Adding OpenRoaming to existing IDP and roaming federation service
2 Nov 2022
First deployment experiences of adding OpenRoaming functionality to existing IdP and roaming federation service. A presentation presented in the OpenRoaming Implementer's call on the 2nd of November 2022.
Adding OpenRoaming to existing IdP and roaming federation service: first deployment experiences
Radiator Software: who are we?
● One of the few commercial RADIUS, RADSEC, Diameter, TACACS+ software vendors – Radiator
● SIM authentication (with IMSI privacy), Policy&Charging and other operator-oriented extension packs for Radiator
● Small-scale RADIUS and Wi-Fi Roaming as a Service provider (Radiator Auth.Fi, roam.fi, eduroam Finland (since 2004) etc.)
● In March 2023 it will be 25 years since the first release of Radiator
Adding OpenRoaming to …
● roam.fi regional Wi-Fi roaming federation service
● Radiator Auth.Fi – Enterprise Wi-Fi IdP as a service
● The first deployment experiences
Roam.fi – regional Wi-Fi roaming federation
● Started in 2006 as the Langaton Tampere (Wireless Tampere) Wi-Fi community network
● Based on eduroam architecture and technology, but open for all
● Centralised RADIUS hierarchy, with each organisation joining with its own Wi-Fi network and RADIUS server
● Rebranded as roam.fi when the roaming coverage expanded outside Tampere and neighbouring cities to Finnish cities like Seinäjoki and Vaasa
● Nowadays actively used, especially in the Tampere Region, for education, municipal work, guests, tourists, university people etc.
Roam.Fi Architecture
Diagram components (links labelled RADIUS):
● Radiator Auth.Fi: Enterprise Wi-Fi as a service
● Redundant roam.fi RADIUS service in public cloud
● Tampere University RADIUS
● Other customers connecting via RADIUS, e.g. City of Seinäjoki, Seinäjoki education etc.
Default RADIUS route for all roam.fi members, but no own default RADIUS route.
Customers are used to connecting via RADIUS; getting them to use RadSec will not happen very quickly or easily.
One open question is whether RADIUS connections should be allowed and whether we need to send Accounting for Settlement-Free OpenRoaming.
Adding OpenRoaming to Roam.Fi
Diagram components (links labelled RADIUS):
● Radiator Auth.Fi: Enterprise Wi-Fi as a service
● Redundant roam.fi RADIUS service in public cloud
● Tampere University RADIUS
● Other customers connecting via RADIUS, e.g. City of Seinäjoki, Seinäjoki education etc.
● OpenRoaming roaming partners
Adding OpenRoaming to Roam.Fi was as simple as adding two more Radiator processes and setting them as roam.fi’s default RADIUS route for unknown realms.
Now any roam.fi member can try OpenRoaming just by adding OpenRoaming Settlement-Free RCOIs to their Wi-Fi network beacon advertisement.
Next steps
● Getting the largest roam.fi organisations to try OpenRoaming and broadcast OpenRoaming RCOIs
● Convince the organisations to take OpenRoaming into production => make it a roam.fi production service
● Switching gradually to RadSec connections with organisations that can deploy it
● Some minor configuration for RADIUS attributes, certificate CRLs, 3gppnetwork.org realm
Radiator Auth.Fi
Radiator Auth.Fi is a RADIUS-based Wi-Fi authentication cloud service for authenticating network users and guests. It provides RADIUS-based user authentication as a service, mainly for Wi-Fi, but it can also be used for wired 802.1X or even RADIUS-based VPN authentication.
The entry requirement is a RADIUS-capable Wi-Fi controller and access points – no new hardware is needed for enterprise-level WPA2/WPA3 security for your company Wi-Fi. Radiator Auth.Fi includes RADIUS servers, but can also be integrated with customer RADIUS servers for additional control.
The subscription-based service is delivered from the Google Cloud. Regional service endpoints are added based on demand.
Radiator Auth.Fi is designed to work with RADIUS roaming federations such as eduroam and govroam. Optional add-ons include client certificate authentication, a self-service guest access solution and roaming federation integrations.
Roaming with Radiator Auth.Fi
Roaming was done based on the Wi-Fi network name (SSID, e.g. roam.fi, eduroam)
OpenRoaming
Roaming with Radiator Auth.Fi
An inbound RadSec Radiator instance with Kyrio certificates was added for IdP functionality.
The roam.fi federation top-level outbound RadSec Radiator instance was used for the OpenRoaming connection.
Providing a Radiator Auth.Fi customer with an OpenRoaming IdP only requires enabling it in the service and adding a NAPTR record to the customer's DNS domain.
“Available now”, only minor RADIUS attribute, Kyrio certificate CRL and 3gppnetwork.org realm configuration pending.
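An added example, not taken from the slides and not Radiator configuration: how a roaming peer could turn a user's realm into RadSec endpoints from the NAPTR record mentioned above. It assumes the RFC 7585 service tag `aaa+auth:radius.tls.tcp` and the RadSec port 2083; `example.com`, the host names and the record values are constructed placeholders.

```python
# Constructed sample DNS data; all names and values below are placeholders.
NAPTR = {
    "example.com": [
        # (order, preference, flags, service, replacement)
        (100, 10, "s", "x-eduroam:radius.tls", "_radsec._tcp.eduroam.example.com"),
        (50, 50, "s", "aaa+auth:radius.tls.tcp", "_radsec._tcp.example.com"),
    ],
}
SRV = {
    "_radsec._tcp.example.com": [
        # (priority, weight, port, target)
        (10, 10, 2083, "radsec2.example.com"),
        (0, 10, 2083, "radsec1.example.com"),
    ],
}
# Assumption: S-NAPTR service tag from RFC 7585 is the one peers look up.
OPENROAMING_TAG = "aaa+auth:radius.tls.tcp"


def realm_of(user_name):
    """Return the lower-cased realm of a NAI, or None if it has none."""
    _, sep, realm = user_name.rpartition("@")
    realm = realm.lower().rstrip(".")
    return realm if sep and realm else None


def discover(user_name, naptr=NAPTR, srv=SRV):
    """Return RadSec (host, port) candidates for the realm, best first."""
    realm = realm_of(user_name)
    if realm is None:
        return []
    # Keep only NAPTR records for the wanted service that point at SRV ("s"),
    # then try them in (order, preference) sequence.
    matches = sorted(r for r in naptr.get(realm, [])
                     if r[2].lower() == "s" and r[3].lower() == OPENROAMING_TAG)
    for _order, _pref, _flags, _service, replacement in matches:
        # Simplified: plain priority sort, no weighted random selection.
        targets = sorted(srv.get(replacement, []))
        if targets:
            return [(host, port) for _prio, _weight, port, host in targets]
    return []  # no usable record: the realm cannot be routed dynamically


if __name__ == "__main__":
    print(discover("anonymous@example.com"))
    print(discover("anonymous@unknown.example"))
```

An empty result is the case to watch when a customer domain has been enabled in the service but the NAPTR record is missing or carries a different service tag.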
How long did it take?
● ~22.5h in work time so far for both IdP and roaming service, but more as calendar time
● Configuration guides helped a lot and a guide is in the works for Radiator as well => next deployment will require less work time
● Most of the calendar time was spent waiting for Radiator Software to get verified by Kyrio and for the delivery of the certificates needed.
Thank you. Questions, Comments?
Follow Radiator Software for more information…
Radiator Software blog: https://blog.radiatorsoftware.com/
Twitter: https://twitter.com/RadiatorAAA
Slideshare: https://slideshare.net/radiatorsoftware/
Bookings for conference calls: https://radiatorsoftware.com/contact/ / info@radiatorsoftware.com
Meet us in London 7th - 9th of November 2022
Karri Huhtanen and Heikki Vatiainen will be attending IETF 115 in London, UK on the 7th of November, but we will stay in London for additional days to meet new, existing and interested customers, partners and companies.
Please, contact us if you want to meet:
firstname.surname@radiatorsoftware.com
sales@radiatorsoftware.com