These Release Notes describe updates to the eduroam-US RADIUS routing infrastructure. You can find Release Notes for the eduroam Federation Manager portal here.


1.  V2.2.0

Release Date: October 6, 2025

This release maintains the eduroam infrastructure with minor updates.  This release primarily updates background aspects of the building and deploying of the eduroam infrastructure. Three updates of interest to eduroam Subscribers:

  • Enhancement: Hotspot Test certificates are now issued for twenty-four hours, instead of two.
  • Enhancement: The RADIUS status check issued when the national proxy has lost contact with an IdP and probes to determine if the IdP is again responsive contains an Access-Request username that has changed from `account_that_its_ok_to_reject@realm` to `eduroam_status_check@realm`
  • Bugfix: While the IP traffic whitelist is being regenerated, default to passing all traffic through

2.  V2.1.3

Release Date: September 21, 2025

This release upgraded an element of the eduroam infrastructure from Ubuntu version 20.04 to version 24.04. 

3. V2.1.2

Release Date: August 14, 2025

Migrated the internal messaging protocol which supports configuration updates and testing between eduroam Federation Manager and the eduroam infrastructure.

4. V2.1.1

Release Date: August 11, 2025

This eduroam release addresses problems some eduroam administrators experienced when accessing the eduroam log viewer at https://logs.production.infra.eduroam.us/.  When accessing the log viewer, some users would experience a loop of authentication and re-authentication.

The following improvements are included in this release:

  • The SAML SP that provides the authentication for the Grafana log viewer has been updated.
  • The SAML SP configuration has been changed in how it stores session data, preventing the authentication loops.
  • The Grafana "explore" panel's live view feature now works.


5. V2.1.0

Release Date: July 17, 2025

This eduroam release includes new dashboard capability with improvements for all eduroam organizations, and combines logs from multiple eduroam service organization constituents into a single viewer, simplifying their admin capabilities. 

The eduroam release completed successfully, but the connector which provisions users, organizations, and dashboards into the log viewer did not function correctly. During testing and QA, this component had functioned correctly. Immediately after the release, the full updated dashboard capability is not available. The incident notification is posted here. 

The following log improvements are available in the current log viewer: 

  • Log viewer now shows up to 10,000 log lines instead of the 5,000 log lines it showed previously.
  • RADIUS server logs, in the lower half of the log viewer page, now shows the following new messages: 
    • A warning for failed user connections from a site with a RADIUS secret that does not match what is configured on the US Top Level RADIUS.
    • Realm-less requests are identified with a message and a source IP address; previously, these failing requests did not show in the log viewer because they did not have a source institution. 

6. V2.0.0

Release Date: March 19, 2025 (TLRS2)  & April 2, 2025 (TLRS1)

6.1. Story

The eduroam 2.0.0 release improves the scalability of the eduroam-US infrastructure to support the continued growth of the eduroam-US service. This was accomplished by: (1) finer-grained load balancing, and (2) load balancing traffic from both TLRS1 and TLRS2 to all of the available proxy containers. We now discard RADIUS Accounting traffic before reaching the RADIUS containers to reduce resource use and computational overhead.

We also made several significant DevOps improvements to better automate the process of building and deploying the eduroam-US infrastructure.

If your organization is running status checks against port 1813 (RADIUS Accounting) for TLRS1/2, you will not get a response on port 1813 since TLRS1/2 no longer accepts RADIUS accounting traffic. 

6.2.  Improvements

  • Finer-grained load balancing (formerly per-Service Provider(SP), now per-device MAC address):
    • Allows traffic to be spread more evenly and more dynamically across the available proxy containers.
  • Tiered RADIUS proxy architecture:
    • Flexible dispatching of RADIUS requests from both coasts across proxy containers in all four US AWS regions.
    • Greatly improves capacity for horizontal scaling of the service.
    • Improves resiliency when one or more system components are down or unreachable.
  • Discard RADIUS Accounting traffic (UDP port 1813) before it reaches the RADIUS proxies
    • Reduces unnecessary load on the proxies, since eduroam does not use RADIUS Accounting.
      If your organization is running status checks against port 1813 (Radius Accounting) for TLRS1/2, you will not get a response.  
    • All non-RADIUS traffic was already discarded in earlier releases.
  • All traffic engineering functions have been moved into AWS:
    • Sets the stage for direct, higher-bandwidth network connection to the service in a later release.
  • DevOps improvements to further automate deployment of the eduroam infrastructure:
    • Allows faster deployment of urgent or high-priority fixes.
    • Decreases the time needed to redeploy the full service or a single region if necessary, improving service resiliency.

