Versions Compared

Old Version 28

changes.mady.by.user Stefan Winter

Saved on

compared with

New Version Current

changes.mady.by.user Stefan Paetow

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

(work in progress)

Table of Contents

Service Provider settings

Also see Passpoint / Hotspot 2.0

OpenRoaming ANPs

Participating in OpenRoaming as an ANP means

a) having a compatible Wi-Fi infrastructure that supports OpenRoaming

b) adding a number of Passpoint Roaming Consortium Organization Identifiers (RCOIs) in the beacons of the Wi-Fi network and

bc) to have an uplink into the OpenRoaming RADIUS infrastructure.

Wi-Fi Infrastructure

To be able to use OpenRoaming, you must use access points (APs) that support Hotspot 2.0 (Passpoint), which OpenRoaming relies on. This means your APs must support ANQP, standardised as 802.11u. Some vendors will not mention whether Hotspot 2.0 is supported in their AP. APs geared towards home networks (so, consumer-level) tend to not have it. If in doubt, contact the vendor.

Enterprise-level APs tend to have support for ANQP and also for Hotspot 2.0. Again, if in doubt, please contact the vendor first and verify that the AP will support it before you purchase. The Release version of Passpoint is described here: https://source.android.com/docs/core/connect/wifi-passpoint 

Vendors that do support Hotspot 2.0 are Aruba, Meraki and (obviously) Cisco. This list is not exclusive. 

Some vendors only make Hotspot 2.0 features available on request. One example is Meraki, where you must contact support through the Meraki online management portal to request that Hotspot 2.0 is enabled. 

Your own RADIUS server can be anything, but if you have a RADIUS server that can speak Radsec, you'll be well on your way there. Radsecproxy is arguably the most well-known open-source Radsec server (and you can put it in front of other non-Radsec servers like Microsoft's NPS) and it is actively supported by the eduroam community; FreeRADIUS 3.2.x has vastly improved Radsec support over earlier versions (you're strongly encouraged to move to the v3.2 branch). Radiator, Cisco ISE and Aruba ClearPass are paid-for solutions that support Radsec, with Radiator very well-suited to do dynamic routing. If you know of other software that supports Radsec, let us know!

Beacon Settings

In order to signal that eduroam users are welcome, a set of these RCOIs can be used. Below are two common choices. Note that the SSID for the network is then arbitrary but SHOULD NOT be "eduroam" as there are known side-effects on supplicants when the network configuration matches both by SSID and by RCOI.

  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
    5A-03-BA-00-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free, should add the following RCOI instead:
    5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
    (this option makes sense if the hotspot is also welcoming other identities but on different terms, e.g. with-settlement)
  • The OpenRoaming framework allows announcing better QoS levels ("Silver" and "Gold") which come with their own RCOIs, differing from the above in one hexit. Since there is no benefit for an ANP in giving higher guarantees, it is suggested not to announce those RCOIs. 
  • Note, as of 8 Feb 2021: some onboarding tools and IdPs still use exclusively the pre-standard RCOI from Cisco times. This includes most notably: Cisco "OpenRoaming" app; the Samsung OneUI onboarding workflow. If you want to support users with IdPs served by these tools, be sure to include the RCOI 00-40-96 in the beacon.
  • You can calculate other RCOIs supported by OpenRoaming here: https://wireless-broadband-alliance.github.io/OR-rcoi-config/

In order to be able to communicate with OpenRoaming, you have to either set yourself up as an OpenRoaming service provider (called an ANP in OpenRoaming land) by applying for a certificate from the Wireless Broadband Alliance (WBA), or you have to connect your server to an uplink (a proxy that gets you access to the Openroaming network).

  • Third-party hotspots which are onboarded in the OpenRoaming ecosystem by a third party need to take no further action. An OpenRoaming ANP uses the normal NAPTR discovery for users from an eduroam realm. This means that eduroam IdPs will need to publish that a NAPTR record (see further down) and have it point to an eduroam ↔ OpenRoaming ANP proxy. (eduroam OT provides one such proxy for all eduroam participants; eduroam NROs may provide their own for their own institutional user base).
  • existing Existing eduroam hotspots wishing to make use of eduroam infrastructure as their OpenRoaming uplink provider currently need to connect the Wi-Fi network that has these RCOIs to a proxy run by eduroam OT - contact points for this are Paul Dekkers and Stefan Winter.
  • If you intend to be an ANP, depending on your network access provision conditions, you may need to arrange for additional network provision that allows you to route network traffic that does not comply with your existing provision conditions. For example, organisations receiving network access through the UK JANET network must ensure that non-research/educational users are not routed over the existing network connection, but via separate network access (such as a broadband connection from a commercial provider).

