...
Some vendors only make Hotspot 2.0 features available on request. One example is Meraki, where you must contact support through the Meraki online management portal to request that Hotspot 2.0 is enabled.
RADIUS Server
Your own RADIUS server can be anything, but if you have a RADIUS server that can speak Radsec, you'll be well on your way there. Radsecproxy is arguably the most well-known open-source Radsec server (and you can put it in front of other non-Radsec servers like Microsoft's NPS) and it is actively supported by the eduroam community; FreeRADIUS 3.2.x has vastly improved Radsec support over earlier versions (you're strongly encouraged to move to the v3.2 branch). Radiator, Cisco ISE and Aruba ClearPass are paid-for solutions that support Radsec, with Radiator very well-suited to do dynamic routing. If you know of other software that supports Radsec, let us know!
If you are a WBA member, populate the Operator-Name RADIUS attribute with your WBA ID in this format: 4<WBA ID>, e.g. 4EDUROAM, or 4JISC:GB.
If you are not a WBA member, you will not have a WBA Identifier, so you should probably use 4EDUROAM to indicate you are an eduroam member. Alternatively, if your NRO is a WBA member (the UK NRO Jisc is), they will likely assign a WBA sub-id to you.
You are required to pop a Chargeable-User-Identity request into your Access-Requests. If you are unable to do this, your uplink can potentially do this. The UK OpenRoaming proxy does this by default.
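The two requirements above (an Operator-Name in the "4" namespace and a Chargeable-User-Identity request) can be checked on the attribute section of an outgoing Access-Request. The following is an added example, not code from this page or from any RADIUS project; it assumes the attribute type numbers 126 (Operator-Name, RFC 5580) and 89 (Chargeable-User-Identity, RFC 4372) and the single-NUL CUI request from RFC 4372, and the function names and sample values are hypothetical.

```python
# Added example: audit the attribute section of an Access-Request.
OPERATOR_NAME = 126             # RFC 5580
CHARGEABLE_USER_IDENTITY = 89   # RFC 4372
WBA_NAMESPACE = b"4"            # namespace prefix the page prescribes for WBA IDs

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(blob: bytes) -> list[tuple[int, bytes]]:
    """Split an attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs

def audit_access_request(blob: bytes) -> list[str]:
    """Return the problems found; an empty list means both requirements are met."""
    attrs = parse_attrs(blob)
    problems = []
    names = [v for t, v in attrs if t == OPERATOR_NAME]
    if not names:
        problems.append("Operator-Name missing")
    elif not any(v[:1] == WBA_NAMESPACE and len(v) > 1 for v in names):
        problems.append("Operator-Name is not in the '4' (WBA ID) namespace")
    if not any(t == CHARGEABLE_USER_IDENTITY for t, _ in attrs):
        problems.append("Chargeable-User-Identity request missing")
    return problems

# Constructed sample attribute sections (not captured traffic).
USER_NAME = encode_attr(1, b"anonymous@example.org")
GOOD = (USER_NAME + encode_attr(OPERATOR_NAME, b"4EDUROAM")
        + encode_attr(CHARGEABLE_USER_IDENTITY, b"\x00"))  # NUL CUI = request
REALM_ONLY = USER_NAME + encode_attr(OPERATOR_NAME, b"1example.org")

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("realm-only", REALM_ONLY)):
        print(label, audit_access_request(blob) or "ok")
```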
Beacon Settings
In order to signal that eduroam users are welcome, a set of these RCOIs can be used. Below are two common choices. Note that the SSID for the network is then arbitrary but SHOULD NOT be "eduroam" as there are known side-effects on supplicants when the network configuration matches both by SSID and by RCOI.
...
In order to be able to communicate with OpenRoaming, you have to either set yourself up as an OpenRoaming service provider (called an ANP in OpenRoaming land) by applying for a certificate from the Wireless Broadband Alliance (WBA), or you have to connect your server to an uplink (a proxy that gets you access to the OpenRoaming network).
- Third-party hotspots which are onboarded in the OpenRoaming ecosystem by a third party need to take no further action. An OpenRoaming ANP uses the normal NAPTR discovery for users from an eduroam realm. This means that eduroam IdPs will need to publish a NAPTR record (see further down) and have it point to an eduroam ↔ OpenRoaming ANP proxy. (eduroam OT provides one such proxy for all eduroam participants; eduroam NROs may provide their own for their own institutional user base).
- Existing eduroam hotspots wishing to make use of eduroam infrastructure as their OpenRoaming uplink provider currently need to connect the Wi-Fi network that has these RCOIs to a proxy run by the eduroam Ops Team - contact points for this are Paul Dekkers and Stefan Winter. Alternatively, contact the UK NRO Jisc, who also operate an eduroam ↔ OpenRoaming ANP proxy.
- If you intend to be an ANP, depending on your network access provision conditions, you may need to arrange for additional network provision that allows you to route network traffic that does not comply with your existing provision conditions. For example, organisations receiving network access through the UK JANET network must ensure that non-research/educational users are not routed over the existing network connection, but via separate network access (such as a broadband connection from a commercial provider).
- Also, if you intend to be an ANP, you must forward accounting requests to your uplink, and they are required to send those on to the identity provider.
...
where the string
is the WBA Identifier of the organisation that operates the hotspot. If you are not a WBA member, you may not have a WBA Identifier, so you should probably use 4EDUROAM to indicate you are an eduroam member. Alternatively, if your NRO is a WBA member (the UK NRO Jisc is), they may assign a WBA sub-id to you.
End-User Device Settings
...