Here's how to set up a Meraki MR series cloud-managed AP for OpenRoaming.
Prerequisites
First check that your MR-series AP supports Hotspot 2.0. If in doubt, contact Meraki Support (or your Meraki vendor) and check.
Next, go to your 'Wireless' menu and check that you have 'Hotspot 2.0' listed as an option. If you do not, contact Meraki support and ask them to enable Hotspot 2.0 for you. If it's there already, excellent!
Settings
- Under 'Wireless', go to 'SSIDs', and set up the SSID that you're going to use for OpenRoaming. Call it whatever you like. Many OpenRoaming visited operators (ANPs) use a variation of the OpenRoaming name (like 'Ontix-OpenRoaming') or the name 'OpenRoaming' itself.
- You can set the option 'Hide SSID' to avoid broadcasting it to all and sundry, maybe that's useful 😉
- Security is 'Enterprise with my RADIUS server'. Select 'WPA2 Only' for the time being; you could select 'WPA3 only', but it'll reduce the number of devices that can test.
For the Splash Page, you can add the 'click-through' splash page, and simply add something like the below on it:
<p>Congratulations! Welcome to the [Insert your Organisation Name here] OpenRoaming Hotspot via a Settlement-Free identity like your Samsung, Google, or Apple account or Cisco's OpenRoaming app, or an educational identity like your eduroam account. This page means that your authentication was successful! Hooray!</p>
<p>Access to this service is subject to OpenRoaming terms and conditions and privacy policy at: https://wballiance.com/openroaming/toc/ and https://wballiance.com/openroaming/privacy-policy/</p>
<p>Click on through to where you wanted to go in the first place!</p>
Or, you can leave out the splash page, it's all your choice 😉
- Add your upstream RADIUS server details. This could be your own server or the OpenRoaming proxy details.
- You can contact the eduroam Ops Team for the eduroam Europe OpenRoaming proxy by emailing Paul Dekkers, who manages the proxy, and ask for the OR proxy details. The European eduroam OR proxy accepts both RADIUS (over UDP/1812) and RadSec (with eduPKI certificates, over TCP/2083).
- You can also contact eduroam UK for the UK proxy by emailing eduroamuk at jisc.ac.uk and asking for the OR proxy details. Like the eduroam Europe proxy, the UK proxy accepts both RADIUS and RadSec (with eduPKI certificates) traffic.
- No RADIUS accounting servers are needed at this time (they are required for OpenRoaming Settled), so don't tick any of the three options beneath that for the time being.
- Under the Advanced RADIUS Settings:
- Leave Called-Station-ID and NAS ID at 'AP MAC Address' followed by 'SSID name' and 'SSID number' respectively.
- Set Server Timeout to '10' seconds, retry is '3', and RADIUS fallback is 'Off'.
- Client IP and VLAN is probably 'Meraki AP assigned NAT Mode'. 😊
- Under 'Hotspot 2.0', choose the SSID you created.
- Set 'Operator Name' to something that identifies your organisation:
- The European eduroam OR proxy will re-set it to '4EDUROAM' before it gets sent to the OpenRoaming world.
- The UK eduroam OR proxy will prefer an operator name suffixed with 'EDUROAM.JISC:GB'. An operator name will be assigned to you.
- The 'Venue Name' should be set to '<your location>', the Venue Type to 'University or College' (or 'Research and Development Facility', if you prefer)
- 'Network Type' should probably be set to 'Test or experimental' (which it is)
- 'Domain List' probably should be set to '[your domain]' and any other domains you might have.
- In 'Roaming Consortiums', set the following:
001BC50460 (eduroam)
001BC5046F (eduroam)
5A03BA0800 (Baseline education RCOI)
5A03BA0000 (Baseline 'Any identity' RCOI)
004096 (Legacy RCOI - many devices will still use this)
- There's no need for any NAI realms or MCC/MNCs, unless you specifically want to allow certain mobile operators to connect to your network (and your upstream proxy has to be able to handle the 3gppnetwork.org domain associated with this).
Save your configuration.
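To check what the AP advertises once the configuration is saved, the following added example (not from the original page and not Meraki code) parses the 802.11 Roaming Consortium element (ID 111) taken from a beacon capture and compares it with the RCOIs listed above. The element has room for at most three OIs, with the rest counted as available through ANQP, so five configured RCOIs should appear as three beacon OIs plus an ANQP count of 2. The function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the original page): parse the 802.11 Roaming
# Consortium element (ID 111) from a beacon and compare it with this guide's RCOIs.
EXPECTED_RCOIS = {"001BC50460", "001BC5046F", "5A03BA0800", "5A03BA0000", "004096"}

# Constructed sample element, not a real capture: ANQP count 2, three OIs in the beacon.
SAMPLE_IE = bytes.fromhex("6f0f02555a03ba00005a03ba0800004096")


def parse_roaming_consortium_ie(ie: bytes):
    """Return (number_of_anqp_ois, [OIs carried in the beacon as upper-case hex])."""
    if len(ie) < 4 or ie[0] != 111:
        raise ValueError("not a Roaming Consortium element (ID 111)")
    body = ie[2:]
    if ie[1] != len(body):
        raise ValueError("length field does not match element body")
    anqp_count = body[0]
    len1, len2 = body[1] & 0x0F, body[1] >> 4  # low nibble: OI #1, high nibble: OI #2
    data = body[2:]
    len3 = len(data) - len1 - len2  # OI #3 has no length field; it is the remainder
    if len3 < 0:
        raise ValueError("OI lengths exceed element body")
    ois, pos = [], 0
    for n in (len1, len2, len3):
        if n:
            ois.append(data[pos:pos + n].hex().upper())
        pos += n
    return anqp_count, ois


def check_advertised(ie: bytes, expected=frozenset(EXPECTED_RCOIS)):
    """Compare beacon OIs with the configured set; the rest should be ANQP-only."""
    anqp_count, ois = parse_roaming_consortium_ie(ie)
    not_in_beacon = sorted(set(expected) - set(ois))
    return {
        "beacon_ois": ois,
        "unexpected": [oi for oi in ois if oi not in expected],
        "not_in_beacon": not_in_beacon,
        # Every configured RCOI missing from the beacon should be counted as an ANQP OI.
        "anqp_count_matches": anqp_count == len(not_in_beacon),
    }


if __name__ == "__main__":
    for key, value in check_advertised(SAMPLE_IE).items():
        print(f"{key}: {value}")
```

An 'unexpected' entry or a false 'anqp_count_matches' means the advertised set differs from the list configured under 'Roaming Consortiums'.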
Testing
Test your configuration with the following:
...