Differences

This shows you the differences between two versions of the page.

--- public:faq [2021/01/18 08:32] – admin
+++ public:faq [2024/08/02 10:02] (current) – [Q: We're a public sector organisation and would like to join Govroam, what are the next steps?] admin
@@ Line 7: / Line 7: @@
 A: Contact <govroam@jisc.ac.uk> and you'll be sent all the appropriate documentation for joining.
-The [[ https://utilities.govroam.uk/boardingforms/boarding/full |full boarding form]] needs filling out completely. It asks for contact information, information about your RADIUS servers and various other pieces of information. The form refers to a {{ :public:federationregistry.xls |Registry}} document - if you're joining as a Federation, please fill that in too and send it to <govroam@jisc.ac.uk>.
+The [[ https://utilities.govroam.uk/boardingforms/boarding/full |full boarding form]] needs filling out completely. It asks for contact information, information about your RADIUS servers and various other pieces of information. If you're joining as a Federation, please fill in the {{ :public:federationregistry.xls |Registry}} document too and send it to <govroam@jisc.ac.uk>.
-Once we have properly completed forms then we'll sort out the appropriate payments, shared secrets for RADIUS servers, access to the CAT, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.
+Once we have properly completed forms then we'll sort out the appropriate payments, send you an [[public:unpacking_.tar.gpg.zip_file|encrypted file with the shared secrets]] for RADIUS servers, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.
 ===Q: We're a public sector organisation and would like to join Govroam as a Visited Only site, what are the next steps?===
@@ Line 31: / Line 31: @@
 scan it to a PDF and upload it to the form.
-Submit the form back to us, and then we'll sort out the shared secrets for RADIUS servers, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.
+Submit the form back to us, and then we'll send an [[public:unpacking_.tar.gpg.zip_file|encrypted file with the shared secrets]] for RADIUS servers, the Govroam App, subscribe you to the support mailing lists and add your support details to our Support Matrix.
 ===Q: We're a University/Third Party that wants to implement Govroam as a Visited Only service. What do we have to do?===
@@ Line 37: / Line 37: @@
 A: There are three things to do:
-  - If you've already got eduroam then take your existing configuration, duplicate the part of it related to visitors, change the 'eduroam' bits to 'govroam'. So that should cover the SSID, 802.1x setting on your wireless controllers, a VLAN to put the visitors on, an address range for them, firewall settings (same as eduroam). Then the RADIUS config should be able to send unknown realms to our NRPS.
+. If you've already got eduroam then take your existing configuration, duplicate the part of it related to visitors, change the 'eduroam' bits to 'govroam'. So that should cover the SSID, 802.1x setting on your wireless controllers, a VLAN to put the visitors on, an address range for them, firewall settings (same as eduroam). Then the RADIUS config should be able to send unknown realms to our NRPS.
-  - Have your Director of IT (or someone suitably senior) write a brief letter of authorisation, on corporate headed paper, along the lines of
+. Have your Director of IT (or someone suitably senior) write a brief letter of authorisation, on corporate headed paper, along the lines of
 <code>
 "Dear Sir/Madam,
@@ Line 44: / Line 45: @@
 Re: Govroam
-Please accept this letter as authority of behalf of <insert institution here> for the provision of the Govroam service over our network infrastructure as a Visited Only site.
+Please accept this letter as authority of behalf of <insert institution/organisation here> for the provision of the Govroam service over our network infrastructure as a Visited Only site.
 Your faithfully,
@@ Line 52: / Line 53: @@
 scan it to a PDF and upload it through the form below.
-  - Visit the [[ https://utilities.govroam.uk/boardingforms/boarding/visited | Visited Only boarding form]], fill it out and submit it.
-Then we'll send you the details (shared secrets and addresses) for our NRPS for you to configure in your RADIUS servers. We'll include a test account so that you can confirm that outgoing authentication requests work and we have a web page through which you can test incoming authentication requests. We'll sign you up to a technical mailing list and give you access to our Wiki of relevant information.
+. Visit the [[ https://utilities.govroam.uk/boardingforms/boarding/visited | Visited Only boarding form]], fill it out and submit it. You will need to have the hostnames of your RADIUS servers already configured.
-This documentation is related:
+Then we'll send you an [[public:unpacking_.tar.gpg.zip_file|encrypted file with the shared secrets]] for our NRPS for you to configure in your RADIUS servers. We'll include a test account so that you can confirm that outgoing authentication requests work and we have a web page through which you can test incoming authentication requests. We'll sign you up to a technical mailing list and give you access to our Wiki of relevant information.
-{{ :public:20171212_govroam_tech_spec_v2.docx |Tech Spec V2}}
+An overview of how to deploy visited-only govroam alongside an existing eduroam service:
+{{ :public:deploying_govroam_alongside_eduroam.pdf | Joint deployment presentation}}
+(first presented November 2019)
+Our technical requirements in detail:
+{{ :public:2021_techspec_v3.pdf |Tech Spec V3}}
 ====Technical====
@@ Line 100: / Line 105: @@
 If you already have a RADIUS server then you may be able to configure it to act as an ORPS at no extra cost. If the software doesn't allow it, or you want to separate your services then the ORPS you add will only be handling the authentication requests destined/source to/from offsite, which will by about 1% of your total authentication requests.
-As for the software - any modern RADIUS server can handle Govroam. There are no odd requirements. Having said that through, there should be a preference for servers which can handle Server Status (for resilience), CUI (Chargeable User Identity for audit), Operator-Name (for logging) and RADSEC (for the future).
+As for the software - any modern RADIUS server can handle Govroam. There are no odd requirements. Having said that though, there should be a preference for servers which can handle Server Status (for resilience), CUI (Chargeable User Identity for audit), Operator-Name (for logging) and RADSEC (for the future).
 If you value the service then resilience should be considered. At least two RADIUS servers at each level are recommended and three is quite common. Many RADIUS servers (and wireless controllers) offer load balancing options so hardware load balancers shouldn't be needed. The servers themselves are generally stateless and require no intercommunication.
@@ Line 171: / Line 176: @@
 A: Follow these instructions: [[Unpacking .tar.gpg.zip file]]
+===Q: Firewall is seeing fragmented packets from RADIUS servers?===
+A: If the RADIUS packets exceed the MTU size then they'll be fragmented. This normally happens only with EAP-TLS (client certificate based authentication). We have some suggestions on [[How to deal with fragmentation of EAP packets|how to deal with packet fragmentation]].