Govroam

The Roaming solution for the public sector

public:faq

Differences

This shows you the differences between two versions of the page.

public:faq [2019/08/20 12:55]
admin [Technical]
public:faq [2021/04/07 10:04] (current)
admin
Line 7: Line 7:
 A: Contact <govroam@jisc.ac.uk> and you'll be sent all the appropriate documentation for joining. A: Contact <govroam@jisc.ac.uk> and you'll be sent all the appropriate documentation for joining.
  
-The {{ :public:20180815_full_boarding_v3.0_gov011.docx |full boarding form}}  needs filling out completely. It asks for contact information, information about your RADIUS servers and various other pieces of information. The form refers to a {{ :public:federationregistry.xls |Registry}} document - if you're joining as a Federation, please fill that in too. Send them to <govroam@jisc.ac.uk>.+The [[ https://utilities.govroam.uk/boardingforms/boarding/full |full boarding form]] needs filling out completely. It asks for contact information, information about your RADIUS servers and various other pieces of information. If you're joining as Federation, please fill in the {{ :public:federationregistry.xls |Registry}} document too and send it to <govroam@jisc.ac.uk>.
  
-Once we have properly completed forms then we'll sort out the appropriate payments, shared secrets for RADIUS servers, access to the CAT, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.+Once we have properly completed forms then we'll sort out the appropriate payments, send you an [[public:unpacking_.tar.gpg.zip_file|encrypted file with the shared secrets]] for RADIUS servers, access to the CAT, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.
  
 ===Q: We're a public sector organisation and would like to join Govroam as a Visited Only site, what are the next steps?=== ===Q: We're a public sector organisation and would like to join Govroam as a Visited Only site, what are the next steps?===
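Review bot: in the rewritten "Once we have properly completed forms" line, the items after "send you an encrypted file with the shared secrets for RADIUS servers" now read as if access to the CAT and the Govroam App are inside the encrypted file, and "subscribe you to the support mailing lists" no longer follows from "sort out". Suggest one sentence for the encrypted shared-secrets file and a second for the remaining onboarding items. It would also help to say here how the decryption passphrase or key reaches the recipient, if the linked unpacking page does not already cover that. Minor: "If you're joining as Federation" is missing "a".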
Line 15: Line 15:
 A: Contact <govroam@jisc.ac.uk> and you'll be sent all the appropriate documentation for joining. A: Contact <govroam@jisc.ac.uk> and you'll be sent all the appropriate documentation for joining.
  
-The {{ :public:20180820_visited_boarding_v3.0_gov012.docx |Visited Only Boarding form}} needs filling out completely. It asks for contact information, information about your RADIUS servers and for a letter of consent, on corporate headed paper, from someone senior e.g:+The [[ https://utilities.govroam.uk/boardingforms/boarding/visited | Visited Only boarding form]] needs filling out completely. It asks for contact information, information about your RADIUS servers and for a letter of consent, on corporate headed paper, from someone senior e.g:
  
 <code> <code>
Line 29: Line 29:
 </code> </code>
  
-scan it to a PDF and send it to <govroam@jisc.ac.uk>.+scan it to a PDF and upload it to the form.
  
-Submit the form back to us, and then we'll sort out the shared secrets for RADIUS servers, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.+Submit the form back to us, and then we'll send an [[public:unpacking_.tar.gpg.zip_file|encrypted file with the shared secrets]] for RADIUS servers, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.
  
 ===Q: We're a University/Third Party that wants to implement Govroam as a Visited Only service. What do we have to do?=== ===Q: We're a University/Third Party that wants to implement Govroam as a Visited Only service. What do we have to do?===
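Review bot: "Submit the form back to us" in the last changed line is left over from the .docx workflow; now that the letter is uploaded "to the form", plain "Submit the form" is enough. The same line reads as though the Govroam App is part of the encrypted file ("an encrypted file with the shared secrets for RADIUS servers, the Govroam App, subscribe you to ..."); split the shared-secrets file from the other onboarding items.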
Line 37: Line 37:
 A: There are three things to do: A: There are three things to do:
  
-  - Take your existing eduroam configuration, duplicate the part of it related to visitors, change the 'eduroam' bits to 'govroam'. So that should cover the SSID, 802.1x setting on your wireless controllers, a VLAN to put the visitors on, an address range for them, firewall settings (same as eduroam). Then the RADIUS config should be able to send unknown realms to our NRPS.  +1. If you've already got eduroam then take your existing configuration, duplicate the part of it related to visitors, change the 'eduroam' bits to 'govroam'. So that should cover the SSID, 802.1x setting on your wireless controllers, a VLAN to put the visitors on, an address range for them, firewall settings (same as eduroam). Then the RADIUS config should be able to send unknown realms to our NRPS.  
-  - Download the {{ :public:20180820_visited_boarding_v3.0_gov012.docx |Visited Only Boarding form}}, fill it out and send it back to <govroam@jisc.ac.uk>+ 
-  - Have your Director of IT (or someone suitably senior) write a brief letter of authorisation, on corporate headed paper, along the lines of+2. Have your Director of IT (or someone suitably senior) write a brief letter of authorisation, on corporate headed paper, along the lines of
 <code> <code>
 "Dear Sir/Madam, "Dear Sir/Madam,
Line 45: Line 45:
 Re: Govroam Re: Govroam
  
-Please accept this letter as authority of behalf of <insert institution here> for the provision of the Govroam service over our network infrastructure as a Visited Only site.+Please accept this letter as authority of behalf of <insert institution/organisation here> for the provision of the Govroam service over our network infrastructure as a Visited Only site.
  
 Your faithfully, Your faithfully,
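Review bot: the changed letter line still says "authority of behalf of"; since the line is being edited anyway, correct it to "authority on behalf of". The sign-off in the following context line, "Your faithfully", should be "Yours faithfully".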
Line 52: Line 52:
 </code> </code>
  
-scan it to a PDF and send it to <govroam@jisc.ac.uk>.+scan it to a PDF and upload it through the form below.
  
-Then we'll send you the details (shared secrets and addresses) for our NRPS for you to configure in your RADIUS servers. We'll include a test account so that you can confirm that outgoing authentication requests work and we have a web page through which you can test incoming authentication requests. We'll sign you up to a technical mailing list and give you access to our Wiki of relevant information.+3. Visit the [[ https://utilities.govroam.uk/boardingforms/boarding/visited | Visited Only boarding form]], fill it out and submit it. You will need to have the hostnames of your RADIUS servers already configured.
  
-This documentation is related:+Then we'll send you an [[public:unpacking_.tar.gpg.zip_file|encrypted file with the shared secrets]] for our NRPS for you to configure in your RADIUS servers. We'll include a test account so that you can confirm that outgoing authentication requests work and we have a web page through which you can test incoming authentication requests. We'll sign you up to a technical mailing list and give you access to our Wiki of relevant information.
  
-{{ :public:20171212_govroam_tech_spec_v2.pdf | Tech Spec V2}}+An overview of how to deploy visited-only govroam alongside an existing eduroam service: 
 +{{ :public:deploying_govroam_alongside_eduroam.pdf | Joint deployment presentation}} 
 +(first presented November 2019) 
 + 
 +Our technical requirements in detail: 
 +{{ :public:20171212_govroam_tech_spec_v2.docx |Tech Spec V2}}
  
 ====Technical==== ====Technical====
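Review bot: the rewritten "Then we'll send you an encrypted file with the shared secrets" line drops the NRPS "addresses" that the old wording listed, and the following "We'll include a test account" does not say whether those credentials are inside the encrypted file or sent separately; state where both are delivered. Step "3. Visit the ... boarding form" is typed as literal text, like "1." and "2." in the previous hunk, in place of the DokuWiki "  - " ordered-list items, so the three steps no longer render as a list; consider keeping the list syntax. The Tech Spec link also changes from .pdf to .docx; confirm that is intended.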
Line 67: Line 72:
 Thus it's possible to have neither, either or both.  Thus it's possible to have neither, either or both. 
  
-If you already run eduroam (i.e. a University) then adding Govroam is easy (and free). Essentially you need to duplicate your wireless and RADIUS configurations and request the shared secret details from JISC. This may require separate infrastructure (normally different RADIUS server VMs) or could be done on shared systems. +If you already run eduroam as a Home site (i.e. a University) then adding Govroam as a Visited Only site is easy (and free). Essentially you need to duplicate your wireless and RADIUS configurations and request the shared secret details from JISC. This may require separate infrastructure (normally different RADIUS server VMs) or could be done on shared systems. 
  
 It's not possible for people with eduroam accounts to authenticate using Govroam, or vice versa. We encourage sites with eduroam to run Govroam Visited Only and Govroam sites to to eduroam Visited Only, for maximum coverage. It's not possible for people with eduroam accounts to authenticate using Govroam, or vice versa. We encourage sites with eduroam to run Govroam Visited Only and Govroam sites to to eduroam Visited Only, for maximum coverage.
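Review bot: "JISC" in the changed line is written "Jisc" elsewhere on the page (for example "sending to Jisc"); use one form throughout. "(i.e. a University)" reads as if only universities are eduroam Home sites, so "e.g." is probably what is meant. The next context line has "Govroam sites to to eduroam Visited Only", where the second "to" looks like it should be "run".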
Line 108: Line 113:
 A: Following on from the above question: between zero and a lot. If you have a spare piece of hardware, or can create a VM at no cost then installing a linux variant and FreeRADIUS would cost nothing. As would adding the ORPS capability to an existing RADIUS configuration. If you have to buy hardware then £500-1000 should cover the cost of a suitable Dell server. If you want to purchase RADIUS software such as Clearpass then you'll have to talk to a reseller as the licences can be complex. Even a reasonably sized hospital ought to be able have something for under £5,000 though. The final costs with depend on a number of factors which are site specific.  A: Following on from the above question: between zero and a lot. If you have a spare piece of hardware, or can create a VM at no cost then installing a linux variant and FreeRADIUS would cost nothing. As would adding the ORPS capability to an existing RADIUS configuration. If you have to buy hardware then £500-1000 should cover the cost of a suitable Dell server. If you want to purchase RADIUS software such as Clearpass then you'll have to talk to a reseller as the licences can be complex. Even a reasonably sized hospital ought to be able have something for under £5,000 though. The final costs with depend on a number of factors which are site specific. 
  
-==Q: What do I do with users once they're authenticated?===+===Q: What do I do with users once they're authenticated?===
  
 A: You can make this as simple or as complex as you wish. There is a minimum service level associated with govroam but it's not particularly restrictive. At the simplest level govroam Visitors to your site need a network segment separate from other users, a basic set of open ports (such as web and VPN) and some bandwidth.  A: You can make this as simple or as complex as you wish. There is a minimum service level associated with govroam but it's not particularly restrictive. At the simplest level govroam Visitors to your site need a network segment separate from other users, a basic set of open ports (such as web and VPN) and some bandwidth. 
Line 165: Line 170:
   - The site is provided with a login to Jisc's App site so that they can populate Govroam locations on a map.   - The site is provided with a login to Jisc's App site so that they can populate Govroam locations on a map.
  
-This {{ :public:federationregistry.xls |spreadsheet}} can be used as a template for the information that should be collected for sending to Jisc.+This {{ :public:federationregistry.xls |spreadsheet}} can be used as a template for the information that should be collected for sending to Jisc: (<govroam@jisc.ac.uk>). Use RED to indicate information to be removed, YELLOW for changes, and GREEN for new additions. 
 + 
 +===Q: How do I unpack the file sent?=== 
 + 
 +A: Follow these instructions: [[Unpacking .tar.gpg.zip file]] 
 + 
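Review bot: the new answer links with "[[Unpacking .tar.gpg.zip file]]", while the other three links added in this revision use the explicit id "public:unpacking_.tar.gpg.zip_file"; use the same id here so all four are written the same way. In the spreadsheet line, "for sending to Jisc: (<govroam@jisc.ac.uk>)" has a stray colon before the bracket.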
public/faq.1566305707.txt.gz · Last modified: 2019/08/20 12:55 by admin