...

Participating in OpenRoaming as an ANP means

a) having a compatible Wi-Fi infrastructure that supports OpenRoaming

b) adding a number of Passpoint Roaming Consortium Organization Identifiers (RCOIs) in the beacons of the Wi-Fi network and

c) having an uplink into the OpenRoaming RADIUS infrastructure.

Wi-Fi Infrastructure

To be able to use OpenRoaming, you must use access points (APs) that support Hotspot 2.0 (Passpoint), which OpenRoaming relies on. This means your APs must support ANQP, standardised as 802.11u. Some vendors do not state whether their APs support Hotspot 2.0. APs geared towards home networks (consumer-level) tend not to have it. If in doubt, contact the vendor.

Enterprise-level APs tend to have support for ANQP and also for Hotspot 2.0. Again, if in doubt, please contact the vendor first and verify that the AP will support it before you purchase. The Release version of Passpoint is described here: https://source.android.com/docs/core/connect/wifi-passpoint 

Vendors that do support Hotspot 2.0 include Aruba, Meraki and (obviously) Cisco. This list is not exhaustive.

Some vendors only make Hotspot 2.0 features available on request. One example is Meraki, where you must contact support through the Meraki online management portal to request that Hotspot 2.0 is enabled. 

Your own RADIUS server can be anything, but if you have a RADIUS server that can speak RadSec (RADIUS over TLS), you'll be well on your way there.

Beacon Settings

In order to signal that eduroam users are welcome, a set of these RCOIs can be used. Below are two common choices. Note that the SSID for the network is then arbitrary but SHOULD NOT be "eduroam" as there are known side-effects on supplicants when the network configuration matches both by SSID and by RCOI.

  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS. This includes, but is not limited to, users in education and research:
    5A-03-BA-00-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free should add the following RCOI instead:
    5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
    (this option makes sense if the hotspot also welcomes other identities, but on different terms, e.g. with settlement)
  • The OpenRoaming framework allows announcing better QoS levels ("Silver" and "Gold"), which come with their own RCOIs, differing from the above in one hexit. Since there is no benefit for an ANP in giving higher guarantees, it is suggested not to announce those RCOIs.
  • Note, as of 8 Feb 2021: some onboarding tools and IdPs still use exclusively the pre-standard RCOI from Cisco times. This includes most notably the Cisco "OpenRoaming" app and the Samsung OneUI onboarding workflow. If you want to support users with IdPs served by these tools, be sure to include the RCOI 00-40-96 in the beacon.
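As an added example (not part of the original wiki page), the following Python check takes a planned Passpoint beacon configuration and reports the points this section makes: whether an eduroam-welcoming RCOI is present, whether the SSID is "eduroam", and whether the legacy Cisco RCOI is included. The RCOI values are the ones given above; the finding codes and the assumption that RCOIs are 3 to 15 octets (the 802.11 Roaming Consortium OI length) are mine.

```python
import re

# RCOIs named on this page. The Silver/Gold QoS variants are deliberately
# not listed, since the page suggests not announcing them.
RCOI_BASELINE = "5A03BA0000"     # OpenRoaming for All Identities, settlement-free
RCOI_EDU_ONLY = "5A03BA0800"     # education/research (eduroam) visitors, settlement-free
RCOI_LEGACY_CISCO = "004096"     # pre-standard RCOI still used by some onboarding tools


def normalise_rcoi(rcoi: str) -> str:
    """Accept '5A-03-BA-00-00', '5a:03:ba:00:00' or '5A03BA0000' and return
    upper-case hex. An 802.11 Roaming Consortium OI is 3 to 15 octets
    (assumption from the standard; not stated on this page)."""
    hexstr = re.sub(r"[-:\s]", "", rcoi).upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2}){3,15}", hexstr):
        raise ValueError(f"RCOI {rcoi!r} is not 3..15 octets of hex")
    return hexstr


def check_beacon(ssid: str, rcois: list[str]) -> list[str]:
    """Return finding codes (hypothetical names) for a beacon configuration.
    An empty list means the beacon follows every recommendation above."""
    present = {normalise_rcoi(r) for r in rcois}
    findings = []

    # Known supplicant side-effects when a profile matches both by SSID and RCOI
    if ssid.strip().lower() == "eduroam":
        findings.append("ssid_is_eduroam")

    # Exactly one of the two eduroam-welcoming RCOIs is expected
    welcoming = {RCOI_BASELINE, RCOI_EDU_ONLY} & present
    if not welcoming:
        findings.append("no_eduroam_rcoi")
    elif len(welcoming) == 2:
        findings.append("both_baseline_and_edu_only")

    # Pre-standard tools (Cisco app, Samsung OneUI) only match on 00-40-96
    if RCOI_LEGACY_CISCO not in present:
        findings.append("legacy_cisco_rcoi_missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: an education-only hotspot with the legacy RCOI added
    print(check_beacon("Campus-Guest", ["5A-03-BA-08-00", "00-40-96"]))
```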

In order to be able to communicate with OpenRoaming, you have to either set yourself up as an OpenRoaming service provider (called an ANP in OpenRoaming land) by applying for a certificate from the Wireless Broadband Alliance (WBA), or you have to connect your server to an uplink (a proxy that gets you access to the OpenRoaming network).

  • Hotspots that are onboarded into the OpenRoaming ecosystem by a third party need to take no further action. An OpenRoaming ANP uses the normal NAPTR discovery for users from an eduroam realm. This means that eduroam IdPs will need to publish a NAPTR record (see further down) and have it point to an eduroam ↔ OpenRoaming ANP proxy. (eduroam OT provides one such proxy for all eduroam participants; eduroam NROs may provide their own for their own institutional user base.)
  • Existing eduroam hotspots wishing to make use of eduroam infrastructure as their OpenRoaming uplink provider currently need to connect the Wi-Fi network that has these RCOIs to a proxy run by eduroam OT - contact points for this are Paul Dekkers and Stefan Winter.

Access Point Configuration examples

...

  • The contact information concerning the Identity Provider in the eduroam Operations Database MUST be complete and accurate, including at least email address, postal address and telephone number
  • The Identity Provider MUST generate Chargeable-User-Identity attributes in authentication responses
  • The DNS zone for the Identity Provider's realm name MUST include a NAPTR record for their realm pointing to an eduroam OpenRoaming interchange proxy. The example below targets the general-purpose proxy operated by eduroam OT; the target host may be different for eduroam NROs who operate their own proxy:

    realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.

  • End user devices need to be provisioned with the pertinent settings to recognise OpenRoaming hotspots - see section "End-User Device Settings" below
  • The end users themselves need to be made aware that they are bound by the OpenRoaming End-User Terms and Conditions whenever they connect to OpenRoaming hotspots.
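As an added example (not part of the original page), this Python snippet parses a zone-file NAPTR line such as the one above and checks that it has the shape of a usable RADIUS/TLS dynamic-discovery record: service tag `aaa+auth:radius.tls.tcp`, an `s` (SRV target) or `a` (host name) flag, an empty regexp, and an absolute replacement name. The proxy name is the one from the page; the `Naptr` class and the problem messages are mine.

```python
import shlex
from dataclasses import dataclass, field

# Service tag for RADIUS over TLS (RadSec) dynamic discovery, as used on this page
RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"


@dataclass
class Naptr:
    owner: str
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str
    problems: list[str] = field(default_factory=list)


def parse_naptr(zone_line: str) -> Naptr:
    """Parse one zone-file NAPTR line (TTL and class are optional) and list
    anything that would stop it working as an eduroam -> OpenRoaming pointer."""
    rdata_line = zone_line.split(";", 1)[0]            # drop zone-file comments
    tokens = shlex.split(rdata_line)                    # handles "s" and the empty "" regexp
    if "NAPTR" not in tokens:
        raise ValueError("not a NAPTR record")
    i = tokens.index("NAPTR")
    rdata = tokens[i + 1:]
    if i < 1 or len(rdata) != 6:
        raise ValueError("expected: owner [ttl] [class] NAPTR order pref flags service regexp replacement")
    rec = Naptr(tokens[0], int(rdata[0]), int(rdata[1]), rdata[2], rdata[3], rdata[4], rdata[5])

    if not rec.owner.endswith("."):
        rec.problems.append("owner name is relative (no trailing dot); check the zone's $ORIGIN")
    if rec.flags.lower() not in ("s", "a"):
        rec.problems.append(f"flags {rec.flags!r}: expected 's' (SRV target, as on this page) or 'a'")
    if rec.service != RADSEC_SERVICE:
        rec.problems.append(f"service {rec.service!r}: expected {RADSEC_SERVICE!r}")
    if rec.regexp:
        rec.problems.append("regexp must be empty when a replacement name is given")
    if rec.replacement in ("", ".") or not rec.replacement.endswith("."):
        rec.problems.append("replacement must be an absolute name ending in '.'")
    return rec


if __name__ == "__main__":
    # The record from this page, with a placeholder realm
    rec = parse_naptr('realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" '
                      '_radsec._tcp.openroaming.eduroam.org.')
    print(rec.replacement, rec.problems or "OK")
```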

...

where the string is the WBA Identifier of the organisation that operates the hotspot. If you are not a WBA member, you may not have a WBA Identifier. We're establishing how such identifiers can be made available.

End-User Device Settings

...