Access Point Configuration examples

ArubaOS 8.x

The configuration snippets that enable OpenRoaming with the "OpenRoaming All" and an uplink to the eduroam OT proxy are on this separate page.the following pages:

ArubaOS 8.x (stand-alone)
ArubaOS 8.x (controller-based)
Cisco IOS-XE

FortiWiFi or FortiAP

Meraki OpenRoaming configuration snippet (cloud controller managed)

eduroam SPs

Beacon Settings

...

00-1B-C5-04-60 [configured in end-user device to be displayed as: "eduroam® Hitchhiker" (name provisional)]

to indicate that their Passpoint network is willing to accept eduroam guests.

...

  • The contact information concerning the Identity Provider in the eduroam Operations Database needs to MUST be complete and accurate, including at least email address, postal address and telephone number
  • The Identity Provider must MUST generate Chargeable-User-Identity attributes in authentication responses

  • The DNS zone for the Identity Provider's realm name must MUST include a NAPTR record for their realm pointing to an eduroam OpenRoaming interchange proxy. The example below targets the general-purpose proxy operated by eduroam OT; the target host may be different for eduroam NROs who operate their own proxy:

    realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.

  • End user devices need to be provisioned with the pertinent settings to recognise OpenRoaming hotspots - see section "End-User Device Settings" below
  • The end users themselves need to be made aware that they are bound by the OpenRoaming End-User Terms and Conditions whenever they connect to OpenRoaming hotspots.

...

Operator-Name = 4<string>

where the string is the WBA Identifier of the organisation that operates the hotspot. If you are not a WBA member, you may not have a WBA Identifier. We're establishing how such identifiers can be made available.

End-User Device Settings

Starting with version 2.0.31, the eduroam onboarding toolset (eduroam CAT and eduroam Managed IdP) integrates Passpoint network definitions in general, and OpenRoaming settings in particular, in its standard workflow. This version is currently available for testing on https://cat-test.eduroam.org with a stale copy of production data.

CAT eduroam Passpoint settings

CAT automatically injects automatically inject network definitions based on the eduroam Roaming Consortium Organisation identifiers (RCOI) on all platforms where this is possible. The platforms and their respective caveats are listed below.

In general, the Passpoint configuration configures two eduroam RCOIs:

identifier (RCOI 00-1B-C5-04-60 [ with the Display Name "eduroam® Hitchhiker" (name provisional) ]
00-1B-C5-04-6F [Display Name "eduroam®"]
The latter one is reserved for a distance-future use, in case eduroam would go fully Passpoint and give up on SSID-based configurations throughout all SPs world-wide. The RCOI would then signify eduroam self-operated hotspots with this "home" display name.

To allow your users to connect also to OpenRoaming hotspots (under the OpenRoaming End-User Terms and Conditions), firstly make sure that your users acknowledge the OpenRoaming End-User Terms and Conditions. Then configure the following six RCOIs additionally:

all platforms where this is possible and does not create nuisances for end users.

CAT OpenRoaming settings

When their eduroam NRO has enabled the feature set in their country's tenancy (which they do by setting "OpenRoaming: Allow Organisation Opt-In" in their NRO settings), eduroam IdPs can easily have CAT create OpenRoaming enabled installers by adding a single attribute in the "Media-Specific" category. This will include the RCOIs 5A-03-BA-00-00 5A-03-BA-00-00, 5A-03-BA-10-00, 5A-03-BA-20-00 (a.k.a. "OpenRoaming for All Identities, settlement-free, no personal data requested, baseline /silver/gold QoS) - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions") and 5A-03-BA-08-00, 5A-03-BA-18-00, 5A-03-BA-28-00 (a.k.a. "OpenRoaming for Educational or Research Identities, settlement-free, no personal data requested, baseline /silver/gold QoS") - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditionsin the installers. The attribute is called "OpenRoaming" and can take one of four values:

