The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[<aaron.wyatt AT bc.edu>]

Hi All-

We recently obtained a new RADIUS certificate and so I am in the process of
rebuilding the CAT configuration for our organization.  Running through the
static connectivity tests, we pass without issue, but there are two pieces of
feedback I get:

  (1) This realm has no NAPTR records.
  (2) The certificate chain includes the root CA certificate. This does not
serve any useful purpose but inflates the packet exchange, possibly leading to
more round-trips and thus slower authentication.

Regarding #1, a quick google search tells me that NAPTR records are commonly
used for SIP and other telephony protocols.  What role do they plan in the
RADIUS world?

Regarding #2, this makes sense to me but I had never heard it explained
before.  Does this mean I don't need any of my chain in the RADIUS certificate
used for CAT?  Does this also mean I don't need to provide the entire chain
when I install the certificate on my RADIUS servers?  i.e. I don't need to
present the entire chain to clients attempting to authenticate?

Any insights would be much appreciated.

Aaron
Boston College