The Roaming solution for the public sector https://wiki.govroam.uk/dokuwiki/ 2026-05-01T04:16:35+00:00 https://wiki.govroam.uk/dokuwiki/ https://wiki.govroam.uk/dokuwiki/lib/exe/fetch.php?media=wiki:logo.png text/html 2022-05-18T10:14:13+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:advanced_orps_radsecproxy_configuration&rev=1652868853&do=diff Advanced ORPS RADSECProxy Configuration This should be representative of the configuration used in production. It contains the appropriate logging and filtering. For RadSecProxy 1.8.0 and above: # Some basic logging LogLevel 3 LogDestination x-syslog:///LOG_DAEMON # Prev… text/html 2024-05-15T12:47:40+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:aruba_clearpass&rev=1715777260&do=diff Aruba Clearpass Clearpass - Setting O-N Clearpass - Setting realm filters Clearpass - Setting attribute filters Clearpass - FTICKS text/html 2026-04-20T12:34:37+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:attribute_filtering_by_server&rev=1776688477&do=diff Attribute Filtering RADSECProxy Attribute filtering FreeRADIUS Attribute filtering Cisco ISE Attribute Filtering Clearpass Attribute Filtering text/html 2022-09-07T11:01:09+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:attribute_filtering_for_cisco_ise&rev=1662548469&do=diff Attribute Filtering * In Administration -> Network Resources -> RADIUS Server Sequences * In the Advanced Attribute Settings for the NRPS Sequence * In the Modify attributes before access accept * You can RemoveAll attributes such as Airespace-Interface-Name text/html 2023-04-05T11:58:45+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:basic_freeradius_orps_and_idp_configuration&rev=1680695925&do=diff IN PROGRESS Prerequesites The winbind package must be installed and working. Changed files * clients.conf * proxy.conf * sites-available/govroam * sites-available/govroam-inner-tunnel * mods-available/eap * mods-available/govroam_logs text/html 2024-11-21T15:00:33+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:basic_freeradius_orps_configuration&rev=1732201233&do=diff Changed files * clients.conf * proxy.conf * sites-available -> govroam * mods-available -> govroam_logs Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems starting the RADIUS server. text/html 2025-08-18T13:11:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:basic_orps_radsecproxy_configuration&rev=1755522711&do=diff # Some basic logging LogLevel 3 LogDestination x-syslog:///LOG_DAEMON # Prevents RADIUS servers from causing a loop by sending requests back again. LoopPrevention On # FTICKS is a standardi… text/html 2025-11-20T14:01:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:called_station_id&rev=1763647286&do=diff Called Station ID From RFC3580: 3.20. Called-Station-Id For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1". text/html 2019-11-27T11:27:10+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:calling_station_id&rev=1574854030&do=diff The correct format for the CSI (called/calling station ID) is explained in RFC3580: uppercase and hyphen separated. This code snipped for FreeRADIUS will capitalise and format correctly: rewrite_calling_station_id { if (Calling-Station-Id =~/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) { … text/html 2024-04-25T13:00:30+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:cisco_ise&rev=1714050030&do=diff Realm filtering for Cisco ISE Operator-Name for Cisco ISE FTICKS logging for Cisco ISE Attribute filtering for Cisco ISE text/html 2021-02-09T11:33:05+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:clearpass_-_setting_attribute_filters&rev=1612870385&do=diff Clearpass - Attribute Filters Attribute filtering helps with the TechSpec requirement that sites don't send unnecessary, and potentially dangerous, attributes back to other sites. The normal problem is that a Home site will attach RADIUS attributes which set VLANs or roles intended for their own wireless controller. However, if these are sent back to a remote site where one of their users is trying to authenticate, then it might inadvertently set the VLAN or role of on the remote wireless contr… text/html 2024-05-15T13:08:49+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:clearpass_-_setting_o-n&rev=1715778529&do=diff Setting Operator-Name in Clearpass The Operator-Name attribute is used to identify the Visited Site to the Home Site. i.e. when a user joins at a Visited Site the name of the site is passed through in a RADIUS Request to the Home Site. The Home Site might use this information to generate statistics on where its users are visiting or to report problems with the Visited Site. text/html 2024-05-15T12:46:56+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:clearpass_-_setting_o-n_and_cui_wrong&rev=1715777216&do=diff