server configuration (NRO self) | N | S | |
| 31 | 
| policy (Ch 6) | 
| Logs of all authentication requests and responses MUST be kept. The minimum log retention time is six months, unless national regulations require otherwise. These logs may constitute personal data and MUST be managed in a GDPR-compliant way. The information in the requests and responses | 
| MUST as a minimum include: The time the authentication request was exchanged. The value of the User-Name attribute in the request ('outerEAP-identity'). The value of the Calling-Station-Id attribute in authentication requests. The result of the authentication. The value of Chargeable-User-Identity (if present in Access-Accept message). | 
3b. Secondary Requirements and recommendations (MOL)
| MUST (in policy as SHOULD) | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | N | S | ||||
| 32 | policy (Ch 6) | Communicate to all IdPs and SPs the obligations put on them in policy Chapters 6.3.2. and 6.3.3. (included in 3c & 3d) | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | N | S | |
| 33 | policy (Ch 6) | Audit IdPs and SPs according to the obligations put on them in policy Chapters 6.3.2. and 6.3.3. (included in 3c & 3d) | SHOULD | Show documentation of audit (OT manual) | N | S | 
3b. Secondary requirements and recommendations (NRO)
| # | Name | Description | Status | Tools | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Manage shared secrets | RADIUS shared secrets MUST have sufficient entropy (16+ characters), and MUST NOT be | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # | Name | Description | Status | Tools | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 1 | Use the right SSID | NROs MUST ensure all members only deploy the service under the 'eduroam' SSID. Non-compliant networks MUST NOT be labelled 'eduroam' or anything similar to avoid confusion for visitors. The eduroam SSID MUST NOT be shared with other network services. | MUST | 2 | Permit 802.11 only | NROs MUST ensure members offer eduroam ONLY on 802.11-based wireless media (i.e. NOT over bluetooth etc). | MUST | 3 | Maintain an audit trail | NROs MUST ensure that they and their members retain authentication and DHCP logs for <period defined in central policy?> to enable the cooperative resolution of identity in the event of abuse of eduroam | MUST | 4 | Prevent credential sharing | NROs MUST ensure that all their members enforce the policy that credentials SHOULD NOT be shared between users (or devices where device authentication is used). Automated monitoring of high numbers of simultaneous logins may help with this. | MUST | 5 | Standardise end-user access | NROs MUST ensure all members offer eduroam users access to the minimum standard ports and protocols <specified in ???>, such that the baseline services (web email and VPN) are consistently available. | MUST | 6 | Ensure physical security | NROs must advise their members that WiFi APs and cabling SHOULD be be secured as much as possible (e.g. to restrict opportunities to introduce network taps or other tampering). All servers MUST be hosted in a secure environment. | MUST | 7 | Manage shared secrets | RADIUS shared secrets MUST have sufficient entropy (16+ characters), and MUST NOT be reused (each RADIUS server must have a unique shared secret for each trust relationship it participates in) | MUST | |||||||||||||||||||||||||||||
| 8 | Provide physical signage | NRO advises member organisations to deploy physical signage in areas where eduroam is available (e.g. to assist visitors with medical prosthetics) | SHOULD | Evidence: copy of documentation/web page | 9 | Publish locations | NRO ensures all member venue location data is added to the eduroam database (for use in maps etc.) | SHOULD | ||||||||||||||||||||||||||||||||||||||||||||||||
| Check server configuration (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 2 | Suppress Accounting | RADIUS accounting messages MUST NOT be forwarded to the eduroam international RADIUS Proxies. They may contain potentially sensitive information and therefore GDPR compliance duties. NB: conflicts with existing policy, which states it SHOULD be supported. | MUST NOT | Check accounting messages towards the TLRs (OT automatic) | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 3 | Set eduroam-SP-Country | Advise NROs to set eduroam-SP-Country attribute in particular for RADIUS/TLS (RadSec) | SHOULD | NRO verifies that this is the case (NRO self) | (etlr also does it, but not for RadSec) | |||||||||||||||||||||||||||||||||||||||||||||||||||
