Configuration details for eduroam SP support for PassPoint / Hotspot 2.0 (preliminary)
Industry support for Passpoint is developing at varying speeds across vendors, both on the end-user device side and Wi-Fi networking gear side. This page contains both generic information and configuration hints for various eduroam SP gear. WARNING: these things may change over time. Be sure to check back regularly to see if your setup is still up-to-date and conforms to the then-current recommendations.
Generic Information
eduroam SPs (in Wi-Fi Alliance lingo: "hotspots") need to set a number of configuration parameters so that well-configured end-user devices recognise the hotspot as a) Passpoint compliant and b) a hotspot that supports connecting with eduroam credentials. This requires some information elements to be sent out by the eduroam SP equipment. The following list enumerates the current recommendations.
Element Name | Recommended Value | Remarks |
---|---|---|
Consortium OI | 00-1B-C5-04-60 | The organisation ID 00-1B-C5-04-6 is assigned to GEANT (former TERENA); GEANT has assigned the suffix 0 for eduroam. Further assignments for other consortia such as govroam are possible. |
NAI Realm List | eduroam.org | In one reading of the specification, every realm that a consortium supports should be listed. However, this is impractical for eduroam with its thousands of realms, and it is also not required by typical end-user devices: the name seen in the Wi-Fi beacon does not have to match the realm of the client-side credential; rather, it is matched against a configured NAIRealm item in the device. We recommend that end-user devices be configured with the same static "eduroam.org" value so that the comparison between client device and beacon is a match. |
Access Network Type | 1 (private network with guest access) | This value is from an enumeration and is the closest match to a typical eduroam SP. |
Domain | | According to the specification, end-user devices can detect whether they are "home" or "roaming" and display this in the UI to the user. This appears to be detected by matching this "Domain" parameter with the realm of the client-side credential. However, there is no UI evidence that the distinction is really made and displayed on any end-user device we know of. |
Venue Name | Contact information of the eduroam SP (multiple languages possible, at least English is recommended) | This is free-text information. Support phone numbers or mail addresses, or directions to an offline help desk booth appear reasonable choices. eduroam SPs should keep in mind that this info is also displayed to roaming users (language barrier, ability to diagnose roaming user problems, ...) |
IP address type availability | two classifiers (IPv4/IPv6) from IEEE 802.11-2012, tables 8-186 and 8-187 | according to deployed reality. Examples:
|
Venue Information | classifier from IEEE 802.11-2012 Table 8-52 and 8-53 (also see Location data in eduroam DB v2.0.1) | according to the actual type of eduroam SP organisation. Typical values are:
|
Operator Name | set to 1 suffixed with the primary realm of the SP (as per RFC5580), e.g. 1camford.ac.uk | Whilst the intended use of Operator Name in Hotspot 2.0 is a friendly operator name (e.g. Camford University), it appears that the value entered is then added to RADIUS requests in the Operator-Name RADIUS attribute. For eduroam purposes it should therefore follow the RFC5580 standard. |
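The following Python check is an added example, not part of the original page or of any vendor tooling. It validates a hotspot profile against the table above: it normalises the Consortium OI across the separator styles used on this page, extracts the consortium suffix under GEANT's organisation ID, and builds the RFC5580-style Operator Name. The dictionary keys and the sample profile are hypothetical and constructed for illustration; accepting only 3- or 5-octet OIs is an assumption of this example.

```python
import re

EDUROAM_OI = "001BC50460"   # table value 00-1B-C5-04-60, separators removed
GEANT_PREFIX = "001BC5046"  # 36-bit organisation ID 00-1B-C5-04-6 (nine hex digits)
REALM_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def normalise_oi(text):
    """Drop '-', ':' and spaces, upper-case, and require a 3- or 5-octet hex OI."""
    digits = re.sub(r"[-:\s]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{6}|[0-9A-F]{10}", digits):
        raise ValueError(f"not a 3- or 5-octet OI: {text!r}")
    return digits

def consortium_suffix(oi):
    """Return the 4-bit suffix assigned under GEANT's prefix, or None."""
    digits = normalise_oi(oi)
    if len(digits) == 10 and digits.startswith(GEANT_PREFIX):
        return int(digits[9], 16)
    return None

def operator_name(realm):
    """Build the Operator Name: namespace '1' (REALM in RFC 5580) plus the realm."""
    realm = realm.strip().lower()
    if not REALM_RE.fullmatch(realm):
        raise ValueError(f"not a DNS-style realm: {realm!r}")
    return "1" + realm

def check_profile(profile):
    """Return a list of deviations from the recommendations in the table."""
    problems, ois = [], set()
    for oi in profile.get("roaming_consortium", []):
        try:
            ois.add(normalise_oi(oi))
        except ValueError as exc:
            problems.append(str(exc))
    if EDUROAM_OI not in ois:
        problems.append("eduroam Consortium OI 001BC50460 is not advertised")
    if "eduroam.org" not in [r.lower() for r in profile.get("nai_realms", [])]:
        problems.append("NAI Realm List lacks eduroam.org")
    if profile.get("access_network_type") != 1:
        problems.append("Access Network Type is not 1")
    name = profile.get("operator_name", "")
    if not (name.startswith("1") and REALM_RE.fullmatch(name[1:].lower())):
        problems.append("Operator Name is not '1' followed by a realm")
    return problems

# Constructed sample profile (keys are hypothetical, not a vendor export format)
SAMPLE = {"roaming_consortium": ["00-1B-C5-04-60"], "nai_realms": ["eduroam.org"],
          "access_network_type": 1, "operator_name": operator_name("camford.ac.uk")}
```

An empty list from `check_profile` means the profile matches the recommended values; each string in a non-empty list names one element to correct.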
Configuration of some Wi-Fi Controllers
LANCOM Systems (WLC)
The configuration is rather complex and involves a hierarchy of elements. The following picture illustrates which configuration items need to be in place to arrive at a Wi-Fi config which has all the required bits in it.
Most of these items are available on a single page, the WLAN Controller -> 802.11u page:
It is strongly suggested to start with the buttons on the right end of the schema above; they are the "leaf nodes" of the configuration. Once all necessary leaves are configured, the higher-order profiles and functions are edited, referencing the now-configured leaves. Example screenshots of the three relevant leaves are below (eduroam configuration does not need the "Cellular Networks" and "Network Authentication Types" leaves):
(the consequence of the "EAP method" bit is yet unclear; it does not seem to have any effect, even when logging in to the network with a different EAP type)
After configuring the leaves, work your way up to the second level, which is "Hotspot 2.0 Profile", "ANQP Profile" and "Venue Profile":
Now, reference the two first ones in the 11u profile settings:
Then, enable 11u in the logical network profile for an SSID of your choice:
And finally, in the WLAN profiles, bind the logical network and the venue information together:
Cisco Wireless Lan Controller (8.3)
First, create a standard WLAN with 802.1X authentication. Then, from the 'WLANs' configuration page, click on the drop-down arrow and click on '802.11u'.
On the '802.11u Parameters' page tick the box to enable '802.11u Status' and then click 'Apply' in the top right corner. (Note: you must enable 802.11u first before making other parameter changes.)
Set the '802.11u General Parameters' accordingly for your WLAN:
- 'Internet Access' box should be ticked.
- 'Network Type' should be set to 'Private Network with Guest Access'
- 'Network Auth Type' should be 'Not Configured'
- 'HESSID' should be '00:00:00:00:00'
- 'IPv4 Type' should be set accordingly for your local network configuration
- 'IPv6 Type' should be set accordingly for your local network configuration
Add the eduroam Roaming Consortium OI to the OUI list. Enter '001BC50460' in the OUI field, ensure 'Is Beacon' is checked then click the 'Add' button.
If you are an IdP (as well as an SP), add the realms you authenticate to the domain list. Enter each realm in the 'Domain Name' field and click the 'Add' button.
Add 'eduroam.org' to the NAI Realm list. Enter 'eduroam.org' in the NAI Realm field and click 'Add'.
Click 'Apply' in the top right corner and then click 'WLANs' in the left menu to return to the WLAN selection screen.
From the 'WLANs' configuration page, click on the drop-down arrow for the eduroam WLAN and click on 'Hotspot 2.0'.
On the 'WLAN > Hotspot 2.0' configuration page tick the box to enable 'HotSpot2', then click 'Apply' in the top right corner.
In the 'Operator Name List' add your operator name (1realm) with the 3 letter Language Code and click 'Add'.
Click 'Apply' in the top right corner.
Finally, connect to the wireless controller via ssh or telnet and run the following command:
'config advanced hotspot anqp-4way enable'
Venue Information can be added at a per Access Point level or by editing an AP Group (802.11u Tab). (Make sure the correct operating classes are set for your network configuration.)
Ubiquiti Unifi controller (8.4+)
We'll assume you already set up a RADIUS profile for eduroam.
(also see Ubiquiti UniFi OpenRoaming configuration snippet)
Note that Ubiquiti specifies a minimum version of the Network application and AP firmware in their help topic: Setting Up Passpoint on UniFi Network
Currently not all access points (notably the U6 Lite) have release firmware available that supports Passpoint. However, the early access versions of 'UniFi Access Point 6.6.77/6.6.78' should provide this functionality.
The controller will warn you after you select Passpoint if you have selected any APs that don't support it.
You can then either try to update them, or limit the Wi-Fi network to access points that have support for Passpoint.
You will not be able to save the Wi-Fi network if you have any APs without Passpoint support selected.
Create a new Wi-Fi network and set the following:
- Name: #Passpoint (this will be the SSID, you can set this to whatever you like)
- Network: The network authenticated users will be connected to, choose your guest network here
- Advanced: Manual
- Hotspot 2.0: Passpoint
- Venue Name: See Generic Information at the start of this page
- Venue Type: See Generic Information at the start of this page
- Network Type: Private Network with Guest Access
- IP Address Type Availability: See Generic Information at the start of this page
- NAI Realm: eduroam.org
- Roaming Consortium List
  - Name: eduroam
  - Organization ID: 001BC50460
- Operator Friendly Name: Your operator name (1realm)
- Security Protocol: WPA2 Enterprise
- RADIUS Profile: The RADIUS profile for eduroam that you set up earlier
- Other settings you can set as you wish