Setting Operator Name and CUI in Clearpass Background Operator-Name (O-N) and Chargeable-User-Identity (CUI) are two attributes that provide a Govroam operators with useful audit information. Operator-Name identifies the sending site (in the form of their realm) and CUI contains the MAC address and username of the user device, encoded. text/html 2025-02-13T09:25:17+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:clearpass_-_setting_realm_filters&rev=1739438717&do=diff Clearpass - Setting Realm Filters There are several types of filtering that can be done. * Syntax * Known bad realms * Typos Syntax Filtering This is the easiest and captures the most problematic Username string. Simple typos such as @@, .. or illegal characters such as commas or underscores. text/html 2024-05-20T12:34:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:clearpass_fticks&rev=1716208465&do=diff ClearPass FTICKS for Federation Operators only NOTE: This is untested. This only applies to Federation Operators and not to individual sites There are a number of steps required to set up FTICKS logging. Syslog Targets Create a new Syslog Target ( text/html 2021-05-07T09:20:59+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:client_certificate_pki_configuration&rev=1620379259&do=diff Client Certificate PKI Configuration The idea is simple, the implementation is complex and the execution simple. The idea is that the client sends a certificate (and key) to the server. The server checks the certificate against a CA and, if it matches, approves the authentication. text/html 2026-04-20T12:31:14+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:configuration_fragments&rev=1776688274&do=diff Configuration Fragments If you have any configuration suggestions please feel free to add to the list: RADSECproxy FreeRADIUS RADIATOR MS NPS Aruba Clearpass Cisco ISE ---------- Realm Filtering Called Station ID Operator Name Attribute Filtering text/html 2019-10-18T13:54:46+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:filebeat_for_windows_configuration&rev=1571406886&do=diff Download and install Filebeat from <https://www.elastic.co/downloads/beats/filebeat> Edit the filebeat.yml file: * Under filebeat.prospectors make the path the path to the directory containing the NPS log files (e.g C:\Windows\System32\LogFiles\*) * If there is a line enabled: false then change it to text/html 2024-03-18T11:36:11+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius&rev=1710761771&do=diff Basic FreeRADIUS ORPS configuration Basic FreeRADIUS ORPS and IdP configuration Syslog F-TICKS logging FreeRADIUS RADSEC Configuration FreeRADIUS Useful configuration Realm Filtering Calling Station ID FreeRADIUS Attribute Filtering FreeRADIUS Realm Filtering FreeRADIUS Operator-Name setting FreeRADIUS Certificate (TLS) Authentication Retro-fitting FTICKS logging to FreeRADIUS text/html 2020-11-20T11:28:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius_attribute_filtering&rev=1605871706&do=diff FreeRADIUS Attribute Filtering Work in progress Pre-Proxy filtering: Access-Request User-Name =* ANY, Reply-Message =* ANY, Service-Type := 'Authenticate-Only', State =* ANY, Class =* ANY, Message-Authenticator =* ANY, Calling-Station-ID =* ANY, Proxy-State =* ANY, EAP-Message =* ANY, MS-MPPE-Send-Key =* ANY, MS-MPPE-Recv-Key =* ANY, Fall-Through = yes Chargeable-User-Identity =* ANY, Called-Station-ID =* A… text/html 2021-05-07T08:11:12+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius_certificate_tls_authentication&rev=1620375072&do=diff FreeRADIUS Certificate (TLS) Configuration From the RADIUS point of view, this is pretty easy, with only minor changes to the base configuration. The hard bit is the certificates themselves. Not only do they have to work with RADIUS but they also have to cope with the idiosyncrasies of the operating systems they're installed on. text/html 2025-03-11T15:39:27+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius_operator-name_setting&rev=1741707567&do=diff FreeRADIUS Operator-Name Setting Basic O-N setting This configuration simply updates the Operator-Name value in the request packets and is appropriate for Individual Organisations (not RFOs): server govroam { ... authorize { ... update request { Operator-Name := 1your.domain } ... text/html 2023-04-05T12:00:44+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius_radsec_configuration&rev=1680696044&do=diff RADSEC is something for the future. Currently it's not recommended so don't worry about it for now. clients.conf: clients radsec { client roaming0.govroam.uk { ipaddr = 212.219.190.139 proto = tls secret = radsec } client roaming1.govroam.uk { ipaddr = 212.219.209.43 proto = tls secret = radsec } client roaming2.govroam.uk { ipaddr = 212.219.247.59 proto = tls secret = radsec } client roaming3.