| 4 | Deploy dedicated servers | NRO-level RADIUS servers SHOULD be dedicated to the task, not supporting other local or national services, in order to reduce their attack surface. | SHOULD (MUST?) | NRO verifies that this is the case with the FTLRs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 10 | Offer a web presence | NRO and members SHOULD publish a site at (tld)/eduroam documenting eduroam activities and locations in their NREN. NB differs from policy, which mandates www.eduroam.tld | SHOULD | Evidence: URL/screenshots | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 11 | Ensure you are contactable | NRO has arranged 365 cover of all named contact points (mail and phone redirects for leave etc) | SHOULD | Randomly check quality of info in the eduroam database (OT automatic) | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 6 | Conduct external penetration testing | NROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure. | SHOULD | To be carried out by the NRO in cooperation with the national CERT team (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 7 | Conduct internal vulnerability testing | NROs SHOULD regularly conduct vulnerability testing from within the internal network of eduroam infrastructure. | SHOULD | To be carried out by the NRO in cooperation with the national CERT team (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 8 | 12 | Use the CAT | NRO SHOULD maintain a CAT adminstrator/config for its own staff and also recommend CAT usage to all members. Wherever possible, CAT SHOULD be used to assist with client deployments. | SHOULD | 13 | Provide administrator training | NRO SHOULD provide eduroam training to member organisations (either directly or through a third party) | SHOULD | 14 | Provide end-user education | NRO and members SHOULD implement training for end users on the expected legitimate behaviours of eduroam systems. Many attacks rely on incorrect user responses to inappropriate service behaviours such as password requests, certificate mismatch warnings etc. | SHOULD | 15 | Ensure clarity | NRO members SHOULD act to minimise any possibility of confusion between eduroam and other guest services they may offer (e.g. to prevent credentials being inappropriately presented) | SHOULD | 16 | Select a certificate type | NRO and members SHOULD undertake a risk-based selection of private vs. public CAs for their RADIUS infrastructure. Private is usually preferrable. | SHOULD | 17 | Select an EAP Type | NRO should advise members that they SHOULD use at least one of TLS, TTLS, EAP-FAST or PEAP (see reference 9) | SHOULD | 18 | Use anonymous outer identities | Where supported by the EAP type and the supplicant, it is strongly recommended that anonymous outer identities SHOULD be used. (see reference 10) | SHOULD | 19 | Enable CUI | Chargeable User Identity (CUI) SHOULD be implemented to enhance accountability of end user bahaviour by pseudonymous means. | SHOULD | 20 | Implement certificate revocation | If an EAP type which uses client side certificates is used (e.g. EAP-TLS), a robust revocation process SHOULD be in place to cover loss, theft or compromise of devices. | SHOULD | 21 | Implement rogue AP detection | Where available, NRO and members SHOULD monitor for rogue access points. IF possible, automated suppression of rogues SHOULD be implemented. | SHOULD | 22 | Implement wireless IPS | Where available, NRO and members SHOULD implement Wi-Fi Intrusion Prevention Systems (IPS) to detect AP spoofing, malicious broadcasts etc. | SHOULD | 23 | Operate to default deny | NROs SHOULD advise all members to operate a default deny policy on all firewalls and access control lists, only granting specific traffic types that are required and have been risk assessed to pass. | SHOULD | 24 | Deprecate manual configuration | Where CAT-assisted end user device configuration is not possible, it SHOULD NOT be undertaken by the end user. Administration staff should undertake such configuration to ensure it is correctly completed. Manual configuration is not recommended. | SHOULD NOT | 25 | Provide maps | Websites MAY includes graphical maps of accessible locations, noting additional services such as charging points | MAY | 
| 26 | Maximize eduroam coverage | NROs SHOULD/MAY provide an eduroam proxy RADIUS server to enable interested SPs outside the community to offer eduroam in their network. | SHOULD/MAY | (Added by WBK) | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| 27 | Enable collaboration | NROs SHOULD/MAY enable collaboration between the eduroam-enabled institutions by the use of conferences, email lists and/or Slack channels | SHOULD/MAY | (Added by WBK) | 
3c. Technical requirements and recommendations (MOL)
| Check NRO course/training schedules (NRO self) | |||||
| 9 | Maximize eduroam coverage | NROs SHOULD/MAY provide an eduroam proxy RADIUS server to enable interested SPs outside the community to offer eduroam in their network. | SHOULD/MAY | NRO verifies (NRO self) (Added by WBK) | |
| 10 | Enable collaboration | NROs SHOULD/MAY enable collaboration between the eduroam-enabled institutions by the use of conferences, email lists and/or Slack channels | SHOULD/MAY | NRO verifies (NRO self) Conference material available at https://wiki.geant.org/x/5KbTC (Added by WBK) | 
3c. Requirements and recommendations - IdP & SP (both policy and non-policy)
| # | Name | Description | Status | Tools | |
|---|---|---|---|---|---|
| 1 | Verify IdP functionality (policy) | Verify that the authentication is performed according to the policy by checking authentication flow through the FTLRs or by checking authentication of an issued test account. | MUST (IdP only) | NRO verifies by checking the FTLRs or by checking authentication of a test account (NRO self) | |
| 2 | Verify SP functionality | Verify that the authentication is performed according to the policy by checking authentication flow through the FTLRs or by checking authentication of a known account eligible for eduroam. Check presence of Calling-Station-Id. | MUST (SP only) | NRO verifies by checking the FTLRs or by checking authentication of a test account (NRO self) | |
