These Release Notes include updates to the eduroam-US RADIUS routing infrastructure. You can find Release Notes for the eduroam Federation Manager portal here.

V1.9.4

Release Date: November 19, 2024

Story

  • The national proxy servers have been recompiled to use the libkqueue library.  This library enables high-volume traffic management as a replacement for the standard sockets library select() call.  We expect this to enable us to overcome a limitation where an individual server instance cannot handle more traffic, even though its memory and CPU usage are both low.
  • Our handling of realm routing has changed somewhat.
    • The national proxy servers have been configured to be authoritative over the .edu and .us realms in eduroam.  This is a technical change, rather than a change in policy.  The servers now issue Access-Reject responses to authentications in the .edu or .us realm space unless they find a home IdP to issue an Access-Accept.  Effectively, unknown (or mistyped) realms will now be rejected by the national proxy servers directly, instead of entering a loop between the US servers and the global servers before being rejected because of loop detection.  The impact on eduroam Subscribers is that authentications to bogus realms should be rejected faster.
    • Because of this, we have added explicit routes for about fifty realms within .edu to be routed to the global servers, because those realms are connected by other national eduroam operators.  There is no impact on eduroam Subscribers.
    • Upon a request from the global eduroam operators, we have removed our routes for sending authentications to Asia-Pacific servers more directly.  Instead, all international authentications will be routed to the global servers operated by GÉANT in Europe.  The impact on eduroam Subscribers will be that Asian-Pacific authentications will take more time to complete.

 Improvement

  • Change the network processing model to use libkqueue, a high-performance replacement for select()
  • Add target realm to Access-Request messages sent to check IdP server status.
  • Be authoritative for .edu and .us realms - meaning, if we receive an authentication for a .edu or .us realm we don't know, then reject it instead of forwarding to the global servers.

 Bug

  • Log rotation for proxy FreeRADIUS servers, to avoid filling disks
  • Handle RADIUS secrets containing characters beyond ASCII

V1.9.3

Release Date, November 7, 2024

Story

  • 1.9.3 was a tagged version of the eduroam infrastructure that was partially deployed and rolled back.  Its defects were addressed and it became the 1.9.4 release.

V1.9.2

Release Date: March, 2024

Story

  • 1.9.2 is a pseudo-release with no externally visible changes.  Its purpose is to refactor some of the Terraform infrastructure code, and realign the Terraform code with deployed resources.

V1.9.1

Release Date: January 17, 2024

Story

  • Log Viewer opens to the organization currently viewed in Federation Manager. (Requires Federation Manager change as well.)

 Improvement

  • Recent patches and security updates for the Traffic Controller Boxes.

 Bug

  • RADIUS Fix for certain state mismatch failures.

V1.9.0

Release Date: October 10, 2023

Story

  •   Update to Grafana 10 (logviewer)
    • More intuitive data explorer
    • [#8]Name of Organization at top
    • General improvements overall
  • Update of log storage system to most recent release

Improvement

  • Security improvements using AWS secrets

Bug

  • [#47]Fix an issue where the proxy would fail on an unreadable configuration file.

v1.8.0

Release Date: June 13, 2023

Story

  • Allow listing (New Feature)
    • Traffic is filtered to only allow traffic from configured subscribers to reach the RADIUS proxies
    • This reduces load on the traffic controller and the proxies
      • Traffic controller has less traffic to monitor for rate limiting
      • Proxies do not have to answer invalid requests
  • Rate Limit Log Monitoring
    • New tools to monitor incidents of Rate Limiting more closely in order to better diagnose issues
  • Enhanced deployment tools
    • Allow for faster releases with less downtime
  • IdP Testing Fixes
    • Improved error handling and responses
  • Security enhancements
  • Minor bug fixes

v1.7.1

Release Date: April 6, 2023

Improvement

  • Implemented certificate revocation for certificates used in RP testing
  • For the Operator-Name attribute to known valid values, rather than accepting values supplied by the RP

v1.7.0

Release Date: March 13, 2023

Story

  • RP testing
    • Add an IdP for testing your local eduroam WiFi network
    • Generates short-lived certificates to authenticate to that RP
    • Supply CAT-generated installers for that IdP and certificate

v1.6.0

Release Date: October 18, 2022

Story

  • Internal cost reductions
    • Reduced the capacity of MQ servers
    • Removed unused DB instances

v1.5.0

Release Date: October 6, 2022

Story

  • Self-Healing Containers Feature
    • Containers in AWS now periodically re-register themselves with the Traffic Controller
    • Prevents containers from being 'forgotten' in the event of network issues

v1.4.0

Release Date: August 16, 2022

Story

  • IdP Testing infrastructure
    • Install the infrastructure that will support an FM feature allowing eduroam administrators to test whether their IdP responds to traffic on the federation.
    • Install an AWS Lambda function to perform the IdP testing
    • Install MQ configuration for FM to send IdP testing requests to the eduroam infrastructure, and for the eduroam infrastructure to send responses
    • Update the RADIUS configuration to accept authentication requests from the IdP Testing lambda function
  • Update to the latest released FreeRADIUS version, 3.2.0

v1.3.0

Release Date: August 5 & August 8, 2022

Story

  • Load balancing
    • Change the network routing of multiple Docker-ized containers behind each TLRS service from an active/standby configuration to an active/active load balanced configuration.
  • Ubuntu system updates applied to TC routers

v1.2.0

Story

  • Rate Limit Feature Update
    • Limits incoming traffic to prevent the national-level proxies from being overloaded with spurious requests
  • [#30] Code Cleanup
  • Ubuntu system updates applied to TC routers and VPN endpoints

v1.1.2

UPDATE: 4/1/2022 This release has been rolled back. Certain issues will be cherry-picked and released at a future date.

Bug

  • [#23] Access-rejects not providing a failure reason
  • [#26] Reject requests with invalid punctuation
  • [#24] RADIUS server unexpectedly restarts under high load
  • [#25] Remove nonresponsive upstream servers

v1.1.1

Improvement

  • Improve log line identification for easier processing by a log viewer

v1.1.0

Bug

  • [IFMC-2112] - Problem escaping special characters in RADIUS secrets

Story

  • Enhancements to service resilience in the event of an AWS Region or Data Center outage
    • [IFMC-2221] - Top-Level Server redundancy/failover
    • [IFMC-2222] - Create new TLRS’ servers
    • [IFMC-2223] - Failover scripts/tooling for TC boxes
  • Logging Foundation
    • [IFMC-2040] -  Log appropriate info on radius servers
    • [IFMC-2241] -  Collect log data from radius servers on FluentD
    • [IFMC-2227] -  FTICKs entries in logs
  • Update operator-name behavior to write attribute if not present
    • [IFMC-2224] -  Operator-Name and Country-Code Insertion
    • [IFMC-2225] -  Insert operator-name attribute if not present
    • [IFMC-2226] -  Country-code insertion

Improvement

v1.0.1

Bug

  • [IFMC-2015] - Allow use of sub-realm
  • [IFMC-2012] - Escape additional special characters in RADIUS secrets

Story

Improvement

  • [IFMC-2125] -  Flush connection tracking after migration

v1.0.0

  • Initial Release


Versions

  • No labels