ValueMeaning
Ask UserDuring download on the web interface, users will be actively asked whether they want to have OpenRoaming access included in their installer (on platforms where OpenRoaming installation is technically feasible). They are shown and need to acknowledge the OpenRoaming T&Cs before the download starts. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs.
Ask User, T&Cs pre-agreedDuring download on the web interface, users will be actively asked whether they want to have OpenRoaming access included in their installer (on platforms where OpenRoaming installation is technically feasible). By selecting this value, the IdP asserts that their end users have already seen and accepted the OpenRoaming T&Cs; the download flow does not repeat this acknowledgement. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs.
AlwaysInclude the OpenRoaming access details in all installers (where technically feasible). The users are shown and need to acknowledge the OpenRoaming T&Cs before the download starts. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs.
Always, T&Cs pre-agreedInclude the OpenRoaming access details in all installers (where technically feasible). By selecting this value, the IdP asserts that their end users have already seen and accepted the OpenRoaming T&Cs; the download flow does not repeat this acknowledgement. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs.



Device support

Windows before 10

These platforms are not configured for Passpoint.

Windows 10 and Windows 11

Both for eduroam CAT and eduroam Managed IdP, the SSID-based eduroam Passpoint profile is always included and the OpenRoaming Passpoint profile are installed in sequence. The SSID based configuration always succeedsis optionally included. Installation of the Passpoint profile these may fail if the chipset and driver on the machine does not support Passpoint. Such failures are silently ignored (and only the eduroam SSID configuration is then installed); no user inconvenience.As of October 2019, there are field reports that some 10-20% of devices which do claim Passpoint support and which will be configured with Passpoint do not actually work post-config. These failures are occuring for all Passpoint configurations, i.e. are independent of eduroam; but they also do not cause any harm to the end user - the authentication and connection to Passpoint networks is simply not possible then. Up-to-date drivers are reported to help in such situations.

Apple (Mac OS X, macOS, iOS, iPadOS)

For eduroam Managed IdP, eduroam Passpoint-based profiles are always installed alongside the SSID-based ones. This is expected to work throughout the product palette of Apple, and with no additional user interaction. OpenRoaming is not currently enabled on Managed IdP.

For eduroam CAT , Passpoint configuration is only installed will install OpenRoaming Passpoint profiles when enabled (all EAP types); it will however only install the eduroam Passpoint profile if the IdP's chosen EAP type is "EAP-TLS" as this EAP type does not trigger multiple prompts for usernames and passwords. For all password-based EAP methods, only the SSID-based configuration is pushed to the device. Apple personnel is aware of the annoyance of . This is because of known user nuisances regarding multiple username/password prompts and installation of Passpoint configurations alongside SSID-based ones will be enabled as soon as the situation amelioratesfor multiple SSID and Passpoint profiles which CAT minimises by omitting that extra prompt for eduroam Passpoint.

Android

The eduroam CAT app needs an update to support configuring Passpoint networks.

eduroam Passpoint profiles and the optional OpenRoaming Passpoint profiles can be installed only with the new geteduroam app (i.e. not with the predecessor "eduroamCAT"). geteduroam has varying support for Passpoint profiles depending on the Android version and whether the IdP chose "Ask" vs. "Always" - the "Always" variant currently has better support across all supported Android versions; "Ask" support needs special IdP workarounds.

Intrinsic support for OpenRoaming exists on later (read, newer) devices and versions of Android. For example, recent Google Pixel devices (Pixel 5 and later) show "OpenRoaming" as a network when a HS2.0 hotspot is detected. You then have the choice to enable roaming to this network by choosing to use your Google account associated with your Android phone. Apps like 'Cisco Openroaming' also enable an account on the same network. CAT profiles installed with geteduroam will show "<realm name> via Passpoint" instead but do not associate with the "OpenRoaming" SSID. On some Samsung devices, you may see "OpenRoaming available using Samsung Account" instead, which will function in a similar fashion as the Google Pixel. (The built-in method of Passpoint R1 provisioning as described in AOSP: Wi-Fi Passpoint R1) is not generally usable as the installation of new, dedicated Wi-Fi root CAs is prohibited by Android API.)

Linux

TBD.

ChromeOS

TBD.

Infrastructure

OpenRoaming

eduroam currently operates a beta-quality central interchange point with OpenRoaming. Third-party SPs find it automatically by looking up NAPTR records in DNS for aaa+auth for the respective realm. Identity Providers need to configure a NAPTR record, see above.

UK eduroam operator Jisc also operates a beta-quality central interchange point with OpenRoaming. eduroam(UK) members should contact their eduroam helpdesk to gain access and join the trial.

Passpoint Release 2: Online Sign-Up

...