One Global Wi-Fi Network and OpenRoaming

1.2 Enterprise WiFi

OpenRoaming is an open industry standard that automates device roaming between different WiFi networks. It is built upon enterprise WiFi technologies such as Passpoint, which offers security comparable to that of cellular networks.

1.2.1 Enterprise WiFi and Passpoint

Enterprise WiFi served the industry successfully for years before telcos began looking at how WiFi could offer an alternative to small cells for 5G deployment. Traditionally, enterprise WiFi has been referred to as “WPA-Enterprise” and is branded by the WiFi Alliance as Passpoint, or sometimes “Hotspot 2.0.” Passpoint has been around since 2012 and is promoted by telcos such as AT&T and T-Mobile for offloading cellular internet traffic to WiFi. Most mobile devices come pre-configured with Passpoint support. The technology itself contains three key components: the IEEE 802.1x and 802.11u standards, and the Extensible Authentication Protocol (EAP). The network side is implemented by a Remote Authentication Dial-In User Service (RADIUS) system, which implements an AAA (authentication, authorization, and accounting) protocol for managing network access. RADIUS uses two types of data packets to manage the full AAA process: Access-Request, which handles authentication and authorization, and Accounting-Request, which handles accounting.

1.2.1.1 IEEE802.1x

IEEE802.1x is an IEEE (Institute of Electrical and Electronics Engineers) standard for port-based network access control (PNAC) for wired and wireless access points. 802.1x defines authentication controls for any user or device trying to access a LAN or WLAN. The authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop or cell phone) that wishes to attach to the LAN/WLAN. The authenticator is a network device that provides a data link between the client and the network, and that can allow or block network traffic between the two; this device could be an Ethernet switch or a wireless access point, for example. The authentication server is typically a trusted server that can receive and respond to requests for network access and can, based on different policies, tell the authenticator whether the connection is to be allowed. Authentication servers typically run software supporting the RADIUS and EAP protocols. The authenticator acts like the security guard for a protected network: the supplicant is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1x port-based authentication, the supplicant must initially provide the required credentials to the authenticator. These will have been specified in advance by the network administrator and could include a username/password or a permitted digital certificate. The authenticator forwards these credentials to the authentication server, which decides whether access is to be granted. If the authentication server determines the credentials are valid, it informs the authenticator, which in turn allows the supplicant (client device) to access resources located on the protected side of the network.

1.2.1.2 IEEE802.11u

IEEE802.11u defines the procedures related to hotspot connections and the authorization of clients by third parties (for cellular network offloading). It includes airlink encryption, network discovery and selection (Access Network Query Protocol), Quality-of-Service (QoS) map distribution, etc. IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) communication.

1.2.1.3 EAP

EAP is used on encrypted networks to provide a secure method of sending identifying information for the purpose of network authentication. EAP was developed by the IETF (Internet Engineering Task Force), and has been widely adopted by wired and wireless access networks. In enterprise WiFi, commonly used authentication methods implement EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security) and EAP-PEAP (Protected Transport Level Security).



1.2.1.4 RADIUS

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as its transport layer protocol. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1x authentication. A RADIUS server is usually a background process running on Linux or Microsoft Windows. A RADIUS server essentially acts as the “security guard” of an 802.1x network; as users connect to the network, the RADIUS server authenticates their identity and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI (Private Key Infrastructure) or confirming their credentials. Each time the user connects, the RADIUS server confirms they have the correct certificate or credentials, and prevents any unapproved users from accessing the network.

RADIUS is commonly used to facilitate roaming between networks belonging to different ISPs. Thus, it allows for a single global set of credentials that are usable on many public networks. It also lets independent but collaborating institutions issue their own credentials to their own users, allowing visitors to a new network to be authenticated by their home institution, as with eduroam. eduroam has RADIUS servers working as proxies using RadSec, or “RADIUS over TLS.” The RADIUS server can authenticate the user’s status at their home university via their home service provider (HSP), and grant them secure network access at a different university they are currently visiting, through the access network provider (ANP).

RADIUS facilitates this using realms, which identify where the RADIUS server should forward the AAA requests for processing. Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example, somedomain.com\username@anotherdomain.com could be a valid username with two realms. Although realms often resemble domains, it is important to note that realms are in fact arbitrary text and need not contain real domain names. Realm formats are standardized in RFC 4282 and RFC 7542, which define a Network Access Identifier (NAI) in the form 'user@realm'. In that specification, the 'realm' portion is required to be a domain name. However, this practice is not always followed.
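As an added illustration (not part of the original text), the following Python splits a NAI into the prefix and postfix realms described above and checks whether the postfix realm is a domain name in the RFC 7542 sense; the rule that the postfix realm selects the proxy's next hop is an assumption, as is the ASCII-only domain regex.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RFC 7542 expects the realm to be a domain name: dot-separated labels of
# letters, digits and hyphens.  The regex is an assumption covering the plain
# ASCII case; internationalised (UTF-8) realms are not handled here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_REALM = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


class NAI(NamedTuple):
    prefix_realms: Tuple[str, ...]  # realms given in "realm\user" notation, outermost first
    user: str
    realm: Optional[str]            # postfix realm after the last '@', None if absent
    realm_is_domain: bool           # True when the postfix realm looks like a real domain


def parse_nai(nai: str) -> NAI:
    """Split a Network Access Identifier into user and realm components.

    Handles 'alice@example.org', 'example.org\\alice' and the compound form
    from the text, 'somedomain.com\\username@anotherdomain.com'.
    Raises ValueError for empty components or embedded whitespace.
    """
    if not nai or any(c.isspace() for c in nai):
        raise ValueError("NAI is empty or contains whitespace")
    if "@" in nai:
        local, realm = nai.rsplit("@", 1)   # only the LAST '@' separates the realm
        if not realm:
            raise ValueError("empty realm after '@'")
    else:
        local, realm = nai, None
    *prefixes, user = local.split("\\")
    if not user or any(not p for p in prefixes):
        raise ValueError("empty user or empty prefix realm")
    return NAI(tuple(prefixes), user, realm,
               bool(realm) and _DOMAIN_REALM.match(realm) is not None)


def routing_realm(nai: str) -> Optional[str]:
    """Realm a RADIUS proxy uses to pick the next hop for an Access-Request.

    Assumed policy: the postfix realm decides the first hop and the prefix
    realm is left for the receiving server to interpret.  Without any realm
    the request is handled locally (None).  Realms are lower-cased because
    they are compared like DNS names, case-insensitively.
    """
    parsed = parse_nai(nai)
    if parsed.realm:
        return parsed.realm.lower()
    return parsed.prefix_realms[0].lower() if parsed.prefix_realms else None
```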

RadSec is an 802.11x protocol for transporting RADIUS datagrams over TCP (Transmission Control Protocol) and TLS (Transport Layer Security). RadSec is not to be confused with RADIUS using EAP-TLS, which refers to RADIUS authenticating for the certificate-based 802.1x protocol.



A RADIUS system that allows users to log in with a username and attributes instead of a password is critical for attracting them to use public infrastructure for authentication and authorization purposes. Otherwise, they would hire someone to manage their backend or do it themselves. EAP-TLS is passwordless, but it requires both client and server sides to have certificates, which is very cumbersome for the server side to manage. As a result, EAP-TTLS and EAP-PEAP are the most widely used for public WiFi infrastructure, but both still require passwords.

1.2.2 OpenRoaming and Wireless Broadband Alliance

Essentially, OpenRoaming is a roaming federation service enabling an automatic and secure WiFi experience globally. The key is to allow users to access ANPs via their HSP and RADIUS proxy, and to establish commercial terms among these ANPs and HSPs. OpenRoaming was developed by Cisco for years until the Wireless Broadband Alliance (WBA) took over development at the beginning of 2020. From the start, the WBA and the WiFi Alliance (WFA) worked together to develop the standards OpenRoaming uses (primarily WiFi CERTIFIED Passpoint™ and Wireless Roaming Intermediary Exchange [WRIX]).

While Passpoint is able to provide local roaming and direct network partnerships, OpenRoaming targets a broader geographical area. Instead of using local networks as an intermediary to reach the HSP’s RADIUS server, OpenRoaming utilizes federated directories to allow trusted networks to authenticate the user locally. Essentially, the goal of OpenRoaming is to develop one Global WiFi network. The roaming process can be divided into different functional components: firstly, configuring the network and the subscriber devices to allow roaming; secondly, creating the technical interconnections between the partnering companies/network providers, which allows for all real-time activities, such as authentication and accounting, to be performed; and finally, establishing the commercial framework for roaming, which includes billing and settlement agreements between the relevant companies.

1.2.2.1 Wireless Broadband Alliance (WBA)

The WBA is the global organization that connects people with the latest Wi-Fi initiatives. Founded in 2003, the vision of the Wireless Broadband Alliance (WBA) is to drive seamless, interoperable service experiences within the global wireless ecosystem via WiFi. The WBA’s mission is to enable collaboration between service providers, technology companies, cities, regulators, and organizations to achieve that vision. The WBA’s members include major operators, identity providers, and leading technology companies across the WiFi ecosystem who share a common vision. Currently, it is supported by nearly all the largest players in the field.

The WBA undertakes programs and activities designed to address business and technical issues as well as opportunities for member companies. The alliance’s work areas include standards development, industry guidelines, trials, and certification and advocacy. Its key programs include NextGen Wi-Fi, OpenRoaming, 5G, IoT, Testing & Interoperability, and Policy & Regulatory Affairs, with member-led Work Groups dedicated to resolving standards and technical issues in order to promote end-to-end services and grow business opportunities.

Currently, the WBA is managing OpenRoaming technical architecture, guidelines, standardization, and validation. It defines for service providers the best practices for roaming set-up, and outlines the reasons for providing roaming services while offering suitable strategies to foster adoption. Moreover, the WBA maintains a database of operators’ roaming-related data, including their Unique Organization Identifier(s) (WBAID), which are solely provided and maintained by the WBA.

1.2.2.2 Technical Architecture


The diagram above describes the architectural framework for supporting the WBA’s Policy-Enabled WiFi Federation. Together, the WBA’s Certificate Policy, Federation Terms of Service, and Database operations procedures define this federation’s operations.

The key is how to onboard users to a federation of multiple identity providers (IdPs) and multiple venues. Initially designed for a venue to form an auto-onboarding agreement with a small set of carriers, OpenRoaming has rapidly grown, allowing consortiums of multiple carriers and other IdPs to form auto-onboarding relationships with multiple venues. As adoption increased, this many-to-many relationship surfaced complexities and challenges that a smaller-scale design was not made to address. The WBA OpenRoaming™ solution aims to bridge that need by recommending how these elements could be used in the context of an OpenRoaming network or a regular Passpoint deployment (non-OpenRoaming network).



To provide Wi-Fi roaming services, the ANP and IDP must have interoperability mechanisms in place which are defined by WRIX. OpenRoaming is built on a foundation of RadSec secured using the WBA’s PKI (private key infrastructure), which requires all OpenRoaming participants to be identified using their WBAID. All ANPs shall support RADIUS Accounting for all OpenRoaming sessions, irrespective of which RCOIs (roaming identifiers) are supported, i.e., for both settled and settlement free service.

The WBAID consists of two parts: a mandatory “WBA Primary Member ID”, which is assigned by the WBA when a company joins the WBA, and an optional prepended SubID, which is allocated by a WBA Agent. The WBAID is defined as follows: <Operator ID>:<country code>. It is included in the IDP and ANP identifiers in the usage exchange records as well as in the financial information managed by the WRIX. Besides being used in end-to-end communication and in the RADIUS attribute ‘Operator Name’, it is also used in the attribute ‘Chargeable User Identity’, combined with the user information, and in the Identity-Provider Vendor Specific Attribute of the Access-Accept. Other supporting processes, such as requesting a PKI certificate or exchanging configuration details, also require the WBAID.
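The following Python is an added example, not OpenRoaming or WBA code, showing how an ANP's Access-Request can carry the WBAID in Operator-Name, request a Chargeable-User-Identity, and protect the packet with a Message-Authenticator keyed by the RADIUS shared secret (the integrity check RadSec's TLS layer wraps). The REALM namespace byte in Operator-Name and the WBAID value are assumptions and placeholders.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS code and attribute types (RFC 2865, RFC 3579, RFC 4372, RFC 5580)
ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80
CHARGEABLE_USER_IDENTITY = 89
OPERATOR_NAME = 126

def _avp(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1 octet) | Length (1 octet, counts this header) | Value
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(identifier: int, secret: bytes, nai: str, wbaid: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Encode the Access-Request an ANP forwards toward the user's IdP.

    Operator-Name carries the ANP's WBAID behind namespace byte '1' (REALM,
    RFC 5580); that encoding is an assumption.  A CUI attribute holding one
    NUL asks the IdP to return a Chargeable-User-Identity (RFC 4372).
    """
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = _avp(USER_NAME, nai.encode())
    attrs += _avp(OPERATOR_NAME, b"1" + wbaid.encode())
    attrs += _avp(CHARGEABLE_USER_IDENTITY, b"\x00")
    attrs += _avp(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += authenticator + attrs
    # HMAC-MD5 keyed with the shared secret over the whole packet, placeholder zeroed
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, refusing lengths that do not add up."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    out, off = [], 20
    while off < length:
        if off + 2 > length or packet[off + 1] < 2 or off + packet[off + 1] > length:
            raise ValueError("malformed attribute length")
        out.append((packet[off], packet[off + 2:off + packet[off + 1]]))
        off += packet[off + 1]
    return out

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed; constant-time compare."""
    off = 20
    for attr_type, value in attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        off += 2 + len(value)
    return False  # no Message-Authenticator: treat the request as unauthenticated
```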



3GPP 23.003 defines the sub-domain to be used with EAP-SIM, EAP-AKA and EAP-AKA’ methods. The NAI realm is of the format:

wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org, where <MNC> and <MCC> are the MNC and MCC of the Mobile Network Operator (MNO).

The 3gppnetwork.org domain is operated by the GSMA. GSMA permanent reference document IR.67 describes the guidelines associated with the domain, including the operation of delegated zones by individual MNOs. In order to enable 3GPP-defined NAI realms to continue to be used in Passpoint-enabled devices, while avoiding any impact on the security associated with the GSMA-defined DNS guidelines, those OpenRoaming systems that are not connected to the GSMA’s inter-PLMN backbone and want to resolve any NAI realm of the form:

xxx.mnc<MNC>.mcc<MCC>.3gppnetwork.org

shall perform the DNS query using the modified realm:

xxx.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org

Similarly, those MNOs that have joined the OpenRoaming federation should provision the corresponding sub-domain in their DNS. This lets them identify the AAA peer used to authenticate their subscribers when using the OpenRoaming federation [9].

1.2.2.3 Onboarding Policy Control

The key to OpenRoaming is policy control once the exchange hub and proxy are established. The realization of policy controls for the OpenRoaming federation entails striking a balance between what’s required for fine-grained policy enforcement and what’s required to minimize the potential negative impacts of policy enforcement on user experience.

The Roaming Consortium Organization Identifier (RCOI) integrates with the Access Network Query Protocol (ANQP) to provide additional information to the ANP. This is the preferred approach for realizing ANP based authorization policy. If the ANP does not want to authorize all users associated with a particular RCOI, it will avoid broadcasting that RCOI and instead use an “allow list” of permitted NAI-realms to define the subset of authorized users associated with a particular RCOI. The normal rules for Passpoint access network selection thus ensure that OpenRoaming users will not attempt to authenticate to a network for which they are not authorized, and hence that they will not suffer any degraded connection experience associated with implementing authorization controls.

OpenRoaming defines the use of multiple RCOIs to facilitate the implementation of policies across the federation.



Where ‘xx-xx’ denotes the 12-bit extension, RCOI examples include:

OpenRoaming-Settled: BA-A2-D0-xx-xx

OpenRoaming-Settlement-Free: 5A-03-BA-xx-xx
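An added example (not the federation's own code) modelling the ANP authorization policy from the preceding paragraphs: a broadcast RCOI admits every user of that consortium, while an allow-listed RCOI is withheld from ANQP and only its permitted NAI realms are advertised and accepted. The RCOI values are the bases quoted above with a constructed zero extension, and the policy class is an assumed model rather than a WBA-defined interface.

```python
from typing import Dict, Iterable, List, Optional, Set

# 24-bit base identifiers quoted in the text; a deployed RCOI appends the
# policy extension written as xx-xx above.
RCOI_BASES = {"BAA2D0": "OpenRoaming-Settled", "5A03BA": "OpenRoaming-Settlement-Free"}


def normalise_rcoi(rcoi: str) -> str:
    """Strip separators and validate hex so 'BA-A2-D0-00-00' and 'baa2d00000' compare equal."""
    digits = rcoi.replace("-", "").replace(":", "").upper()
    if len(digits) < 6 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a valid RCOI: {rcoi!r}")
    return digits


def rcoi_family(rcoi: str) -> Optional[str]:
    """Name the OpenRoaming family (settled / settlement-free) an RCOI belongs to."""
    digits = normalise_rcoi(rcoi)
    return next((name for base, name in RCOI_BASES.items() if digits.startswith(base)), None)


class AnpPolicy:
    """Assumed model of the two authorization mechanisms described in the text.

    An RCOI in `broadcast` is announced via ANQP and every user of that
    consortium is accepted.  An RCOI in `realm_allow` is NOT announced; only
    its permitted NAI realms are announced, and only those realms are accepted.
    """

    def __init__(self, broadcast: Iterable[str], realm_allow: Dict[str, Iterable[str]]):
        self.broadcast: Set[str] = {normalise_rcoi(r) for r in broadcast}
        self.realm_allow: Dict[str, Set[str]] = {
            normalise_rcoi(r): {x.lower() for x in realms} for r, realms in realm_allow.items()}
        if self.broadcast & set(self.realm_allow):
            raise ValueError("an RCOI cannot be both broadcast and allow-listed")

    def anqp_roaming_consortium(self) -> List[str]:
        # Content of the ANQP Roaming Consortium list the access point announces
        return sorted(self.broadcast)

    def anqp_nai_realms(self) -> List[str]:
        # Content of the ANQP NAI Realm list covering the non-broadcast RCOIs
        return sorted(set().union(*self.realm_allow.values())) if self.realm_allow else []

    def authorizes(self, rcoi: str, nai_realm: str) -> bool:
        """Decision the ANP takes before forwarding an Access-Request for this RCOI."""
        digits = normalise_rcoi(rcoi)
        if digits in self.broadcast:
            return True
        return nai_realm.lower() in self.realm_allow.get(digits, set())
```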

1.2.2.4 Quality matrix

It is worth highlighting that the RCOI also identifies the Quality of Service (QoS) level of the given WiFi network, which is essential to ensuring a great user experience.



This OpenRoaming specification, referred to as Baseline QoS, defines the minimum WLAN and network requirements necessary for an access network to join the OpenRoaming federation. ANPs shall ensure that the following minimum requirements are met for access on all their supported RCOIs, including, when configured, OpenRoaming-Settlement-Free:

  • The ANP shall ensure that the availability of the Service when used to access the Internet, measured during scheduled operations across the ANP’s network, exceeds 90% over any one-month period.

  • The ANP shall ensure that the aggregate bandwidth used to receive Internet service on the ANP’s network is sufficient to enable each and every authenticated and authorized End User to receive a sustained 256 kilobits per second connection.

In addition to these minimum requirements, OpenRoaming defines two advanced service levels indicating an ANP’s enhanced capabilities and configuration. Only those ANPs that support the necessary service level capabilities are permitted to broadcast OpenRoaming RCOIs with context identifiers signaling their corresponding QoS fields. The detailed definitions of the Silver and Gold tiers are specified in [9]. In general, each definition sets the requirements for availability (percentage over any one-month period), aggregate bandwidth for every authenticated and authorized end user, stream downlink speed (5 megabits per second measured over one-minute intervals for the Silver tier) and end-to-end stream latency.

1.2.2.5 OpenRoaming Deployment




If a legacy ANP has not deployed OpenRoaming, it can still be deployed by an ANP Hub provider to support the four different IDP use cases.



The current OpenRoaming federation maintains a security chain based on a minimum of four protection levels:

Level 1: OpenRoaming Root
Level 2: OpenRoaming Policy I-CA
Level 3: OpenRoaming Issuing I-CA
Level 3: Optional Registration Authority (RA) (e.g., WRIX Agent)
Level 4: End-Entity

The level 2 Policy I-CA is operated as a neutral federation service. The Level 3 issuing I-CA is intended to be operated by providers of OpenRoaming services, including those businesses that provide certificate services to WRIX agents, as well as other providers that have integrated OpenRoaming into their product/service offerings. The operator of the Level 1 and Level 2 Federation service will be determined by the WBA. Operators of Level 3 services will need to enter into an agreement with WBA for providing these services. Following such an agreement, the WBA shall ensure that the Level 2 operator signs the issuing I-CA certificate(s) for the Level 3 operator.

Other federations which want to interface with the OpenRoaming federation may use dynamic discovery with distinct NAPTR application service tags to facilitate integration. Specifically, eduroam plans to operate one central interchange point with OpenRoaming. By updating their DNS NAPTR records with the OpenRoaming defined service tags, an institution which is a member of the eduroam federation may permit its users to connect via an ANP supporting OpenRoaming.

Whereas the current eduroam service providers will use the eduroam defined “x-eduroam” application service tag to discover the home institution’s RadSec peer for authentication, the OpenRoaming ANPs will use the WBA defined “aaa+auth” tag to discover a separate RadSec peer that can be defined for handling all inter-domain authentications.
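As an added example (not part of the original text or of the WBA specifications), the Python below covers the DNS side of two steps described in this section: the pub.3gppnetwork.org rewrite from 1.2.2.2 for peers off the GSMA backbone, and the selection of a RadSec peer by NAPTR service tag ("aaa+auth" versus "x-eduroam"). The zone records for uni.example are constructed, and the exact service strings ("aaa+auth:radius.tls.tcp" as in RFC 7585, "x-eduroam:radius.tls" as used by eduroam) are assumptions about the records' form.

```python
import re
from typing import List, NamedTuple, Optional

# Realm shape fixed by 3GPP TS 23.003 for EAP-SIM / EAP-AKA / EAP-AKA' subscribers
_3GPP_REALM = re.compile(
    r"^(?P<sub>[a-z0-9.-]+)\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$", re.I)

def discovery_domain(realm: str, on_gsma_backbone: bool = False) -> str:
    """DNS name an OpenRoaming peer queries to locate the AAA server for a realm.

    xxx.mnc<MNC>.mcc<MCC>.3gppnetwork.org is rewritten to
    xxx.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org unless the querier sits on the
    GSMA inter-PLMN backbone; any other realm is queried unchanged.
    """
    m = _3GPP_REALM.match(realm)
    if m and not on_gsma_backbone:
        return f"{m['sub']}.mnc{m['mnc']}.mcc{m['mcc']}.pub.3gppnetwork.org".lower()
    return realm.lower()

class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    replacement: str

def parse_naptr(zone_lines: List[str]) -> List[Naptr]:
    """Parse presentation-format records: owner IN NAPTR order pref flags service regexp target."""
    records = []
    for line in zone_lines:
        fields = line.split()
        if len(fields) != 9 or fields[2].upper() != "NAPTR":
            raise ValueError(f"not a NAPTR record: {line!r}")
        _owner, _cls, _rtype, order, pref, flags, service, _regexp, target = fields
        records.append(Naptr(int(order), int(pref), flags.strip('"').upper(),
                             service.strip('"'), target.rstrip(".")))
    return records

def select_peer(records: List[Naptr], service_tag: str) -> Optional[str]:
    """Choose the SRV name for a tag ('aaa+auth' or 'x-eduroam'): lowest order, then preference.

    The tag is the service field up to the ':' (e.g. 'aaa+auth:radius.tls.tcp');
    only 'S' records, which point at an SRV name, are considered.
    """
    matching = [r for r in records if r.flags == "S"
                and r.service.split(":", 1)[0].lower() == service_tag.lower()]
    if not matching:
        return None
    return min(matching, key=lambda r: (r.order, r.preference)).replacement

# Constructed zone fragment for a hypothetical eduroam member, uni.example
ZONE = [
    'uni.example. IN NAPTR 100 10 "S" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.uni.example.',
    'uni.example. IN NAPTR 100 10 "S" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.openroaming.uni.example.',
    'uni.example. IN NAPTR 100 20 "S" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.backup.uni.example.',
]
```

The two peers returned for the same owner show how an institution keeps its existing eduroam RadSec endpoint while publishing a separate one for inter-domain OpenRoaming authentications.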