| 3 | Use the right SSID (policy) | NROs MUST ensure all members only deploy the service under the 'eduroam' SSID unless there is more than one eduroam SP at the same physical location and the signal overlap would create operational problems,in which case an SSID starting with "eduroam-" MAY be used. Non-compliant networks MUST NOT be labelled 'eduroam' or anything similar to avoid confusion for visitors. The eduroam SSID MUST NOT be shared with other network services. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 4 | Adopt AES (policy) | eduroam wi-fi services MUST implement WPA2 Enterprise with the use of the CCMP (AES) algorithm | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 5 | Disable WPA-TKIP (policy) | The WPA specification MUST NOT be supported and the TKIP algorithm MUST NOT be employed in eduroam services | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 6 | Separate non-eduroam guests | NRO and its members may offer a public guest Wi-Fi service for those unable to access eduroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring, and anti-circumvention measures. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 7 | Ensure clarity | NRO members SHOULD act to minimise any possibility of confusion between eduroam and other guest services they may offer (e.g. to prevent credentials being inappropriately presented) | SHOULD | Check info on web pages and other information sources (OT manual) | |
| 8 | Adopt encrypted comms | NRO SHOULD recommend to members that they use a VPN to protect communications between Access Points and the RADIUS server. (Usually there is a controller here?!? Is VPN really needed?) | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 9 | Permit 802.11 only | NROs MUST ensure members offer eduroam ONLY on 802.11-based wireless media (i.e. NOT over bluetooth etc). | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 10 | Well-managed identity system (policy) | Ensure a well-managed identity management backend system. | MUST (IdP only) | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 11 | Maintain an audit trail (policy) | NROs MUST ensure that they and their members retain authentication and DHCP logs for six months, unless national regulations require otherwise, to enable the cooperative resolution of identity in the event of abuse of eduroam. All relevant logs MUST be created with synchronisation to a reliable time source (GPS or in its absence NTP/SNTP) | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 12 | Logs (policy) | Logs of all authentication requests and responses MUST be kept. The minimum log retention time is six months, unless national regulations require otherwise. These logs may constitute personal data and MUST be managed in a GDPR-compliant way. The information in the requests and responses MUST as a minimum include: The time the authentication request was exchanged. The value of the User-Name attribute in the request ('outerEAP-identity'). The value of the Calling-Station-Id attribute in authentication requests. The result of the authentication. The value of Chargeable-User-Identity (if present in Access-Accept message). | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 13 | Standardise end-user access (policy) | NROs MUST ensure all members offer eduroam users access to the minimum standard ports and protocols, which are specified in the eduroam policy, such that the baseline services (web email and VPN) are consistently available. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | N / S | 
| 14 | Filtered protocols (policy) | Network access to roaming visitors SHOULD not be port-restricted at all (i.e. in additionto the minimum list of open ports from above, allow all outgoing communication). Where this is not possible, the number of filtered protocols SHOULD be kept as low as possible. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 15 | NAT (policy) | The use of NAT SHOULD be avoided | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 16 | IPV6 (policy) | IPv6 connectivity SHOULD be supplied. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 17 | Application & interception proxies (policy) | Service providers SHOULD NOT deploy application or interception proxies. Service providers deploying application or interception proxiesMUST NOT use the proxy to require users to submit personal information before gainingaccess to the Internet,and MUST publish information aboutthese proxies on their eduroam website. If an application proxy is nottransparent, the service provider MUST also provide documentation on theconfiguration of applications to use the proxy. | SHOULD NOT / MUST (NOT) | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 18 | Ensure physical security | NROs must advise their members that WiFi APs and cabling SHOULD be be secured as much as possible (e.g. to restrict opportunities to introduce network taps or other tampering). All servers MUST be hosted in a secure environment. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 19 | Implement rogue AP detection | Where available, NRO and members SHOULD monitor for rogue access points. IF possible, automated suppression of rogues SHOULD be implemented. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 20 | Implement wireless IPS | Where available, NRO and members SHOULD implement Wi-Fi Intrusion Prevention Systems (IPS) to detect AP spoofing, malicious broadcasts etc. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 21 | Provide physical signage | NRO advises member organisations to deploy physical signage in areas where eduroam is available (e.g. to assist visitors with medical prosthetics) (What does this mean in practice?(WBK)) | SHOULD | Evidence: copy of documentation/web page | |
