This configuration was tested on ArubaOS 188.8.131.52 (Vela build). OpenRoaming (and Passpoint in general) cannot be configured via the UI; it has to be done in CLI mode. The total configuration consists of multiple building blocks, each of which has its own section below. Much of it is copy and paste - the bits to adapt are marked with .
wlan ssid-profile PasspointAruba
   essid PasspointAruba # ANP's choice and irrelevant for OpenRoaming purposes
   auth-server OR_Proxy_eduroamOT # we will only connect you if you are an eduroam SP! Definition see below.
   hotspot-profile OpenRoaming # the important bit. Definition see below.
hotspot hs-profile OpenRoaming
   no asra # no captive portal on this network
   internet # internet access is provided
   addtl-roam-cons-ois 0 # there are not more than 3 roaming consortium OIs (-> no ANQP queries to be run)
   access-network-type private # eduroam networks are private to the R&E community
   venue-group business # adjust to the classification of your hotspot
   venue-type research-and-dev-facility # adjust to the classification of your hotspot
   roam-cons-len-1 5 # OpenRoaming RCOIs are always 4.5 bytes long (5 octets rounded)
   roam-cons-oi-1 5a03ba0000 # the main OpenRoaming RCOI: "OpenRoaming-All" (unsettled access, all identities welcome, baseline QoS)
   roam-cons-len-2 3 # Cisco's legacy OpenRoaming RCOI is 3 bytes long
   roam-cons-oi-2 004096 # Cisco's legacy OpenRoaming RCOI, still needed for their OpenRoaming app and Samsung OneUI onboarding workflow
   advertisement-profile anqp-venue-name YourVenueInfo # description of the venue in ANQP. Definition see below.
   advertisement-profile anqp-roam-cons OpenRoaming # in case a station does run ANQP for the list of RCOIs, also add the same RCOIs as an ANQP element
   advertisement-profile anqp-roam-cons OpenRoamingCiscoLegacy # in case a station does run ANQP for the list of RCOIs, also add the same RCOIs as an ANQP element
The uplink can be realised over "good old" RADIUS/UDP, but then a shared secret and static IP address need to be negotiated with eduroam OT. Alternatively, holders of an eduPKI RADIUS/TLS certificate can establish the connection over RADIUS/TLS ("RadSec"). Pick one of the two variants below.
wlan auth-server OR_Proxy_eduroamOT
   ip ... # IP address of the preliminary OpenRoaming ANP-side proxy of eduroam OT
   key ... # your shared secret for the preliminary OpenRoaming ANP-side proxy of eduroam OT
wlan auth-server OR_Proxy_eduroamOT
   ip openroaming-ap.eduroam.org # this is the real hostname
   port 1812 # these don't matter, it is an ArubaOS artifact. The port used is TCP/2083.
   acctport 1813 # these don't matter, it is an ArubaOS artifact. The port used is TCP/2083.
# the certificates themselves need to be uploaded in the web interface (Maintenance -> Certificates -> Upload -> Client/Trusted CA)
pki-cert-assign application radsec cert-type ClientCert certname RADIUS-TLS-Cert # "RADIUS-TLS-Cert" is the friendly name given to the client certificate during upload
pki-cert-assign application radsec cert-type TrustedCA certname eduPKI-Root # "eduPKI-Root" is the friendly name given to the Trusted CA certificate during upload
hotspot anqp-venue-name-profile YourVenueInfo
   venue-group business # repeats beacon info (see above) in ANQP
   venue-type research-and-dev-facility # repeats beacon info (see above) in ANQP
   venue-lang-code eng # a descriptive name for the venue in English language follows
   venue-name "RESTENA Offices" # the name in English
hotspot anqp-roam-cons-profile OpenRoaming
hotspot anqp-roam-cons-profile OpenRoamingCiscoLegacy
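Because the building blocks above refer to each other by name and each RCOI carries a separately declared length, a typo in one place leaves the hotspot profile inconsistent. The following offline check is an added example, not part of the original page or of ArubaOS: it reads the configuration text before it is pasted and reports RCOI lengths that do not match the hex string and references to undefined profiles. The function names `parse` and `lint` and the sample input are assumptions made for this illustration.

```python
import re

# Block headers used on this page, and ssid-profile keys that reference a block.
HEADERS = ("wlan ssid-profile", "hotspot hs-profile", "wlan auth-server",
           "hotspot anqp-venue-name-profile", "hotspot anqp-roam-cons-profile")
REFS = {"auth-server": "wlan auth-server", "hotspot-profile": "hotspot hs-profile"}

def parse(text):
    """Return {(header, name): [(key, value), ...]}; '#' comments are dropped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = next((h for h in HEADERS if line.startswith(h + " ")), None)
        if header:
            current = blocks.setdefault((header, line[len(header):].strip()), [])
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current.append((key, value.strip()))
    return blocks

def lint(text):
    """Return findings as strings; an empty list means the blocks are consistent."""
    blocks, findings = parse(text), []
    for (_, name), items in blocks.items():
        for key, value in items:
            oi = re.fullmatch(r"roam-cons-oi-(\d+)", key)
            if oi:  # declared length must equal the OI's octet count
                declared = dict(items).get(f"roam-cons-len-{oi.group(1)}")
                ok = re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value)
                if not ok or declared != str(len(value) // 2):
                    findings.append(f"{name}: {key} {value} vs length {declared}")
            elif key == "advertisement-profile":
                kind, _, ref = value.partition(" ")
                if (f"hotspot {kind}-profile", ref) not in blocks:
                    findings.append(f"{name}: {kind} profile {ref} undefined")
            elif key in REFS and (REFS[key], value) not in blocks:
                findings.append(f"{name}: {key} {value} undefined")
    return findings

SAMPLE = """\
hotspot hs-profile OpenRoaming
 roam-cons-len-1 4
 roam-cons-oi-1 5a03ba0000
 roam-cons-len-2 3
 roam-cons-oi-2 004096
 advertisement-profile anqp-roam-cons OpenRoaming
 advertisement-profile anqp-roam-cons OpenRoamingCiscoLegacy
hotspot anqp-roam-cons-profile OpenRoaming
"""  # constructed input with two deliberate mistakes: wrong length, missing profile
```

`lint(SAMPLE)` reports the mismatched length for `roam-cons-oi-1` and the undefined `OpenRoamingCiscoLegacy` profile. The parser treats everything after `#` as a comment, so it is not suited to a file holding a shared secret that contains that character.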