...

You are required to include a Chargeable-User-Identity (CUI) request attribute in your Access-Requests. If you are unable to do this, your uplink can potentially do it on your behalf. The UK OpenRoaming proxy does this by default.

Beacon Settings

In order to signal that eduroam users are welcome, a set of these RCOIs can be used. Below are two common choices. Note that the SSID for the network is then arbitrary but SHOULD NOT be "eduroam" as there are known side-effects on supplicants when the network configuration matches both by SSID and by RCOI.

  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to, users in education and research
    5A-03-BA-00-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free, should add the following RCOI instead:
    5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
    (this option makes sense if the hotspot is also welcoming other identities but on different terms, e.g. with-settlement)
  • The OpenRoaming framework allows announcing better QoS levels ("Silver" and "Gold") which come with their own RCOIs, differing from the above in one hexit. Since there is no benefit for an ANP in giving higher guarantees, it is suggested not to announce those RCOIs. 
  • Note, as of 8 Feb 2021: some onboarding tools and IdPs still use exclusively the pre-standard RCOI from Cisco times. This includes most notably: Cisco "OpenRoaming" app; the Samsung OneUI onboarding workflow. If you want to support users with IdPs served by these tools, be sure to include the RCOI 00-40-96 in the beacon.
  • You can calculate other RCOIs supported by OpenRoaming here: https://wireless-broadband-alliance.github.io/OR-rcoi-config/

...

  • The contact information concerning the Identity Provider in the eduroam Operations Database MUST be complete and accurate, including at least email address, postal address and telephone number
  • The Identity Provider MUST generate Chargeable-User-Identity attributes in authentication responses
  • The DNS zone for the Identity Provider's realm name MUST include a NAPTR record for their realm pointing to an eduroam OpenRoaming interchange proxy. The example below targets the general-purpose proxy operated by eduroam OT; the target host may be different for eduroam NROs who operate their own proxy:

    realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.

  • End user devices need to be provisioned with the pertinent settings to recognise OpenRoaming hotspots - see section "End-User Device Settings" below
  • The end users themselves need to be made aware that they are bound by the OpenRoaming End-User Terms and Conditions whenever they connect to OpenRoaming hotspots.
  • If using NPS as the RADIUS server for password-based authentication, you *must* add the user 'anonymous' into your Active Directory instance, but you can disable it (it must merely exist). Recent versions of Android will use the word 'anonymous' followed by your realm name as the so-called Outer Identity for tunnelled methods (such as EAP-TTLS or PEAP), and NPS will reject any authentication attempts from Android devices if the 'anonymous' user cannot be found in Active Directory. 
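The following is an added example, not code from the eduroam documentation. It checks a realm's NAPTR record against the shape the checklist above requires: "s" flags, the RADIUS/TLS service tag, an empty regexp and a fully qualified replacement naming the interchange proxy. It parses zone-file style records that are constructed inline rather than querying DNS; a deployment would feed it the output of a real NAPTR lookup. The proxy it expects by default is the general-purpose eduroam OT host from the record above; an NRO running its own proxy passes that host instead.

```python
"""Validate a realm's NAPTR record for eduroam OpenRoaming interchange.

Added example, not part of the eduroam documentation. Records are parsed from
zone-file text constructed inline; replace the sample strings with the result
of a real DNS NAPTR query to check a live realm.
"""
import shlex
from dataclasses import dataclass

EXPECTED_SERVICE = "aaa+auth:radius.tls.tcp"          # RADIUS/TLS over TCP
DEFAULT_PROXY = "_radsec._tcp.openroaming.eduroam.org."  # eduroam OT proxy


@dataclass
class Naptr:
    owner: str
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def parse_naptr(line: str) -> Naptr:
    """Parse one zone-file NAPTR line; TTL and class between owner and NAPTR are optional."""
    fields = shlex.split(line)          # honours the quoted flags/service/regexp fields
    if "NAPTR" not in fields:
        raise ValueError("not a NAPTR record")
    rdata = fields[fields.index("NAPTR") + 1:]
    if len(rdata) != 6:
        raise ValueError(f"expected 6 NAPTR rdata fields, got {len(rdata)}")
    return Naptr(fields[0], int(rdata[0]), int(rdata[1]),
                 rdata[2], rdata[3], rdata[4], rdata[5])


def problems(record: Naptr, proxy: str = DEFAULT_PROXY) -> list[str]:
    """Return every way the record deviates from the required OpenRoaming form."""
    issues = []
    if record.flags.lower() != "s":
        issues.append(f'flags should be "s" (SRV lookup follows), got "{record.flags}"')
    if record.service.lower() != EXPECTED_SERVICE:
        issues.append(f'service should be "{EXPECTED_SERVICE}", got "{record.service}"')
    if record.regexp != "":
        issues.append('regexp must be empty when flags are "s"')
    if not record.replacement.endswith("."):
        issues.append("replacement should be a fully qualified name ending in '.'")
    if record.replacement.lower().rstrip(".") != proxy.lower().rstrip("."):
        issues.append(f"replacement {record.replacement} is not the interchange proxy {proxy}")
    return issues


# Constructed samples: the record form from the checklist, and a deliberately
# wrong one (wrong flags, wrong service, unqualified target, not the proxy).
SAMPLE_GOOD = ('realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" '
               '_radsec._tcp.openroaming.eduroam.org.')
SAMPLE_BAD = 'realm.name. 43200 IN NAPTR 100 10 "a" "aaa+auth:radius.udp" "" radius.realm.name'

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        rec = parse_naptr(sample)
        print(rec.owner, problems(rec) or "OK")
```

Passing a different proxy host as the second argument of problems() is how an NRO with its own interchange proxy would run the same check; the service tag and flags are the same in either case.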

When your user is actually roaming with OpenRoaming, this is visible in the RADIUS datagrams due to the RADIUS Attribute

...