| 22 | Configuration instructions (policy) | An IdP MUST provide sufficient configuration instructions for their end users so that a unique identification of the IdP is possible for the end user at all times. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 23 | Use the CAT | NRO SHOULD maintain a CAT adminstrator/config for its own staff and also recommend CAT usage to all members. Wherever possible, CAT SHOULD be used to assist with client deployments. | SHOULD | Check CAT (OT automatic), NRO verifies that CAT has been strongly recommended to eduroam IdPs/SPs (NRO self) | OT/A | 
| 24 | Deprecate manual configuration | Where CAT-assisted end user device configuration is not possible, it SHOULD NOT be undertaken by the end user. Administration staff should undertake such configuration to ensure it is correctly completed. Manual configuration is not recommended. | SHOULD NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 25 | Provide end-user education | NRO and members SHOULD implement training for end users on the expected legitimate behaviours of eduroam systems. Many attacks rely on incorrect user responses to inappropriate service behaviours such as password requests, certificate mismatch warnings etc. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs and that NRO has offered to help with training implementation (NRO self) | |
| 26 | Prevent credential sharing | NROs MUST ensure that all their members enforce the policy that credentials SHOULD NOT be shared between users (or devices where device authentication is used). Automated monitoring of high numbers of simultaneous logins may help with this. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) Automated monitoring (OT automatic or NRO automatic) | |
| 27 | Select a certificate type | NRO and members SHOULD undertake a risk-based selection of private vs. public CAs for their RADIUS infrastructure. Private is usually preferrable. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs and that NROs have offered help and advice (NRO self) | |
| 28 | Deploy secure CA servers | CA servers MUST be hosted on a dedicated, locked-down server in a secure location, configured for minimum user access. Such servers SHOULD have a fully qualified domain name, although this MAY not be published through DNS. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 29 | Select an EAP Type | NRO should advise members that they SHOULD use at least one of TLS, TTLS, EAP-FAST or PEAP (see reference 9) | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 30 | Implement certificate revocation | If an EAP type which uses client side certificates is used (e.g. EAP-TLS), a robust revocation process SHOULD be in place to cover loss, theft or compromise of devices. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self). NRO checks authentication flows through the FLTRs, identifies the organisations utilizing client certs and shows evidence that a robust revocation process is in place (NRO self) | |
| 31 | Disable PAP | Password Authentication Protocol MUST NOT be used between access points and RADIUS servers | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 32 | DIsable SPAP | Shiva Password Authentication Protocol MUST NOT be used, as their encryption is reversible (see reference 7) | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 33 | Disable MS-CHAPv1 | Challenge Handshake Authentication Protocol is considered weak and MUST NOT be used. | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 34 | Use anonymous outer identities | Where supported by the EAP type and the supplicant, it is strongly recommended that anonymous outer identities SHOULD be used. (see reference 10) | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs and checks FTLR logs (NRO self) | |
| 35 | Set Operator-Name (policy) | Where possible, NRO and members SHOULD ensure all Access-Request packets proxied to the NRPS (FTLRs) contain the Operator-Name attribute correctly set to the relevant realm. | SHOULD | NRO checks authentication flow through the FTLRs (NRO self) | |
| 36 | Operator-Name functionality (policy) | The appearance of the Operator-Name attribute (RFC5580) in Access-Requests MUST NOT cause these requests to be treated as invalid | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs and checks FTLR logs (if possible) (NRO self) | |
| 37 | Enable CUI (policy) | Chargeable User Identity (CUI) SHOULD be implemented to enhance accountability of end user behaviour by pseudonymous means. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs and checks FTLR logs (NRO self) | |
| 38 | UDP fragmentation | Make sure UDP fragmentation works | MUST | Test this once a year with eduroam managed IdP - one account per organisation, verify results (OT automatic) Can be checked by peers. | |
