
  1. Under 'Wireless', go to 'SSIDs', and set up the SSID that you're going to use for OpenRoaming. Call it whatever you like. Many OpenRoaming visited operators (ANPs) use a variation of the OpenRoaming name (like 'Ontix-OpenRoaming') or the name 'OpenRoaming' itself.
      - You can set the option 'Hide SSID' to avoid broadcasting it to all and sundry, maybe that's useful 😉
  2. Security is 'Enterprise with my RADIUS server'. Select 'WPA2 Only' for the time being; you could select 'WPA3 only', but it'll reduce the number of devices that can test.
  3. For the Splash Page, you can add the 'click-through' splash page, and simply add something like the below on it:

    <p>Congratulations! Welcome to the [Insert your Organisation Name here] OpenRoaming Hotspot via a Settlement-Free identity like your Samsung, Google, or Apple account or Cisco's OpenRoaming app, or an educational identity like your eduroam account. This page means that your authentication was successful! Hooray!</p>
    <p>Access to this service is subject to OpenRoaming terms and conditions and privacy policy at: https://wballiance.com/openroaming/toc/ and https://wballiance.com/openroaming/privacy-policy/</p>
    <p>Click on through to where you wanted to go in the first place!</p>

    Or, you can leave out the splash page, it's all your choice 😉

  4. Add your upstream RADIUS server details. This could be your own server or the OpenRoaming proxy details.
     - You can contact the eduroam Ops Team for the eduroam Europe OpenRoaming proxy by emailing Paul Dekkers, who manages the proxy, and ask for the OR proxy details. The European eduroam OR proxy accepts both RADIUS (over UDP/1812) and RadSec (with eduPKI certificates, over TCP/2083).
     - You can also contact eduroam UK for the UK proxy by emailing eduroamuk at jisc.ac.uk and asking for the OR proxy details. Like the eduroam Europe proxy, the UK proxy accepts both RADIUS and RadSec (with eduPKI certificates) traffic.
  5. No RADIUS accounting servers are needed at this time (accounting is required for OpenRoaming Settled). Don't tick any of the three options beneath that for the time being.
  6. Under the Advanced RADIUS Settings:
     - Leave Called-Station-ID and NAS ID at 'AP MAC Address' followed by 'SSID name' and 'SSID number' respectively.
     - Set Server Timeout to '10' seconds, retry is '3', and RADIUS fallback is 'Off'.
  7. Client IP and VLAN is probably 'Meraki AP assigned NAT Mode'. 😊
  8. Save your settings.
  9. Under the 'Wireless' menu, choose 'Hotspot 2.0', then choose the SSID you created.
  10. Set 'Operator Name' to something that identifies your organisation:
    - The European eduroam OR proxy will re-set it to '4EDUROAM' before it gets sent to the OpenRoaming world.
    - The UK eduroam OR proxy will prefer an operator name suffixed with 'EDUROAM.JISC:GB'. An operator name will be assigned to you.
  11. The 'Venue Name' should be set to '<your location>', the Venue Type to 'University or College' (or 'Research and Development Facility', if you prefer).
  12. 'Network Type' should probably be set to 'Test or experimental' (which it is).
  13. 'Domain List' probably should be set to '[your domain]' and any other domains you might have.
  14. In 'Roaming Consortiums', set the following: 
    001BC50460 (eduroam)
    5A03BA0000 (Baseline 'Any identity' RCOI)
    5A03BA0800 (Baseline education RCOI)
    004096 (Legacy RCOI - many devices and apps for OpenRoaming on-boarding will still use this)
  15. There's no need for any NAI realms, unless you want to handle yours locally.
  16. There is also no need for any MCC/MNCs, unless you specifically want to allow certain mobile operators to connect to your network. Your upstream OpenRoaming proxy has to be able to handle the 3gppnetwork.org domain associated with this kind of authentication (the Jisc OR proxy does). This is usually a list of value pairs, each consisting of a Mobile Country Code (MCC) and a Mobile Network Code (MNC). AT&T, for example, has two pairs, '310 280' and '310 410', while T-Mobile USA has one: '310 260'. The values can usually be derived from the '@wlan.mncXXX.mccYYY.3gppnetwork.org' username you see on a network; any 0 prefix can be dropped. To date we are aware that AT&T and T-Mobile configure their SIMs to use OpenRoaming if their MCC/MNC pair is advertised. See the mobile network wireless offload topic for more information on these settings.

Save your configuration.
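
The derivation described in step 16, as an added example that is not part of the original page: it pulls MCC/MNC pairs out of RADIUS User-Name values and tallies them, so you can see which pairs actually appear before advertising any. The function names and the sample usernames are constructed for illustration.

```python
import re
from collections import Counter

# Realm form quoted in step 16: wlan.mncXXX.mccYYY.3gppnetwork.org
# Anchored at the end so a lookalike realm with a trailing suffix is rejected.
REALM_RE = re.compile(
    r"@wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$", re.IGNORECASE
)

def mcc_mnc_from_username(username):
    """Return (MCC, MNC) as strings for a 3GPP-realm User-Name, else None."""
    m = REALM_RE.search(username.strip())
    if not m:
        return None
    mnc, mcc = m.group(1), m.group(2)
    # Page's rule: a 0 prefix can be dropped (mnc015 -> 15). Only one zero is
    # removed, so the MNC stays at two or three digits. A three-digit MNC that
    # really starts with 0 cannot be told apart from a padded two-digit one.
    if mnc.startswith("0"):
        mnc = mnc[1:]
    # Assumption of this example: the MCC is kept as its three digits.
    return mcc, mnc

def observed_pairs(usernames):
    """Count how often each (MCC, MNC) pair appears in a list of User-Names."""
    counts = Counter()
    for name in usernames:
        pair = mcc_mnc_from_username(name)
        if pair:
            counts[pair] += 1
    return counts

def pairs_to_list(counts):
    """Format pairs as 'MCC MNC' strings, the form used in step 16."""
    return sorted(f"{mcc} {mnc}" for mcc, mnc in counts)

# Constructed sample User-Name values (not taken from any real log).
SAMPLE_USERNAMES = [
    "0310410000000001@wlan.mnc410.mcc310.3gppnetwork.org",
    "anonymous@wlan.mnc410.mcc310.3gppnetwork.org",
    "anonymous@wlan.mnc260.mcc310.3gppnetwork.org",
    "0234150000000002@wlan.mnc015.mcc234.3gppnetwork.org",
    "alice@example.ac.uk",                               # ordinary realm, ignored
    "x@wlan.mnc410.mcc310.3gppnetwork.org.example.net",  # lookalike, ignored
]

if __name__ == "__main__":
    for line in pairs_to_list(observed_pairs(SAMPLE_USERNAMES)):
        print(line)
```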
