Versions Compared

Old Version 26

changes.mady.by.user Stefan Winter

Saved on

compared with

New Version 28

changes.mady.by.user Stefan Winter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
    5A-03-BA-00-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
  • Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free, should add the following RCOI instead:
    5A-03-BA-08-00 - usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions
    (this option makes sense if the hotspot is also welcoming other identities but on different terms, e.g. with-settlement)
  • The OpenRoaming framework allows announcing better QoS levels ("Silver" and "Gold") which come with their own RCOIs, differing from the above in one hexit. Since there is no benefit for an ANP in giving higher quaranteesguarantees, it is suggested not to announce those RCOIs. 
  • Note, as of 8 Feb 2021: some onboarding tools and IdPs still use exclusively the pre-standard RCOI from Cisco times. This includes most notably: Cisco "OpenRoaming" app; the Samsung OneUI onboarding workflow. If you want to support users with IdPs served by these tools, be sure to include the RCOI 00-40-96 in the beacon.

...

The configuration snippets that enable OpenRoaming with the "OpenRoaming All" and an uplink to the eduroam OT proxy are on this separate page.

eduroam SPs

Beacon Settings

...

  1. negotiate a RADIUS AAA server address and shared secret with an eduroam NRO, to be used as uplink for authentications.Then, either
    1a)  send all realms not belonging to another roaming partner to the eduroam servers (a "default" routing to eduroam). This is only possible if all other roaming partners at the hotspot are identifiable and can be enumerated.
    1b) use equipment that supports Passpoint R3 to allow identifying and forwarding of the thousands of realms in eduroam towards that one server (by leveraging the then-present RADIUS attribute "HS2.0 roaming consortium" [Vendor-Specific, Vendor 40808, Attribute 6] in the authentication request).
  2. get a roaming certificate for usage with RADIUS/TLS and Dynamic Server Discovery (e.g. from eduroam Operations directly) and look up DNS NAPTR records for the realm in question; the NAPTR labels being "x-eduroam:radius.tls" (if you have a RADIUS/TLS server certificate from eduroam) or "aaa+auth:radius.tls" (if you have any other server certificate). Connections should be attempted to all servers resulting from the respective DNS responses. Note: only a minority of eduroam IdPs currently use NAPTR records; not all eduroam realms will be reached with this configuration.

1b1a) is currently the most viable option.

...

There are currently no plans to move away from using the SSID "eduroam" as the single user-facing identifier for hotspots operated directly by an eduroam participating organisation. If this ever changes, the Roaming Consortium Organisation Identifier

00-1B-C5-04-6F [configured in end-user device to be displayed as: "eduroam®"]

is reserved for that purpose. It is configured in some supplicants but not expected to be emitted by any SP which has an SSID "eduroam" at this point.

However, eduroam SPs which deploy a separate onboarding SSID can benefit from the Online Sign-Up capabilities in Passpoint R2 and above. They should configure their eduroam SSID to emit the OSU (Online Sign-Up) portions of Passpoint and configure the OSU server URL as defined below as the target server for Online Sign-Up. Their onboarding SSID must then allow access for end-users to that URL and to eduroam CAT.

Identity Provider settings

...