Bug Fixes / Routing Maintenance

  • Updated all FreeRADIUS containers to FreeRADIUS 3.2.7/Ubuntu 24.04.
  • Updated Traffic Engineering VMs to Ubuntu 24.04.
  • Shortened the time required to rotate logs, reducing the potential for lost log information.
  • Better protected the Apache2 listener from outside access.

7. V1.9.4

Release Date: November 19, 2024

7.1. Story

  • The national proxy servers have been recompiled to use the libkqueue library.  This library enables high-volume traffic management as a replacement for the standard sockets library select() call.  We expect this to enable us to overcome a limitation where an individual server instance cannot handle more traffic, even though its memory and CPU usage are both low.
  • Our handling of realm routing has changed somewhat.
    • The national proxy servers have been configured to be authoritative over the .edu and .us realms in eduroam.  This is a technical change, rather than a change in policy.  The servers now issue Access-Reject responses to authentications in the .edu or .us realm space unless they find a home IdP to issue an Access-Accept.  Effectively, unknown (or mistyped) realms will now be rejected by the national proxy servers directly, instead of entering a loop between the US servers and the global servers before being rejected because of loop detection.  The impact on eduroam Subscribers is that authentications to bogus realms should be rejected faster.
    • Because of this, we have added explicit routes for about fifty realms within .edu to be routed to the global servers, because those realms are connected by other national eduroam operators.  There is no impact on eduroam Subscribers.
    • Upon a request from the global eduroam operators, we have removed our routes for sending authentications to Asia-Pacific servers more directly.  Instead, all international authentications will be routed to the global servers operated by GÉANT in Europe.  The impact on eduroam Subscribers will be that Asian-Pacific authentications will take more time to complete.

7.2.  Improvement

  • Change the network processing model to use libkqueue, a high-performance replacement for select()
  • Add target realm to Access-Request messages sent to check IdP server status.
  • Be authoritative for .edu and .us realms - meaning, if we receive an authentication for a .edu or .us realm we don't know, then reject it instead of forwarding to the global servers.

7.3.  Bug

  • Log rotation for proxy FreeRADIUS servers, to avoid filling disks
  • Handle RADIUS secrets containing characters beyond ASCII

8. V1.9.3

Release Date, November 7, 2024

8.1. Story

  • 1.9.3 was a tagged version of the eduroam infrastructure that was partially deployed and rolled back.  Its defects were addressed and it became the 1.9.4 release.

9. V1.9.2

Release Date: March, 2024

9.1. Story

  • 1.9.2 is a pseudo-release with no externally visible changes.  Its purpose is to refactor some of the Terraform infrastructure code, and realign the Terraform code with deployed resources.

10. V1.9.1

Release Date: January 17, 2024

10.1. Story

  • Log Viewer opens to the organization currently viewed in Federation Manager. (Requires Federation Manager change as well.)

10.2.  Improvement

  • Recent patches and security updates for the Traffic Controller Boxes.

10.3.  Bug

  • RADIUS Fix for certain state mismatch failures.

11. V1.9.0

Release Date: October 10, 2023

11.1. Story

  •   Update to Grafana 10 (logviewer)
    • More intuitive data explorer
    • [#8]Name of Organization at top
    • General improvements overall
  • Update of log storage system to most recent release

11.2. Improvement

  • Security improvements using AWS secrets

11.3. Bug

  • [#47]Fix an issue where the proxy would fail on an unreadable configuration file.