| 39 | Operate to default deny | NROs SHOULD advise all members to operate a default deny policy on all firewalls and access control lists, only granting specific traffic types that are required and have been risk assessed to pass. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 40 | Adopt network segmentation | Network segmentation SHOULD be considered, placing roaming users into a separate segment to local organisation users. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 41 | Deploy VLAN spoofing countermeasures | the visitor network design SHOULD prevent devices from mailiciously placing themselves into unauthorised VLANs | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 42 | Provide maps | Websites MAY includes graphical maps of accessible locations, noting additional services such as charging points | MAY | Check information on web site (OT manual) | 
3d. Technical requirements and recommendations NRO, IdP and SP (non-policy) (MOL)
| # | Name | Description | Status | Tools | Review Comments | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Deploy a Firewall | A layer 4 firewall MUST separate all internet-facing RADIUS servers and the internal network. Access must be controlled and monitored. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 2 | Limit admin access | System administration (RADIUS and associated systems) MUST be preformed over a private internal network ONLY. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 3 | Assess connectivity risks | All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks) | MUST | Carry out assessment (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 4 | Regulate external port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | Why do we care about not running 1645. (Or even random other ports, like the hosted SP may do.) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 5 | Regulate Internal port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH) | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 6 | Undertake patch management | All server operating systems and applications MUST be kept fully patched and up to date (SysAdmins must apply risk assessment criteria to deciding whether to deploy early patches against zero-day exploits or to follow stable releases) | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 7 | Make back-ups | All servers and configuration files MUST be regularly backed up (as a minimum after every configuration change) | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 8 | Conduct monitoring | Servers MUST be configured to detect and log rogue behaviour such as password brute forcing. Where automated defence is possible, it SHOULD be deployed (e.g. increasing authentication back-off times) | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 9 | Enable Alerts | Servers MUST be configured to send alerts (with copies of logs) to SysAdmins so that incidents can be detected and responded to in real time. Alert systems should be regularly tested for effectiveness. | MUST | NRO checks that this is the case with the FTLRs (show test results) & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 10 | EAP requests always carry it | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 11 | Don't intercept traffic | NROs and members MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. do not use TLS or SSL interception proxies) | MUST NOT (policy says SHOULD NOT, check Application & interception proxies) | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 12 | Secure RADIUS/TLS (RadSec) server identities | If RADIUS/TLS (RadSec) is used, X.509 certificates must be used to identify RADIUS servers | MUST (optional) | Check FTLR server configuration (NRO self), check TLR configuration (OT automatic | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # | Name | Description | Status | Tools | Review Comments | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 1 | Deploy a Firewall | A layer 4 firewall MUST separate all internet-facing RADIUS servers and the internal network. Access must be controlled and monitored. | MUST | 2 | Allow ICMP | Firewalls MUST permit ICMP to allow centralised monitoring of RADIUS servers | MUST | 3 | Limit admin access | System administration (RADIUS and associated systems) MUST be preformed over a private internal network ONLY. | MUST | 4 | Assess connectivity risks | All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks) | MUST | 5 | Regulate external port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). | MUST | Why do we care about not running 1645. (Or even random other ports, like the hosted SP may do.) | 6 | Make sure UDP fragmentation works | Can be checked by peers. | 7 | Regulate Internal port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH) | MUST | 8 | Undertake patch management | All server operating systems and applications MUST be kept fully patched and up to date (SysAdmins must apply risk assessment criteria to deciding whether to deploy early patches against zero-day exploits or to follow stable releases) | MUST | 9 | Ensure consistent timestamps | All servers MUST be configured against the same time-synched NTP server to minimise issues with log reconciliation. | MUST | 10 | Make back-ups | All servers and configuration files MUST be regularly backed up (as a minimum after every configuration change) | MUST | 11 | Conduct monitoring | Servers MUST be configured to detect and log rogue behaviour such as password brute forcing. Where automated defence is possible, it SHOULD be deployed (e.g. increasing authentication back-off times) | MUST | 12 | Retain authentication logs | All authentications to eduroam infrastructure systems MUST be logged. Such logs may constitute personal data and MUST be managed in a GDPR-compliant way. All such logs should be timestamped against a synced NTP source and held for a minimum of <central policy specified period?