Invalid usernames
eduroam service providers must ensure that all authentication requests forwarded to the National RADIUS Servers contain valid usernames.
A valid username must follow the format of a Network Access Identifier, including an @ symbol and a realm component containing at least one dot (for example, user@university.edu). Requests without a realm, with a malformed realm, or containing invalid characters should be rejected by the service provider’s RADIUS Server and not sent upstream.
The following are examples of invalid realm formats; usernames of these kinds must not be forwarded to the NRS:
- Usernames with no realm (no @).
- Realms lacking at least one dot (for example, user@university).
- Usernames or realms starting or ending with a space.
- Machine accounts in the format "host/[FQDN of device]" (for example, host/WIN10-ADMIN.university.edu). Note: host/username@rea.lm is a valid format, because it includes an @ and the realm contains at least one dot.
Invalid realms
The following realms are considered invalid and must be filtered locally:
- myabc.com
- *3gppnetwork.org
- *3gppnetworks.org
- gmail.com
- googlemail.com
- hotmail.*
- live.com
- outlook.com
- yahoo.com
- unimail.com
- Any realm ending in .local
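
The username and realm checks from both sections above, as an added Python example (not part of the original page and not eduroam's own tooling). The function name check_username, the case-insensitive realm comparison and the sample usernames are assumptions; the "invalid characters" rule is not implemented because the page does not list which characters are invalid.

```python
from fnmatch import fnmatchcase

# Realm patterns copied from the list above; "*" is a wildcard.
BLOCKED_REALMS = [
    "myabc.com", "*3gppnetwork.org", "*3gppnetworks.org", "gmail.com",
    "googlemail.com", "hotmail.*", "live.com", "outlook.com",
    "yahoo.com", "unimail.com", "*.local",
]


def check_username(user_name):
    """Return (forward, reason) for a RADIUS User-Name value."""
    # The realm is everything after the last "@".
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        # Also catches machine accounts such as host/WIN10-ADMIN.university.edu
        return False, "no realm"
    if user != user.strip(" ") or realm != realm.strip(" "):
        return False, "leading or trailing space"
    if "." not in realm:
        return False, "realm has no dot"
    # Assumption: realms are compared case-insensitively.
    lowered = realm.lower()
    for pattern in BLOCKED_REALMS:
        if fnmatchcase(lowered, pattern):
            return False, "blocked realm " + pattern
    return True, "ok"


# Constructed sample values, not taken from real traffic.
SAMPLES = [
    "user@university.edu",
    "host/username@rea.lm",
    "user",
    "user@university",
    " user@university.edu",
    "user@university.edu ",
    "host/WIN10-ADMIN.university.edu",
    "someone@Gmail.com",
    "someone@hotmail.co.uk",
    "0123@wlan.mnc001.mcc505.3gppnetwork.org",
    "user@corp.local",
]

if __name__ == "__main__":
    for name in SAMPLES:
        forward, reason = check_username(name)
        print(f"{name!r:45} {'forward' if forward else 'reject'}: {reason}")
```

Logging the reason alongside each rejected request makes it easier to spot misconfigured supplicants that repeatedly send unroutable identities.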