… text/html 2025-02-13T09:24:43+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius_realm_filtering&rev=1739438683&do=diff FreeRADIUS Realm Filtering In your proxy.conf file: # Blackhole (REJECT) where the realm is missing. realm NULL { } # Realms that don't match any other listed send to the pool of govroam servers realm "~^[^@.]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" { auth_pool = govroam nostrip } text/html 2020-02-05T17:17:44+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:freeradius_useful_configuration&rev=1580923064&do=diff Routing for a variety of realms: route_realms { ## make sure our domains are sent to the AD proxy's if (&Stripped-User-Domain =~ /^bath\.ac\.uk$/) { ## send requests for bath.ac.uk to the ad servers update { control:Load-Balance-Key := &Calling-Station-ID control:Proxy-To-Realm := 'PROXY-AD' request:Realm := 'PROXY-AD' } } else { if (&… text/html 2024-05-20T08:53:22+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:fticks_for_ms_nps&rev=1716195202&do=diff FTICKS for NPS NOTE: This is untested. This only applies to Federation Operators and not to individual sites The syslog server configuration below is for NXLog which is only capable of sending us a form of the Windows Event logs, not FTICKS unfortunately. Recommendations for free Windows syslog servers start and stop with NXLog and, in it's Community from, is simply unable to generate FTICKS. text/html 2024-05-20T12:37:11+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:fticks_logging_for_cisco_ise&rev=1716208631&do=diff Logging for Cisco ISE NOTE: This is untested. This only applies to Federation Operators and not to individual sites Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format. text/html 2021-04-28T12:21:03+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:fticks_logging_for_radiator&rev=1619612463&do=diff F-TICKS Logging for RADIATOR <AuthLog SYSLOG> Identifier TICKS LogSuccess 1 LogFailure 0 LogSock udp LogHost utilities.govroam.uk SuccessFormat F-TICKS/govroam/1.0#REALM=%R#VISCOUNTRY=%{eduroam-SP-Country}#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK# </AuthLog> text/html 2018-02-27T11:47:07+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:govroam_logging&rev=1519732027&do=diff filebeat_for_windows_configuration text/html 2021-08-11T11:07:59+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:install_a_radsecproxy_server&rev=1628680079&do=diff Install a RadSecProxy Server * Install Debian Buster/10 on hardware or a VM apt-get update apt-get install radsecproxy * Use the configuration from the code fragments to configure RadSecProxy. Chances are that you'll need the older version (pre 1.8). * Use the text/html 2023-01-17T12:00:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:ms_nps&rev=1673956829&do=diff See for instructions on how to install NPS for eduroam. This should be easily converted to installing govroam. FTICKS for MS NPS Realm filtering for MS NPS text/html 2022-09-07T09:44:24+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:operator-name_for_cisco_ise&rev=1662543864&do=diff Adding Operator-Name Cisco ISE doesn't insert O-N into the Request by default. O-N helps Home sites identify where their users' authentications are coming from. Combined with Chargeable User Identity, Home and Visited sites can provide and follow an audit trail back to a user without the Visited site knowing the users' details. text/html 2026-03-17T10:49:18+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:operator_name&rev=1773744558&do=diff Setting Operator-Name Attribute FreeRADIUS Aruba ClearPass Cisco ISE RADSECProxy text/html 2022-09-07T15:09:35+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radiator&rev=1662563375&do=diff FTICKS Logging text/html 2022-09-07T10:12:03+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radius_server_choice_guide&rev=1662545523&do=diff System Cost Platform Pros text/html 2021-08-11T10:21:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radius_server_installation&rev=1628677294&do=diff RADIUS Server Installation Install a RadSecProxy Server text/html 2019-08-28T13:32:48+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radius_troubleshooting&rev=1566999168&do=diff General Troubleshooting Common Problems * The govroam monitoring system should be sending ICMP and RADIUS requests to your servers quite frequently (several times every five minutes). So you should be able to see these in your firewall logs or using Wireshark on your server. If you can't then check your firewall settings to allow ICMP echo/response and UDP port 1812 (incoming for Home sites, outgoing for Visited). text/html 