You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Here's how to set up a Meraki MR series cloud-managed AP for OpenRoaming.

Prerequisites

First check that your MR-series AP supports Hotspot 2.0. If in doubt, contact Meraki Support (or your Meraki vendor) and check.

Next, go to your 'Wireless' menu and check that you have 'Hotspot 2.0' listed as an option. If you do not, contact Meraki support and ask them to enable Hotspot 2.0 for you. If it's there already, excellent!

Settings

  1. Under 'Wireless', to go 'SSIDs', and set up the SSID that you're going to use for OpenRoaming. Call it whatever you like. Many OpenRoaming visited operators (ANPs) use a variation of the OpenRoaming name (like 'Ontix-OpenRoaming') or the name 'OpenRoaming' itself. 
      - You can set the option 'Hide SSID' to avoid broadcasting it to all and sundry, maybe that's useful 😉
  2. Security is 'Enterprise with my RADIUS server', select 'WPA2 Only' for the time being, although you could select 'WPA3 only' but it'll reduce the number of devices that can test.
  3. For the Splash Page, you can add the 'click-through' splash page, and simply add something like the below on it:

    <p>Congratulations! Welcome to the [Insert your Organisation Name here] OpenRoaming Hotspot via a Settlement-Free identity like your Samsung, Google, or Apple account or Cisco's OpenRoaming app, or an educational identity like your eduroam account.  This page means that your authentication was successful! Hooray!</p><p>Access to this service is subject to OpenRoaming terms and conditions and privacy policy at: https://wballiance.com/openroaming/toc/ and https://wballiance.com/openroaming/privacy-policy/</p><p>Click on through to where you wanted to go in the first place!

    Or, you can leave out the splash page, it's all your choice 😉

  4. Add your upstream RADIUS server details. This could be your own server or the OpenRoaming proxy details.
     - You can contact the eduroam Ops Team for the eduroam Europe OpenRoaming proxy by emailing Paul Dekkers, who manages the proxy, and ask for the OR proxy details. The European eduroam OR proxy accepts both RADIUS (over UDP/1812) and RadSec (with eduPKI certificates, over TCP/2083).
     - You can also contact eduroam UK for the UK proxy by emailing eduroamuk at jisc.ac.uk  and asking for the OR proxy details. Like the eduroam Europe proxy, the UK proxy accepts both RADIUS and RadSec (with eduPKI certificates) traffic.
  5. No RADIUS accounting servers are needed at this time (it is required for OpenRoaming Settled), don't tick any of the three options beneath that for the time being.
  6. Under the Advanced RADIUS Settings:
     - Leave Called-Station-ID and NAS ID at 'AP MAC Address' followed by 'SSID name' and 'SSID number' respectively.
     - Set Server Timeout to '10' seconds, retry is '3', and RADIUS fallback is 'Off'.
  7. Client IP and VLAN is probably 'Meraki AP assigned NAT Mode'. 😊
  8. Save your settings.
  9. Under the 'Wireless' menu, choose 'Hotspot 2.0',then choose your SSID you created.
  10. Set 'Operator Name' to something that identifies your organisation:
    - The European eduroam OR proxy will re-set it to '4EDUROAM' before it gets sent to the OpenRoaming world.
    - The UK eduroam OR proxy will prefer an operator name suffixed with 'EDUROAM.JISC:GB'. An operator name will be assigned to you.
  11. The 'Venue Name' should be set to '<your location>', the Venue Type to 'University or College' (or 'Research and Development Facility', if you prefer)
  12. 'Network Type' should probably be set to 'Test or experimental' (which it is)
  13. 'Domain List' probably should be set to '[your domain]' and any other domains you might have.
  14. In 'Roaming Consortiums', set the following: 
    001BC50460 (eduroam)
    5A03BA0000 (Baseline 'Any identity' RCOI)
    5A03BA0800 (Baseline education RCOI)
    004096 (Legacy RCOI - many devices and apps for OpenRoaming on-boarding will still use this)
  15. There's no need for any NAI realms, unless you want to handle yours locally.
  16. There is also no need for any MCC/MNCs, unless you specifically want to allow certain mobile operators to connect to your network. Your upstream OpenRoaming proxy has to be able to handle the 3gppnetwork.org domain associated with this kind of authentication (the Jisc OR proxy does). This usually is a list of value pairs consisting of a Mobile Country Code (MCC) and a Mobile Network Code (MNC). AT&T for example has two pairs, '310 280' and '310 410', while T-Mobile USA has one: '310 260'. The values can usually be derived from the '@wlan.mncXXX.mccYYY.3gppnetwork.org' username you see on a network, any 0 prefix can be dropped. To date we are aware that AT&T and T-Mobile configure their SIMs to use OpenRoaming if their MCC/MNC pair is advertised. 

Save your configuration.

Testing

Test your configuration with the following:

  • Samsung identity - This is built into all recent Samsung Galaxy S series (and some Galaxy A series) phones, although the IdP can be spotty at times. Make sure that 'Hotspot 2.0' is enabled in the advanced Wi-Fi settings. The Wireless Broadband Alliance is aware and encouraging Samsung to fix this, so your mileage may vary
  • Google identity - This is built into all recent Google devices, but it has to be enabled by selecting 'OpenRoaming' in the Wi-Fi networks settings. You will be asked to agree to the OpenRoaming Terms and Conditions. Google's IdP is pretty rock-solid based on recent statistics
  • Cisco OpenRoaming app - This allows you to use either Google or Apple identities on either Android or iOS to connect to OpenRoaming networks. The app will prompt you to agree to the Terms and Conditions. This app still only sets a requested RCOI of 00-40-96. 
  • GlobalReach's Globalro.am app - This allows you to use Google, Apple or LinkedIn identities on either Android or iOS to connect to OpenRoaming networks. The app will prompt you to agree to the Terms and Conditions. 
  • geteduroam with your eduroam ID - Your eduroam CAT profile has to have OpenRoaming enabled (for the eduroam RCOIs above), and if you want to use the other RCOIs, have additional 'Additional HS2.0 Consortium OI' entries (one for each additional RCOI). Your IdP should support receiving traffic via the 'classic' eduroam route for OpenRoaming.

Successful testing behaviour should be to not prompt you for credentials. It should simply connect if the AP is configured correctly and, if you set a Splash Page above, display the Splash Page in your browser.

If it fails to connect, your upstream OpenRoaming proxy operator (eduroam Europe or eduroam UK) should be able to check if your traffic has made it to them. If it has, your AP is correctly configured (even if if fails to connect you to the AP). If you're using a Samsung and it categorically refuses to connect, it's likely that it's the Samsung IdP being temperamental. Try another method of testing (such as the Cisco OpenRoaming app).


  • No labels