OpenRoaming: simple, seamless, secure Wi-Fi access and why YOU need to know about it!
If you want to know whether giving this article five minutes of your life is worth it, watch the 60-second video of OpenRoaming in action here before reading on.
The future of Wi-Fi is private, secure, and always on. I invite you to visit the Wireless Broadband Alliance's website and educate yourself on how Wi-Fi will be used in 2022 and beyond, as well as how OpenRoaming will affect your industry.
This blog piece will present the following subjects:
What is OpenRoaming?
OpenRoaming is designed to provide seamless secure Wi-Fi access, which is an industry-wide issue since efforts to standardize how this should happen have not yet reached critical mass to support worldwide acceptance. OpenRoaming is a framework that enables these industry efforts to scale, resulting in a seamless, secure Wi-Fi experience connecting billions of users and things to millions of Wi-Fi networks worldwide.
OpenRoaming is supported by a global alliance called the Wireless Broadband Alliance (WBA), which has developed the legal, legislative, and technical frameworks required to enable OpenRoaming's vision of seamlessly and securely connecting billions of users and things to millions of Wi-Fi networks worldwide.
OpenRoaming allows Wi-Fi networks to dynamically discover and securely link a device or app to the identity provider that owns or has provisioned the device or app for the purpose of granting internet access to the device or app. OpenRoaming represents the security framework for an always-on Wi-Fi device experience no matter the network location.
Why is this important?
By guaranteeing that users are always connected, the mobile network (LTE) sets the standard for user experience. Wi-Fi is a different story. A negative first-time user experience when connecting a BYOD or IoT device to an enterprise or guest Wi-Fi network is common: an infuriating and repetitive user authentication process, onboarding issues, and the never-ending security-standards showdown wreak havoc on enterprise and guest Wi-Fi networks, creating a frustrating experience for BYOD users and IoT devices on non-Next Generation Hotspot (NGH) Wi-Fi networks.
OpenRoaming consists of over two decades of technology, alliances, standards, and vendor development efforts. Passpoint, Hotspot 2.0, RADSEC, and device onboarding solutions are all required in an OpenRoaming environment, yet each of these technologies has only gained acceptance in niche markets, never reaching the heights its creators anticipated.
For example, did you know Hotspot 2.0 has been around for ten years and is now on its third release, yet it is still unknown in the enterprise Wi-Fi market?
How does OpenRoaming work?
OpenRoaming consists of four parts:
Cloud Federation
OpenRoaming allows two RADIUS servers to dynamically locate each other, connecting authenticating users or devices to the identity provider that owns or provisioned the device for OpenRoaming network connectivity.
Each cloud federation RADIUS server serves a specific purpose. Enterprise networks are linked to the OpenRoaming Cloud Federation via a roaming hub, while an identity provider (IDP) or IDP broker receives authentication requests from OpenRoaming hubs across the world and passes them on to the identity stores that authenticate the user or device.
Each of the Cloud Federation's "RADIUS" server instances requires a WBA OpenRoaming certificate and must be capable of speaking RADSEC. To receive a WBA OpenRoaming certificate, a company interested in OpenRoaming must join the WBA, which starts at AUD $5K per year depending on the membership level desired. A further, separate business interaction is required to have the WBA PKI certificate provisioned by an Issuing Certificate Authority for the WBA.
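The realm-routing decision a roaming hub makes is easier to see in code. The following is an added example, not the article's or the WBA's own code: it takes the realm from the outer NAI of an incoming Access-Request, selects the identity provider's RADIUS/TLS endpoint from NAPTR records the way RFC 7585 describes (lowest order, then lowest preference, service tag aaa+auth:radius.tls.tcp), and refuses to forward unless the discovered peer presents a certificate issued by the federation CA. DNS answers and the TLS handshake are stood in for by constructed tables; the realm, host and CA names are made up.

```python
"""Added example (not the article's or the WBA's code): realm routing on an
OpenRoaming-style hub with RFC 7585 NAPTR selection and a federation-CA check.
DNS and TLS are replaced by constructed tables so the code runs offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RADSEC_SERVICE_TAG = "aaa+auth:radius.tls.tcp"  # RFC 7585 NAPTR service field for RADIUS/TLS


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str          # "S": replacement is an SRV owner name; "A": a host name
    service: str
    replacement: str


@dataclass(frozen=True)
class PeerCert:
    subject_cn: str
    issuer_cn: str      # who signed it; the hub accepts only the federation's issuing CA


def realm_of(nai: str) -> str:
    """Realm is everything after the last '@' (RFC 7542 routing rule), lower-cased."""
    if "@" not in nai:
        raise ValueError("NAI carries no realm and cannot be routed")
    realm = nai.rsplit("@", 1)[1].lower()
    if not realm or any(not label for label in realm.split(".")):
        raise ValueError(f"malformed realm {realm!r}")
    return realm


def pick_radsec_target(realm: str, naptr_table: Dict[str, List[Naptr]]) -> Optional[Naptr]:
    """RFC 7585 selection: keep RADIUS/TLS records only, prefer lowest order, then preference.
    An 'S' flag would need a further SRV lookup in a real resolver; the name is returned as-is."""
    candidates = [r for r in naptr_table.get(realm, [])
                  if r.service == RADSEC_SERVICE_TAG and r.flags in ("S", "A")]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.order, r.preference))


def route_access_request(outer_identity: str,
                         naptr_table: Dict[str, List[Naptr]],
                         presented_certs: Dict[str, PeerCert],
                         federation_issuer: str) -> Tuple[str, str]:
    """Return ("forward", peer_name) or ("reject", reason)."""
    try:
        realm = realm_of(outer_identity)
    except ValueError as exc:
        return ("reject", str(exc))
    target = pick_radsec_target(realm, naptr_table)
    if target is None:
        return ("reject", f"no RADIUS/TLS endpoint discovered for realm {realm}")
    cert = presented_certs.get(target.replacement)
    if cert is None or cert.issuer_cn != federation_issuer:
        # Discovery found a host, but it cannot prove federation membership: do not forward
        return ("reject", f"{target.replacement} presented no certificate from {federation_issuer}")
    return ("forward", target.replacement)


# Constructed sample data standing in for DNS answers and the TLS handshake
FEDERATION_ISSUER = "Example Federation Issuing CA"   # constructed CA name
NAPTR_TABLE = {
    "idp.example": [
        Naptr(50, 10, "S", RADSEC_SERVICE_TAG, "_radiustls._tcp.backup.idp.example"),
        Naptr(10, 20, "S", RADSEC_SERVICE_TAG, "_radiustls._tcp.primary.idp.example"),
        Naptr(10, 10, "A", "aaa+auth:radius.dtls.udp", "dtls.idp.example"),  # RADIUS/DTLS: not RADSEC, ignored
    ],
    "rogue.example": [Naptr(10, 10, "A", RADSEC_SERVICE_TAG, "radsec.rogue.example")],
}
PRESENTED_CERTS = {
    "_radiustls._tcp.primary.idp.example": PeerCert("primary.idp.example", FEDERATION_ISSUER),
    "radsec.rogue.example": PeerCert("radsec.rogue.example", "Some Public CA"),  # not federation-issued
}

if __name__ == "__main__":
    for identity in ("anonymous@IDP.Example", "anonymous@rogue.example", "noatsign"):
        print(identity, "->", route_access_request(identity, NAPTR_TABLE, PRESENTED_CERTS, FEDERATION_ISSUER))
```

The point of the last check is the one the article makes: dynamic discovery only tells the hub where a realm claims to live, and it is the WBA-issued certificate presented during the RADSEC handshake that proves the peer is actually a federation member.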
Network Side
OpenRoaming employs Hotspot 2.0 (HS2.0) to seamlessly connect users or devices. The good news for businesses is that HS2.0 is available from all major network infrastructure suppliers (Cisco, Aruba, Meraki, Mist, Huawei, CommScope Ruckus, etc.), meaning no additional infrastructure costs are needed to deploy OpenRoaming.
OpenRoaming requires a simple configuration on any current or new 802.1X SSID and a valid OpenRoaming subscription to enable the service within a Wi-Fi network.
Device Side
Any device that understands Hotspot 2.0 and has an OpenRoaming certificate provisioned by an identity provider is OpenRoaming enabled. The device looks for a Roaming Consortium Organisational Identifier (RCOI) advertised in a Wi-Fi network's SSID beacon; a match with the RCOI tied to the device's certificate triggers an automatic authentication and roam request onto the OpenRoaming-enabled network service.
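The RCOI the device looks for is carried in the 802.11u Roaming Consortium element (element ID 111) of the beacon. The following is an added example, not code from the article or from any vendor named in it: it encodes and parses that element, walks a beacon's tagged parameters, and applies the device-side rule of joining only when an advertised OI exactly equals a provisioned RCOI. The OI values are constructed samples, not the real WBA identifiers; the exact-match rule is also an assumption made for the example.

```python
"""Added example (not the article's code): build and parse the 802.11u Roaming
Consortium element that an access point places in its beacon, then apply the
device-side auto-join decision. OI values below are constructed samples."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

ROAMING_CONSORTIUM_EID = 111   # IEEE 802.11 element ID: Roaming Consortium
SSID_EID = 0                   # IEEE 802.11 element ID: SSID


@dataclass
class RoamingConsortiumIE:
    anqp_oi_count: int         # further OIs the station may fetch via ANQP
    ois: List[bytes]           # OIs carried in the beacon itself (1..3)


def encode_roaming_consortium(ois: List[bytes], anqp_oi_count: int = 0) -> bytes:
    """Body layout: [ANQP OI count][OI#1 len | OI#2 len << 4][OI#1][OI#2][OI#3]."""
    if not 1 <= len(ois) <= 3:
        raise ValueError("a beacon carries 1..3 OIs; advertise the rest via ANQP")
    if any(not 1 <= len(oi) <= 15 for oi in ois):
        raise ValueError("each OI length must fit in a 4-bit field")
    len1 = len(ois[0])
    len2 = len(ois[1]) if len(ois) > 1 else 0
    body = bytes([anqp_oi_count & 0xFF, (len2 << 4) | len1]) + b"".join(ois)
    return bytes([ROAMING_CONSORTIUM_EID, len(body)]) + body


def decode_roaming_consortium(element: bytes) -> RoamingConsortiumIE:
    """Inverse of encode_roaming_consortium; rejects truncated or inconsistent elements."""
    if len(element) < 2 or element[0] != ROAMING_CONSORTIUM_EID:
        raise ValueError("not a Roaming Consortium element")
    body = element[2:2 + element[1]]
    if len(body) != element[1] or len(body) < 2:
        raise ValueError("truncated Roaming Consortium element")
    anqp_count, lengths = body[0], body[1]
    len1, len2 = lengths & 0x0F, lengths >> 4
    rest = body[2:]
    if len1 == 0 or len(rest) < len1 + len2:
        raise ValueError("OI length fields exceed element body")
    ois = [rest[:len1]]
    if len2:
        ois.append(rest[len1:len1 + len2])
    tail = rest[len1 + len2:]          # OI#3 has no length field: it is whatever remains
    if tail:
        if not len2:
            raise ValueError("OI#3 present without OI#2")
        ois.append(tail)
    return RoamingConsortiumIE(anqp_count, ois)


def iter_elements(tagged_params: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV-encoded tagged parameters of a beacon, yielding (eid, whole element)."""
    i = 0
    while i + 2 <= len(tagged_params):
        eid, length = tagged_params[i], tagged_params[i + 1]
        end = i + 2 + length
        if end > len(tagged_params):
            raise ValueError("element runs past end of frame")
        yield eid, tagged_params[i:end]
        i = end


def should_auto_join(device_rcois: List[bytes], tagged_params: bytes) -> bool:
    """Device-side rule (assumed for this example): join only on an exact match between an
    advertised OI and a provisioned RCOI; a prefix or partial match does not count."""
    wanted = set(device_rcois)
    for eid, element in iter_elements(tagged_params):
        if eid == ROAMING_CONSORTIUM_EID:
            if any(oi in wanted for oi in decode_roaming_consortium(element).ois):
                return True
    return False


# Constructed sample beacon tail: an SSID element followed by a Roaming Consortium element
SAMPLE_OI_A = bytes.fromhex("a1b2c3d4e5")   # constructed 5-octet OI, not a real RCOI
SAMPLE_OI_B = bytes.fromhex("001122")       # constructed 3-octet OI, not a real RCOI
SAMPLE_BEACON_TAIL = (bytes([SSID_EID, 5]) + b"Guest"
                      + encode_roaming_consortium([SAMPLE_OI_A, SAMPLE_OI_B]))

if __name__ == "__main__":
    print("provisioned OI A:", should_auto_join([SAMPLE_OI_A], SAMPLE_BEACON_TAIL))
    print("unrelated OI:   ", should_auto_join([bytes.fromhex("ffeedd")], SAMPLE_BEACON_TAIL))
```

Because OI#3 has no length field of its own, a parser has to derive it from what remains after OI#1 and OI#2; the decoder rejects elements whose declared lengths run past the body, which is the kind of malformed input a beacon parser on a device must survive.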
Identity Side
The Identity store contains information for authenticating a device that's used to verify the user or device on an OpenRoaming network. An ID store can be anything from Microsoft Azure Active Directory to a locally maintained database. Importantly, databases stored in the cloud in a standardized, secure, and simple manner, such as Microsoft Azure AD, can easily inject identity provider services into OpenRoaming.
Putting it all together
When all parts of the OpenRoaming ecosystem are put together, an end-to-end encrypted conversation is enabled between the device and the ID store.
Where is OpenRoaming Today?
The WBA launched its version of OpenRoaming with four identity providers (IDPs), Apple, Google, Samsung, and Android, in July 2020. To promote the OpenRoaming standard, the four largest phone manufacturers and mobile OS vendors pre-configured handsets to connect to OpenRoaming automatically, effectively onboarding the device for OpenRoaming.
If an Apple, Google, Samsung, or Android mobile identifies an OpenRoaming network, the user will be instantly connected without user intervention provided they have self-onboarded via a one-time two-click process.
The WBA OpenRoaming User Experience
To use the WBA OpenRoaming service, a user must accept a one-time terms and conditions page before completing the device's lifetime membership of OpenRoaming.
For all but one of the following IDPs, connecting to OpenRoaming networks is a breeze. The Google Pixel, Samsung S10+, and Android 11+ all have a one-time, two-click user onboarding experience.
For example, here are two videos of the OpenRoaming onboarding process for Samsung and Android devices:
· Android
· Samsung
Apple devices presently require the OpenRoaming App to self-onboard to the OpenRoaming service. This App is considered legacy, and it is rumored that it will be replaced by native operating system support in Q1 2022. Hopefully, this support extends across the entire Apple product ecosystem.
What am I Doing with OpenRoaming?
Since launching a global OpenRoaming hub service and product in June, I've met with 60 clients to talk about OpenRoaming solutions, and to date, I have deployed seven pilots of the WBA OpenRoaming solution in three countries.
Overall, the markets' response to OpenRoaming has been one of fascination. In a nutshell, the enterprise and public market desire the ability to use their own enterprise identity in OpenRoaming (Passpoint mixed with OpenRoaming) or the presence of additional identity providers within OpenRoaming in order to take on an OpenRoaming service.
To realize its vision, OpenRoaming requires a Wi-Fi network coverage footprint and a large number of identity providers to leverage that footprint. For this reason, and in line with AU market demand, I've spent the last four months developing a solution architecture capable of injecting any organization's, application's, or device's IDP into OpenRoaming, to meet the demand I saw when I was out in the field selling OpenRoaming.
For instance, an organization may find value in providing its employees with a passpoint service to simplify access to Wi-Fi network services at corporate sites and employing the same passpoint identity to roam onto OpenRoaming Wi-Fi networks in destinations where the employee may do business. Consider Wi-Fi inter-hospital roaming, in which OpenRoaming serves as the secure Wi-Fi ecosystem inside the hospital that connects the traveling doctor or nurse's device identity to the matching identity provider that onboarded the device. Simply arrive, roam, and work. No apps, no captive portals, no timeouts – just an always-on secure experience no matter the location.
Another example is a telecommunications provider who wishes to offer LTE offloading to its subscribers in brand A's shopping centers across the country. OpenRoaming hubs connect all of brand A's shopping centers to the OpenRoaming ecosystem, thereby providing the network coverage footprint required for the telecommunications provider to offer LTE offloading to its subscribers.
The strategy to deploy indoor 5G services is going to require Wi-Fi to maintain the high-speed experience users will be accustomed to on 5G-enabled handsets. OpenRoaming LTE offloading reduces the cost of rolling out 5G services across a market and increases speed to market for new 5G service offerings once held back by the slow and expensive rollout of traditional LTE infrastructure. OpenRoaming in this instance also generates revenue for the shopping center.
Federated Onboarding for OpenRoaming
In conjunction with a global onboarding and cloud RADIUS provider, we are developing a Federated Onboarding for OpenRoaming solution to leverage OpenRoaming's global network footprint and associated framework, expanding the reach of Passpoint deployments and offering device manufacturers a new, simple, secure, and standardized way to connect their devices to customer networks.
The Federated Onboarding for OpenRoaming solution will enter the piloting phase in late October with productization happening in November. Commercial Federated Onboarding for OpenRoaming will be available either in late November or early December.
The following is the high-level solution architecture of how Federated Onboarding for OpenRoaming (OpenRoaming and Passpoint) work together.
How much does it cost?
An OpenRoaming service via Cirrus Networks is charged per access point (AP) present on a network, on a per-year or three-year contract basis.
For enterprises, device makers, and/or telecommunications providers that want to use the Federated Onboarding Service for OpenRoaming with their own subscriber and device ecosystem, the cost of the service is calculated based on the number of subscribers or devices.
Get in touch with Cirrus Networks to talk about OpenRoaming pricing.
Thanks in advance for your time.
Gianni Frigenti
Senior Solutions Architect at Solutions by stc
2 years: Useful!!
Chief Analyst & Founder at Maravedis LLC, CWNA, and CWTS | Judge for Glomo, WBA, Glotel Fierce Awards| Investor and Advisor in Tech Start-Ups- Between Miami and Sao Paulo
3 years: Great article but I would like to know more about ensuring the quality of experience in those hotspots that have to meet certain criteria in throughput, latency, and coverage.
Snr Project Manager at Atturra
3 years: Excellent Article.
Self Employed
3 years: Great!!