OpenRoaming
OpenRoaming is a global Wi-Fi roaming federation that enables seamless, secure connectivity across participating networks worldwide. IronWifi provides complete OpenRoaming support as both Identity Provider (IdP) and Access Network Provider (ANP), with RadSec encryption for secure federation.
What is OpenRoaming?
OpenRoaming extends Passpoint (Hotspot 2.0) by creating a federated roaming ecosystem where:
- Users connect automatically to participating hotspots
- Single credential works everywhere - no per-network signup
- Enterprise-grade security via WPA2/WPA3-Enterprise
- Global reach - thousands of hotspots in airports, hotels, cafes, cities
How OpenRoaming Works
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Device    │────▶│   Hotspot   │────▶│  IronWifi   │
│  (Roaming)  │     │  (Visited)  │     │   RADIUS    │
└─────────────┘     └─────────────┘     └─────────────┘
                                               │
                                               ▼
                                        ┌─────────────┐
                                        │ OpenRoaming │
                                        │     Hub     │
                                        └─────────────┘
                                               │
                                               ▼
                                        ┌─────────────┐
                                        │  Home IdP   │
                                        │ (Google/MS) │
                                        └─────────────┘
- Device discovers OpenRoaming-enabled network
- Network queries OpenRoaming hub for authentication
- Hub routes request to user's identity provider
- Credentials verified, access granted
OpenRoaming Roles
Identity Provider (IdP)
Authenticates users and issues credentials. IronWifi can act as your IdP.
Access Network Provider (ANP)
Provides the Wi-Fi hotspot infrastructure. Your access points become part of the federation.
Roaming Hub
Routes authentication between IdPs and ANPs. WBA operates the main hub.
IronWifi OpenRoaming Features
IronWifi provides complete OpenRoaming support:
- Dual Role - Act as both IdP and ANP
- RadSec Support - Encrypted RADIUS for federation
- Automatic Configuration - Simplified setup for common vendors
- Analytics - Track roaming connections and usage
- Settlement - Support for settled and settlement-free roaming
Roaming Types
Settlement-Free
- No charges between networks
- Best for enterprise, education, municipal
- OI: 5A03BA0200
Settled
- Revenue sharing between providers
- For commercial hotspot operators
- OI: 5A03BA0000
Supported Identity Providers
OpenRoaming users can authenticate via:
- Google Account
- Apple ID
- Microsoft Account
- Samsung Account
- Enterprise credentials (IronWifi IdP)
Vendor Configuration Guides
Configure your access points for OpenRoaming:
| Vendor | OpenRoaming Guide | RadSec Support |
|---|---|---|
| MikroTik | MikroTik OpenRoaming | RadSec Guide |
| Ubiquiti UniFi | UniFi OpenRoaming | Via proxy only |
| Cisco Meraki | Meraki OpenRoaming | Via Cisco cloud |
| Juniper Mist | Mist RadSec | Native support |
| Fortinet FortiGate | FortiGate RadSec | Native support |
| Aruba Central | Aruba RadSec | Native support |
| Ruckus SmartZone | Ruckus RadSec | Native support |
| Cambium cnMaestro | Cambium OpenRoaming | Optional |
| TP-Link Omada | TP-Link OpenRoaming | Not available |
| Teltonika | Teltonika OpenRoaming | Not available |
Getting Started
As an Access Network Provider
- Enable OpenRoaming in IronWifi console
- Download RadSec certificates
- Configure your access points
- Test with OpenRoaming credentials
As an Identity Provider
- Set up user authentication in IronWifi
- Configure SCEP or credential provisioning
- Deploy profiles to user devices
- Users can roam to any OpenRoaming network
Roaming Consortium OIs
Configure these Organization Identifiers on your access points:
| OI | Description |
|---|---|
| 5A03BA0000 | WBA OpenRoaming (Settled) |
| 5A03BA0200 | WBA OpenRoaming (Settlement-free) |
| 004096 | Cisco OpenRoaming |
| Various | Carrier/provider specific |
NAI Realm Configuration
For IronWifi, use realm: ironwifi.com or your custom realm configured in the console.
Benefits
For Network Operators
- Join global Wi-Fi federation instantly
- Attract roaming users to your venue
- Monetization through settled roaming
- Reduce support burden
For Users
- Automatic, secure Wi-Fi everywhere
- No passwords or captive portals
- Same experience worldwide
- Privacy-respecting authentication
For Enterprises
- Extend corporate Wi-Fi globally
- Secure employee connectivity on travel
- Reduce cellular data costs
- Consistent security policies
Security
OpenRoaming provides:
- WPA2/WPA3-Enterprise encryption
- EAP-TLS or EAP-TTLS authentication
- RadSec (RADIUS over TLS) for federation
- Mutual authentication between networks
Testing OpenRoaming
Verification Tools
Use these tools to verify your OpenRoaming deployment:
| Tool | Purpose |
|---|---|
| WiFi Analyzer apps | Verify 802.11u/Hotspot 2.0 beacons |
| wpa_cli | Query ANQP information on Linux |
| OpenRoaming test devices | iOS/Android with known-good credentials |
| IronWifi Console Logs | Monitor authentication attempts |
Test Procedure
- Verify Passpoint beacons - Use WiFi analyzer to confirm Hotspot 2.0 is advertised
- Check ANQP responses - Verify roaming consortium OIs are visible
- Test authentication - Connect with OpenRoaming credentials
- Monitor logs - Verify successful RADIUS exchanges in IronWifi console
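The "Check ANQP responses" step can be automated. The following is an added example, not IronWifi code: it parses an ANQP Roaming Consortium list and reports which of the OIs from this page are missing. It assumes the hex string is copied from the `anqp_roaming_consortium=` field that `wpa_cli bss <bssid>` prints after an ANQP fetch; the sample payloads are constructed.

```python
"""Check an ANQP Roaming Consortium list for the OpenRoaming OIs on this page."""

# OIs from the "Roaming Consortium OIs" table above.
OPENROAMING_OIS = {
    "5A03BA0000": "WBA OpenRoaming (Settled)",
    "5A03BA0200": "WBA OpenRoaming (Settlement-free)",
    "004096": "Cisco OpenRoaming",
}


def parse_roaming_consortium(hex_payload):
    """Split an ANQP Roaming Consortium list into OIs (upper-case hex).

    The payload is a sequence of OI duples: one length octet followed by
    that many OI octets. Raises ValueError on malformed or truncated input.
    """
    data = bytes.fromhex(hex_payload.strip())
    ois, pos = [], 0
    while pos < len(data):
        length = data[pos]
        pos += 1
        if length == 0 or pos + length > len(data):
            raise ValueError(f"bad OI length {length} at offset {pos - 1}")
        ois.append(data[pos:pos + length].hex().upper())
        pos += length
    return ois


def check_openroaming(hex_payload, required):
    """Return (advertised, missing) for the OIs the deployment should announce."""
    advertised = parse_roaming_consortium(hex_payload)
    missing = [oi for oi in required if oi.upper() not in advertised]
    return advertised, missing


# Constructed sample: 05 5A03BA0000 | 05 5A03BA0200 | 03 004096
SAMPLE = "055a03ba0000055a03ba020003004096"
# Constructed sample of an AP that only advertises the settled OI.
SETTLED_ONLY = "055a03ba0000"

if __name__ == "__main__":
    for label, payload in (("both", SAMPLE), ("settled only", SETTLED_ONLY)):
        advertised, missing = check_openroaming(
            payload, ["5A03BA0000", "5A03BA0200"])
        for oi in advertised:
            print(label, oi, OPENROAMING_OIS.get(oi, "not an OI from this page"))
        print(label, "missing:", missing or "none")
```

A non-empty `missing` list means roaming users of that type will not auto-connect to the access point, even if the RADIUS side is configured correctly.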
FAQ
What's the difference between Settled and Settlement-free?
- Settlement-free (5A03BA0200): No charges between network operators. Ideal for enterprises, education, and municipal networks.
- Settled (5A03BA0000): Revenue sharing between providers. For commercial hotspot operators.
Which devices support OpenRoaming?
- iOS 14+: Native Passpoint support, auto-connects with Apple ID
- Android 11+: Native Passpoint support, auto-connects with Google account
- Windows 10/11: Passpoint supported, requires profile installation
- macOS: Passpoint supported via profiles
Do I need RadSec?
RadSec (RADIUS over TLS) is recommended for production deployments because it:
- Encrypts all RADIUS traffic
- Uses certificate-based authentication
- Is required for OpenRoaming federation compliance
Standard RADIUS works but provides less security.
Can I use both Settled and Settlement-free OIs?
Yes, configuring both OIs (5A03BA0000 and 5A03BA0200) allows connections from both types of roaming users.