
OpenRoaming and CapPort


  1. OPENROAMING AND CAPPORT, 2023-01-30, Karri Huhtanen (Radiator Software Oy)
  2. OPENROAMING: “eduroam for all”
  3. What is OpenRoaming?
     ● OpenRoaming is a Wi-Fi roaming federation.
     ● Wi-Fi roaming is like mobile phone roaming, but becoming an operator is less difficult.
     ● If you are already familiar with eduroam, OpenRoaming is like eduroam for all of us.
     ● The idea is that end users can utilise their existing user credentials (e.g. username-password, certificates, cellular identities (SIMs)) to automatically connect to Wi-Fi networks around the world.
  4. “With OpenRoaming™ WBA is acting as a centralized policy authority enabling an ecosystem for identity providers and Wi-Fi network providers to work together and deliver automatic and secure Wi-Fi experience to millions of users”
     Source: https://wballiance.com/openroaming/how-it-works/
     OpenRoaming video: https://www.youtube.com/watch?v=YvhZouk6MKM
  5. Benefits for Guest Network Providers
     ● Easier, automatic admission/authentication of guest network users (into WPAx-Enterprise Wi-Fi networks)
     ● Multi-vendor supported network authentication, configuration and provisioning
     ● Additional monetisation of guest/hospitality Wi-Fi networks
     ● Called Access Network Providers (ANPs)
  6. Benefits for Identity Providers
     ● Providing network access to identity provider users via roaming
     ● Cost-savings from using roaming Wi-Fi networks compared to cellular network roaming
     ● Multi-vendor supported network authentication, configuration and provisioning
  7. OpenRoaming Technical Functionality (architecture diagram; labels only)
     ● Passpoint (Hotspot 2.0) compatible Wi-Fi networks, SSID: *any*, RCOI (Settled): BA-A2-D0-xx-xx or RCOI (Settlement-Free): 5A-03-BA-xx-xx
     ● RADIUS capable Wi-Fi controller or example.net’s own RADIUS server
     ● OpenRoaming Settled or Settlement-Free Access Service Provider
     ● Static RADIUS over TLS (RadSec, RFC 6614) connection
     ● Global Public DNS, DNS discovery: NAPTR aaa+auth:radius.tls.tcp <realm>, SRV <NAPTR result>, name lookup <SRV result>
     ● Dynamic RadSec connection to example.net’s IdP service provider
     ● Dynamic RadSec connections to example.com IdP (example.com RADIUS server)
     ● Dynamic RadSec connection to example.org IdP (example.org RADIUS server)
     ● Users: user@example.com, user2@example.com, user@example.net, user@example.org
  8. OpenRoaming requirements for Access Network Provider (ANP)
     ● For organisations who only want to let OpenRoaming users roam in their network
     ● Minimum requirements:
       ○ Passpoint (Hotspot 2.0) compatible Wi-Fi network equipment
       ○ OpenRoaming Settled or Settlement-Free Access service from some WBA member service provider
       ○ No WBA membership needed
     ● Connecting directly to other OpenRoaming members requires a WBA client certificate (via service provider or WBA membership) and the organisation's own RADIUS server
  9. OpenRoaming requirements for Identity Provider (IdP)
     ● For organisations who want their members or subscribers to roam in OpenRoaming member networks
     ● Minimum requirements:
       ○ (Passpoint (Hotspot 2.0) compatible Wi-Fi network equipment) *
       ○ Ability to configure OpenRoaming DNS records for the IdP realm
       ○ OpenRoaming Settled or Settlement-Free Access service and IdP service from some WBA member service provider
       ○ No WBA membership needed
     ● Connecting directly to other OpenRoaming members requires a WBA client+server certificate (via service provider or WBA membership) and the organisation's own RADIUS server.
     *) only if also providing Wi-Fi access network services (ANP)
  10. OpenRoaming with eduroam (community)
      ● Do-it-yourself trial service for IdP (roaming with eduroam credentials in OpenRoaming networks) available from eduroam: https://wiki.geant.org/pages/viewpage.action?pageId=133763844
      ● Access Network Provider/Service Provider (ANP/SP) (allowing OpenRoaming users to roam in guest networks) is not available from eduroam.
      ● Summary information about OpenRoaming and eduroam: https://eduroam.org/openroaming-and-eduroam-useful-information-for-eduroam-identity-providers-and-service-providers/
      ● Wi-Fi configuration profile provisioning via https://cat.eduroam.org/
      ● Support from eduroam community
  11. OpenRoaming with Radiator Software
      ● Allowing OpenRoaming visitors in guest networks as well as roaming in OpenRoaming networks with eduroam credentials, both supported as a service
      ● RadSec connections (with Radiator or radsecproxy) supported for securing roaming connections => connections behind dynamic IPs supported as well
      ● No need for Wireless Broadband Alliance membership (otherwise required by organisation or its service provider)
      ● With https://roam.fi/ membership an open roaming and OpenRoaming Wi-Fi network authentication service
      ● Wi-Fi configuration provisioning via eduroam-cat
      ● Minimum tuning with RADIUS/RadSec service and support from Radiator Software
      ● If interested, please contact Radiator Software (sales@radiatorsoftware.com, info@radiatorsoftware.com) for a limited free trial
  12. Other OpenRoaming implementations, services and instructions
      ● Cisco Spaces OpenRoaming Configuration Guide: https://www.cisco.com/c/en/us/td/docs/wireless/spaces/openroaming/b-spaces-or-cg.html
      ● Wi-Fi authentication/roaming service providers:
        ○ e.g. Single Digits, GlobalTechnology
  13. OpenRoaming with Radiator webinar on the 14th and 16th of February 2023
      LEARN
      ● What is required for OpenRoaming?
      ● What is the quickest way to start testing?
      ● What are the recommended architecture and practices for adding OpenRoaming both for a Service/Access Network Provider and for an Identity Provider?
      ● Where can one find help to configure Radiator for OpenRoaming?
      Register at https://radiatorsoftware.com/webinars/
  14. CAPPORT API: Contacting your users via mobile notifications
  15. CapPort API resources
      ● CapPort API demonstration site: https://capport.net/
      ● CapPort API demonstration privacy policy: https://capport.net/privacy.html
      ● RFC8908 Captive Portal API: https://datatracker.ietf.org/doc/html/rfc8908
      ● RFC8910 Captive-Portal Identification in DHCP and Router Advertisements (RAs): https://datatracker.ietf.org/doc/html/rfc8910
      ● Google CapPort information: https://developer.android.com/about/versions/11/features/captive-portal
      ● Apple CapPort information: https://developer.apple.com/news/?id=q78sq5rv
  16. Do it yourself CapPort … You only need a … Wi-Fi network, DHCP server, WWW server for JSON file

      DHCP server:

      ```
      # ISC DHCP server example
      subnet 192.168.144.0 netmask 255.255.255.0 {
        # Pool end is an assumed value; it must be an address inside the subnet.
        range 192.168.144.130 192.168.144.254;
        option domain-name-servers 192.168.144.1;
        option subnet-mask 255.255.255.0;
        option routers 192.168.144.1;
        option broadcast-address 192.168.144.255;
        # URL of the CapPort JSON file on the WWW server
        option default-url "https://example.com/capporttest/";
        default-lease-time 28800;
        max-lease-time 86400;
      }
      ```

      WWW server for JSON file (this can be an index.html file as well). The captive portal is not used; venue-info-url is where you want to send the user:

      ```json
      {
        "captive": false,
        "venue-info-url": "https://example.com/"
      }
      ```
  17. CapPort API summary
      ● Android (and Apple) supported technology to provide mobile notifications to Wi-Fi users
      ● Works and is deployable already, even from an organisation's own servers
      ● Can be used to notify and provide information to Wi-Fi network users (usage policy, organisation contact information, organisation advertisement etc.)
      ● Could be especially useful in promoting a preferred Wi-Fi network (like eduroam/roam.fi) and a provisioning tool like https://cat.eduroam.org/ for guest Wi-Fi users
  18. Thank you. Questions, Comments? Follow Radiator Software for more information…
      Radiator Software blog: https://blog.radiatorsoftware.com/
      Twitter: https://twitter.com/RadiatorAAA
      Slideshare: https://slideshare.net/radiatorsoftware/
      Webinar registration and materials: https://radiatorsoftware.com/webinars/
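
The DNS discovery chain on slide 7 (NAPTR for the realm, then SRV, then name lookup) can be traced step by step. The sketch below is an added example, not code from the presentation or from Radiator: the `ZONE` records, host names, addresses and the `lookup`/`discover` helpers are constructed for illustration, and SRV weight handling is simplified to a fixed order.

```python
# Added example: the NAPTR -> SRV -> address chain from slide 7, run against
# constructed records. ZONE stands in for public DNS; every name is hypothetical.
SERVICE = "aaa+auth:radius.tls.tcp"  # NAPTR service tag shown on the slide

ZONE = {
    ("example.com", "NAPTR"): [
        # (order, preference, flags, service, replacement)
        (50, 50, "s", SERVICE, "_radiustls._tcp.idp.example.com"),
        (50, 60, "s", "aaa+acct:radius.tls.tcp", "_radiustls._tcp.acct.example.com"),
    ],
    ("_radiustls._tcp.idp.example.com", "SRV"): [
        # (priority, weight, port, target)
        (10, 0, 2083, "radsec2.example.com"),
        (0, 10, 2083, "radsec1.example.com"),
    ],
    ("radsec1.example.com", "A"): ["192.0.2.10"],
    ("radsec2.example.com", "A"): ["192.0.2.20"],
}

def lookup(name, rtype):
    """Stand-in resolver: return the constructed records for (name, type)."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def discover(identity):
    """Return RadSec targets [(host, port, ip), ...] for user@realm, best first.

    An empty list means the realm publishes no usable record, so the request
    cannot be routed dynamically.
    """
    user, sep, realm = identity.rpartition("@")
    if not sep or not realm:
        return []
    naptrs = [r for r in lookup(realm, "NAPTR")
              if r[3].lower() == SERVICE and r[2].lower() == "s"]
    targets = []
    for _order, _pref, _flags, _service, replacement in sorted(naptrs):
        # Lowest SRV priority first; weight is simplified to "heavier first".
        srvs = sorted(lookup(replacement, "SRV"), key=lambda s: (s[0], -s[1]))
        for _prio, _weight, port, host in srvs:
            targets += [(host, port, ip) for ip in lookup(host, "A")]
    return targets

if __name__ == "__main__":
    for who in ("user@example.com", "user@example.org", "no-realm"):
        print(who, "->", discover(who))
```

Only the NAPTR record carrying the authentication service tag is followed; the accounting record for the same realm is ignored, and a realm without records yields no target.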
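
For the do-it-yourself CapPort setup on slide 16, both published pieces can be checked before rollout: the URI handed out in DHCP option 114 and the JSON document behind it. This is an added example, not part of the presentation; the function names and sample bodies are constructed, and the checks cover only the RFC 8908 keys and RFC 8910 URN named in the comments.

```python
import json
from urllib.parse import urlsplit

# Added example: checks for the two CapPort pieces on slide 16.
UNRESTRICTED = "urn:ietf:params:capport:unrestricted"  # RFC 8910: no portal
MEDIA_TYPE = "application/captive+json"                # defined by RFC 8908
NUMBER_KEYS = ("seconds-remaining", "bytes-remaining")
URL_KEYS = ("user-portal-url", "venue-info-url")

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def check_option_114(uri):
    """Problems with the URI sent in DHCP option 114 (dhcpd: default-url)."""
    if uri == UNRESTRICTED or is_https(uri):
        return []
    return ["API URI must use https"]

def check_api_response(content_type, body):
    """Problems with a Captive Portal API response; an empty list means OK."""
    problems = []
    if content_type.split(";")[0].strip().lower() != MEDIA_TYPE:
        problems.append("Content-Type is not " + MEDIA_TYPE)
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not valid JSON"]
    if not isinstance(doc, dict) or not isinstance(doc.get("captive"), bool):
        return problems + ['"captive" must be present and boolean']
    for key in NUMBER_KEYS:
        value = doc.get(key)
        if value is not None and (isinstance(value, bool)
                                  or not isinstance(value, (int, float))):
            problems.append(f'"{key}" must be a number')
    for key in URL_KEYS:
        if key in doc and not (isinstance(doc[key], str) and is_https(doc[key])):
            problems.append(f'"{key}" is not an https URL')
    return problems

# Constructed inputs: a body that still carries // comments, and a clean one.
ANNOTATED = '''{
  // captive portal is not used
  "captive": false,
  "venue-info-url": "https://example.com/"
}'''
CLEAN = '{"captive": false, "venue-info-url": "https://example.com/"}'

if __name__ == "__main__":
    print(check_option_114("https://example.com/capporttest/"))
    print(check_api_response(MEDIA_TYPE, ANNOTATED))
    print(check_api_response("text/html", CLEAN))
```

A file that keeps explanatory `//` comments fails JSON parsing, so the comments have to be stripped from the copy that is actually served.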
