eduroam is a member of the Wireless Broadband Alliance (WBA) and a pioneer member of the OpenRoaming federation service, which enables automatic and secure Wi-Fi. eduroam strives to leverage the existing eduroam infrastructure to enable easy OpenRoaming participation for eduroam participants.
The architecture of OpenRoaming supports interconnection between OpenRoaming Identity Providers (IdPs) and OpenRoaming Access Network Providers (ANPs), the equivalent of an eduroam service provider, without need for intermediate proxies. The architecture differs somewhat from that of eduroam, as it does not require aggregation on top-level domains or other constructs.
Nonetheless, proxies such as NRO proxies are not forbidden, and the architecture is thus compatible with eduroam-internal request routing. Tooling from the eduroam Operations Team can receive authentication requests from OpenRoaming ANPs and forward those requests inside the eduroam routing fabric to the corresponding IdP.
In this setup, the IdP decides whether to make use of the eduroam tooling or use any other means of connecting to the OpenRoaming infrastructure. On a technical level, the connection is made by the IdP publishing a DNS NAPTR record, which points to a selected OpenRoaming endpoint.
Since the policy decision to participate via the eduroam-provided tooling lies with the IdP, the role of NRO proxies in the eduroam infrastructure is limited to either facilitator or prohibitor of the IdP’s OpenRoaming connection via the IdP’s NRO proxy.
OpenRoaming authentication requests can be identified on the NRO proxy server by the presence of the RADIUS attribute “Operator-Name” with a value starting with the character “4”. The remainder of the string inside the attribute identifies the WBA member that operates the hotspot.
Example: an imaginary Wi-Fi Operator “Vodkafone” with a Wi-Fi hotspot in Antarctica could use “Operator-Name = 4vodkafone:aq”
NRO Options for Participation in OpenRoaming
An NRO has some influence on OpenRoaming participation. First, it can control whether its proxy can and should proxy authentication requests originating from an OpenRoaming ANP. Second, it can permit or deny its IdPs the ability to enable OpenRoaming in the eduroam CAT toolset for user onboarding.
With the current eduroam tooling for IdPs, NROs can take the following position regarding OpenRoaming:
- Allow proxy of OpenRoaming authentication requests from eduroam Operations Team tooling towards their IdPs. This is the “do-nothing” option, as the routing of OpenRoaming requests is identical to normal eduroam request routing.
- Prohibit proxy of OpenRoaming authentication requests. This requires a slight reconfiguration of the NRO proxy so that authentication requests carrying an “Operator-Name” attribute whose value starts with “4” are dropped. Alternatively, NROs can contact the eduroam Operations Team to ask that requests for their top-level domains (TLD) be immediately dropped at the point of entry.
Note: Option 2 cannot prevent an educational institution that is an eduroam Identity Provider from becoming an OpenRoaming Identity Provider. It only means the institution needs to find a different (business) partner for its connection to OpenRoaming.
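The identification rule above (Operator-Name starting with “4”) and the “prohibit proxy” option can be exercised offline with a small RADIUS attribute walker. The following Python is an added example, not eduroam Operations Team tooling or a FreeRADIUS policy; it assumes the Operator-Name attribute type number 126 and the “1” (REALM) namespace prefix from RFC 5580, treats “4” as the WBA namespace as this page states, and uses constructed Access-Request packets with placeholder realms. The nro_policy() decision values “proxy” and “drop” are names chosen for the example.

```python
import struct
from typing import List, Optional, Tuple

# RFC 2865 packet layout: Code(1) Identifier(1) Length(2) Authenticator(16), then attribute TLVs.
RADIUS_HEADER_LEN = 20
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_OPERATOR_NAME = 126        # RFC 5580 Operator-Name attribute type
WBA_NAMESPACE = "4"             # leading character used by OpenRoaming ANPs (per this page)
REALM_NAMESPACE = "1"           # RFC 5580 REALM namespace, typical for plain eduroam SPs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs for every attribute after the RADIUS header.

    Rejects packets whose Length field disagrees with the buffer or whose
    attribute lengths would run past the end, so a malformed request is never
    silently classified as 'not OpenRoaming'.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field disagrees with packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def operator_name(packet: bytes) -> Optional[str]:
    """Extract the Operator-Name text, or None if the request carries none."""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_OPERATOR_NAME:
            return value.decode("ascii", errors="replace")
    return None


def is_openroaming_request(packet: bytes) -> bool:
    """An OpenRoaming request is marked by Operator-Name starting with '4'."""
    name = operator_name(packet)
    return name is not None and name.startswith(WBA_NAMESPACE)


def nro_policy(packet: bytes, allow_openroaming: bool) -> str:
    """Model the NRO's choice: 'proxy' (do-nothing option) or 'drop' (prohibit option).

    Only OpenRoaming-marked requests are affected; ordinary eduroam requests,
    with a REALM-namespace Operator-Name or none at all, are always proxied.
    """
    if is_openroaming_request(packet) and not allow_openroaming:
        return "drop"
    return "proxy"


def build_access_request(attrs: List[Tuple[int, bytes]], ident: int = 0) -> bytes:
    """Assemble a constructed Access-Request (zeroed Authenticator) for testing."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, RADIUS_HEADER_LEN + len(body))
    return header + bytes(16) + body


# Constructed sample requests (placeholder realms, not real identities).
OPENROAMING_REQ = build_access_request(
    [(ATTR_USER_NAME, b"alice@idp.example"), (ATTR_OPERATOR_NAME, b"4vodkafone:aq")], ident=1)
EDUROAM_REQ = build_access_request(
    [(ATTR_USER_NAME, b"alice@idp.example"), (ATTR_OPERATOR_NAME, b"1sp.example")], ident=2)
NO_OPNAME_REQ = build_access_request([(ATTR_USER_NAME, b"alice@idp.example")], ident=3)

if __name__ == "__main__":
    for label, req in (("OpenRoaming", OPENROAMING_REQ), ("eduroam", EDUROAM_REQ), ("no Operator-Name", NO_OPNAME_REQ)):
        print(f"{label:17s} Operator-Name={operator_name(req)!r:20} "
              f"allow->{nro_policy(req, True)} prohibit->{nro_policy(req, False)}")
```

The equivalent production change sits in the NRO proxy's policy configuration rather than in Python; the point of the model is that the decision keys only on the first character of Operator-Name, so requests without the attribute, or with another RFC 5580 namespace, keep flowing to IdPs unchanged under either option.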
Going forward, the eduroam Operations Team plans to extend the available tooling so that eduroam NRO proxies are able to become their own OpenRoaming translation endpoints. This would enable the NRO proxies’ eduroam IdPs to have OpenRoaming ANPs send authentication requests directly to their NRO, shortening the routing path inside the eduroam infrastructure. Not only does this make the authentications more efficient, it also prevents authentication requests from out-of-country eduroam tooling. To that end, eduroam needs to become an OpenRoaming Issuing Certificate Authority and issue endpoint certificates to NROs. Once the certificate issuance infrastructure is in place, NROs will have a third option in addition to the two above:
- Allow receipt of OpenRoaming requests directly on the NRO server, for proxying to their IdPs.
(alternatively, NROs can also procure such a certificate from another WBA member)
Onboarding Tools (CAT)
A future version of eduroam CAT can help IdPs with:
- Technical setup verification (NAPTR records)
- The creation of installers enriched with OpenRoaming Roaming Consortium Organization Identifiers (RCOIs).
- The display of and user consent to the OpenRoaming Terms & Conditions upon download of OpenRoaming-enriched installers.
The feature set relating to OpenRoaming can be exposed to the IdPs at the discretion of the NRO. The NRO-level options in CAT will contain a Boolean switch “Enable OpenRoaming”, which can be set. The default setting of the NRO-level options is to be determined.