...
- The contact information concerning the Identity Provider in the eduroam Operations Database MUST be complete and accurate, including at least email address, postal address and telephone number
- The Identity Provider MUST generate Chargeable-User-Identity attributes in authentication responses
- The DNS zone for the Identity Provider's realm name MUST include a NAPTR record for its realm pointing to an eduroam OpenRoaming interchange proxy. The example below targets the general-purpose proxy operated by eduroam OT; the target host may differ for eduroam NROs that operate their own proxy:
  realm.name. 43200 IN NAPTR 100 10 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.
- End user devices need to be provisioned with the pertinent settings to recognise OpenRoaming hotspots - see section "End-User Device Settings" below
- The end users themselves need to be made aware that they are bound by the OpenRoaming End-User Terms and Conditions whenever they connect to OpenRoaming hotspots.
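Before committing the NAPTR record above to the zone it is worth checking it the way the interchange proxy will read it. The script below is an added example for this page (it is not eduroam code and makes no DNS queries): it parses a NAPTR line in zone-file syntax, flags the mistakes that commonly break RFC 7585 dynamic discovery (wrong service tag, non-empty regexp, a replacement without the trailing dot that silently becomes relative to $ORIGIN), and names the lookup the proxy performs next. ZONE_LINE is the record from the list above; BAD_LINE is a constructed, deliberately broken variant, and the realm name is the page's placeholder.

```python
"""Parse and sanity-check the RFC 7585 NAPTR record an eduroam IdP publishes.

Added example, not eduroam code. ZONE_LINE is the record shown in the
requirements list above; BAD_LINE is a constructed, deliberately broken
variant. No DNS queries are made.
"""
import re
from dataclasses import dataclass

ZONE_LINE = ('realm.name. 43200 IN NAPTR 100 10 "s" '
             '"aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org.')
# Constructed mistake: the replacement lacks its trailing dot, so inside a zone
# file it is relative to $ORIGIN and becomes _radsec._tcp....eduroam.org.realm.name.
BAD_LINE = ('realm.name. 43200 IN NAPTR 100 10 "s" '
            '"aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.eduroam.org')

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"   # RADIUS/TLS over TCP (RFC 7585)

NAPTR_RE = re.compile(
    r'^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+NAPTR\s+'
    r'(?P<order>\d+)\s+(?P<pref>\d+)\s+'
    r'"(?P<flags>[^"]*)"\s+"(?P<service>[^"]*)"\s+"(?P<regexp>[^"]*)"\s+'
    r'(?P<repl>\S+)\s*$')


@dataclass
class Naptr:
    owner: str
    ttl: int
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


def parse_naptr(line):
    """Parse one zone-file NAPTR line (class IN, optional TTL) into a Naptr."""
    m = NAPTR_RE.match(line.strip())
    if not m:
        raise ValueError("not a NAPTR record in zone-file syntax: %r" % line)
    return Naptr(m["owner"], int(m["ttl"] or 0), int(m["order"]), int(m["pref"]),
                 m["flags"].lower(), m["service"].lower(), m["regexp"], m["repl"])


def check_realm_naptr(line, realm):
    """Return a list of problems; an empty list means the record is usable
    for RADIUS/TLS dynamic discovery of `realm`."""
    r = parse_naptr(line)
    problems = []
    if r.owner.rstrip(".").lower() != realm.rstrip(".").lower():
        problems.append("owner %s is not the realm %s" % (r.owner, realm))
    if r.service != RADSEC_SERVICE:
        problems.append("service tag %r is not %s" % (r.service, RADSEC_SERVICE))
    if r.flags not in ("s", "a"):
        problems.append('flag %r: RFC 7585 uses "s" (SRV) or "a" (A/AAAA)' % r.flags)
    if r.regexp:
        problems.append("regexp must be empty; the replacement field names the target")
    if not r.replacement.endswith("."):
        problems.append("replacement has no trailing dot, so it is relative to $ORIGIN")
    if r.flags == "s" and not r.replacement.lower().startswith("_radsec._tcp."):
        problems.append('with flag "s" the replacement should be an _radsec._tcp SRV name')
    return problems


def next_lookup(line):
    """The query a discovering proxy issues after reading this NAPTR."""
    r = parse_naptr(line)
    return ("SRV " if r.flags == "s" else "A/AAAA ") + r.replacement


def preferred_target(lines):
    """Among several NAPTRs for one realm, the one a client tries first:
    lowest order, then lowest preference (RFC 3403)."""
    recs = sorted((parse_naptr(l) for l in lines),
                  key=lambda r: (r.order, r.preference))
    return recs[0].replacement


if __name__ == "__main__":
    for name, line in (("page record", ZONE_LINE), ("broken record", BAD_LINE)):
        probs = check_realm_naptr(line, "realm.name")
        print(name, "->", "OK" if not probs else "; ".join(probs))
        print("  next lookup:", next_lookup(line))
```

preferred_target() is there for NROs that publish their own proxy alongside the eduroam OT one: give the record you want tried first the lower order (or equal order and lower preference), and confirm with `dig NAPTR realm.name` that the published set is what you intended.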
When your user is actually roaming with OpenRoaming, this is visible in the RADIUS datagrams through the RADIUS attribute
...
where the string
is the WBA Identifier of the organisation that operates the hotspot. If you are not a WBA member, you may not have a WBA Identifier. We are establishing how such identifiers can be made available; for now you should use 4EDUROAM
to indicate that you are an eduroam member. Alternatively, if your NRO is a WBA member (the UK NRO Jisc is), it may assign a WBA sub-id to you.
End-User Device Settings
Starting with version 2.1, the eduroam onboarding toolset (eduroam CAT and eduroam Managed IdP) integrates Passpoint network definitions in general, and OpenRoaming settings in particular, into its standard workflow. This version is currently available for testing on https://cat-test.eduroam.org with a stale copy of production data.
...
For eduroam Managed IdP, eduroam Passpoint-based profiles are always installed alongside the SSID-based ones. This is expected to work across Apple's entire product range, with no additional user interaction. OpenRoaming is not currently enabled on Managed IdP.
eduroam CAT mobileconfig files will install OpenRoaming Passpoint profiles when enabled (for all EAP types); they will, however, only install the eduroam Passpoint profile if the IdP's chosen EAP type is EAP-TLS. With username/password EAP types, each SSID-based and Passpoint-based profile produces its own credential prompt during installation, a known user nuisance; CAT minimises it by omitting the eduroam Passpoint profile, and with it the extra prompt.
Geteduroam will install an OpenRoaming profile if the configuration exists.
Android
eduroam Passpoint profiles and the optional OpenRoaming Passpoint profiles can be installed only with the new geteduroam app (i.e. not with the predecessor "eduroamCAT"). geteduroam's support for Passpoint profiles varies with the Android version and with whether the IdP chose "Ask" or "Always": the "Always" variant currently has better support across all supported Android versions, while "Ask" needs special IdP workarounds.
Intrinsic OpenRoaming support exists on newer Android devices and versions. For example, recent Google Pixel devices (Pixel 5 and later) show "OpenRoaming" as a network when a Hotspot 2.0 (HS2.0) hotspot is detected; you can then enable roaming to this network by choosing to use the Google account associated with your Android phone. Apps such as 'Cisco Openroaming' likewise provision an account on that network. CAT profiles installed with geteduroam instead show "<realm name> via Passpoint" and do not associate with the "OpenRoaming" SSID. On some Samsung devices you may see "OpenRoaming available using Samsung Account" instead, which works in the same way as on the Google Pixel.
geteduroam will install an OpenRoaming profile if the configuration exists. It will show as "<your realm> via Passpoint" in your Wi-Fi network list.
Linux
Any recent version of wpa_supplicant supports Passpoint, provided it has been built with the CONFIG_INTERWORKING=y and CONFIG_HS20=y build flags. Check your Linux distribution's build source configuration for confirmation. Instead of a network={} block (as you would use for a standard 802.1X network), you use a credential={} block; the supplicant selects a Passpoint network for it from the hotspot's ANQP data (roaming consortium OIs and NAI realms) rather than from an SSID.
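A minimal wpa_supplicant.conf for the case just described, added here as an example (it is not from the eduroam wiki or from the wpa_supplicant project): the global interworking=1 and hs20=1 switches plus one credential={} block. The realm, identity, password, certificate path and server name are placeholders; the roaming consortium OIs are the eduroam RCOI and the two OpenRoaming RCOIs as commonly published, which are an assumption here and should be taken from your IdP's CAT profile rather than from this snippet.

```conf
# Added example, not eduroam or wpa_supplicant project configuration.
# Realm, identity, password, paths and OIs are placeholders/assumptions.
ctrl_interface=/run/wpa_supplicant
update_config=1

# Global Passpoint switches: without interworking=1 and hs20=1 the
# credential block below is never used. auto_interworking=1 lets the
# supplicant select a matching hotspot on its own.
interworking=1
hs20=1
auto_interworking=1

credential={
	priority=1
	# Home realm: matched against the NAI Realm list the hotspot
	# advertises via ANQP, and used to form the outer identity.
	realm="realm.name"
	username="user@realm.name"
	password="REPLACE_ME"
	# EAP method and inner method, as configured by the IdP in CAT.
	eap=TTLS
	phase2="auth=MSCHAPV2"
	# Server validation: pin the IdP CA and the RADIUS server name,
	# exactly as for the SSID-based eduroam network.
	ca_cert="/etc/wpa_supplicant/realm-name-ca.pem"
	domain_suffix_match="radius.realm.name"
	# Home SP domain, so that realm.name hotspots count as home, not roaming.
	domain="realm.name"
	# Roaming consortium OIs this credential may be used on. Assumed values:
	# 001bc50460 = eduroam, 5a03ba0000 / baa2d00000 = OpenRoaming
	# (settled / settlement-free). Take the real list from your CAT profile.
	roaming_consortiums="001bc50460,5a03ba0000,baa2d00000"
}
```

Note the `={` syntax (`credential={`, `network={`), one option per line. The block carries the password in clear, so keep the file mode 0600 and owned by root. Start the supplicant with `-c` pointing at this file; if you leave auto_interworking off, trigger a Passpoint scan and selection manually with `wpa_cli interworking_select auto`, and use `wpa_cli status` to confirm the association is to a Passpoint network rather than to a plain SSID.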
...