OpenRoaming
- OpenRoaming is a Wireless Broadband Alliance (WBA) standard that extends Passpoint (Hotspot 2.0) into a global WiFi roaming federation -- users connect automatically to participating hotspots worldwide with a single credential.
- IronWiFi can act as both Identity Provider (IdP) and Access Network Provider (ANP), giving you full flexibility in how you participate in the OpenRoaming ecosystem.
- All OpenRoaming connections use WPA2/WPA3-Enterprise encryption with RadSec (RADIUS over TLS, defined in RFC 6614) for secure inter-provider federation.
- Two roaming models are available: settlement-free (no charges between operators, ideal for enterprise and education) and settled (revenue sharing, for commercial hotspot operators).
- OpenRoaming supports authentication via Google Account, Apple ID, Microsoft Account, Samsung Account, and enterprise credentials provisioned through IronWiFi.
OpenRoaming is a Wireless Broadband Alliance (WBA) standard that creates a global WiFi roaming federation, allowing users to automatically and securely connect to participating hotspots worldwide using a single set of credentials. Built on top of Passpoint (Hotspot 2.0) and RadSec (RADIUS over TLS), OpenRoaming eliminates the need for per-network signup or captive portal interaction.
IronWiFi provides complete OpenRoaming support as both Identity Provider (IdP) and Access Network Provider (ANP), with RadSec encryption for secure federation.
What is OpenRoaming?
OpenRoaming extends Passpoint (Hotspot 2.0) by creating a federated roaming ecosystem where:
- Users connect automatically to participating hotspots
- Single credential works everywhere - no per-network signup
- Enterprise-grade security via WPA2/WPA3-Enterprise
- Global reach - thousands of hotspots in airports, hotels, cafes, cities
How OpenRoaming Works
- Device discovers OpenRoaming-enabled network
- Network queries OpenRoaming hub for authentication
- Hub routes request to user's identity provider
- Credentials verified, access granted
OpenRoaming Roles
Identity Provider (IdP)
Authenticates users and issues credentials. IronWiFi can act as your IdP.
Access Network Provider (ANP)
Provides the WiFi hotspot infrastructure. Your access points become part of the federation.
Roaming Hub
Routes authentication between IdPs and ANPs. WBA operates the main hub.
IronWiFi OpenRoaming Features
IronWiFi provides complete OpenRoaming support:
- Dual Role - Act as both IdP and ANP
- RadSec Support - Encrypted RADIUS for federation via RADIUS over TLS
- Automatic Configuration - Simplified setup for common vendors
- Analytics - Track roaming connections and usage
- Settlement - Support for settled and settlement-free roaming
Roaming Types
Settlement-Free
- No charges between networks
- Best for enterprise, education, municipal
- OI: 5A03BA0000
Settled
- Revenue sharing between providers
- For commercial hotspot operators
- OI: BAA2D00000
Supported Identity Providers
OpenRoaming users can authenticate via:
- Google Account
- Apple ID
- Microsoft Account
- Samsung Account
- Enterprise credentials (IronWiFi IdP)
Vendor Configuration Guides
Configure your access points for OpenRoaming:
| Vendor | OpenRoaming Guide | RadSec Support |
|---|---|---|
| MikroTik | MikroTik OpenRoaming | RadSec Guide |
| Ubiquiti UniFi | UniFi OpenRoaming | Via proxy only |
| Cisco Meraki | Meraki OpenRoaming | Via Cisco cloud |
| Juniper Mist | Mist RadSec | Native support |
| Fortinet FortiGate | FortiGate RadSec | Native support |
| Aruba Central | Aruba RadSec | Native support |
| Ruckus SmartZone | Ruckus RadSec | Native support |
| Cambium cnMaestro | Cambium OpenRoaming | Optional |
| TP-Link Omada | TP-Link OpenRoaming | Not available |
| Teltonika | Teltonika OpenRoaming | Not available |
Getting Started
As an Access Network Provider
- Enable OpenRoaming in IronWiFi console
- Download RadSec certificates
- Configure your access points
- Test with OpenRoaming credentials
As an Identity Provider
- Set up user authentication in IronWiFi
- Configure SCEP or credential provisioning
- Deploy profiles to user devices
- Users can roam to any OpenRoaming network
Roaming Consortium OIs
Configure these Organization Identifiers on your access points:
| OI | Description |
|---|---|
| 5A03BA0000 | WBA OpenRoaming (Settlement-free) |
| | WBA OpenRoaming (Cloud ID - Settlement-free) |
| BAA2D00000 | WBA OpenRoaming (Settled) |
| | Cisco OpenRoaming |
| Various | Carrier/provider specific |
NAI Realm Configuration
For IronWiFi, use realm:
ironwifi.com
Benefits
For Network Operators
- Join global WiFi federation instantly
- Attract roaming users to your venue
- Monetization through settled roaming
- Reduce support burden
For Users
- Automatic, secure WiFi everywhere
- No passwords or captive portals
- Same experience worldwide
- Privacy-respecting authentication
For Enterprises
- Extend corporate WiFi globally
- Secure employee connectivity on travel
- Reduce cellular data costs
- Consistent security policies
When to Use OpenRoaming
OpenRoaming is most valuable when your network serves users who also visit other participating venues, or when you want to attract roaming visitors to your network. The following guidelines help determine whether OpenRoaming is the right fit.
Use OpenRoaming when
- You want automatic connectivity for visitors from other networks -- Hotels, airports, conference centers, and retail chains benefit from attracting users who already have OpenRoaming credentials from their employer, carrier, or identity provider.
- Your organization has multiple locations or partners -- OpenRoaming enables employees to seamlessly connect at partner sites, coworking spaces, or any participating venue without separate credentials.
- You want to reduce captive portal friction -- OpenRoaming users bypass splash pages entirely, connecting automatically with enterprise-grade encryption.
- Revenue from WiFi connectivity is a goal -- Settled OpenRoaming (OI BAA2D00000) supports revenue sharing between network operators and identity providers.
- You are building a smart city or campus network -- Municipal WiFi and large campus deployments benefit from the global interoperability that OpenRoaming provides.
OpenRoaming may not be needed when
- Your network serves only internal users -- If only your employees connect to your WiFi and they already have 802.1X credentials, standard WPA2/WPA3-Enterprise without OpenRoaming is simpler.
- Your access points lack Passpoint (802.11u) support -- OpenRoaming requires Passpoint-capable hardware and, for federation compliance, RadSec (RADIUS over TLS) support.
- You need data capture before granting access -- OpenRoaming authenticates silently; there is no opportunity to display terms of service or collect marketing data during the connection process.
A university joins the OpenRoaming federation as both an Identity Provider and Access Network Provider. Students and staff connect automatically at campus buildings, and their credentials also work at cafes, airports, and partner universities worldwide. Visiting researchers from other OpenRoaming-enabled institutions connect to the university WiFi without any enrollment process. IronWiFi manages the RadSec certificates and federation configuration.
Security
OpenRoaming provides:
- WPA2/WPA3-Enterprise encryption
- EAP-TLS or EAP-TTLS authentication
- RadSec (RADIUS over TLS) for federation
- Mutual authentication between networks
Testing OpenRoaming
Verification Tools
Use these tools to verify your OpenRoaming deployment:
| Tool | Purpose |
|---|---|
| WiFi Analyzer apps | Verify 802.11u/Hotspot 2.0 beacons |
| | Query ANQP information on Linux |
| OpenRoaming test devices | iOS/Android with known-good credentials |
| IronWiFi Console Logs | Monitor authentication attempts |
Test Procedure
- Verify Passpoint beacons - Use WiFi analyzer to confirm Hotspot 2.0 is advertised
- Check ANQP responses - Verify roaming consortium OIs are visible
- Test authentication - Connect with OpenRoaming credentials
- Monitor logs - Verify successful RADIUS exchanges in IronWiFi console
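The OI check in the second step can be run offline on captured bytes. This added example (not IronWiFi code) parses the 802.11u Roaming Consortium element from a beacon and the ANQP Roaming Consortium list, then reports where each OpenRoaming OI named on this page is advertised. The sample bytes and the `001122` OI are constructed for illustration.

```python
OPENROAMING_OIS = {"settlement-free": bytes.fromhex("5A03BA0000"),
                   "settled": bytes.fromhex("BAA2D00000")}  # OIs from this page
ROAMING_CONSORTIUM_EID = 111   # 802.11u Roaming Consortium element in beacons
ANQP_ROAMING_CONSORTIUM = 261  # ANQP Info ID of the Roaming Consortium list

def ois_from_beacon_ies(ies: bytes) -> list:
    """Walk a beacon's tagged elements and return the OIs in element 111."""
    ois, pos = [], 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        pos += 2 + length
        if eid != ROAMING_CONSORTIUM_EID:
            continue
        # body[0]: count of ANQP-only OIs; body[1]: OI #1/#2 lengths (low/high nibble)
        if length < 2 or 2 + (body[1] & 0x0F) + (body[1] >> 4) > length:
            raise ValueError("malformed Roaming Consortium element")
        rest = body[2:]
        for n in (body[1] & 0x0F, body[1] >> 4, length):  # 'length': OI #3 = remainder
            oi, rest = rest[:n], rest[n:]
            if oi:
                ois.append(oi)
    return ois

def ois_from_anqp(elem: bytes) -> list:
    """Return the OIs in one ANQP Roaming Consortium list element."""
    info_id, length = (int.from_bytes(elem[i:i + 2], "little") for i in (0, 2))
    payload = elem[4:4 + length]
    if len(elem) < 4 or info_id != ANQP_ROAMING_CONSORTIUM or len(payload) < length:
        raise ValueError("not a complete Roaming Consortium ANQP element")
    ois, pos = [], 0
    while pos < len(payload):  # sequence of (length octet, OI) duples
        n = payload[pos]
        if n == 0 or pos + 1 + n > len(payload):
            raise ValueError("bad OI duple")
        ois.append(payload[pos + 1:pos + 1 + n])
        pos += 1 + n
    return ois

def openroaming_report(beacon_ies: bytes, anqp_elem: bytes) -> dict:
    """Say where each OpenRoaming OI is advertised: beacon, anqp-only, missing."""
    beacon, full = set(ois_from_beacon_ies(beacon_ies)), set(ois_from_anqp(anqp_elem))
    return {name: "beacon" if oi in beacon else "anqp-only" if oi in full
            else "missing" for name, oi in OPENROAMING_OIS.items()}
# Constructed sample bytes (not a capture); OI 001122 is a made-up third party.
SAMPLE_BEACON_IES = bytes.fromhex("000474657374" "6f0a01355a03ba0000001122")
SAMPLE_ANQP = bytes.fromhex("05011000" "055a03ba0000" "03001122" "05baa2d00000")
```

A beacon carries at most three OIs, so an OI reported as `anqp-only` is still advertised, while `missing` means the access point configuration does not include it.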
FAQ
What's the difference between Settled and Settlement-free?
- Settlement-free (5A03BA0000): No charges between network operators. Ideal for enterprises, education, and municipal networks.
- Settled (BAA2D00000): Revenue sharing between providers. For commercial hotspot operators.
Which devices support OpenRoaming?
- iOS 14+: Native Passpoint support, auto-connects with Apple ID
- Android 11+: Native Passpoint support, auto-connects with Google account
- Windows 10/11: Passpoint supported, requires profile installation
- macOS: Passpoint supported via profiles
Do I need RadSec?
RadSec (RADIUS over TLS, defined in RFC 6614) is recommended for production OpenRoaming deployments because it:
- Encrypts all RADIUS traffic using TLS, replacing the shared-secret model with certificate-based mutual authentication
- Uses X.509 certificates for both client and server identity verification
- Is required for WBA OpenRoaming federation compliance -- the WBA mandates RadSec for inter-provider RADIUS traffic
- Eliminates the security limitations of UDP-based RADIUS (RFC 2865), where the shared secret provides limited protection
Standard RADIUS (UDP) works for testing but does not meet OpenRoaming federation requirements for production use.
Can I use both Settled and Settlement-free OIs?
Yes, configuring both OIs (
5A03BA0000
BAA2D00000