OpenRoaming requirements checklist

Here's a requirements checklist to use when you want to deploy OpenRoaming (or when you are trialling it):

1. Check your Wi-Fi infrastructure

Your Wi-Fi infrastructure must be Hotspot 2.0 compatible. This means it has to support ANQP (802.11u) and WPA2-Enterprise or, ideally, WPA3-Enterprise, and its settings have to support Passpoint Release 1 or 2 (Release 3 includes the previous two) so that you can set Roaming Consortium OIs (RCOIs), Operator names and the like. If you have already deployed a WPA3-Enterprise network, do not switch on 192-bit security for WPA3: it is not compatible with OpenRoaming. You are required to use Protected Management Frames (PMF).

Most recent enterprise-class kit from Aruba, Meraki and Cisco should support all of the above. If your kit datasheet or technical details mention Passpoint R1, R2, or R3, then you should be set. OpenWRT-powered kit does support Hotspot 2.0 to a degree. Unfortunately, if you are using Ubiquiti kit, you will *not* have the joy of Hotspot 2.0 (despite them teasing you terribly with the 'coming soon' moniker - our tech specialist has been waiting for 3 years and counting). If you are unsure, please ask the vendor to confirm which of their devices support Hotspot 2.0.

If you use web-managed devices, like Meraki's MR series, you may need to ask your vendor's tech support to either show you where the Hotspot 2.0 settings are or, if they don't seem to exist, enable them for you. On Aruba Instant APs or standalone APs running the latest version of ArubaOS 8 (both of which have their own built-in UI), you are required to use the command line, or you can export your configuration, modify it in a text editor, and then import the modified configuration to enable OpenRoaming.

2. Check your RADIUS server

Your RADIUS server should support Radsec. OpenRoaming uses Radsec to shuttle traffic around the world. When a user visits an Access Network Provider (ANP - similar to a visited site in eduroam land), the ANP's RADIUS server will dynamically look up where to send the user's request. The ANP server then connects directly to the user's home service via Radsec to securely complete the authentication.

OSC Radiator supports Radsec (and does dynamic discovery very well), FreeRADIUS does too (but we have not tested dynamic discovery), and radsecproxy also does (and does dynamic discovery well). Cisco's ISE and Aruba's Clearpass Policy Manager also support Radsec, but we have not tried to see whether either supports dynamic discovery.

Unfortunately, NPS does *not* support Radsec, but by pointing it at a radsecproxy instance (either running in the Windows Subsystem for Linux or on a dedicated VM or Docker container), you ought to be able to support OpenRoaming.

Note: If you use our OpenRoaming proxy service (which you would for our trial), we continue to support UDP over port 1812, but just like with your eduroam servers, we need to register these in our configuration. If you are using eduPKI certificates with Radsec to connect to our eduroam national roaming servers, you can also use these with our OpenRoaming proxy service.

3. Check your DNS server

Your DNS server software (or DNS service) must support NAPTR records. NAPTR records are often used for SIP services, but eduroam uses NAPTR records to indicate to other countries' roaming operators where to send traffic, which is faster than sending it one hop at a time up and along a server chain. OpenRoaming, being a mesh-like roaming federation, does exactly the same.

We know that there are well-known DNS services out there that notably do *not* support NAPTR records. Azure is currently one of them (although we understand that Microsoft is working to add NAPTR support to Azure DNS). The Jisc Name Server service does support NAPTR records, as do Cloudflare and Infoblox. Linux server software like BIND, and Windows DNS server do too. Please let us know if you use software on other platforms that supports (or doesn't support) NAPTR records.

To check that your NAPTR record is correctly configured, use the NAPTR Lookup at DNS Lookup Online and stick your realm name in.

4. Consider your network options

Do you just want to provide your users with the ability to roam onto OpenRoaming networks (i.e. just act as an identity provider)?

  • If so, then as an existing eduroam member you do not need to do that much. Note: We're still working through the details of what is required for identity providers, but the basics are the same between eduroam and OpenRoaming.
  • You must set up a NAPTR record in your DNS records to point to our OpenRoaming proxy. The NAPTR record is similar to the existing record we require for non-.uk domains (so .org, .net and .com). This NAPTR record will tell any ANPs where to route your traffic (to us). We'll do the rest, and you ought to see OpenRoaming requests flow to you via our existing eduroam proxies. Details of the NAPTR record are further down in the Technical information section.

Do you want to provide OpenRoaming visitors with the ability to roam onto your network (i.e. act as an ANP)?

  • If you are currently receiving Internet from Jisc via the JANET network, you must ensure that any non-educational OpenRoaming traffic does not exit through the JANET network. This means getting a broadband connection from another telecoms supplier in order to segregate education traffic from non-education traffic. This should also mean that your eduroam users and your OpenRoaming users are not on the same VLAN either. OpenRoaming provides specific beacon values (see further below) to indicate whether educational users, mobile users that just want free Internet, or users who will pay for their Internet, can connect to your network, so you can provide specific Hotspot 2.0 networks that segregate these.
  • Contact us for a secret for our OpenRoaming proxy (details are in the Technical information section below), which we keep separate from our eduroam national roaming servers for engineering reasons. Effectively, we will do the hard work of routing the OpenRoaming traffic for you. If you are one of the few eduroam members who connect to our roaming servers with Radsec, you can also use Radsec with the OpenRoaming proxy to secure your outgoing authentication traffic.

Do you want to be able to provide both your users with the ability to roam *and* allow OpenRoaming visitors onto your network (i.e. act as both an identity provider *and* as an ANP)?

  • Simply combine the two sets of requirements above.

5. Setting up your network

Supposing that you have enterprise-class access points that you can configure for Hotspot 2.0/Passpoint R1-3, you will need RCOI values to indicate what kind of network you are providing. The ANQP beacon features in access points only broadcast three RCOI values, and you can provide an additional three values by ANQP query. 

For an OpenRoaming network that is for eduroam or educational users only, use one or more of the following RCOIs:

001BC50460 (eduroam)
001BC5046F (eduroam)
5A03BA1900
5A03BA3900

For an OpenRoaming network that is for any identity, use one or more of the following RCOIs:

5A03BA0000
5A03BA0800
5A03BA1000
5A03BA1800
5A03BA2000
5A03BA2800

To include the eduroam RCOI and the educational RCOIs, simply combine values from both lists.

We would recommend broadcasting these three values:

001BC50460 (eduroam)
5A03BA0000 (the WBA RCOI for free OpenRoaming)
004096 (Cisco's 'legacy' RCOI for OpenRoaming)

The WBA makes available a handy RCOI calculator here: https://wireless-broadband-alliance.github.io/OR-rcoi-config/

6. Testing your network

To test your network, you can use the 'eduroam.ac.uk' test identity we make available in the eduroam Support portal Troubleshoot page. To use it, download the geteduroam app, select the 'Camford University' organisation, and then choose either the 'eduroam plus edu RCOI' or the 'eduroam plus settlement-free RCOI' profiles. Use your 'eduroam.ac.uk' test credentials there. On the device, change the option in the 'eduroam' network settings to not automatically connect, disconnect from the eduroam network and wait for your device to interrogate the beacons before it then attempts to connect to your OpenRoaming network SSID.

Assuming that your access point beacons allow *all* of the above beacon values, you should see the following behaviour:

  • On a geteduroam-configured mobile phone, you may see the realm of your identity (if you use our eduroam.ac.uk test identity, it will show eduroam.ac.uk), followed by the words 'via Passpoint'. This is the eduroam credential configured to connect to OpenRoaming.
  • On Samsung phones specifically, you will likely see an 'OpenRoaming' network without you having done anything. This is expected because Samsung automatically enrolls you into OpenRoaming with your Samsung identity. We find that the connectivity can be spotty (i.e. you must retry several times before it connects).
  • On Google Pixel phones, Google also makes the OpenRoaming network available and offers you the option to connect using your Google identity. This may also be spotty, but it is generally more stable than Samsung. 
  • You also have the ability to use the Cisco OpenRoaming app that is available on both the Google Play store and the Apple App Store. In this instance, you can sign in with Google or your Apple identity, and the phone should connect to your OpenRoaming network.

7. Advertising your locations

Advertise your OpenRoaming locations by telling us where you have rolled out OpenRoaming (even if just as a trial), so that others wishing to test their own OpenRoaming trial implementations in the area will have an easy place to try and test their off-campus roaming ability. The Wireless Broadband Alliance (WBA) are also interested in knowing where OpenRoaming is being used, and they are collating locations to publish to their membership. 

Currently the most well-known functional locations in the UK are Loughborough University in both Loughborough and Olympic Park in east London, 22 Bishopsgate in the City of London, and the Elephant & Castle district in South London, but there are larger deployments elsewhere in Europe (notably the Delhaize Supermarket group in Belgium), Asia and the US. We're working on some more locations maintained by Jisc. 

Inspired and spurred on by some of our early work, the Wireless Broadband Alliance now publishes a 'live' map, similar to the eduroam map available through the Companion app, here: Global OpenRoaming Locations

Technical information for our service

NAPTR Record

To use our service, please insert this NAPTR record into your DNS configuration:

  • Type: NAPTR
  • Order: 100
  • Preference: 10
  • Flags: s
  • Services: aaa+auth:radius.tls.tcp
  • Regexp: (empty)
  • Replacement: _radsec._tcp.openroaming.eduroam.uk
  • Name: your-realm.ac.uk
  • Class: IN
  • TTL: 3600

You can add multiple records with different preferences if you also would like to add the European eduroam OpenRoaming proxy as a backup service. In their case, replace the '.uk' in the 'Replacement' segment with '.org'.
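
A check for the record above, as an added example that is not part of the original page or Jisc's tooling: it validates the answer lines for a realm against the values given here, including the optional '.org' backup. It assumes the input is in `dig +short NAPTR <realm>` format; the function names and the sample lines are constructed for illustration.

```python
import shlex

# Values taken from the NAPTR record on this page.
EXPECTED_SERVICE = "aaa+auth:radius.tls.tcp"
PROXIES = ("_radsec._tcp.openroaming.eduroam.uk",   # Jisc proxy
           "_radsec._tcp.openroaming.eduroam.org")  # European backup

# Constructed sample in `dig +short NAPTR <realm>` format, not real output.
SAMPLE = '''100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.uk.
200 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.
'''


def parse_naptr(line):
    """Split one NAPTR answer line into its six RDATA fields."""
    fields = shlex.split(line)  # keeps the quoted empty regexp as ""
    if len(fields) != 6:
        raise ValueError(f"expected 6 NAPTR fields, got {len(fields)}: {line!r}")
    order, pref, flags, service, regexp, replacement = fields
    return (int(order), int(pref), flags.lower(), service.lower(),
            regexp, replacement.rstrip(".").lower())


def check_realm_naptr(dig_output):
    """Return (ok, problems, targets); targets are sorted by order, preference."""
    problems, targets = [], []
    for line in filter(None, map(str.strip, dig_output.splitlines())):
        try:
            order, pref, flags, service, regexp, replacement = parse_naptr(line)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if service != EXPECTED_SERVICE:
            continue  # unrelated NAPTR record (SIP, for example)
        if flags != "s":
            problems.append(f"flags must be 's' (SRV lookup next), got {flags!r}")
        if regexp:
            problems.append("regexp must be empty when a replacement is given")
        if replacement not in PROXIES:
            problems.append(f"unexpected replacement {replacement!r}")
        targets.append((order, pref, replacement))
    if not targets:
        problems.append(f"no NAPTR record with service {EXPECTED_SERVICE}")
    return (not problems, problems, sorted(targets))


if __name__ == "__main__":
    print(check_realm_naptr(SAMPLE))
```
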

Proxy server address

We use two different hostnames for our proxy server:

  • For connecting via UDP/1812, use openroaming0.eduroam.uk. In this case, contact us and we'll register your server as a client and issue you with a secret.
  • For connecting via TCP/2083 (Radsec) with eduPKI (eduroam-issued Radsec) certificates, use openroaming0e.eduroam.uk
  • For connecting via TCP/2083 (Radsec) with WBA (or one of their agents) certificates, use openroaming0.eduroam.uk

Operator-Name attribute

On FreeRADIUS, Cisco ISE, Aruba Clearpass Policy Manager, Packetfence and Radiator, you can specify a value for the Operator-Name attribute. In eduroam, the value is '1your-realm.ac.uk'. In OpenRoaming, when sending OpenRoaming traffic, you should now use '4<WBA ID>' where WBA ID is an identifier issued or registered with the WBA. The European eduroam proxy's WBA ID is '4EDUROAM', while ours is '4JISC:GB'.

Please use '4YOUR-REALM.EDUROAM.JISC:GB' for your outgoing OpenRoaming traffic via our proxy, where YOUR-REALM is the value in the 'Identifier' box on the eduroam Support portal (on the Configure page in the 'Organisation settings' box), but without the '.AC.UK' suffix. For example, Camford University would use '4CAMFORD.EDUROAM.JISC:GB' as the correct value. If you can't set an Operator-Name attribute on your side, we will set it automatically in line with the existing eduroam Support portal behaviour.

On incoming traffic from our eduroam NRPSes, you can distinguish OpenRoaming traffic from normal eduroam traffic by looking at the Operator-Name attribute. Anything coming from the European OpenRoaming proxy will be labelled '4EDUROAM', while anything from our OpenRoaming proxy will be labelled '4JISC:GB' or a value ending with 'JISC:GB'. If you happen to roam onto an OpenRoaming network elsewhere in the world with your test device, you should see '4<their WBA ID>', e.g. when roaming in Japan, you would most likely see '4CITYROAM'.
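
The Operator-Name rules above as an added example, not code from the original page or from any of the RADIUS servers named: one function builds the outgoing value from the portal identifier, the other labels incoming requests. It assumes the identifier is supplied with or without its '.AC.UK' suffix; the label strings and the log lines are constructed for illustration.

```python
import re
from collections import Counter

OPERATOR_NAME_RE = re.compile(r'Operator-Name\s*=\s*"([^"]*)"')

# Constructed attribute lines for illustration, not real server output.
SAMPLE_LOG = '''
Operator-Name = "1camford.ac.uk"
Operator-Name = "4EDUROAM"
Operator-Name = "4JISC:GB"
Operator-Name = "4CAMFORD.EDUROAM.JISC:GB"
Operator-Name = "4CITYROAM"
'''


def outgoing_operator_name(identifier):
    """Build the Operator-Name for OpenRoaming traffic sent via the Jisc proxy."""
    realm = identifier.strip().upper()
    if realm.endswith(".AC.UK"):
        realm = realm[: -len(".AC.UK")]  # the page asks for the suffix removed
    if not realm:
        raise ValueError("empty identifier")
    return f"4{realm}.EDUROAM.JISC:GB"


def classify_operator_name(value):
    """Label an incoming request by Operator-Name, following the page's rules."""
    if not value:
        return "missing"
    namespace, name = value[0], value[1:].upper()
    if namespace == "1":                 # '1' + realm: normal eduroam traffic
        return "eduroam"
    if namespace != "4":                 # '4' + WBA ID marks OpenRoaming
        return "unknown"
    if name == "EDUROAM":
        return "openroaming-european-proxy"
    if name.endswith("JISC:GB"):         # '4JISC:GB' or '...JISC:GB'
        return "openroaming-jisc-proxy"
    return "openroaming-other-wba-id"    # e.g. '4CITYROAM'


def summarise(log_text):
    """Count requests per label across every Operator-Name found in the text."""
    values = OPERATOR_NAME_RE.findall(log_text)
    return Counter(classify_operator_name(v) for v in values)


if __name__ == "__main__":
    print(outgoing_operator_name("CAMFORD.AC.UK"), dict(summarise(SAMPLE_LOG)))
```
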

More information on eduroam and OpenRoaming

Our colleagues in the European eduroam infrastructure team have extended notes on Passpoint networks (which includes OpenRoaming). You can see these here:

Roaming on Passpoint-based network infrastructure (incl. OpenRoaming)

More advanced topics

Joining OpenRoaming on your own (we're working on some check lists and process flows with the WBA for this, please bear with us).

Joining the WBA on your own (we're working on some check lists and process flows with the WBA for this, please bear with us).