...

00-1B-C5-04-60 [configured in end-user device to be displayed as: "eduroam® Hitchhiker" (name provisional)]

to indicate that their Passpoint network is willing to accept eduroam guests.

...

End-User Device Settings

Starting with version 2.0.31, the eduroam onboarding toolset (eduroam CAT and eduroam Managed IdP) automatically integrates Passpoint network definitions in general, and OpenRoaming settings in particular, in its standard workflow. This version is currently available for testing on https://cat-test.eduroam.org with a stale copy of production data.

eduroam Passpoint settings

CAT automatically injects network definitions based on the eduroam Roaming Consortium Organisation identifiers (RCOI) on all platforms where this is possible. The platforms and their respective caveats are listed below.

In general, the Passpoint configuration configures two eduroam RCOIs:

  • 00-1B-C5-04-60 [Display Name "eduroam® Hitchhiker" (name provisional)]
  • 00-1B-C5-04-6F [Display Name "eduroam®"]

The latter is reserved for distant-future use, in case eduroam goes fully Passpoint and gives up SSID-based configurations across all SPs worldwide. The RCOI would then signify eduroam self-operated hotspots with this "home" display name.

To also allow your users to connect to OpenRoaming hotspots (under the OpenRoaming End-User Terms and Conditions), first make sure that your users acknowledge the OpenRoaming End-User Terms and Conditions. Then additionally configure the following six RCOIs:

5A-03-BA-00-00, 5A-03-BA-10-00, 5A-03-BA-20-00 (a.k.a. all platforms where this is possible and does not create nuisances for end users.

OpenRoaming settings

When their eduroam NRO has enabled the feature set in their country's tenancy (which they do by setting "OpenRoaming: Allow Organisation Opt-In" in their NRO settings), eduroam IdPs can easily have CAT create OpenRoaming-enabled installers by adding a single attribute in the "Media-Specific" category. This will include the RCOIs 5A-03-BA-00-00 (a.k.a. "OpenRoaming for All Identities, settlement-free, no personal data requested, baseline/silver/gold QoS"; usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions) and 5A-03-BA-08-00, 5A-03-BA-18-00, 5A-03-BA-28-00 (a.k.a. "OpenRoaming for Educational or Research Identities, settlement-free, no personal data requested, baseline/silver/gold QoS"; usage of the hotspot is governed by the OpenRoaming End-User Terms and Conditions) in the installers. The attribute is called "OpenRoaming" and can take one of four values:

| Value | Meaning |
| --- | --- |
| Ask User | During download on the web interface, users will be actively asked whether they want to have OpenRoaming access included in their installer (on platforms where OpenRoaming installation is technically feasible). They are shown and need to acknowledge the OpenRoaming T&Cs before the download starts. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs. |
| Ask User, T&Cs pre-agreed | During download on the web interface, users will be actively asked whether they want to have OpenRoaming access included in their installer (on platforms where OpenRoaming installation is technically feasible). By selecting this value, the IdP asserts that their end users have already seen and accepted the OpenRoaming T&Cs; the download flow does not repeat this acknowledgement. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs. |
| Always | Include the OpenRoaming access details in all installers (where technically feasible). The users are shown and need to acknowledge the OpenRoaming T&Cs before the download starts. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs. |
| Always, T&Cs pre-agreed | Include the OpenRoaming access details in all installers (where technically feasible). By selecting this value, the IdP asserts that their end users have already seen and accepted the OpenRoaming T&Cs; the download flow does not repeat this acknowledgement. Where not technically feasible, users will get a standard eduroam installer download and won't see the OpenRoaming T&Cs. |
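An IdP administrator can check which RCOIs a generated Apple installer actually carries and compare that with the chosen "OpenRoaming" setting. The following is an added example, not code from eduroam CAT: it assumes an unsigned .mobileconfig whose Wi-Fi payloads use Apple's `com.apple.wifi.managed` type with the `IsHotspot` and `RoamingConsortiumOIs` keys, and the function names and the sample profile are constructed for illustration.

```python
import plistlib

# RCOIs as listed on this page, normalised to bare upper-case hex.
EDUROAM = {"001BC50460", "001BC5046F"}
OPENROAMING = {"5A03BA0000", "5A03BA1000", "5A03BA2000",
               "5A03BA0800", "5A03BA1800", "5A03BA2800"}

def normalise(rcoi):
    """'00-1b-c5-04-60' and '001bc50460' both become '001BC50460'."""
    return rcoi.replace("-", "").replace(":", "").strip().upper()

def audit_profile(raw, openroaming_opted_in):
    """Return (rcois, findings) for the Passpoint payloads of a profile."""
    profile = plistlib.loads(raw)
    rcois = set()
    for payload in profile.get("PayloadContent", []):
        # Only Wi-Fi payloads flagged as Passpoint (Hotspot 2.0) carry RCOIs.
        if (payload.get("PayloadType") == "com.apple.wifi.managed"
                and payload.get("IsHotspot")):
            rcois.update(normalise(o)
                         for o in payload.get("RoamingConsortiumOIs", []))
    findings = []
    if rcois & OPENROAMING and not openroaming_opted_in:
        findings.append("OpenRoaming RCOIs present although the IdP has not opted in")
    if openroaming_opted_in and not rcois & OPENROAMING:
        findings.append("IdP opted in but no OpenRoaming RCOI is configured")
    unknown = sorted(rcois - EDUROAM - OPENROAMING)
    if unknown:
        findings.append("unrecognised RCOIs: " + ", ".join(unknown))
    return rcois, findings

# Constructed sample profile: one SSID payload and one Passpoint payload that
# mixes an eduroam RCOI, an OpenRoaming RCOI and an unrelated value.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "SSID_STR": "eduroam", "IsHotspot": False},
        {"PayloadType": "com.apple.wifi.managed", "IsHotspot": True,
         "RoamingConsortiumOIs": ["001bc50460", "5A-03-BA-00-00", "AABBCCDDEE"]},
    ],
})

if __name__ == "__main__":
    found, problems = audit_profile(SAMPLE, openroaming_opted_in=False)
    print(sorted(found))
    print(*problems, sep="\n")
```

A signed profile has to be unwrapped to its plain plist before it can be passed to `audit_profile`.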


Device support

Windows before 10

These platforms are not configured for Passpoint.

Windows 10 and Windows 11

Both for eduroam CAT and eduroam Managed IdP, the SSID-based profile and the Passpoint profiles are installed in sequence: the eduroam Passpoint profile is always included and the OpenRoaming Passpoint profile is optionally included. The SSID-based configuration always succeeds. Installation of the Passpoint profiles may fail if the chipset and driver on the machine do not support Passpoint. Such failures are silently ignored (and only the eduroam SSID configuration is then installed), with no inconvenience to the user.

As of October 2019, there are field reports that some 10-20% of devices which do claim Passpoint support and which will be configured with Passpoint do not actually work post-config. These failures occur for all Passpoint configurations, i.e. are independent of eduroam; but they also do not cause any harm to the end user - the authentication and connection to Passpoint networks is simply not possible then. Up-to-date drivers are reported to help in such situations.

Apple (Mac OS X, macOS, iOS, iPadOS)

For eduroam Managed IdP, eduroam Passpoint-based profiles are always installed alongside the SSID-based ones. This is expected to work throughout the product palette of Apple, and with no additional user interaction. OpenRoaming is not currently enabled on Managed IdP.

eduroam CAT will install OpenRoaming Passpoint profiles when enabled (all EAP types); it will, however, only install the eduroam Passpoint profile if the IdP's chosen EAP type is "EAP-TLS", as this EAP type does not trigger multiple prompts for usernames and passwords. For all password-based EAP methods, the eduroam configuration pushed to the device is SSID-based only. This is because of known user nuisances regarding multiple username/password prompts for multiple SSID and Passpoint profiles, which CAT minimises by omitting that extra prompt for eduroam Passpoint. Apple personnel are aware of the annoyance, and installation of Passpoint configurations alongside SSID-based ones will be enabled as soon as the situation ameliorates.

Android

The eduroam CAT app needs an update to support configuring Passpoint networks.

(The built-in method of Passpoint R1 provisioning, as described in AOSP: Wi-Fi Passpoint R1, is not generally usable as the installation of new, dedicated Wi-Fi root CAs is prohibited by the Android API.)

eduroam Passpoint profiles and the optional OpenRoaming Passpoint profiles can be installed only with the new geteduroam app (i.e. not with the predecessor "eduroamCAT"). geteduroam has varying support for Passpoint profiles depending on the Android version and whether the IdP chose "Ask" vs. "Always" - the "Always" variant currently has better support across all supported Android versions; "Ask" support needs special IdP workarounds.

Linux

TBD.

ChromeOS

TBD.

Infrastructure

OpenRoaming

...