jiscfoo / eduroam-test

Network access level compliance check tool for eduroam

Compliance check tool for eduroam

This toolset uses nmap and either Vagrant or Docker to check a local network's compliance with the eduroam(UK) Technical Specification.

It is intended for system and network administrators to verify their local firewall configuration by making connections and sending packets to a Jisc-hosted endpoint.

Caveats

  1. Some firewalls drop UDP packets that are not valid for the protocol expected on the port under test (mainly this affects IPsec on udp/500), so such a port can show as blocked even when the rule allows it.
  2. The endpoint currently only supports the TCP and UDP protocol checks, not other IP protocols.

Running

Various options are available, depending on the local toolset available:

  1. Vagrant and a local hypervisor (eg. Virtualbox)
  2. Docker
  3. Directly run the eduroam-test.sh script

All three end up running the supplied eduroam-test.sh shell script.

Vagrant

First validate the Vagrantfile and eduroam-test.sh script to ensure you're happy with what it will do.

Initial setup

vagrant up
vagrant upload eduroam-test.sh

Running the checks

vagrant ssh -- sudo bash eduroam-test.sh

Tidy up

When you're finished testing, you'll need to tidy up:

vagrant halt
vagrant destroy -f

Docker

First validate the Dockerfile and eduroam-test.sh script to ensure you're happy with what it will do.

Initial setup

docker build -t jisc/eduroam-test .

Running the checks

docker run --rm -i jisc/eduroam-test

Tidy up

When you're finished testing, you'll need to tidy up:

docker rmi jisc/eduroam-test
docker rmi base/archlinux     # optional

Run the script

The nmap options the script uses require root privileges. Please review the script before running it as root!

sudo ./eduroam-test.sh

Output

You should see output from the nmap command similar to the listing below. Ideally, every STATE column entry should be open.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-02 12:36 UTC
Nmap scan report for eduroamuk-probe.dev.ja.net (193.63.63.194)
Host is up, received user-set (0.029s latency).

PORT      STATE         SERVICE          REASON
21/tcp    open          ftp              syn-ack
22/tcp    open          ssh              syn-ack
80/tcp    open          http             syn-ack
143/tcp   open          imap             syn-ack
220/tcp   open          imap3            syn-ack
406/tcp   open          imsp             syn-ack
443/tcp   open          https            syn-ack
465/tcp   open          smtps            syn-ack
587/tcp   open          submission       syn-ack
636/tcp   open          ldapssl          syn-ack
993/tcp   open          imaps            syn-ack
995/tcp   open          pop3s            syn-ack
1194/tcp  open          openvpn          syn-ack
1494/tcp  open          citrix-ica       syn-ack
3128/tcp  open          squid-http       syn-ack
3389/tcp  open          ms-wbt-server    syn-ack
3653/tcp  open          tsp              syn-ack
5900/tcp  open          vnc              syn-ack
8080/tcp  open          http-proxy       syn-ack
10000/tcp open          snet-sensor-mgmt syn-ack
123/udp   filtered      ntp              host-prohibited ttl 52
500/udp   open|filtered isakmp           no-response
1194/udp  open          openvpn          udp-response ttl 64
3653/udp  open          tsp              udp-response ttl 64
4500/udp  open          nat-t-ike        udp-response ttl 64
7000/udp  open          afs3-fileserver  udp-response ttl 64
7001/udp  open          afs3-callback    udp-response ttl 64
7002/udp  open          afs3-prserver    udp-response ttl 64
7003/udp  open          afs3-vlserver    udp-response ttl 64
7004/udp  open          afs3-kaserver    udp-response ttl 64
7005/udp  open          afs3-volser      udp-response ttl 64
7006/udp  open          afs3-errors      udp-response ttl 64
7007/udp  open          afs3-bos         udp-response ttl 64
10000/udp open          ndmp             udp-response ttl 64

Nmap done: 1 IP address (1 host up) scanned in 15.79 seconds
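To turn the listing above into a pass/fail summary rather than reading it by eye, the following added example (not part of the eduroam-test project) parses nmap's normal output and separates ports that are definitely blocked (filtered or closed) from inconclusive ones (open|filtered, where nmap got no reply and cannot tell the two apart; for udp/500 see caveat 1). The sample input is an abridged copy of the README's example output.

```python
import re
from typing import List, NamedTuple, Tuple

# Abridged from the README's example nmap output above.
SAMPLE_OUTPUT = """\
Nmap scan report for eduroamuk-probe.dev.ja.net (193.63.63.194)
PORT      STATE         SERVICE          REASON
21/tcp    open          ftp              syn-ack
443/tcp   open          https            syn-ack
123/udp   filtered      ntp              host-prohibited ttl 52
500/udp   open|filtered isakmp           no-response
1194/udp  open          openvpn          udp-response ttl 64
4500/udp  open          nat-t-ike        udp-response ttl 64
"""


class PortResult(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    reason: str


# One port row of nmap normal output: "<port>/<proto>  <state>  <service>  <reason>"
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_nmap_ports(text: str) -> List[PortResult]:
    """Extract the port rows; header, banner and summary lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            rows.append(PortResult(int(m.group(1)), m.group(2), m.group(3),
                                   m.group(4), m.group(5).strip()))
    return rows


def check_compliance(rows: List[PortResult]) -> Tuple[List[str], List[str]]:
    """Return (blocked, inconclusive) as 'port/proto' strings.

    blocked: nmap saw a reject or reset (filtered/closed), i.e. a firewall hit.
    inconclusive: open|filtered, no response at all; recheck by hand.
    """
    blocked = [f"{r.port}/{r.proto}" for r in rows if r.state in ("filtered", "closed")]
    inconclusive = [f"{r.port}/{r.proto}" for r in rows if r.state == "open|filtered"]
    return blocked, inconclusive


if __name__ == "__main__":
    blocked, inconclusive = check_compliance(parse_nmap_ports(SAMPLE_OUTPUT))
    print("blocked:", blocked, "inconclusive:", inconclusive)
```

Pipe the real run through it with `sudo ./eduroam-test.sh | python3 check.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`.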

About

License: MIT License