...

Next, in your Network application, go to Settings (the gear icon), then to the 'WiFi' menu, select a network, and check that 'Passpoint' is listed as an option under 'Hotspot 2.0'. If it is not, your UniFi Network application or your UniFi AP may not be running the minimum required software/firmware.

Settings

RADIUS server

  1. Under 'Settings' (the gear icon), go to 'Profiles', and set up the SSID that you're going to use for OpenRoaming. Call it whatever you like. Many OpenRoaming visited operators (ANPs) use a variation of the OpenRoaming name (like 'Ontix-OpenRoaming') or the name 'OpenRoaming' itself.
      - You can set the option 'Hide SSID' to avoid broadcasting it to all and sundry; maybe that's useful 😉
  2. Security is 'Enterprise with my RADIUS server'; select 'WPA2 Only' for the time being. You could select 'WPA3 only', but it will reduce the number of devices that can test.
  3. For the Splash Page, you can add the 'click-through' splash page and simply put something like the below on it:
    Or you can leave out the splash page; it's all your choice 😉

  4. Then select 'RADIUS'.
  5. Click 'New'. Provide a name. For the eduroam Europe proxy, you could use 'eduroam OpenRoaming Proxy'.
  6. Are you going to use RadSec? If so, select 'TLS'. You'll notice that several more settings appear.
  7. Provide the IP address for the proxy. If you use RadSec, use port 2083 with secret 'radsec'. Add your upstream RADIUS server details; this could be your own server or the OpenRoaming proxy details.
     - You can contact the eduroam Ops Team for the eduroam Europe OpenRoaming proxy by emailing Paul Dekkers, who manages the proxy, and ask for the OR proxy details. The European eduroam OR proxy accepts both RADIUS (over UDP/1812) and RadSec (with eduPKI certificates, over TCP/2083).
     - You can also contact eduroam UK for the UK proxy by emailing eduroamuk at jisc.ac.uk  and asking for the OR proxy details. Like the eduroam Europe proxy, the UK proxy accepts both RADIUS and RadSec (with eduPKI certificates) traffic.
  8. No RADIUS accounting servers are needed at this time (they are required for OpenRoaming Settled); don't tick any of the three options beneath that for the time being.
  9. Under the Advanced RADIUS Settings:
     - Leave Called-Station-ID and NAS ID at 'AP MAC Address' followed by 'SSID name' and 'SSID number' respectively.
     - Set Server Timeout to '10' seconds, retry is '3', and RADIUS fallback is 'Off'.
  10. Client IP and VLAN is probably 'Meraki AP assigned NAT Mode'. 😊
  11. Save your settings.
  12. Under the 'Wireless' menu, choose 'Hotspot 2.0', then choose the SSID you created.
  13. If you use RadSec, provide the 'Client Certificate', 'Private Key', 'Private Key Password' and 'CA Certificate' values. The 'Private Key Password' option is optional. You can use your eduPKI certificates here for the hosts in Step 4.
  14. Tick the option 'Accounting'. As an OpenRoaming visited site (ANP) you are required to send accounting packets.
  15. Click 'Apply Changes' to save the RADIUS server. 

Network settings

  1. Under the 'Settings' (the gear icon), go to the 'WiFi' menu. Click 'Create New' to create a new network. 
  2. Provide your SSID. Ignore the 'Password' option. Select the right 'Network' option to provide your VLAN you'll use.
  3. Select 'Manual' in the 'Advanced' option. Select 'Passpoint' in the 'Hotspot 2.0' option; new options will become available. Set 'Operator Name' to something that identifies your organisation:
    - The European eduroam OR proxy will reset it to '4EDUROAM' before it gets sent to the OpenRoaming world.
    - The UK eduroam OR proxy will prefer an operator name suffixed with 'EDUROAM.JISC:GB'. An operator name will be assigned to you.
  4. The 'Venue Name' should be set to '<your location>', and the Venue Type to 'University or College' (or 'Research and Development Facility', if you prefer).
  5. 'Network Type' should probably be set to 'Test or experimental' (which it is).
  6. 'Domain List' should probably be set to '[your domain]' and any other domains you might have.
  7. In 'Roaming Consortiums', set the following:
    - 001BC50460 (eduroam)
    - 5A03BA0000 (Baseline 'Any identity' RCOI)
    - 5A03BA0800 (Baseline education RCOI)
    - 004096 (Legacy RCOI; many devices and apps for OpenRoaming on-boarding will still use this)
  8. There's no need for any NAI realms, unless you want to handle yours locally.
  9. The 'Venue Type', 'Network Type' and 'IP Address Type Availability' options are yours to select.
  10. Under 'NAI Realm', click 'Add' and fill in the 'Name' (the actual realm) and 'EAP Method' options. Under 'Sub-Methods', add the appropriate inner methods you can use. Click 'Save' to save the NAI realm.
    Important: You will not have PEAP as an authentication type in 'EAP Method'.
  11. In the 'Roaming Consortium List' option, add your appropriate RCOIs.
    - For example, use 'Settlement Free' (or something similar) as 'Name' and '5A03BA0000' in the 'Organization ID' field for the baseline 'Any identity' RCOI.
  12. In the '3GPP Cellular Network' options, you can add mobile networks that will be able to use OpenRoaming on your network.
    - Under 'Country Name', enter the appropriate country and mobile network description, e.g. 'AT&T United States'.
    - Under 'Country Code', enter the international dialling code (although this is not necessary).
    - Under MCC and MNC, provide the necessary values for the network specified.
    Important: Please note that currently only a very limited number of mobile carriers support this option. There is also no need for any MCC/MNCs unless you specifically want to allow certain mobile operators to connect to your network. Your upstream OpenRoaming proxy has to be able to handle the 3gppnetwork.org domain associated with this kind of authentication (the Jisc OR proxy does). This is usually a list of value pairs consisting of a Mobile Country Code (MCC) and a Mobile Network Code (MNC). AT&T, for example, has two pairs, '310 280' and '310 410', while T-Mobile USA has one: '310 260'. The values can usually be derived from the '@wlan.mncXXX.mccYYY.3gppnetwork.org' username you see on a network; any 0 prefix can be dropped. To date we are aware that AT&T and T-Mobile configure their SIMs to use OpenRoaming if their MCC/MNC pair is advertised
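
The MCC/MNC derivation described in step 12, as an added example that is not part of the original page: it pulls the MCC/MNC pair out of a 3GPP NAI (or bare realm) and checks it against a constructed stand-in for the AP's '3GPP Cellular Network' entries, using the AT&T and T-Mobile USA pairs quoted above. The one-leading-zero rule for two-digit MNCs is an assumption noted in the code.

```python
import re
from typing import Optional, Tuple

# SIM-based identities use the 3GPP realm the page quotes:
# "<identity>@wlan.mncXXX.mccYYY.3gppnetwork.org" (3GPP TS 23.003).
_REALM_RE = re.compile(
    r"^(?:[^@]*@)?wlan\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$",
    re.IGNORECASE,
)

# Constructed stand-in for the '3GPP Cellular Network' entries on the AP,
# using the MCC/MNC pairs the page lists.
ADVERTISED_PLMNS = {
    ("310", "280"): "AT&T United States",
    ("310", "410"): "AT&T United States",
    ("310", "260"): "T-Mobile USA",
}

def plmn_from_nai(nai: str) -> Optional[Tuple[str, str]]:
    """Return (MCC, MNC) from a 3GPP NAI or bare realm, or None otherwise.
    The realm zero-pads the MNC to three digits (a two-digit MNC such as
    Swisscom's 228/01 appears as 'mnc001'); per the page the 0 prefix is
    dropped, so one leading zero is stripped here (assumption: the
    controller expects the MNC as two or three digits)."""
    m = _REALM_RE.match(nai.strip())
    if not m:
        return None
    mcc, mnc = m.group("mcc"), m.group("mnc")
    if mnc.startswith("0"):
        mnc = mnc[1:]
    return mcc, mnc

def describe_plmn(nai: str) -> str:
    """Report whether the identity's home network is advertised by this AP."""
    plmn = plmn_from_nai(nai)
    if plmn is None:
        return "not a 3GPP identity"
    name = ADVERTISED_PLMNS.get(plmn)
    if name is None:
        return f"MCC {plmn[0]} MNC {plmn[1]}: not advertised by this AP"
    return f"MCC {plmn[0]} MNC {plmn[1]}: advertised ({name})"

if __name__ == "__main__":
    # Constructed sample identities, not captured from a real network.
    for nai in ("0310280123456789@wlan.mnc280.mcc310.3gppnetwork.org",
                "wlan.mnc001.mcc228.3gppnetwork.org", "user@example.ac.uk"):
        print(nai, "->", describe_plmn(nai))
```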

...

  1. We're also aware that Swisscom should support this.
  2. In the 'Domain List', add your realm name, click 'Add' to add it.
  3. In the 'Operator Friendly Name', provide your company name. This setting is not your Operator-Name attribute value. There is no ability to set this for the network.
  4. Set all the other various options for the network. 
  5. Under 'Security Protocol', choose the appropriate WPA Enterprise level (it should preselect 'WPA2 Enterprise').
  6. In the 'RADIUS Profile', select the RADIUS server you set up at the top.
  7. Choose the right value for the NAS ID.
  8. Click 'Add WiFi Network' to create the network. 

Testing

Test your configuration with the following:

...