The process below is for institutions to configure secure RADIUS servers within the eduroam federated network using RadSec (Secure RADIUS). RadSec uses TLS over TCP to encrypt RADIUS communications.
Prerequisites
You must have a functional RADIUS server or servers configured and operational, running one of the following:
- FreeRADIUS: Open source RADIUS server with RadSec support
- RadSecProxy: Dedicated RadSec proxy software
- Radiator: Commercial RADIUS server solution
Configure RADIUS server
Setup Admin Portal at http://admin.eduroam.org.au/
- Access the admin portal at https://admin.eduroam.edu.au/manage/login/
- Your institution's eduroam administrator will need to log in with their institutional credentials.
- Navigate to Server Configuration.
- Add additional servers, set type (IDP / SP) as required.
- Use the FQDN as the host name.
- Set the Label to the FQDN suffixed with -tls.
- For protocol, select Radius over TLS (radsec, RFC6614).
- Change accounting and authentication port to 2083.
- Check status-server support, if supported by your server.
- Save all server configurations.
- Add a generic, public institutional contact.
Email Address: Use an aliased address (e.g., support@yourinstitution.edu or radius@yourinstitution.edu).
Contact Type: Set to service/department.
Contact Privacy: Set to public.
Note: Failure to complete this contact setup will block your ability to obtain RadSec certificates.
- Save changes.
It can take up to 36-48 hours for details to synchronise with the European PKI system. If the details are still not showing after this time, please contact support@aarnet.edu.au for assistance.
Request certificate
- Generate a Certificate Signing Request (CSR) on your local server.
# Use one of the following openssl commands to generate a CSR, literally as is; do NOT change the -subj value:
# Faster, modern ECC key
openssl req -new -newkey ec:<(openssl ecparam -name prime256v1) -out radsec.csr -keyout radsec.key -subj /DC=net/DC=geant/DC=eduroam/C=XY/O=WillBeReplaced/CN=will.be.replaced
# OR
# Much slower, traditional RSA key
openssl req -new -newkey rsa:4096 -out radsec.csr -keyout radsec.key -subj /DC=net/DC=geant/DC=eduroam/C=XY/O=WillBeReplaced/CN=will.be.replaced
Note: your private key stays on your server and is never transmitted to external parties; only the CSR is sent.
- 3-4 days after the synchronisation period has completed, send an email to support@aarnet.edu.au with the following details and a TLS certificate will be generated:
- Subject: Request for eduroam RadSec certificate generation
- Include your previously generated CSR
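As an added example (not from the AARNet or eduroam documentation), the following POSIX shell script runs the checks worth doing on radsec.csr and radsec.key before emailing the CSR: the CSR's signature verifies, the subject is exactly the required template, the key is one of the two permitted types, and the key on disk is the one that produced the CSR. It assumes the openssl CLI is available; the make_test_csr helper only builds a throwaway key pair so the checks can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not AARNet/eduroam code): pre-flight checks to run on the
# CSR and key before emailing the CSR. Assumes the openssl CLI is installed.

# The PKI expects exactly this subject; the CA replaces O and CN itself.
REQUIRED_SUBJ='/DC=net/DC=geant/DC=eduroam/C=XY/O=WillBeReplaced/CN=will.be.replaced'

# Build a throwaway EC key + CSR in a temp dir (two-step equivalent of the
# guide's one-liner, avoiding bash-only process substitution). Prints the dir.
make_test_csr() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/radsec.key" 2>/dev/null
  openssl req -new -batch -key "$dir/radsec.key" -out "$dir/radsec.csr" \
    -subj "$REQUIRED_SUBJ" 2>/dev/null
  echo "$dir"
}

# check_csr KEY CSR: returns 0 if every check passes, 1 otherwise (prints failures)
check_csr() {
  key=$1; csr=$2; rc=0
  # 1. The CSR's self-signature verifies (file is intact, not truncated)
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "FAIL: CSR signature does not verify"; rc=1; }
  # 2. Subject matches the required template; normalise both the old
  #    '/DC=net/...' and the newer 'DC = net, ...' print formats
  subj=$(openssl req -in "$csr" -noout -subject 2>/dev/null \
    | sed -e 's/^subject= *//' -e 's| *= *|=|g' -e 's| *, *|/|g' -e 's|^/*|/|')
  [ "$subj" = "$REQUIRED_SUBJ" ] \
    || { echo "FAIL: subject is '$subj', expected '$REQUIRED_SUBJ'"; rc=1; }
  # 3. Key type is one of the two the guide allows: P-256 EC or 4096-bit RSA
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
  if ! printf '%s' "$text" | grep -q 'prime256v1' \
     && ! { printf '%s' "$text" | grep -q 'rsaEncryption' \
            && printf '%s' "$text" | grep -q '(4096 bit)'; }; then
    echo "FAIL: key is neither prime256v1 EC nor 4096-bit RSA"; rc=1
  fi
  # 4. The CSR was made with the private key you are keeping (public keys equal)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  pub_csr=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  [ -n "$pub_key" ] && [ "$pub_key" = "$pub_csr" ] \
    || { echo "FAIL: private key does not match CSR public key"; rc=1; }
  return $rc
}

# Stand-alone usage: sh check_csr.sh radsec.key radsec.csr
if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```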
Server configuration and testing
- Configure the TLS certificates that you receive from AARNet in your RADIUS/RadSec server, ensuring the full certificate chain (server certificate and any issuing intermediate certificates) is configured.
- Send an email to support@aarnet.edu.au to request an NRAD configuration update.
- Subject: Addition of your RadSec servers to the national RADIUS server configuration
- Once complete, test your secure RADIUS client requests to national RADIUS servers using RadSec.
- Verify that connectivity and authentication are working correctly.
Production deployment
Once testing is successful, you can use any or all of the options below for deployment.
- Add RadSec Servers as Secondary Method:
- Deploy your RadSec servers alongside your existing RADIUS infrastructure.
- Allow your RadSec servers to initiate RadSec connections to the NRAD servers.
- Requests originating from the NRAD servers will continue to be sent to your institution via traditional UDP RADIUS.
- Promote RadSec to Primary Method:
- After successful client RadSec connections, you may choose to promote your RadSec servers as the primary method of communication.
- In this mode, the NRAD servers will prefer to use RadSec as the primary transport to your institution, but will fall back to regular UDP RADIUS if there is a communication failure.
- RadSec Only (Retire Traditional RADIUS):
- Once communication from the NRAD servers to your RadSec servers is fully operational and stable, you may choose to retire your traditional RADIUS servers from the configuration.
- Only RadSec communication will then be permitted between your institution and the NRAD servers.
Important notes
- All certificate requests must go through the official eduroam PKI system.
- Generic, public contact information is required to be issued a certificate.
- Private keys should never be shared. Always generate CSRs locally.