2026-03-17T10:47:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radsecproxy&rev=1773744462&do=diff Basic ORPS configuration: Basic ORPS RADSECProxy configuration - should be used to initially to test functionality. Advanced ORPS RADSECProxy configuration - should be used in production. RADSECProxy Attribute filtering RADSECProxy VLAN assignment RADSECProxy Realm filtering RADSECProxy Operator-Name text/html 2021-03-09T14:49:20+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radsecproxy_attribute_filtering&rev=1615301360&do=diff RADSECProxy Attribute Filtering ### Only release a small set of required attributes to the NRPS ### Update/Inject Operator-Name for your site rewrite OutboundFilter { # Operator-Name RemoveAttribute 126 AddAttribute 126:'1example.ac.uk WhitelistMode on # User-Name WhitelistAttribute 1 # EAP-Message WhitelistAttribute 79 # Message-Authenticator WhitelistAttribute 80 # State WhitelistAttribute 24 # Proxy-State WhitelistAttribute 33 # O… text/html 2026-03-17T10:48:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radsecproxy_operator-name&rev=1773744531&do=diff RADSECProxy Operator-Name Add this to the config: rewrite OutboundFilter { # Operator-Name SupplementAttribute 126:'1home.site } with 'home.site' replaced with your primary realm. text/html 2025-08-18T13:14:48+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radsecproxy_realm_filtering&rev=1755522888&do=diff RADSECProxy Realm Filtering ### Catch a load of common misconfigurations realm /^$/ { replymessage "Misconfigured client: empty realm!" } realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn) { replymessage "Misconfigured client: govroam realm not permitted" } realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$ { replymessage "Misconfigured client: govroam realm invalid (typo?)" } realm /@\. { replymessage "… text/html 2021-03-09T14:49:45+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:radsecproxy_vlan_assignment&rev=1615301385&do=diff RADSECProxy VLAN Assignment ### Used to add RADIUS attributes to drop all users onto VLAN 7 ### The leading "'" is important as the number should be sent as a string rewrite AddVLANAssignment { # Tunnel-Private-Group-Id = 7 RemoveAttribute 81 AddAttribute 81:'7 # Tunnel-Type = VLAN RemoveAttribute 64 AddAttribute 64:13 # Tunnel-Medium-Type = IEEE-802 RemoveAttribute 65 AddAttribute 65:6 # Filter-Id = 7 RemoveAttribute 11 AddAttribute 11:'7 } … text/html 2019-12-05T10:51:08+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:realm_filtering&rev=1575543068&do=diff Basic syntax checking can be done with the 'filter_username' policy. From the FreeRADIUS documents: # Filter the username # # Force some sanity on User-Name. This helps to avoid issues # issues where the back-end database is "forgiving" about # what constitutes a user name. text/html 2023-01-17T13:43:07+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:realm_filtering_by_server&rev=1673962987&do=diff Clearpass Realm Filtering FreeRADIUS Realm Filtering RADSECProxy Realm Filtering Cisco ISE Realm Filtering MS NPS Realm Filtering text/html 2025-02-13T09:25:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:realm_filtering_for_cisco_ise&rev=1739438734&do=diff Realm Filtering It's a requirement of Govroam to avoid sending inappropriate authentication requests to the NRPS. There are a number of ways a request could have badly formatted realms (missing realm, '..', '@@', etc.). One way is to put a regex into the proxy policy to the NRPS '^[^@]*@([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$'. This only allows correctly formatted realms to be proxied. text/html 2025-04-07T07:41:07+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:realm_filtering_for_ms_nps&rev=1744011667&do=diff Realm filtering for MS NPS Unlike other RADIUS servers, NPS doesn't have an explicit REJECT option. With other RADIUS server you could add specific matches to say 'If the realm is X then REJECT' to filter out unwanted realms. MS NPS needs the logic to be 'If the realm is valid then authenticate otherwise pass it on the default reject'. text/html 2025-08-27T08:07:10+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:start&rev=1756282030&do=diff Site Administrators' Area Testing Tools RADIUS server choice guide Configuration Fragments RADIUS Troubleshooting govroam_logging RADIUS Server installation text/html 2024-11-13T13:22:16+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.govroam.uk/dokuwiki/doku.php?id=siteadmin:syslog_f-ticks_logging&rev=1731504136&do=diff If you're acting as a Federation then we need your logs sent to us. If you're an Individual organisation then it's not necessary as we see all the traffic on our NRPS. Configuring F-TICKS for FreeRADIUS is as simple as adding an extra module file and restarting FR. This is an