In this post, we’ll give a deeper overview of the OpenRoaming federation. This is one of the sections in our extensive 52-page White Paper that covers all you need to know about OpenRoaming. Download the white paper below to get the complete picture of OpenRoaming and what it means for you. We will continue to post chapters from the white paper, and here you can find all relevant OpenRoaming Insights to date.
All You Need To Know About OpenRoaming – White Paper
The Purpose of OpenRoaming
The primary purpose of OpenRoaming is to simplify connecting to Wi-Fi networks while maintaining the highest levels of security and privacy. By establishing a standardized framework for seamless Wi-Fi roaming, OpenRoaming seeks to enhance the user experience, unlock new business opportunities, and drive innovation in wireless connectivity.
The members of the OpenRoaming Federation can assume two distinct roles: Access Network Provider (ANP) and Identity Provider (IDP).
One of the fundamental principles, and the beauty, of OpenRoaming is that access network providers that also act as identity providers can roam with each other without being aware that the other party exists. Similarly, identity providers without any Wi-Fi network of their own can authenticate and authorize their users on Wi-Fi networks in the federation without knowing those networks exist. This calls for mutual trust between the members of the OpenRoaming federation. Several mechanisms are nevertheless in place to control who is roaming with whom, which we will address in an upcoming post, Staying in control in the OpenRoaming era.
The OpenRoaming Architecture
Access Network Providers (ANP)
An Access Network Provider (ANP) provides the Wi-Fi network. Any organization with a Wi-Fi network can apply to be part of the OpenRoaming federation.
Identity Providers (IDP)
An Identity Provider (IDP) authenticates and authorizes users for the OpenRoaming service offered by ANPs. Anyone providing a user account can apply to be part of the OpenRoaming federation.
An excellent example is device manufacturers. Both Samsung and Google are identity providers. Samsung devices from the Galaxy S9 onwards and Google Pixel phones with Android 11 and above have OpenRoaming profiles enabled from the factory. Apple is widely expected to follow suit. Other potential identity providers could be companies with loyalty programs, such as airlines, or Internet giants like Facebook, Amazon, and Netflix.
Other Wi-Fi federations such as WiFi4EU and Eduroam can also join OpenRoaming. As OpenRoaming federation partners, they will provide their users with auto-connect and secure access to OpenRoaming Wi-Fi networks globally.
Wi-Fi Alliance Passpoint
OpenRoaming is a game changer for the real-life deployment of Passpoint. The industry-wide Passpoint project has been in the works since 2012, but the issue has always been the provisioning of Passpoint profiles.
Because Passpoint is pre-enabled for OpenRoaming in many devices from the factory, Passpoint can finally achieve mass-market success. How important this is for Passpoint and the Wi-Fi industry cannot be overstated.
As discussed, Passpoint enables a seamless and secure user experience. Four additional technology standards are enabling the OpenRoaming federation of Wi-Fi industry players:
- PKI – Public Key Infrastructure Certificate
- RadSec – Secure RADIUS over TCP and TLS (RFC 6614)
- DPD – Dynamic Peer Discovery (RFC 7585)
- WRIX – Wireless Roaming Intermediary eXchange Framework by WBA
The Wireless Broadband Alliance issues certificates for Access Network Providers and Identity Providers, coupled with their individual WBA Identity (WBAID).
The certificate must be installed in the Authentication, Authorization, and Accounting (AAA) servers for both the IDP and ANP roles. These WBA-PKI certificates enable trust between members even if they are unaware of each other.
The certificates are also a prerequisite for the secure RADIUS (RadSec) communication between the participating AAA servers. In this context, the ANP AAA is a RADIUS client, and the IDP AAA is a RADIUS server.
Currently (December 2023), the yearly fee is 400 USD for an ANP client certificate and 750 USD for an IDP server certificate or both a client and server certificate.
RADIUS is a networking protocol that authorizes and authenticates users accessing the OpenRoaming federation’s Wi-Fi networks. It is also used for sending accounting data between the AAA servers of the ANP and IDP.
RadSec, defined in RFC 6614, is a protocol for transporting RADIUS datagrams over TCP and TLS. In OpenRoaming, it is used to maintain integrity and secure communication between the AAA servers.
DPD – Dynamic Peer Discovery
Dynamic peer discovery (DPD), specified in RFC 7585, allows ANPs to dynamically discover the AAA servers operated by an IDP through Domain Name System (DNS) lookups.
Before OpenRoaming, enabling Wi-Fi roaming was complicated and time-consuming. Each roaming partner relationship required a specific configuration in the Wi-Fi network.
With OpenRoaming and DPD, the access network no longer needs a particular configuration for each roaming partner. DPD is a game-changer for Wi-Fi roaming and a prerequisite for the OpenRoaming federation.
OpenRoaming with DPD allows Wi-Fi roaming to happen automatically without any intervention from the user or mutual relationships between the roaming partners. OpenRoaming reduces operating expenses and removes the scaling limitations of bilateral and hub-based Wi-Fi roaming approaches.
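As an added example (not from the white paper or from Enea's products), the following shows the NAPTR/SRV selection step that an ANP's AAA server performs under RFC 7585 to find the RadSec servers of a roaming user's realm; the realm "idp.example" and all DNS records are constructed so the code runs offline.

```python
# Added example, not from the white paper: the NAPTR/SRV selection step of
# Dynamic Peer Discovery (RFC 7585) that an ANP AAA applies to a roaming user's
# realm, run against constructed DNS records so it works offline (a real AAA
# issues live NAPTR and SRV queries instead).
from collections import namedtuple

AUTH_TAG = "aaa+auth:radius.tls.tcp"  # RFC 7585 NAPTR service tags for
ACCT_TAG = "aaa+acct:radius.tls.tcp"  # RADIUS/TLS authentication and accounting

# flags "S": replacement is an SRV name; flags "A": replacement is a host name
Naptr = namedtuple("Naptr", "order preference flags service replacement")
Srv = namedtuple("Srv", "priority weight port target")

# Constructed zone data for a hypothetical IDP realm "idp.example"
NAPTR = {"idp.example": [
    Naptr(20, 10, "S", ACCT_TAG, "_radiustls._tcp.idp.example"),
    Naptr(10, 50, "S", AUTH_TAG, "_radiustls._tcp.idp.example"),
    Naptr(10, 10, "S", AUTH_TAG, "_radiustls-primary._tcp.idp.example"),
]}
SRV = {
    "_radiustls-primary._tcp.idp.example": [Srv(0, 0, 2083, "aaa1.idp.example")],
    "_radiustls._tcp.idp.example": [Srv(20, 0, 2083, "aaa3.idp.example"),
                                    Srv(10, 0, 2083, "aaa2.idp.example")],
}

def realm_of(nai: str) -> str:
    """Realm of a Network Access Identifier, e.g. the EAP outer identity."""
    _user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        raise ValueError("NAI has no realm; DPD cannot route it")
    return realm.lower()

def discover(realm: str, service: str = AUTH_TAG) -> list[tuple[str, int]]:
    """Ordered (host, port) RadSec candidates for the realm. DNS only says where
    to connect; the peer is trusted only after the TLS handshake validates its
    WBA-PKI certificate, which is where the federation's trust actually lives."""
    naptrs = sorted((r for r in NAPTR.get(realm, []) if r.service == service),
                    key=lambda r: (r.order, r.preference))
    out: list[tuple[str, int]] = []
    for r in naptrs:
        if r.flags == "S":  # lowest SRV priority first, higher weight preferred
            srvs = sorted(SRV.get(r.replacement, []), key=lambda s: (s.priority, -s.weight))
            out.extend((s.target, s.port) for s in srvs)
        elif r.flags == "A":
            out.append((r.replacement, 2083))  # default RadSec port (RFC 6614)
    return out
```

The ordering within one SRV priority is simplified to "higher weight first"; RFC 2782 prescribes weighted random selection there.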
Although members have no control over which actors participate in the OpenRoaming federation, they can achieve control over the roaming by implementing Closed Access Group (CAG) policies; more about this in the upcoming post, Staying in control in the OpenRoaming era.
The Wireless Roaming Intermediary eXchange (WRIX) framework has been developed by the WBA Roaming Work Group.
OpenRoaming is deployed either as a settlement-free service (currently the majority of deployments) or as a settled service, where individual IDPs and ANPs have a financial relationship and therefore exchange billing and settlement information. Support for WRIX is a prerequisite for the settled service, and ANPs and IDPs can outsource this function to an ANP/IDP hub provider.
Different actors can perform various WRIX functions, divided into the following categories:
- WRIX-N: Network configuration requirements and specifications.
- WRIX-i: Specifies guidelines for Wi-Fi roaming interconnection, including connectivity types, RADIUS requirements, session mediation, and service levels.
- WRIX-d: Defines procedures for applying interoperator tariffs and data formats for file exchanges, usage validation, and dispute resolution between roaming partners.
- WRIX-f: Financial clearing specification. It covers financial data handling, invoicing, payment, and settlements, and resolves billing/payment issues or disputes.
- WRIX-L: Location feed format and file exchange standard.
For more information, please refer to the WBA WRIX Umbrella document.
It might be a challenge to support all the open standards needed to be part of the OpenRoaming federation. This is especially true for the settled use case, which requires support for WRIX-d/f.
IDP and ANP Hubs
Fortunately, there are so-called IDP and ANP hubs available that can take care of the technical details on behalf of the provider, such as settlement, according to WRIX-d/f.
Another reason for, e.g., a mobile operator IDP to use a hub for the settled service is that it can have one commercial agreement rather than multiple bilateral agreements.
You do not even need full technical support for OpenRoaming to join. Legacy identity providers that are not dynamically discoverable through Dynamic Peer Discovery (DPD) can be enabled by the IDP hub, which sets up conventional static routing of the requests.
The IDP hub acts on behalf of the legacy identity provider and forwards the incoming requests to it. Equally, where a legacy ANP has not deployed an OpenRoaming-enabled AAA, it can still join through an ANP hub provider.
Moreover, there are other ways of joining the OpenRoaming federation as an ANP. A Guest Wi-Fi Cloud service, such as the Enea Aptilo GWC, can enable all of its enterprise customers' Wi-Fi networks by acting as the ANP for all of them under one WBAID. The individual Wi-Fi networks must still configure RCOIs (Roaming Consortium Organization Identifiers), but the Guest Wi-Fi Cloud service can centralize the AAA for Dynamic Peer Discovery and RadSec communication.
How Enea Aptilo SMP Adds Value
The Enea Aptilo SMP (software) and SMP-S (service on AWS) support all features needed for OpenRoaming. The most critical features are support for RadSec, EAP authentication, and Dynamic Peer Discovery (DPD). With these features, you can assume the following roles within OpenRoaming.
OpenRoaming Access Network Provider (ANP)
- Dynamic Peer Discovery (DPD).
- RADIUS over TLS (RadSec).
OpenRoaming Identity Provider (IDP)
- Provisioning of OpenRoaming Passpoint profiles from a Portal or App.
- RadSec termination.
- User authentication using EAP-SIM/AKA/AKA’/5G, EAP-TLS, EAP-TTLS.