Versions Compared

Old Version 33

changes.mady.by.user Stefan Paetow

Saved on

compared with

New Version Current

changes.mady.by.user Stefan Paetow

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

(work in progress)

Table of Contents

Service Provider settings

Also see Passpoint / Hotspot 2.0

OpenRoaming ANPs

Participating in OpenRoaming as an ANP means

...

Your own RADIUS server can be anything, but if you have a RADIUS server that can speak Radsec, you'll be well on your way there.

Beacon Settings

In order to signal that eduroam users are welcome, a set of these RCOIs can be used. Below are two common choices. Note that the SSID for the network is then arbitrary but SHOULD NOT be "eduroam" as there are known side-effects on supplicants when the network configuration matches both by SSID and by RCOI.

Radsecproxy is arguably the most well-known open-source Radsec server (and you can put it in front of other non-Radsec servers like Microsoft's NPS) and it is actively supported by the eduroam community; FreeRADIUS 3.2.x has vastly improved Radsec support over earlier versions (you're strongly encouraged to move to the v3.2 branch). Radiator, Cisco ISE and Aruba ClearPass are paid-for solutions that support Radsec, with Radiator very well-suited to do dynamic routing. If you know of other software that supports Radsec, let us know!

Beacon Settings

In order to signal that eduroam users are welcome, a set of these RCOIs can be used. Below are two common choices. Note that the SSID for the network is then arbitrary but SHOULD NOT be "eduroam" as there are known side-effects on supplicants when the network configuration matches both by SSID and by RCOI.

  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
    5A-03-BA-00
  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
    5A-03-BA-00-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free, should add the following RCOI instead:
    5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions(this option makes sense if the hotspot is also welcoming other identities but on different terms, e.g. with-settlement)
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free, should add the following RCOI instead:
    5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
    (this option makes sense if the hotspot is also welcoming other identities but on different terms, e.g. with-settlement)
  • The OpenRoaming framework allows announcing better QoS levels ("Silver" and The OpenRoaming framework allows announcing better QoS levels ("Silver" and "Gold") which come with their own RCOIs, differing from the above in one hexit. Since there is no benefit for an ANP in giving higher guarantees, it is suggested not to announce those RCOIs. 
  • Note, as of 8 Feb 2021: some onboarding tools and IdPs still use exclusively the pre-standard RCOI from Cisco times. This includes most notably: Cisco "OpenRoaming" app; the Samsung OneUI onboarding workflow. If you want to support users with IdPs served by these tools, be sure to include the RCOI 00-40-96 in the beacon.

In order to be able to communicate with OpenRoaming, In order to be able to communicate with OpenRoaming, you have to either set yourself up as an OpenRoaming service provider (called an ANP in OpenRoaming land) by applying for a certificate from the Wireless Broadband Alliance (WBA), or you have to connect your server to an uplink (a proxy that gets you access to the Openroaming network).

  • Third-party hotspots which are onboarded in the OpenRoaming ecosystem by a third party need to take no further action. An OpenRoaming ANP uses the normal NAPTR discovery for users from an eduroam realm. This means that eduroam IdPs will need to publish a NAPTR record (see further down) and have it point to an eduroam ↔ OpenRoaming ANP proxy. (eduroam OT provides one such proxy for all eduroam participants; eduroam NROs may provide their own for their own institutional user base).
  • Existing eduroam hotspots wishing to make use of eduroam infrastructure as their OpenRoaming uplink provider currently need to connect the Wi-Fi network that has these RCOIs to a proxy run by eduroam OT - contact points for this are Paul Dekkers and Stefan Winter.

Access Point Configuration examples

  • If you intend to be an ANP, depending on your network access provision conditions, you may need to arrange for additional network provision that allows you to route network traffic that does not comply with your existing provision conditions. For example, organisations receiving network access through the UK JANET network must ensure that non-research/educational users are not routed over the existing network connection, but via separate network access (such as a broadband connection from a commercial provider).

Access Point Configuration examples

The configuration snippets that enable OpenRoaming The configuration snippets that enable OpenRoaming with the "OpenRoaming All" and an uplink to the eduroam OT proxy are on the following pages:

...

ArubaOS 8.x (controller-based)
Cisco IOS-XEXE

FortiWiFi or FortiAP

Meraki OpenRoaming configuration snippet (cloud controller managed)

eduroam SPs

Beacon Settings

...

Operator-Name = 4<string>

where the string is the WBA Identifier of the organisation that operates the hotspot. If you are not a WBA member, you may not have a WBA Identifier. We're establishing how such identifiers can be made available.

...

Intrinsic support for OpenRoaming exists on later (read, newer) devices and versions of Android. For example, recent Google Pixel devices (Pixel 5 and later) show "OpenRoaming" as a network when a HS2.0 hotspot is detected. You then have the choice to enable roaming to this network by choosing to use your Google account associated with your Android phone. Apps like 'Cisco Openroaming' also enable an account on the same network. CAT profiles installed with geteduroam will show "<realm name> via Passpoint" instead but do not associate with the "OpenRoaming" SSID. On some Samsung devices, you may see "OpenRoaming available using Samsung Account" instead, which will function in a similar fashion as the Google Pixel. 

Linux

TBD.

ChromeOS

TBD.

Infrastructure

OpenRoaming

eduroam currently operates a beta-quality central interchange point with OpenRoaming. Third-party SPs find it automatically by looking up NAPTR records in DNS for aaa+auth for the respective realm. Identity Providers need to configure a NAPTR record, see above.

Passpoint Release 2: Online Sign-Up

eduroam plans to operate an OSU server which directs unprovisioned end-users to the eduroam CAT toolset. The provisional URL for this server is

...

the same network. CAT profiles installed with geteduroam will show "<realm name> via Passpoint" instead but do not associate with the "OpenRoaming" SSID. On some Samsung devices, you may see "OpenRoaming available using Samsung Account" instead, which will function in a similar fashion as the Google Pixel. 

Linux

TBD.

ChromeOS

TBD.

Infrastructure

OpenRoaming

eduroam currently operates a beta-quality central interchange point with OpenRoaming. Third-party SPs find it automatically by looking up NAPTR records in DNS for aaa+auth for the respective realm. Identity Providers need to configure a NAPTR record, see above.

UK eduroam operator Jisc also operates a beta-quality central interchange point with OpenRoaming. eduroam(UK) members should contact their eduroam helpdesk to gain access and join the trial.

Passpoint Release 2: Online Sign-Up

eduroam plans to operate an OSU server which directs unprovisioned end-users to the eduroam CAT toolset. The provisional URL for this server is

https://cat-osu.eduroam.org/soap/?idp=X

Where to see OpenRoaming in action

OpenRoaming locations, given the relative 'novelty' of the technology and its growth, are still somewhat sporadic, depending on your location. The Wireless Broadband Alliance took the eduroam Map as an example (encouraged by eduroam community members) to publish its own map at https://wballiance.com/openroamingmaps/ - This map uses the WiGLE service to use crowdsourced data to populate the map and is generally accurate within 24 hours. Non-residential locations generally show up as clusters of at least 4 pins together (a pin per band per SSID).

Policy

GeGC to decide on terms and conditions for letting random SPs serve eduroam users.

...