cat-users - Re: [[cat-users]] geteduroam, Passpoint

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Lukas Wringer <Lukas.Wringer AT rz.uni-augsburg.de>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] geteduroam, Passpoint
  • Date: Fri, 26 Feb 2021 12:38:57 +0100

Hello,

> so I played around with geteduroam a bit. Apparently it automatically
> registers Hotspot 2.0 / Passpoint.
>
> I looked it up and I am not sure what this thing does, all
> descriptions I read mostly say that with it "there is no interaction
> needed to connect anymore" - which it isn't anyway after configuring
> eduroam...
>
> What does this for eduroam, and why is it on by default?


Passpoint is a relatively new addition to the IEEE 802.11 standards for
Wi-Fi (well it has been in the specs for some five years or more,
originally called IEEE 802.11r, then "the Interworking chapter", and
branded/certified first as "Hotspot 2.0" and finally "Passpoint"). In
essence, it allows a client device to identify networks it can connect
to by other means than an SSID. There are multiple of these alternative
ways; the one we configure is called a "Roaming Consortium Organization
Identifier" (RCOI). eduroam has registered such an RCOI with IEEE in the
IEEE OUI Registry. It listens to the beautiful name of "001bc50460".


Of course, eduroam very rigidly requires use of the SSID "eduroam"
on hotspots, and our configuration tools set up the SSID "eduroam". So a
network identification with our Passpoint RCOI is not needed when using
the SSID to identify our hotspots; which is 100% of today's deployment.


The Passpoint additions are to be seen as future-proofness. It is meant
for situations where an eduroam SP is for whatever reason unable to use
the SSID eduroam. Think of cases where a commercial hotspot (airport,
coffee shop chain, ...) would be willing to let eduroam users in, but is
not willing to expend broadcast of a dedicated SSID "eduroam" for that
because SSIDs are "expensive" in terms of lost beacon airtime and number
limitation. So far, we have to tell such hypothetical SP participants:
"too bad" and lose the potential hotspot.


This is of course a chicken-and-egg problem: hotspots will only use that
identification method if there are actual eduroam users out there who
have devices capable of reacting to that network identification. And it
only makes sense to configure user devices if there are actual hotspots
to connect to.


To break through this chicken-and-egg, we are now adding eduroam's
Roaming Consortium Organization Identifier to client installations
"where it doesn't hurt" (i.e. no additional user interaction during
install time). That is true for Windows 10 and Android currently -
notably, Apple installers do have some quite unbearable user interaction
when an RCOI configuration item is in a mobileconfig, so we do not add
them there by default.


The idea is to seed an installed base of user devices that could use
Passpoint based network identification so that in a future world
hotspots could broadcast that, allowing a connection to eduroam
regardless of SSID. Maybe, in a very distant future, we could more
generally relax the requirement to put eduroam authentication onto an
SSID literally called "eduroam". But many things in the industry need to
move forward for that to be a possibility.


Until then, that part of the configuration just sits there.


I'll follow up separately with another possible use of Passpoint which
we DO NOT CONFIGURE but which is something in the industry's pipeline. I
don't want to put both into one mail in order not to confuse everyone.
What you've read above is all that happens.


Greetings,


Stefan Winter




Attachment: OpenPGP_signature
Description: OpenPGP digital signature
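
The network identification described in the message above, as an added example that is not part of the original mail and is not CAT or geteduroam code: it parses the IEEE 802.11 Roaming Consortium element (element ID 111) out of a beacon's tagged parameters and checks for the RCOI 001bc50460. The beacon bytes, the SSID "CoffeeShop-Guest", the OI `aabbcc` and all function names are constructed for illustration, and comparing OIs by exact match is an assumption of this example.

```python
# Added example; all beacon bytes below are constructed sample data.
EDUROAM_RCOI = bytes.fromhex("001bc50460")  # RCOI quoted in the message
ROAMING_CONSORTIUM_EID = 111                # IEEE 802.11 Roaming Consortium element

def iter_elements(ies):
    """Yield (element_id, body) for each TLV in a beacon's tagged parameters."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        yield eid, body
        pos += 2 + length
    if pos != len(ies):
        raise ValueError("trailing byte after last element")

def roaming_consortium_ois(body):
    """Split a Roaming Consortium element body into its OIs (at most three)."""
    if len(body) < 2:
        raise ValueError("Roaming Consortium element too short")
    # body[0]: number of further OIs available via ANQP (not needed here).
    # body[1]: low nibble = length of OI #1, high nibble = length of OI #2.
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    len3 = len(body) - 2 - len1 - len2  # OI #3 takes whatever remains
    if len3 < 0:
        raise ValueError("OI lengths exceed element length")
    ois, pos = [], 2
    for n in (len1, len2, len3):
        if n:
            ois.append(body[pos : pos + n])
        pos += n
    return ois

def advertises_eduroam(ies):
    """True if a Roaming Consortium element lists the eduroam RCOI (exact match)."""
    return any(EDUROAM_RCOI in roaming_consortium_ois(body)
               for eid, body in iter_elements(ies)
               if eid == ROAMING_CONSORTIUM_EID)

def ie(eid, body):
    """Build one tagged parameter: ID, length, body."""
    return bytes([eid, len(body)]) + body

# Constructed: a hotspot with its own SSID that lists a made-up OI plus eduroam's.
RC_BODY = bytes([0x00, 0x53]) + bytes.fromhex("aabbcc") + EDUROAM_RCOI
PASSPOINT_BEACON = ie(0, b"CoffeeShop-Guest") + ie(ROAMING_CONSORTIUM_EID, RC_BODY)
# Constructed: today's deployment, identified by SSID only, no RCOI element.
SSID_ONLY_BEACON = ie(0, b"eduroam")
```
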