12. v1.8.0

12.1. Release Date: June 13, 2023

12.2. Story

  • Allow listing (New Feature)
    • Traffic is filtered to only allow traffic from configured subscribers to reach the RADIUS proxies
    • This reduces load on the traffic controller and the proxies
      • Traffic controller has less traffic to monitor for rate limiting
      • Proxies do not have to answer invalid requests
  • Rate Limit Log Monitoring
    • New tools to monitor incidents of Rate Limiting more closely in order to better diagnose issues
  • Enhanced deployment tools
    • Allow for faster releases with less downtime
  • IdP Testing Fixes
    • Improved error handling and responses
  • Security enhancements
  • Minor bug fixes

13. v1.7.1

13.1. Release Date: April 6, 2023

13.2. Improvement

  • Implemented certificate revocation for certificates used in RP testing
  • For the Operator-Name attribute to known valid values, rather than accepting values supplied by the RP

14. v1.7.0

14.1. Release Date: March 13, 2023

14.2. Story

  • RP testing
    • Add an IdP for testing your local eduroam WiFi network
    • Generates short-lived certificates to authenticate to that RP
    • Supply CAT-generated installers for that IdP and certificate

15. v1.6.0

15.1. Release Date: October 18, 2022

15.2. Story

  • Internal cost reductions
    • Reduced the capacity of MQ servers
    • Removed unused DB instances

16. v1.5.0

16.1. Release Date: October 6, 2022

16.2. Story

  • Self-Healing Containers Feature
    • Containers in AWS now periodically re-register themselves with the Traffic Controller
    • Prevents containers from being 'forgotten' in the event of network issues

17. v1.4.0

17.1. Release Date: August 16, 2022

17.2. Story

  • IdP Testing infrastructure
    • Install the infrastructure that will support an FM feature allowing eduroam administrators to test whether their IdP responds to traffic on the federation.
    • Install an AWS Lambda function to perform the IdP testing
    • Install MQ configuration for FM to send IdP testing requests to the eduroam infrastructure, and for the eduroam infrastructure to send responses
    • Update the RADIUS configuration to accept authentication requests from the IdP Testing lambda function
  • Update to the latest released FreeRADIUS version, 3.2.0

18. v1.3.0

18.1. Release Date: August 5 & August 8, 2022

18.2. Story

  • Load balancing
    • Change the network routing of multiple Docker-ized containers behind each TLRS service from an active/standby configuration to an active/active load balanced configuration.
  • Ubuntu system updates applied to TC routers

19. v1.2.0

19.1. Story

  • Rate Limit Feature Update
    • Limits incoming traffic to prevent the national-level proxies from being overloaded with spurious requests
  • [#30] Code Cleanup
  • Ubuntu system updates applied to TC routers and VPN endpoints

20. v1.1.2

UPDATE: 4/1/2022 This release has been rolled back. Certain issues will be cherry-picked and released at a future date.

20.1. Bug

  • [#23] Access-rejects not providing a failure reason
  • [#26] Reject requests with invalid punctuation
  • [#24] RADIUS server unexpectedly restarts under high load
  • [#25] Remove nonresponsive upstream servers

21. v1.1.1

21.1. Improvement

  • Improve log line identification for easier processing by a log viewer

22. v1.1.0

22.1. Bug

  • [IFMC-2112] - Problem escaping special characters in RADIUS secrets

22.2. Story

  • Enhancements to service resilience in the event of an AWS Region or Data Center outage
    • [IFMC-2221] - Top-Level Server redundancy/failover
    • [IFMC-2222] - Create new TLRS’ servers
    • [IFMC-2223] - Failover scripts/tooling for TC boxes
  • Logging Foundation
    • [IFMC-2040] -  Log appropriate info on radius servers
    • [IFMC-2241] -  Collect log data from radius servers on FluentD
    • [IFMC-2227] -  FTICKs entries in logs
  • Update operator-name behavior to write attribute if not present
    • [IFMC-2224] -  Operator-Name and Country-Code Insertion
    • [IFMC-2225] -  Insert operator-name attribute if not present
    • [IFMC-2226] -  Country-code insertion

22.3. Improvement

23. v1.0.1

23.1. Bug

  • [IFMC-2015] - Allow use of sub-realm
  • [IFMC-2012] - Escape additional special characters in RADIUS secrets

23.2. Story

23.3. Improvement

  • [IFMC-2125] -  Flush connection tracking after migration

24. v1.0.0

  • Initial Release


24.1. Versions

  • No labels