
Service Provider settings

OpenRoaming ANPs

Beacon Settings

Participating in OpenRoaming as an ANP means adding a number of Passpoint Roaming Consortium Organization Identifiers (RCOIs) to the beacons of the Wi-Fi network. Below are two common OpenRoaming choices, followed by eduroam's own RCOI.

  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested. Add the RCOI 5A-03-BA-00-00 (an earlier revision of this page listed 5A-03-BA-20-00 or 5A-03-BA-40-00 as alternatives) - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions.
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational (i.e. eduroam) visitors settlement-free should add the following RCOI instead: 5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions (this option makes sense if the hotspot is also welcoming other identities but on different terms, e.g. with settlement).
  • 00-1B-C5-04-60 (eduroam's own RCOI) - usage of the hotspot is governed by the eduroam Terms and Conditions.

An SSID which emits the OpenRoaming RCOIs should have a RADIUS server configuration pointing to the eduroam ↔ OpenRoaming ANP proxy. Details and shared secret negotiation for that proxy are currently with Paul Dekkers.

Third-party SPs

  • Third-party hotspots which are onboarded in the OpenRoaming ecosystem by a third party need to take no further action. An OpenRoaming ANP uses the normal NAPTR discovery for users from an eduroam realm. eduroam IdPs will need to publish that NAPTR record and have it point to an eduroam ↔ OpenRoaming ANP proxy (eduroam OT provides one such proxy for all eduroam participants; eduroam NROs may provide their own for their own institutional user base).
  • Existing eduroam hotspots wishing to make use of eduroam infrastructure as their OpenRoaming uplink provider currently need to connect the Wi-Fi network that has these RCOIs to a proxy run by eduroam OT; contact points for this are Paul Dekkers and Stefan Winter.
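What "adding RCOIs to the beacon" looks like on the wire, as an added example (not code from this page, eduroam or any vendor): the IEEE 802.11 Roaming Consortium element (Element ID 111) carries up to three OIs in Beacon and Probe Response frames and announces how many more are available via ANQP. The encoder/decoder below uses the RCOIs from the Beacon Settings above so that a practitioner can compare a captured beacon against the intended configuration; in hostapd the same thing is configured with one roaming_consortium= line per OI. The element layout is the one from IEEE 802.11 9.4.2.95; the helper names are this example's own.

```python
"""Encode/decode the 802.11 Roaming Consortium element (Element ID 111).

Layout (IEEE 802.11 9.4.2.95):
  Element ID (111) | Length | Number of ANQP OIs | OI#1/#2 Lengths | OI#1 | OI#2 | OI#3
OI#1 length sits in the low nibble of the "OI#1/#2 Lengths" octet, OI#2 length
in the high nibble; OI#3's length is whatever is left in the element.
"""
from __future__ import annotations

ELEMENT_ID_ROAMING_CONSORTIUM = 111

# RCOIs listed on this page, as dotted-hex strings.
RCOI_OPENROAMING_ALL = "5A-03-BA-00-00"   # baseline: settlement-free, all identities
RCOI_OPENROAMING_EDU = "5A-03-BA-08-00"   # education-only, settlement-free
RCOI_EDUROAM = "00-1B-C5-04-60"           # eduroam's own RCOI


def oi_bytes(rcoi: str) -> bytes:
    """'5A-03-BA-00-00' -> b'\\x5a\\x03\\xba\\x00\\x00'; OIs are 3 or 5 bytes long."""
    raw = bytes.fromhex(rcoi.replace("-", "").replace(":", ""))
    if len(raw) not in (3, 5):
        raise ValueError(f"OI must be 3 or 5 bytes, got {len(raw)}: {rcoi}")
    return raw


def oi_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def encode_roaming_consortium(rcois: list[str]) -> bytes:
    """Build the element for a beacon. The first three OIs go into the element;
    the count of remaining OIs is advertised in "Number of ANQP OIs" (max 255)."""
    ois = [oi_bytes(r) for r in rcois]
    if not ois:
        raise ValueError("at least one OI is required")
    in_element, via_anqp = ois[:3], ois[3:]
    body = bytearray()
    body.append(min(len(via_anqp), 255))
    lengths = len(in_element[0])
    if len(in_element) > 1:
        lengths |= len(in_element[1]) << 4      # OI#2 length in the high nibble
    body.append(lengths)
    for oi in in_element:
        body += oi                               # OI#3 length implied by Length
    return bytes([ELEMENT_ID_ROAMING_CONSORTIUM, len(body)]) + bytes(body)


def decode_roaming_consortium(element: bytes) -> tuple[list[str], int]:
    """Parse an element back into (OIs carried in the element, OIs via ANQP)."""
    if len(element) < 4 or element[0] != ELEMENT_ID_ROAMING_CONSORTIUM:
        raise ValueError("not a Roaming Consortium element")
    length = element[1]
    body = element[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated element")
    n_anqp = body[0]
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    pos, ois = 2, []
    if len1:
        ois.append(body[pos:pos + len1])
        pos += len1
    if len2:
        ois.append(body[pos:pos + len2])
        pos += len2
    if pos < len(body):                          # remaining octets are OI#3
        ois.append(body[pos:])
    return [oi_str(o) for o in ois], n_anqp


def beacon_welcomes_eduroam(element: bytes) -> bool:
    """True if the beacon advertises eduroam's RCOI or the OpenRoaming
    education-only RCOI, i.e. it signals that eduroam guests are accepted."""
    ois, _ = decode_roaming_consortium(element)
    return RCOI_EDUROAM in ois or RCOI_OPENROAMING_EDU in ois


if __name__ == "__main__":
    elem = encode_roaming_consortium([RCOI_OPENROAMING_ALL, RCOI_OPENROAMING_EDU, RCOI_EDUROAM])
    print(elem.hex(), decode_roaming_consortium(elem), beacon_welcomes_eduroam(elem))
```

Note that a client selects one of the advertised OIs at association time; that selection is what shows up again on the RADIUS side (see the Uplink section), so the OIs in the beacon and the RADIUS routing rules must agree.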

eduroam SPs

Beacon Settings

Hotspots which want to become eduroam SPs but cannot use the SSID "eduroam" (e.g. third parties) should use the eduroam Roaming Consortium Organisation Identifier (RCOI) given in the OpenRoaming ANPs section above to indicate that their Passpoint network is willing to accept eduroam guests.

Uplink

For the actual request routing, there are three possible ways (1a, 1b and 2 below):

  1. Negotiate a RADIUS AAA server address and shared secret with an eduroam NRO, to be used as the uplink for authentications. Then, either
     1a) send all realms not belonging to another roaming partner to the eduroam servers (a "default" routing to eduroam). This is only possible if all other roaming partners at the hotspot are identifiable and can be enumerated; or
     1b) use equipment that supports Passpoint R3, which lets the hotspot identify and forward the thousands of eduroam realms towards that one server without enumerating them, by leveraging the RADIUS attribute "HS2.0 Roaming Consortium" [Vendor-Specific, Vendor 40808 (Wi-Fi Alliance), Attribute 6] that such equipment adds to the authentication request; it carries the RCOI the client selected.
  2. Get a roaming certificate for use with RADIUS/TLS and Dynamic Server Discovery (e.g. from eduroam Operations directly) and look up the DNS NAPTR records for the realm in question; the NAPTR labels are "x-eduroam:radius.tls" (if you have a RADIUS/TLS server certificate from eduroam) or "aaa+auth:radius.tls.tcp" (the RFC 7585 label, if you have any other server certificate). Connections should be attempted to all servers resulting from the respective DNS responses. Note: only a minority of eduroam IdPs currently use NAPTR records; not all eduroam realms will be reached with this configuration.

1b) is currently the most viable option.
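The routing decision behind options 1a and 1b, as an added example (Python, not code from this page, eduroam or any RADIUS vendor): the proxy in front of the eduroam uplink parses the Access-Request's attribute list, extracts the "HS2.0 Roaming Consortium" Vendor-Specific attribute (vendor 40808, attribute 6, RFC 2865 VSA framing) and routes on the RCOI when Passpoint R3 equipment supplied it (1b); when it is absent it falls back to default routing by realm, which only works if the partner realms are enumerated (1a). The uplink names, the partner realm list and the sample requests are constructed for the example; the OpenRoaming branch corresponds to the eduroam ↔ OpenRoaming ANP proxy mentioned under Beacon Settings.

```python
"""Uplink selection for a Passpoint hotspot's RADIUS proxy (options 1a and 1b)."""
from __future__ import annotations
import struct

WFA_VENDOR_ID = 40808               # Wi-Fi Alliance IANA enterprise number
WFA_HS20_ROAMING_CONSORTIUM = 6     # vendor attribute: RCOI selected by the client
RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_VENDOR_SPECIFIC = 26

RCOI_EDUROAM = bytes.fromhex("001bc50460")          # eduroam's own RCOI
RCOI_OPENROAMING_PREFIX = bytes.fromhex("5a03ba")    # 5A-03-BA-xx-xx family

# Hypothetical uplink names and partner list for this example only.
UPLINK_EDUROAM = "eduroam-nro"                       # server negotiated in step 1
UPLINK_OPENROAMING = "openroaming-anp-proxy"
UPLINK_PARTNER = {"partner.example": "partner-aaa"}  # 1a: enumerated partners


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 Vendor-Specific: 26 | Len | Vendor-Id(4) | Vendor-Type | Vendor-Len | value."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return encode_attribute(RADIUS_ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attributes(blob: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        out.append((t, blob[pos + 2:pos + length]))
        pos += length
    return out


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_attributes(blob)
        return True
    except ValueError:
        return False


def hs20_roaming_consortium(attrs: list[tuple[int, bytes]]) -> bytes | None:
    """Return the RCOI from the WFA HS2.0 Roaming Consortium VSA, if present."""
    for t, v in attrs:
        if t != RADIUS_ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != WFA_VENDOR_ID:
            continue
        vtype, vlen = v[4], v[5]                 # Vendor-Length counts itself and the type
        if vtype == WFA_HS20_ROAMING_CONSORTIUM and vlen >= 2 and 4 + vlen <= len(v):
            return v[6:4 + vlen]
    return None


def user_realm(attrs: list[tuple[int, bytes]]) -> str | None:
    for t, v in attrs:
        if t == RADIUS_ATTR_USER_NAME and b"@" in v:
            return v.decode("utf-8", "replace").rsplit("@", 1)[1].lower()
    return None


def select_uplink(access_request_attrs: bytes) -> str:
    """Prefer the RCOI (1b) when the AP supplied one; otherwise default-route by
    realm (1a). A request with neither an RCOI nor a realm cannot be routed."""
    attrs = parse_attributes(access_request_attrs)
    rcoi = hs20_roaming_consortium(attrs)
    if rcoi == RCOI_EDUROAM:
        return UPLINK_EDUROAM
    if rcoi is not None and rcoi.startswith(RCOI_OPENROAMING_PREFIX):
        return UPLINK_OPENROAMING
    realm = user_realm(attrs)                    # pre-R3 equipment: option 1a
    if realm is None:
        return "reject"
    return UPLINK_PARTNER.get(realm, UPLINK_EDUROAM)


if __name__ == "__main__":
    # Constructed Access-Request attribute lists (no real traffic).
    r3 = encode_attribute(RADIUS_ATTR_USER_NAME, b"alice@uni.example") + \
        encode_vsa(WFA_VENDOR_ID, WFA_HS20_ROAMING_CONSORTIUM, RCOI_EDUROAM)
    legacy = encode_attribute(RADIUS_ATTR_USER_NAME, b"carol@uni.example")
    print(select_uplink(r3), select_uplink(legacy))
```

The attribute name for the same VSA in a FreeRADIUS dictionary is vendor WiFi-Alliance / HS20-Roaming-Consortium; whichever proxy is used, the RCOI the client picked must be trusted only as a routing hint, since the home server still authenticates the user.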

Note for existing eduroam SPs based on SSID

There are currently no plans to move away from using the SSID "eduroam" as the single user-facing identifier for hotspots operated directly by an eduroam participating organisation. If this ever changes, the Roaming Consortium Organisation Identifier

00-1B-C5-04-6F [configured in end-user device to be displayed as: "eduroam®"]

is reserved for that purpose. It is configured in some supplicants but not expected to be emitted by any SP which has an SSID "eduroam" at this point.

However, eduroam SPs which deploy a separate onboarding SSID can benefit from the Online Sign-Up capabilities in Passpoint R2 and above. They should configure their eduroam SSID to emit the OSU (Online Sign-Up) portions of Passpoint and configure the OSU server URL as defined below as the target server for Online Sign-Up. Their onboarding SSID must then allow access for end-users to that URL and to eduroam CAT.

...

realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.

(or another SRV target if instructed so by their eduroam NRO)
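How a hotspot following option 2 (Dynamic Server Discovery) would consume the record above, as an added example (Python, not code from this page or from eduroam): the resolver logic filters NAPTR records by the service tag the hotspot can actually use ("x-eduroam:radius.tls" only with an eduroam-issued RADIUS/TLS certificate, "aaa+auth:radius.tls.tcp" with any server certificate), processes the lowest usable NAPTR order by preference as RFC 3403 requires, follows the "s" flag to SRV, and returns every resulting server so that all of them can be tried. DNS is replaced by a lookup function over a constructed zone that contains the NAPTR record shown above plus hypothetical SRV targets (radsec-a/b.example.net, radius.realm.name); with dnspython, lookup would wrap dns.resolver.resolve(name, rrtype).

```python
"""RFC 7585-style NAPTR/SRV discovery of a realm's RADIUS/TLS servers."""
from __future__ import annotations
from dataclasses import dataclass

SERVICE_EDUROAM = "x-eduroam:radius.tls"      # needs an eduroam-issued RADIUS/TLS cert
SERVICE_RFC7585 = "aaa+auth:radius.tls.tcp"   # works with any acceptable server cert


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data (not real DNS): the NAPTR record from this page, an
# eduroam-only alternative for the same realm, a DTLS-only realm, and the SRV
# targets (hypothetical hostnames).
ZONE = {
    ("realm.name.", "NAPTR"): [
        Naptr(100, 10, "s", SERVICE_RFC7585, "", "_radsec._tcp.openroaming.eduroam.org."),
        Naptr(50, 10, "s", SERVICE_EDUROAM, "", "_radsec._tcp.realm.name."),
    ],
    ("_radsec._tcp.openroaming.eduroam.org.", "SRV"): [
        Srv(0, 10, 2083, "radsec-a.example.net."),
        Srv(0, 10, 2083, "radsec-b.example.net."),
    ],
    ("_radsec._tcp.realm.name.", "SRV"): [Srv(0, 0, 2083, "radius.realm.name.")],
    ("dtls.example.", "NAPTR"): [
        Naptr(100, 10, "s", "aaa+auth:radius.dtls.udp", "", "_radsec._udp.dtls.example."),
    ],
}


def zone_lookup(name: str, rrtype: str) -> list:
    """Stand-in for a DNS query: returns the records of the constructed zone."""
    return ZONE.get((name, rrtype), [])


def discover_servers(realm: str, have_eduroam_cert: bool, lookup=zone_lookup) -> list[tuple[str, int]]:
    """Return (host, port) pairs to try, in order, for a user's realm.

    Only NAPTR records with a usable service tag and the terminal "s" flag are
    considered. Per RFC 3403 only the lowest matching ORDER is used, sorted by
    PREFERENCE; SRV results are sorted by priority (weights are simplified to a
    sort key here instead of weighted random selection). An empty list means the
    realm publishes nothing this hotspot can use, which the page notes is still
    the common case.
    """
    usable = {SERVICE_RFC7585}
    if have_eduroam_cert:
        usable.add(SERVICE_EDUROAM)
    name = realm.rstrip(".").lower() + "."
    naptrs = [n for n in lookup(name, "NAPTR")
              if n.service in usable and n.flags.lower() == "s"]
    if not naptrs:
        return []
    lowest = min(n.order for n in naptrs)
    chosen = sorted((n for n in naptrs if n.order == lowest), key=lambda n: n.preference)
    servers: list[tuple[str, int]] = []
    for n in chosen:
        srvs = sorted(lookup(n.replacement, "SRV"), key=lambda s: (s.priority, -s.weight))
        for s in srvs:
            entry = (s.target.rstrip("."), s.port)
            if entry not in servers:
                servers.append(entry)
    return servers


if __name__ == "__main__":
    print(discover_servers("realm.name", have_eduroam_cert=False))
    print(discover_servers("realm.name", have_eduroam_cert=True))
```

With the page's record alone (no eduroam-issued certificate) the hotspot ends up at the SRV targets of _radsec._tcp.openroaming.eduroam.org.; a realm that additionally publishes a lower-order x-eduroam:radius.tls record steers eduroam-certified hotspots directly to its own server instead. The server certificate presented on the resulting RADIUS/TLS connection still has to be validated against the trust roots the roaming certificate was issued under.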

Infrastructure

OpenRoaming

...