cat-users - [[cat-users]] A use of Passpoint: OpenRoaming

cat-users AT lists.geant.org
The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] A use of Passpoint: OpenRoaming
  • Date: Fri, 26 Feb 2021 14:20:11 +0100

Hello,


so here is this other mail I promised, which is all about possible
future features. You find none of this deployed in CAT 2.0.4, and much
of it is in flux and in the making still. But since people ask...


As you've read in the previous mail, using Passpoint network identifiers
makes it possible to not rely on SSIDs for network configuration. In
eduroam, we had to and did standardise on one, and that's why roaming
works for us and Passpoint is a very optional feature to look at. The
rest of the Wi-Fi world is not at that level.


But with SSIDs becoming irrelevant when using Passpoint, it would be
possible to build a roaming consortium with arbitrary SSIDs, still being
able to configure all those different networks in one go. So some people
have set out to do that: imagine every single Wi-Fi hotspot in the world
can participate in a roaming consortium, without the need to standardise
on an SSID. And with "proper" authentication based on IEEE 802.1X /
Enterprise Wi-Fi. Just like eduroam, but for everyone on the planet
(arbitrary IdPs) and for every hotspot that wants to join in (arbitrary
SPs).


That is what has become known as OpenRoaming, coordinated by the
Wireless Broadband Alliance (WBA): https://wballiance.com/openroaming/


You will see on their homepage that eduroam is a partner of OpenRoaming,
and so are a few individual NROs actually.


OpenRoaming comes with its own participation policies, both IdP-side and
SP-side, for end-users, and for "ecosystem brokers" (a.k.a. proxies ;-)
). It leverages all the technologies we have invented or pioneered
(RADIUS over TLS, DNS-based dynamic discovery, ...) and can in many
aspects be considered the eduroam for non-eduroamers. So you would say
it has nothing to do with eduroam, and you are right in saying that.


However: since OpenRoaming is open for arbitrary IdPs - it would be a
shame if our sizable subset of "arbitrary" - thousands of educational
IdPs - could not easily be integrated into this, if that is what the IdP
in question wants.


So we are spending quite a sizable fraction of our time these days
wondering how to make it easy for eduroam IdPs to enlist also as
OpenRoaming IdPs. Since OpenRoaming is exclusively based on Passpoint,
we have naturally gotten up to speed on Passpoint provisioning on client
devices. OpenRoaming uses its own distinct set of RCOIs to signal
service availability - which, again: we don't configure in CAT and will
never do unsolicitedly.


What we have in place today is:

- a dedicated proxy infrastructure bridging the worlds of OpenRoaming
hotspots towards willing eduroam IdPs;

- a dedicated proxy infrastructure allowing willing eduroam SPs to set
up OpenRoaming in parallel and let OpenRoaming IdP users onto their
network;

- preliminary code in CAT that allows an IdP to configure OpenRoaming
RCOIs if they so wish


Using the above, you could trial enabling your eduroam IdP RADIUS
installation to also serve as OpenRoaming IdP RADIUS. Some things are a
bit rough and in flux, and this is not yet at a level where it's a
no-brainer. But if you are tech-savvy and willing to invest some time
into it, be our guest and let us know that you want to be part of this.


As time goes by, we will improve the CAT code side of things to

- make the OpenRoaming RCOI opt-in smoother (one-click on profile level
ideally)

- iron out things like making end-users accept the OpenRoaming end-user
Terms and Conditions easy ( https://wballiance.com/openroaming/toc-2020/ )

- giving individual users of an OpenRoaming opted-in IdP the choice of
whether they personally really want to configure both consortia on their
device or not


At some point, this would be part of a CAT 2.1 release. But bear in mind
that CAT code alone does not suffice. Your IdP also needs to meet extra
technical requirements to be compatible with OpenRoaming (DNS entries of
resource record type NAPTR, provide the Chargeable-User-Identity
attribute during authentications, ideally DNSSEC ...) so opting into
OpenRoaming will likely never be something we can do for you in entirety
just by writing CAT code and you checking a box.


Greetings,


Stefan Winter


Attachment: OpenPGP_signature
Description: OpenPGP digital signature
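The message closes by listing the DNS side of the extra requirements: an IdP realm needs NAPTR records so that RADIUS/TLS dynamic discovery (RFC 7585, the "DNS-based dynamic discovery" mentioned above) can locate the realm's RADIUS server. The following is an added illustration, not code from this message or from the CAT project, of what that lookup step does with such records, so an IdP operator can sanity-check what they publish. It runs over a constructed zone embedded in the script instead of live DNS; the realm names, owner names and targets are made-up placeholders, and the service tag `aaa+auth:radius.tls.tcp` is the RFC 7585 tag for RADIUS/TLS.

```python
"""Added example (not from the cat-users message or the CAT project):
RFC 7585-style NAPTR selection for a RADIUS/TLS realm, over constructed
records so it runs offline.  A real resolver would fetch the NAPTR set for
the realm (ideally with DNSSEC validation) and then resolve the returned
SRV owner name; both of those steps are out of scope here.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 7585 service tag announcing a RADIUS/TLS (RadSec) server for a realm.
RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"

# Constructed zone data (placeholder names, not real realms or servers).
# Each entry is NAPTR RDATA in zone-file presentation form:
#   order preference "flags" "service" "regexp" replacement
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "idp.example.": [
        '100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.idp.example.',
        '200 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec-backup._tcp.idp.example.',
        '100 5 "s" "aaa+auth:radius.dtls.udp" "" _radsec._udp.idp.example.',
    ],
    # A realm that publishes nothing: dynamic discovery cannot reach it.
    "nonaptr.example.": [],
}


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def parse_naptr(rdata: str) -> Naptr:
    """Parse one NAPTR RDATA string; shlex handles the quoted fields
    (including the empty regexp field written as "")."""
    fields = shlex.split(rdata)
    if len(fields) != 6:
        raise ValueError(f"NAPTR needs 6 fields, got {len(fields)}: {rdata!r}")
    order, pref, flags, service, regexp, replacement = fields
    return Naptr(int(order), int(pref), flags, service, regexp, replacement)


def realm_of(outer_identity: str) -> str:
    """Realm = text after the last '@' of the outer identity, lower-cased
    and given a trailing dot so it can serve as a DNS owner name."""
    if "@" not in outer_identity:
        raise ValueError("identity has no realm part")
    realm = outer_identity.rsplit("@", 1)[1].lower().rstrip(".")
    return realm + "."


def select_radsec_target(realm: str, zone: Dict[str, List[str]]) -> Optional[str]:
    """Return the SRV owner name a RADIUS/TLS client should resolve next for
    this realm, or None when the realm publishes no usable NAPTR record.

    Only 's'-flagged records with the RADIUS/TLS service tag count; among
    those, lower order wins, then lower preference (RFC 3403 semantics)."""
    records = [parse_naptr(r) for r in zone.get(realm, [])]
    candidates = [
        r for r in records
        if r.flags.lower() == "s" and r.service.lower() == RADSEC_SERVICE
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (r.order, r.preference))
    return candidates[0].replacement


if __name__ == "__main__":
    for identity in ("anonymous@idp.example", "anonymous@nonaptr.example"):
        realm = realm_of(identity)
        target = select_radsec_target(realm, CONSTRUCTED_ZONE)
        status = target if target else "no RADIUS/TLS NAPTR published"
        print(f"{realm:22s} -> {status}")
```

The DTLS record is deliberately included so the filter step is visible: a realm may advertise several transports, and a RADIUS/TLS client must pick only the tag it can actually use rather than the numerically best record. A `None` result is the situation an IdP is in before it publishes the NAPTR entries the message asks for.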