>. | MUST | 13 | Enable Alerts | Servers MUST be configured to send alerts (with copies of logs) to SysAdmins so that incidents can be detected dn responded to in real time. Alert systems should be regularly tested for effectiveness. | MUST | 14 | Deploy secure CA servers | CA servers MUST be hosted on a dedicated, locked-down server in a secure location, configured for minimum user access. Such servers SHOULD have a fully qualified domain name, although this MAY not be published through DNS. | MUST | 15 | Enable Message-Authenticator | MUST | EAP requests always carry it | 16 | Adopt AES | eduroam wi-fi services MUST implement WPA2 Enterprise with the use of the CCMP (AES) algorithm | MUST | 17 | Don't intercept traffic | NROs and members MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. do not use TLS or SSL interception proxies) | MUST NOT | 18 | Disable PAP | Password Authentication Protocol MUST NOT be used between access points and RADIUS servers | MUST NOT | 19 | DIsable SPAP | Shiva Password Authentication Protocol MUST NOT be used, as their encryption is reversible (see reference 7) | MUST NOT | 20 | Disable MS-CHAPv1 | Challenge Handshake Authentication Protocol is considered weak and MUST NOT be used. | MUST NOT | 21 | Disable WPA-TKIP | The WPA specification MUST NOT be supported and the TKIP algorithm MUST NOT be employed in eduroam services | MUST NOT | 22 | Suppress Accounting | RADIUS accounting messages MUST NOT be forwarded to the eduroam international RADIUS Proxies. They may contain potentially sensitive information and therefore GDPR compliance duties. NB: conflicts with existing policy, which states it SHOULD be supported. | MUST NOT | 23 | Secure RadSec server identities | If RadSec is used, X.509 certificates must be used to identify RADIUS servers | MUST (optional) | 24 | Deploy dedicated servers | NRO-level RADIUS servers SHOULD be dedicated to the task, not supporting other local or national services, in order to reduce their attack surface. | SHOULD (MUST?) | 25 | Suppress VLAN attributes | Dynamic VLAN attributes SHOULD NOT be sent in Access-Accept replies to the NRPS. | SHOULD NOT (MUST NOT?) | 26 | Adopt network segmentation | Network segmentation SHOULD be considered, placing roaming users into a separate segment to local organisation users. | SHOULD | 27 | Deploy VLAN spoofing countermeasures | the visitor network design SHOULD prevent devices from mailiciously placing themselves into unauthorised VLANs | SHOULD | 28 | Conduct external penetration testing | NROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure. | SHOULD | 29 | Conduct internal vulnerability testing | NROs SHOULD regularly conduct vulnerability testing from within the internal network of eduroam infrastructure. | SHOULD | 30 | Separate non-eduroam guests | NRO and its members may offer a public guest Wi-Fi service for those unable to access eudroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring, and anti-circumvention measures. | SHOULD | 31 | Incorporate redundancy | NRO-level RADIUS servers SHOULD be deployed in a redundant, diverse configuration to maximise availability and meet SLAs | SHOULD | 32 | Deploy hardened servers | NRO-level RADIUS servers SHOULD be hardened to recognised best practice standards (includes secondary/backup RADIUS, certificate servers etc.) | SHOULD | 33 | Adopt encrypted comms | NRO SHOULD recommend to members that they use a VPN to protect communications between Access Points and the RADIUS server. | SHOULD | 34 | Set Operator-Name | Where possible, NRO and members SHOULD ensure all Access-Request packets proxied to the NRPS contain the Operator-Name attribute correctly set to the relevant realm. | SHOULD | 35 | Set eduroam-SP-Country | Advised to NROs to set eduroam-SP-Country attribute in particular for RadSec | SHOULD(etlr also does it, but not for RadSec | ) | 
4. References
| # | Reference | URL | 
|---|---|---|
| 1 | eduroam Compliance Statement | https://www.eduroam.org/support/eduroam_Compliance_Statement.pdf | 
| 2 | European Confederation eduroam policy | https://www.eduroam.org/wp-content/uploads/2016/05/GN3-12-194_eduroam-policy-for-signing_ver2-4_1_18052012.pdf | 
| 3 | eduroam Service Definition | https://www.eduroam.org/wp-content/uploads/2016/05/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf | 
| 4 | Jisc govroam code of practice: | 20171124 code of practice v2(4).pdf | 
| 5 | UK NIST security standards | https://nvd.nist.gov/ncp/repository | 
| 6 | UK CIS security standards | https://www.cisecurity.org | 
| 7 | SPAP vulnerability | https://technet.microsoft.com/en-us/library/dd197599(v=ws.10).aspx | 
| 8 | RADIUS EAP support (re. Message injection) | http://www.networksorcery.com/enp/rfc/rfc3579.txt | 
| 9 | EAP Types | https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol | 
...
