How does the discovery service work

The discovery service is based on a DNS resolution mechanism. For each realm that needs to act as Identity Provider, you need to configure DNS for the respective realm with the correct information, as explained below.


Example: to configure discovery for mydomain.com, you would add the following entries to your DNS zone:


mydomain.com.              IN NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _RadSec._tcp.mydomain.com.
_RadSec._tcp.mydomain.com. IN SRV   0 0 2083 myradius1.mydomain.com.
_RadSec._tcp.mydomain.com. IN SRV   1 0 2083 myradius2.mydomain.com.


In this example we configured two RADIUS servers with different priorities (0 and 1) for redundancy, but we could also give them the same priority value and rely on a DNS load balancer instead.

When one of your home users visits a RadSec-enabled organisation, that organisation looks up your RADIUS server using the DNS information you have configured. It then establishes a TLSv3 secure transport layer directly with myradius1.mydomain.com or myradius2.mydomain.com. During this handshake the two servers mutually authenticate with certificates. Once the TLSv3 tunnel is established, the traditional RADIUS exchange takes place inside it.


Your organisation does not have RadSec enabled yet?

If the visited organisation is not yet RadSec enabled, it forwards the request to its national top-level RADIUS server using the traditional RADIUS mechanism.

Two cases are possible:

  • If the national top level is RadSec enabled, it is the national top level that performs the discovery and contacts your RADIUS server.
  • If the national top level is not RadSec enabled, it forwards the request to the eduroam top-level RADIUS server using the traditional RADIUS mechanism; when the eduroam top level is configured with RadSec, it is the eduroam top level that contacts your RADIUS server.


The discovery service doesn’t work correctly?

If the discovery service (DNS) doesn’t work or is misconfigured, the old hierarchical mechanism is used to forward the request to your RADIUS server.
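The following is an added example, not eduroam's or any RADIUS server's own code, showing the two behaviours described on this page: the NAPTR-then-SRV lookup a RadSec-enabled organisation performs for a realm, and the fallback to the static hierarchy when no discovery data exists. DNS is replaced by a constructed in-memory zone containing the records from the example above (plus an unrelated NAPTR that must be ignored), and the upstream hierarchy address is a constructed placeholder; the service tag "x-eduroam:radius.tls" is taken from the page as-is.

```python
"""Added example: RadSec dynamic discovery (NAPTR -> SRV -> host:port)
with fallback to the traditional RADIUS hierarchy. Not project code."""
from dataclasses import dataclass

RADSEC_SERVICE = "x-eduroam:radius.tls"  # service tag as used on the page


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone standing in for real DNS; owner names stored lower-case.
ZONE = {
    ("mydomain.com.", "NAPTR"): [
        Naptr(100, 10, "s", RADSEC_SERVICE, "", "_RadSec._tcp.mydomain.com."),
        # unrelated record (constructed) that discovery must skip
        Naptr(50, 10, "s", "SIP+D2T", "", "_sip._tcp.mydomain.com."),
    ],
    ("_radsec._tcp.mydomain.com.", "SRV"): [
        Srv(1, 0, 2083, "myradius2.mydomain.com."),
        Srv(0, 0, 2083, "myradius1.mydomain.com."),
    ],
}

# Constructed placeholder for the national top-level RADIUS server
HIERARCHY_UPSTREAM = ("radius.national-toplevel.example", 1812)


def lookup(name, rrtype):
    """Stand-in for a DNS query; DNS owner names are case-insensitive."""
    return list(ZONE.get((name.lower(), rrtype), []))


def discover(realm):
    """Return [(host, port), ...] in the order a client should try them,
    or [] when the realm publishes no RadSec discovery data."""
    owner = realm.rstrip(".") + "."
    naptrs = [
        r for r in lookup(owner, "NAPTR")
        if r.service.lower() == RADSEC_SERVICE and r.flags.lower() == "s"
    ]
    # NAPTR: lower order first, then lower preference
    naptrs.sort(key=lambda r: (r.order, r.preference))
    targets = []
    for naptr in naptrs:
        srvs = lookup(naptr.replacement, "SRV")
        # SRV: lower priority first; equal priorities by descending weight
        # (a full implementation selects among equal priorities by weighted
        # random choice, which is what lets DNS load-balance them)
        srvs.sort(key=lambda s: (s.priority, -s.weight))
        for srv in srvs:
            if srv.target == ".":  # RFC 2782: service explicitly not offered
                continue
            entry = (srv.target.rstrip("."), srv.port)
            if entry not in targets:
                targets.append(entry)
    return targets


def route(realm):
    """Decide how to forward a request for `realm`: RadSec to the first
    discovered server, otherwise traditional RADIUS up the hierarchy."""
    targets = discover(realm)
    if targets:
        host, port = targets[0]
        return ("radsec", host, port)
    return ("radius",) + HIERARCHY_UPSTREAM


if __name__ == "__main__":
    print(discover("mydomain.com"))
    print(route("mydomain.com"))
    print(route("no-radsec.example"))
```

Running the block prints the two discovered targets with myradius1 first (priority 0 before priority 1), a RadSec route for mydomain.com, and a plain RADIUS route to the hierarchy placeholder for a realm with no NAPTR record.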