This document discusses OpenRoaming and the Captive Portal API (CapPort). OpenRoaming allows users to automatically connect to Wi-Fi networks around the world using their existing credentials. It benefits both access network providers and identity providers. The minimum requirements to participate as each type are outlined. Implementing OpenRoaming with Radiator Software is also discussed. The CapPort API allows notifying Wi-Fi users via mobile notifications and could be useful for promoting preferred networks like eduroam. A demonstration of implementing CapPort with only a DHCP server and web server is provided.
3. What is OpenRoaming?
● OpenRoaming is a Wi-Fi roaming federation.
● Wi-Fi roaming is like mobile phone roaming, but becoming
an operator is less difficult.
● If you are already familiar with eduroam, OpenRoaming is
like eduroam for all of us.
● The idea is that end users can utilise their existing user
credentials (e.g. username-password, certificates, cellular
identities (SIMs)) to automatically connect to Wi-Fi
networks around the world.
4. With OpenRoaming™, the WBA (Wireless Broadband Alliance) acts as a centralized policy authority,
enabling an ecosystem in which identity providers and Wi-Fi network providers
work together to deliver an automatic and secure Wi-Fi experience to millions
of users.
Source: https://wballiance.com/openroaming/how-it-works/
OpenRoaming video: https://www.youtube.com/watch?v=YvhZouk6MKM
5. Benefits for Guest Network Providers
● Easier, automatic admission/authentication of
guest network users (into WPAx-Enterprise
Wi-Fi networks)
● Multi-vendor supported network
authentication, configuration and provisioning
● Additional monetisation of guest/hospitality
Wi-Fi networks
● Called Access Network Providers (ANPs)
6. Benefits for Identity Providers
● Providing network access to identity
provider users via roaming
● Cost-savings from using roaming Wi-Fi
networks compared to cellular network
roaming
● Multi-vendor supported network
authentication, configuration and
provisioning
7. OpenRoaming Technical Functionality (diagram; contents recovered from the slide graphic)
● Three Passpoint (Hotspot 2.0) compatible Wi-Fi networks, SSID: *any*, each advertising
RCOI (Settled): BA-A2-D0-xx-xx or RCOI (Settlement-Free): 5A-03-BA-xx-xx
● Each access network has a RADIUS capable Wi-Fi controller or (example.net) its own RADIUS server
● Static RADIUS over TLS (RadSec, RFC 6614) connection from the access network to an
OpenRoaming Settled or Settlement-Free Access Service Provider
● The service provider discovers the user's IdP via Global Public DNS:
○ NAPTR aaa+auth:radius.tls.tcp <realm>
○ SRV <NAPTR result>
○ Name lookup <SRV result>
● Dynamic RadSec connections from the service provider to the IdP service provider of
example.net and to the RADIUS servers of the example.com and example.org IdPs
● Roaming users shown: user@example.com, user@example.net, user2@example.com, user@example.org
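The NAPTR -> SRV -> name lookup chain in the diagram is how a service provider finds the RadSec endpoint of an IdP it has never talked to before. The following is an added example (not code from the slides or from Radiator Software) that implements that chain against a constructed, in-memory set of DNS records; `FAKE_DNS`, `fake_lookup`, the realm regular expression and the hostnames are all assumptions of this example. It also shows the check a defender wants first: the realm is taken from the user's NAI, which is untrusted input from the Wi-Fi side, so it is validated as a DNS hostname before any lookup is issued. The trust in the discovered endpoint then comes from the RadSec TLS handshake against the WBA-issued certificates the slides mention, not from DNS.

```python
"""Dynamic discovery of an IdP's RadSec endpoint from a roaming user's realm
(NAPTR -> SRV -> name lookup, as in RFC 7585 and the OpenRoaming diagram)."""
import re

# Constructed records standing in for "Global Public DNS"; not real zone data.
FAKE_DNS = {
    ("example.com", "NAPTR"): [
        # (order, preference, flags, service, regexp, replacement)
        (100, 10, "S", "aaa+auth:radius.tls.tcp", "", "_radiustls._tcp.example.com"),
        (100, 20, "S", "aaa+auth:radius.tls.tcp", "", "_radiustls-backup._tcp.example.com"),
        (50, 10, "S", "aaa+auth:radius.dtls.udp", "", "_radiusdtls._udp.example.com"),
    ],
    ("_radiustls._tcp.example.com", "SRV"): [
        # (priority, weight, port, target)
        (20, 0, 2083, "idp2.example.com"),
        (10, 0, 2083, "idp1.example.com"),
    ],
    ("idp1.example.com", "A"): ["192.0.2.10"],
    ("idp2.example.com", "A"): ["192.0.2.11"],
}


def fake_lookup(name, rtype):
    """Stand-in for a real resolver (assumed helper); returns [] for unknown names."""
    return FAKE_DNS.get((name, rtype), [])


# The realm must look like a DNS hostname before it is handed to the resolver:
# it comes from the client's NAI, i.e. from untrusted Wi-Fi users.
REALM_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def realm_from_nai(nai):
    """Extract the realm from user@realm and reject anything that is not a hostname."""
    if nai.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    realm = nai.rsplit("@", 1)[1].lower()
    if not REALM_RE.match(realm):
        raise ValueError(f"realm is not a valid DNS name: {realm!r}")
    return realm


def discover_radsec(realm, lookup=fake_lookup):
    """Return RadSec endpoints as (host, ip, port), most preferred first."""
    naptrs = [r for r in lookup(realm, "NAPTR")
              if r[3].lower() == "aaa+auth:radius.tls.tcp" and "s" in r[2].lower()]
    if not naptrs:
        raise LookupError(f"no aaa+auth:radius.tls.tcp NAPTR record for {realm}")
    naptrs.sort(key=lambda r: (r[0], r[1]))  # lowest order, then lowest preference
    srv_name = naptrs[0][5]
    # Lower priority first. Within one priority RFC 2782 says to pick by weight
    # at random; this example sorts by descending weight to stay deterministic.
    srvs = sorted(lookup(srv_name, "SRV"), key=lambda r: (r[0], -r[1]))
    if not srvs:
        raise LookupError(f"no SRV record at {srv_name}")
    endpoints = []
    for _prio, _weight, port, target in srvs:
        for ip in lookup(target, "A"):
            endpoints.append((target, ip, port))
    if not endpoints:
        raise LookupError(f"SRV targets of {srv_name} do not resolve")
    return endpoints


if __name__ == "__main__":
    realm = realm_from_nai("user@example.com")
    for host, ip, port in discover_radsec(realm):
        print(f"{realm}: RadSec {host} ({ip}) port {port}")
```

With a real resolver you would pass a `lookup` function that queries NAPTR, SRV and A/AAAA records (for example with dnspython), keep the realm validation exactly as it is, and then open the RadSec (TLS, port 2083) connection and verify the IdP's certificate against the federation CA before forwarding any authentication traffic.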
8. OpenRoaming requirements for Access Network
Provider (ANP)
● For organisations who only want to let OpenRoaming
users roam in their network
● Minimum requirements:
○ Passpoint (Hotspot 2.0) compatible Wi-Fi network equipment
○ OpenRoaming Settled or Settlement-Free Access service from
some WBA member service provider
○ No WBA membership needed
● Connecting directly to other OpenRoaming members
requires a WBA client certificate (via service provider or
WBA membership) and your own RADIUS server
9. OpenRoaming requirements for Identity Provider
(IdP)
● For organisations who want their members or subscribers
to roam in OpenRoaming member networks
● Minimum requirements:
○ (Passpoint (Hotspot 2.0) compatible Wi-Fi network equipment) *
○ Ability to configure OpenRoaming DNS records for IdP realm
○ OpenRoaming Settled or Settlement-Free Access service and IdP
service from some WBA member service provider
○ No WBA membership needed
● Connecting directly to other OpenRoaming members
requires a WBA client+server certificate (via service provider or
WBA membership) and your own RADIUS server.
*) only if also providing Wi-Fi access network services (ANP)
10. OpenRoaming with eduroam (community)
● Do-it-yourself trial service for IdP (roaming with eduroam credentials in
OpenRoaming networks) available from eduroam:
https://wiki.geant.org/pages/viewpage.action?pageId=133763844
● Access Network Provider/Service Provider (ANP/SP) service (allowing
OpenRoaming users to roam in guest networks) is not available from
eduroam.
● Summary information about OpenRoaming and eduroam:
https://eduroam.org/openroaming-and-eduroam-useful-information-for-e
duroam-identity-providers-and-service-providers/
● Wi-Fi configuration profile provisioning via https://cat.eduroam.org/
● Support from eduroam community
11. OpenRoaming with Radiator Software
● Allowing OpenRoaming visitors in guest networks as well as roaming in
OpenRoaming networks with eduroam credentials both supported as a service
● RadSec connections (with Radiator or radsecproxy) supported for securing
roaming connections => connections behind dynamic IPs supported as well
● No need for Wireless Broadband Alliance membership (otherwise required by
organisation or its service provider)
● With https://roam.fi/ membership an open roaming and OpenRoaming Wi-Fi
network authentication service
● Wi-Fi configuration provisioning via eduroam-cat
● Minimum tuning with RADIUS/RadSec service and support from Radiator
Software
● If interested, please contact Radiator Software (sales@radiatorsoftware.com,
info@radiatorsoftware.com) for limited free trial
12. Other OpenRoaming implementations, services and
instructions
● Cisco Spaces OpenRoaming Configuration Guide:
https://www.cisco.com/c/en/us/td/docs/wireless/spaces/openroaming/b-
spaces-or-cg.html
● Wi-Fi authentication/roaming service providers:
○ e.g. Single Digits, GlobalTechnology
13. OpenRoaming with Radiator
webinar on the 14th and 16th of February 2023
LEARN
● What is required for OpenRoaming?
● What is the quickest way to start testing?
● What are the recommended architecture and practices for
adding OpenRoaming both for a Service/Access Network
Provider and for an Identity Provider?
● Where can one find help to configure Radiator for
OpenRoaming?
Register at https://radiatorsoftware.com/webinars/
15. CapPort API resources
● CapPort API demonstration site: https://capport.net/
● CapPort API demonstration privacy policy:
https://capport.net/privacy.html
● RFC8908 Captive Portal API: https://datatracker.ietf.org/doc/html/rfc8908
● RFC8910 Captive-Portal Identification in DHCP and Router
Advertisements (RAs): https://datatracker.ietf.org/doc/html/rfc8910
● Google CapPort information:
https://developer.android.com/about/versions/11/features/captive-portal
● Apple CapPort information:
https://developer.apple.com/news/?id=q78sq5rv
16. Do it yourself CapPort … You only need a …
# ISC DHCP server example (dhcpd.conf)
subnet 192.168.144.0 netmask 255.255.255.0 {
  # range takes a start and an end address (the end address below is an
  # example value; the original slide mistakenly gave a netmask here)
  range 192.168.144.130 192.168.144.250;
  option domain-name-servers 192.168.144.1;
  option subnet-mask 255.255.255.0;
  option routers 192.168.144.1;
  option broadcast-address 192.168.144.255;
  # DHCPv4 option 114 (RFC 8910): URL of the Captive Portal API
  option default-url "https://example.com/capporttest/";
  default-lease-time 28800;
  max-lease-time 86400;
}

# Captive Portal API JSON served at the URL above. This can be an index.html
# file as well, as long as the web server returns it with the media type
# application/captive+json. JSON itself does not allow comments, so the
# explanation is kept here: "captive": false means the captive portal is not
# used, and "venue-info-url" is where you want to send the user.
{
  "captive": false,
  "venue-info-url": "https://example.com/"
}
Diagram: Wi-Fi network -> DHCP server -> WWW server for JSON file
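To see what the DHCP option and the JSON file above actually look like on the wire, and what a client checks before it shows the notification, here is an added example (not code from the slides or from capport.net) in Python. It builds and validates RFC 8908 JSON, encodes and decodes the RFC 8910 DHCPv4 option 114 that carries the API URL, and serves the same two-key JSON as the slide with the correct media type. The handler, the `CAPPORT_KEYS` table and the localhost port are assumptions of this example; the key names, types and the `application/captive+json` media type are from RFC 8908.

```python
"""RFC 8908 Captive Portal API JSON: build, validate and serve it, plus the
RFC 8910 DHCPv4 option (code 114) that tells clients where the API lives."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CAPPORT_CONTENT_TYPE = "application/captive+json"
DHCP_OPTION_CAPTIVE_PORTAL = 114

# Keys defined in RFC 8908 section 5 and the JSON type each must have.
CAPPORT_KEYS = {
    "captive": bool,
    "user-portal-url": str,
    "venue-info-url": str,
    "can-extend-session": bool,
    "seconds-remaining": int,
    "bytes-remaining": int,
}


def validate_capport_json(data):
    """Parse API JSON the way a careful client would; raise ValueError on problems."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or "captive" not in obj:
        raise ValueError('top level must be an object with a "captive" key')
    for key, value in obj.items():
        expected = CAPPORT_KEYS.get(key)
        if expected is None:
            continue  # unknown keys are ignored so the format can be extended
        # bool is a subclass of int in Python, so reject true/false for integer keys
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            raise ValueError(f"{key} must be {expected.__name__}")
        if key.endswith("-url"):
            parts = urlsplit(value)
            if parts.scheme != "https" or not parts.netloc:
                raise ValueError(f"{key} must be an https URL")
    return obj


def build_capport_json(captive, **fields):
    """Serialise a response; keyword names use '_' where the RFC key uses '-'."""
    obj = {"captive": captive}
    obj.update({k.replace("_", "-"): v for k, v in fields.items()})
    data = json.dumps(obj).encode("utf-8")
    validate_capport_json(data)  # never serve something a client would reject
    return data


def encode_dhcp_option_114(url):
    """DHCPv4 option 114 TLV: code, length, URI as ASCII (RFC 8910)."""
    body = url.encode("ascii")
    if not 1 <= len(body) <= 255:
        raise ValueError("URI must be 1..255 bytes for a single DHCPv4 option")
    return bytes([DHCP_OPTION_CAPTIVE_PORTAL, len(body)]) + body


def decode_dhcp_option_114(tlv):
    """Inverse of encode_dhcp_option_114 with the length check a client must do."""
    if len(tlv) < 3 or tlv[0] != DHCP_OPTION_CAPTIVE_PORTAL or tlv[1] != len(tlv) - 2:
        raise ValueError("malformed option 114")
    return tlv[2:].decode("ascii")


class CapportHandler(BaseHTTPRequestHandler):
    """Serves the same JSON as the slide: no captive portal, just a venue URL."""
    body = build_capport_json(False, venue_info_url="https://example.com/")

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", CAPPORT_CONTENT_TYPE)
        # Clients must not reuse stale captive state, so forbid caching.
        self.send_header("Cache-Control", "private, no-store")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)


if __name__ == "__main__":
    # A real deployment puts this behind TLS: RFC 8908 requires the API over HTTPS,
    # which is also why the DHCP option in the slide carries an https:// URL.
    HTTPServer(("127.0.0.1", 8080), CapportHandler).serve_forever()
```

Run the file and fetch `http://127.0.0.1:8080/` to see the response headers; in production put it behind a TLS-terminating web server so the URL in option 114 can be `https://`. The validator also explains why the slide says a plain index.html works: the client cares about the media type and the JSON keys, not the file name.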
17. CapPort API summary
● Android (and Apple) supported technology to provide mobile
notifications to Wi-Fi users
● Works, deployable already, even from organisation own
servers
● Can be used to notify and provide information to Wi-Fi
network users (usage policy, organisation contact
information, organisation advertisement etc.)
● Could be especially useful in promoting a preferred Wi-Fi
network (like eduroam/roam.fi) and a provisioning tool like
https://cat.eduroam.org/ for guest Wi-Fi users
18. Thank you. Questions, Comments?
Follow Radiator Software for more information…
Radiator Software blog:
https://blog.radiatorsoftware.com/
Twitter:
https://twitter.com/RadiatorAAA
Slideshare:
https://slideshare.net/radiatorsoftware/
Webinar registration and materials:
https://radiatorsoftware.com/webinars/