furry13 / v6mostly-ops


Add details about APs requiring RADIUS #23

Open buraglio opened 2 hours ago

buraglio commented 2 hours ago

I ran into a bit of a weird issue when moving eduroam to IPv6-mostly; we should probably address it in -01:

eduroam is a confederation of organizations that allows for wifi access based on a user's local credentials. eduroam requires the use of 802.1X and the certificate of your home institution regardless of who operates any intermediate infrastructure. Some organizations do not have any IPv6, or their RADIUS system may not support IPv6, and some APs do not support communication authentication over IPv6. This imposes the requirement that the APs either operate as dual-stacked, or IPv4-only, in order to allow for the 802.1X authentication for access to the given wifi network. Once the .1X is complete, the hosts may move to IPv6-only or IPv6-mostly. The manner in which the end user sees failure to authenticate is very vague and may cause notable confusion and troubleshooting effort.

For any system that operates this way, I suspect this can be the same experience: back-end path and authentication services must also support IPv6 end to end, or IPv4 is required, end to end.

oskar456 commented 2 hours ago

As far as I understand, access points talk to a local RADIUS server, which in turn connects to the home RADIUS server of the user. So indeed a RADIUS server participating in eduroam should be dual-stacked or, worse, IPv4-only, but the connection between the local RADIUS server and the access points might be IPv6 if the APs support it, or just IPv4 if they don't. In any case this is probably a separate VLAN, different from those designated for user traffic.

Am I missing anything?

buraglio commented 1 hour ago

That is indeed exactly how ours is configured: a separate AP management VLAN that is (now) dual-stacked, since IPv6-only was a non-starter. I suppose it is less about v6-mostly, but operators may not understand the mechanics of how such things work, and I feel like it may be worth mentioning because the RADIUS infrastructure may be managed by other BUs or institutions, logging may be unavailable, and the client logs are fairly non-existent.

On Wed, Oct 16, 2024 at 11:08 AM Ondřej Caletka wrote:
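A check an operator can run before cutting a RADIUS path over to IPv6, written as an added example for this thread (it is the editor's code, not part of the v6mostly-ops draft, this issue, or any eduroam tooling). It sends a RADIUS Status-Server request (RFC 5997) carrying a Message-Authenticator (RFC 3579) to the local RADIUS server over IPv4 and over IPv6 separately, and validates the Response Authenticator (RFC 2865 section 3) on whatever comes back, so "no AAAA record", "no reply on v6" and "wrong shared secret" are reported as distinct outcomes instead of the vague client-side failure the thread describes. The hostname `radius.example.edu`, port 1812 and secret `testing123` are placeholders; `make_reply` is a constructed stand-in for the server's reply so the packet logic can be exercised offline.

```python
"""Probe a RADIUS server over IPv4 and IPv6 separately (added example, RFC 5997 Status-Server)."""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (RFC 2865 section 3)


def message_authenticator(secret, packet_with_zero_ma):
    """RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    return hmac.new(secret, packet_with_zero_ma, hashlib.md5).digest()


def build_status_server(secret, ident, req_auth=None):
    """Return (packet, request_authenticator) for a Status-Server request."""
    if req_auth is None:
        req_auth = os.urandom(16)  # RFC 5997: Request Authenticator is random
    length = HEADER.size + 18  # header plus one 18-byte Message-Authenticator attribute
    header = HEADER.pack(STATUS_SERVER, ident, length, req_auth)
    avp_head = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18])
    ma = message_authenticator(secret, header + avp_head + b"\x00" * 16)
    return header + avp_head + ma, req_auth


def verify_response(response, req_auth, secret):
    """Check Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < HEADER.size:
        return False
    _code, _ident, length, resp_auth = HEADER.unpack_from(response)
    if length != len(response):
        return False
    attrs = response[HEADER.size:length]
    expected = hashlib.md5(response[:4] + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def make_reply(request, secret, code=ACCESS_ACCEPT):
    """Constructed server reply for offline testing (RFC 5997: Access-Accept answers Status-Server)."""
    _code, ident, _length, req_auth = HEADER.unpack_from(request)
    attrs = b""
    length = HEADER.size + len(attrs)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + attrs


def probe_families(host, port, secret, timeout=2.0):
    """Send one Status-Server over each address family and report the outcome per family."""
    results = {}
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            addr = socket.getaddrinfo(host, port, family, socket.SOCK_DGRAM)[0][4]
        except socket.gaierror:
            results[label] = "no address"  # e.g. no AAAA record: an IPv6-only AP cannot reach it
            continue
        packet, req_auth = build_status_server(secret, ident=os.urandom(1)[0])
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(packet, addr)
                reply, _peer = sock.recvfrom(4096)
            except OSError:  # includes timeout and "network unreachable"
                results[label] = "no reply"
                continue
        if not verify_response(reply, req_auth, secret):
            results[label] = "reply failed authenticator check (wrong shared secret?)"
        elif reply[0] == ACCESS_ACCEPT:
            results[label] = "alive"
        else:
            results[label] = "replied with code %d" % reply[0]
    return results


if __name__ == "__main__":
    # Placeholders: point this at the local RADIUS server the APs use and its shared secret.
    for fam, state in probe_families("radius.example.edu", 1812, b"testing123").items():
        print(fam, state)
```

Two caveats. The probe host must itself have both IPv4 and IPv6 connectivity to the RADIUS VLAN, or "no reply" on one family says nothing about the server, and some servers only answer Status-Server when that is enabled for the sending client (FreeRADIUS has a `status_server` setting for this). It also only tells you the RADIUS hop is reachable and the secret matches over each family; it does not exercise the EAP conversation that 802.1X actually performs, so a passing probe is a prerequisite for the v6 move, not proof that proxying to the home institution works. For the full path, run an EAP test client (such as `eapol_test` from wpa_supplicant) against the local server with real home-realm credentials from a host attached over the address family the APs will use.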