Setup of Dynamic Discovery (in federations which have RADIUS/TLS enabled)
What is Dynamic Discovery?
...
So let's take a look at the parts of the above entry:
Entry | Meaning |
---|---|
greatidp.aq. | This is the zone name (label) for which the NAPTR entry is defined |
43200 | DNS caching lifetime of the entry (just like any other DNS resource record) |
IN | This entry is meant for consumption in the INternet (just like any other DNS resource record) |
NAPTR | This entry is a Network Authority PoinTeR |
100 | Order: if multiple NAPTR entries are defined for the label, prefer lower order number over higher ones (Note: since eduroam requires only one single entry, any number is fine here, unless your national federation operator instructs you otherwise) |
10 | Preference: if multiple NAPTR entries with the same Order are defined for this label, alternate between all those entries when resolving names (Note: since eduroam requires only one single entry, any number is fine here, unless your national federation operator instructs you otherwise) |
"s" | This NAPTR entry should be resolved to hostnames by doing a subsequent SRV lookup on the target label (Note: eduroam only works with "s" labels; it is a configuration error to use "a" or "u" targets) |
"x-eduroam:radius.tls" | This is the service; only resolve the later target name if you want to use the service - otherwise ignore the NAPTR response (Note: this string is fixed in eduroam, as the roaming service with Dynamic Discovery is exclusively defined for RADIUS/TLS) |
"" | Regular Expression: some very advanced uses of NAPTR records allow transformation of target names according to regular expressions. (Note: eduroam does not make use of this feature. The regular expression field MUST be the empty string; it is a configuration error to speciffy anything else) |
_radsec._tcp.eduroam.aq | The target: please contact this server (after resolving its IP addresses and port numbers) if you want to use the "x-eduroam" service |
...
At this point you may wonder: so how does this eventually yield an IP address of my national authentication server?
...
Finally, the querying server asks for the A or AAAA records of the hostname(s) returned by the SRV lookup to obtain the IP address of the responsible server - and the discovery process is complete.
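As an added illustration that is not part of the eduroam documentation, the following Python walks the NAPTR, SRV and A/AAAA chain described above offline against constructed zone data: it parses the page's example NAPTR entry, reports the configuration errors the table names (a flag other than "s", a wrong service string, a non-empty regular expression), picks a record by Order and Preference, and then follows the target to a host, port and addresses. The SRV record, port 2083 and the IP addresses are assumed values, not taken from this page.

```python
import re
# Service tag fixed by eduroam for RADIUS/TLS Dynamic Discovery (from this page)
EDUROAM_SERVICE = "x-eduroam:radius.tls"
# Zone-file NAPTR syntax: owner ttl IN NAPTR order pref "flags" "service" "regexp" target
NAPTR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+NAPTR\s+(\d+)\s+(\d+)\s+'
                      r'"(\w*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)$')
def parse_naptr(line):
    """Split one NAPTR zone line into its fields (raises on malformed input)."""
    m = NAPTR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a NAPTR record: {line!r}")
    owner, ttl, order, pref, flags, service, regexp, target = m.groups()
    return {"owner": owner, "ttl": int(ttl), "order": int(order),
            "preference": int(pref), "flags": flags, "service": service,
            "regexp": regexp, "target": target}

def check_eduroam_naptr(rec):
    """Return the configuration errors this page lists (empty list means OK)."""
    errors = []
    if rec["flags"] != "s":
        errors.append(f'flag must be "s", got "{rec["flags"]}"')
    if rec["service"] != EDUROAM_SERVICE:
        errors.append(f'service must be "{EDUROAM_SERVICE}", got "{rec["service"]}"')
    if rec["regexp"] != "":
        errors.append("regular expression field must be the empty string")
    return errors

def select_naptr(records):
    """Choose as a resolver would: lowest Order first, then lowest Preference."""
    usable = [r for r in records if not check_eduroam_naptr(r)]
    return min(usable, key=lambda r: (r["order"], r["preference"])) if usable else None
# Constructed stand-in for DNS answers. Only the NAPTR line comes from the page;
# the SRV/A/AAAA values are hypothetical (RFC 5737 / RFC 3849 documentation addresses).
ZONE = {
    ("greatidp.aq.", "NAPTR"): ['greatidp.aq. 43200 IN NAPTR 100 10 "s" '
                                '"x-eduroam:radius.tls" "" _radsec._tcp.eduroam.aq'],
    ("_radsec._tcp.eduroam.aq", "SRV"): [(0, 0, 2083, "radius1.eduroam.aq")],  # prio, weight, port, host
    ("radius1.eduroam.aq", "A"): ["192.0.2.10"],
    ("radius1.eduroam.aq", "AAAA"): ["2001:db8::10"],
}

def discover(realm, zone=ZONE):
    """Follow NAPTR -> SRV -> A/AAAA; returns (host, port, addresses) or None."""
    chosen = select_naptr([parse_naptr(l) for l in zone.get((realm, "NAPTR"), [])])
    # Lowest SRV priority first; SRV weight-based balancing is omitted here
    srvs = sorted(zone.get((chosen["target"], "SRV"), [])) if chosen else []
    if not srvs:
        return None
    _prio, _weight, port, host = srvs[0]
    return host, port, zone.get((host, "A"), []) + zone.get((host, "AAAA"), [])
```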