Here's how to set up a Meraki MR series cloud-managed AP for OpenRoaming.

Prerequisites

First check that your MR-series AP supports Hotspot 2.0. If in doubt, contact Meraki Support (or your Meraki vendor) and check.

Next, go to your 'Wireless' menu and check that you have 'Hotspot 2.0' listed as an option. If you do not, contact Meraki support and ask them to enable Hotspot 2.0 for you. If it's there already, excellent!

Settings

  1. Under 'Wireless', go to 'SSIDs', and set up the SSID that you're going to use for OpenRoaming. Call it whatever you like. Many OpenRoaming visited operators (ANPs) use a variation of the OpenRoaming name (like 'Ontix-OpenRoaming') or the name 'OpenRoaming' itself.
      - You can set the option 'Hide SSID' to avoid broadcasting it to all and sundry, maybe that's useful 😉
  2. Set Security to 'Enterprise with my RADIUS server' and select 'WPA2 Only' for the time being. You could select 'WPA3 only', but that reduces the number of devices that can test.
  3. For the Splash Page, you can add the 'click-through' splash page, and simply add something like the below on it:

    <p>Congratulations! Welcome to the [Insert your Organisation Name here] OpenRoaming Hotspot via a Settlement-Free identity like your Samsung, Google, or Apple account or Cisco's OpenRoaming app, or an educational identity like your eduroam account. This page means that your authentication was successful! Hooray!</p><p>Access to this service is subject to OpenRoaming terms and conditions and privacy policy at: https://wballiance.com/openroaming/toc/ and https://wballiance.com/openroaming/privacy-policy/</p><p>Click on through to where you wanted to go in the first place!</p>

    Or, you can leave out the splash page, it's all your choice 😉

  4. Add your upstream RADIUS server details. This could be your own server or the OpenRoaming proxy details.
     - You can contact the eduroam Ops Team for the eduroam Europe OpenRoaming proxy by emailing Paul Dekkers, who manages the proxy, and ask for the OR proxy details. The European eduroam OR proxy accepts both RADIUS (over UDP/1812) and RadSec (with eduPKI certificates, over TCP/2083).
     - You can also contact eduroam UK for the UK proxy by emailing eduroamuk at jisc.ac.uk and asking for the OR proxy details. Like the eduroam Europe proxy, the UK proxy accepts both RADIUS and RadSec (with eduPKI certificates) traffic.
  5. No RADIUS accounting servers are needed at this time (accounting is required for OpenRoaming Settled); don't tick any of the three options beneath that for the time being.
  6. Under the Advanced RADIUS Settings:
     - Leave Called-Station-ID and NAS ID at 'AP MAC Address' followed by 'SSID name' and 'SSID number' respectively.
     - Set Server Timeout to '10' seconds, retry is '3', and RADIUS fallback is 'Off'.
  7. Client IP and VLAN is probably 'Meraki AP assigned NAT Mode'. 😊
  8. Save your settings.
  9. Under the 'Wireless' menu, choose 'Hotspot 2.0', then choose the SSID you created.
  10. Set 'Operator Name' to something that identifies your organisation:
    - The European eduroam OR proxy will re-set it to '4EDUROAM' before it gets sent to the OpenRoaming world.
    - The UK eduroam OR proxy will prefer an operator name suffixed with 'EDUROAM.JISC:GB'. An operator name will be assigned to you.
  11. The 'Venue Name' should be set to '<your location>', and the Venue Type to 'University or College' (or 'Research and Development Facility', if you prefer).
  12. 'Network Type' should probably be set to 'Test or experimental' (which it is).
  13. 'Domain List' should probably be set to '[your domain]' and any other domains you might have.
  14. In 'Roaming Consortiums', set the following (hex OIs, entered without separators):
     - 001BC50460 (eduroam)
     - 001BC5046F (eduroam)
     - 5A03BA0800 (Baseline education RCOI)
     - 5A03BA0000 (Baseline 'Any identity' RCOI)
     - 004096 (Legacy RCOI - many devices will still use this)
  15. There's no need for any NAI realms or MCC/MNCs, unless you specifically want to allow certain mobile operators to connect to your network (and your upstream proxy has to be able to handle the 3gppnetwork.org domain associated with this).

Save your configuration.

Testing

Test your configuration with the following:

  • Samsung identity - This is built into all recent Samsung phones, although the IdP can be spotty at times. The Wireless Broadband Alliance is aware and is encouraging Samsung to fix this, so your mileage may vary.
  • Google identity - This is built into all recent Google devices, but it has to be enabled by selecting 'OpenRoaming' in the Wi-Fi networks settings. You will be asked to agree to the OpenRoaming Terms and Conditions. Google's IdP is pretty rock-solid based on recent statistics.
  • Cisco OpenRoaming app - This allows you to use either Google or Apple identities on either Android or iOS to connect to OpenRoaming networks. The app will prompt you to agree to the Terms and Conditions. This app still only sets a requested RCOI of 00-40-96.
  • geteduroam with your eduroam ID - Your eduroam CAT profile has to have OpenRoaming enabled (for the eduroam RCOIs above), and if you want to use the other RCOIs, have additional 'Additional HS2.0 Consortium OI' entries (one for each additional RCOI). Your IdP should support receiving traffic via the 'classic' eduroam route for OpenRoaming.
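A quick way to sanity-check the Roaming Consortiums list from step 14 against the test clients above is to do the same OI match a Hotspot 2.0 client does: the client associates if any RCOI in its profile appears in the AP's advertised list. The script below is an added example, not code from this guide or from Meraki; the AP list is a copy of step 14, the Cisco app (00-40-96) and geteduroam (eduroam RCOIs) entries come from the text above, and the 3..15 octet OI length rule is the range hostapd accepts for `roaming_consortium`.

```python
# rcoi_check.py -- added example, not part of the original guide or Meraki.
# Normalises Roaming Consortium OIs as typed in the dashboard or carried in a
# client's profile, and checks which test clients can match the AP's list.
import re

# Constructed copy of the RCOI list from step 14 (hex OIs, no separators).
AP_RCOIS = ["001BC50460", "001BC5046F", "5A03BA0800", "5A03BA0000", "004096"]

# RCOIs each test client requests. The Cisco app value (00-40-96) and the
# eduroam RCOIs for geteduroam are taken from the guide's Testing section.
CLIENT_RCOIS = {
    "Cisco OpenRoaming app": ["00-40-96"],
    "geteduroam (eduroam CAT profile)": ["001BC50460", "001BC5046F"],
}

def normalize_oi(value: str) -> str:
    """Strip '-', ':' and spaces, upper-case, and require 3..15 octets of hex
    (the hostapd roaming_consortium range, assumed here); raise otherwise."""
    hexstr = re.sub(r"[-:\s]", "", value).upper()
    if (not re.fullmatch(r"[0-9A-F]+", hexstr) or len(hexstr) % 2
            or not 6 <= len(hexstr) <= 30):
        raise ValueError(f"invalid RCOI: {value!r}")
    return hexstr

def beacon_ois(ap_ois):
    """The 802.11 Roaming Consortium element in the beacon carries at most
    three OIs; the rest of the list is only discoverable via an ANQP query."""
    return [normalize_oi(o) for o in ap_ois][:3]

def client_can_match(ap_ois, client_ois) -> bool:
    """Hotspot 2.0 matching: one OI shared with the AP is enough to associate."""
    ap = {normalize_oi(o) for o in ap_ois}
    return any(normalize_oi(o) in ap for o in client_ois)

def check_clients(ap_ois, clients=CLIENT_RCOIS) -> dict:
    """Map each test client name to whether it can match this AP's RCOI list."""
    return {name: client_can_match(ap_ois, ois) for name, ois in clients.items()}

if __name__ == "__main__":
    for name, ok in check_clients(AP_RCOIS).items():
        print(f"{name:35s} {'matches' if ok else 'NO MATCH'}")
    print("OIs that fit in the beacon element:", beacon_ois(AP_RCOIS))
```

If you drop 004096 from the list, the Cisco app entry flips to NO MATCH, which is the same symptom you would see in testing.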

When testing, you should not be prompted for credentials. The device should simply connect if the AP is configured correctly and, if you set a Splash Page above, display the Splash Page in your browser.

If it fails to connect, your upstream OpenRoaming proxy operator (eduroam Europe or eduroam UK) should be able to check whether your traffic has made it to them. If it has, your AP is correctly configured (even if it fails to connect you to the AP). If you're using a Samsung and it categorically refuses to connect, it's likely that it's the Samsung IdP being temperamental. Try another method of testing (such as the Cisco OpenRoaming app).
