White Paper Excerpt

Wi-Fi Offloading, How? – Chapter 5.5

OpenRoaming in Wi-Fi Offloading

We will only give a technical overview of OpenRoaming here and what it could mean in the Wi-Fi offloading context. For deeper insights about OpenRoaming and exactly how the Roaming Consortium Organization Identifiers (RCOIs) are encoded, please read our White Paper, All You Need to Know About OpenRoaming.

OpenRoaming is a groundbreaking initiative by the Wireless Broadband Alliance (WBA) that aims to revolutionize how we connect to Wi-Fi networks worldwide. Enea is a member of the WBA.

OpenRoaming is growing fast. In May 2022, the OpenRoaming federation had around 1 million hotspots globally. In February 2023, the count was over 3 million. It may become the silver bullet for neutral host Wi-Fi offloading.

White Paper: Wi-Fi Offloading, How?

This is an excerpt from our white paper, Wi-Fi Offloading, How?, a technical deep dive into deploying Wi-Fi offloading solutions. If you like what you read, download the full white paper. As a bonus, you’ll also gain access to Wi-Fi Offloading, Why?, outlining the business benefits for mobile operators.


There are two different roles in the OpenRoaming federation:

Access Network Providers (ANP)

An ANP provides the Wi-Fi network, and they can be anything from major Wi-Fi service providers to hotel chains, malls, airports, or congress centers. Any organization with a Wi-Fi network can apply to be part of the OpenRoaming federation.

Identity Providers (IdP)

An IdP authenticates and authorizes users for the OpenRoaming service offered by ANPs. Anyone providing a user account can apply to join the OpenRoaming federation. An excellent example is device manufacturers. Both Samsung and Google are identity providers. But in the Wi-Fi offloading context, the IdP will, of course, be the mobile operator.

Ubiquitous Wi-Fi Roaming

The beauty of the OpenRoaming federation is that any IdP and ANP can roam with each other without even being aware that the other party exists. Roaming is enabled by well-established technology standards, including Passpoint, Dynamic Peer Discovery (DPD), Public Key Infrastructure (PKI), and RADIUS over TLS (RadSec).

Both an IdP and an ANP can control the characteristics of a roaming partner by implementing so-called Closed Access Group policies (CAG). An IdP can, for example, choose to only roam with ANPs that provide a specific Quality of Service (QoS). The CAG is an optional part of the Passpoint Roaming Consortium Organization Identifier (RCOI) for OpenRoaming. However, Wi-Fi offloading is a use case that may drive adoption as MNOs acting as IdPs may only want to cooperate with Wi-Fi networks of a certain quality.

Staying in Control with OpenRoaming

There are two base Passpoint Roaming Consortium Organization Identifiers (RCOIs) for OpenRoaming:

OpenRoaming-Settled: BA-A2-D0-xx-xx

OpenRoaming-Settlement-Free: 5A-03-BA-xx-xx

OpenRoaming RCOI base and CAG policies.

The last 12-bit extension (xx-xx) of the base RCOI is used to implement Closed Access Group Policies (CAG). The RCOIs are provisioned in the device’s OpenRoaming Passpoint profile(s) and advertised in the Wi-Fi Access Point beacon. If there are more RCOIs to be advertised than what fits in the beacon, a list of available RCOIs can be sent through the Passpoint Access Network Query Protocol (ANQP) messages.

Only IdPs and ANPs with fully matching RCOIs, including the CAG, will roam.

 

RCOI Extensions for Closed Access Group Policies

Let’s now move into the more advanced use cases of OpenRoaming using the last 12-bit extension in the OpenRoaming RCOIs to encode the Closed Access Group (CAG) policies. The aim is to deliver an equivalent functionality to the CAG policies encoded in 3GPP using one or more CAG-IDs.

OpenRoaming RCOI fields, base RCOI and CAG extension

 

Currently, WBA has defined the following CAG policy fields:

OpenRoaming CAG policy fields

Note that there is no implicit logic behind the RCOI extensions. It is just a matter of matching the exact RCOIs between the IdP and the ANP. As a result, IdPs and ANPs must advertise multiple RCOIs to cover all cases. This holds even where it might feel superfluous, e.g., explicitly saying that you accept users with Permanent IDs when you want to allow anyone, including anonymous users, onto your network.

It is vital for ANPs and IdPs to also include the tiered CAG policies that go above their minimum requirement and below what they provide:

OpenRoaming IDP and ANP use of CAG policies.

Utilizing OpenRoaming for Wi-Fi Offloading

There are many high-quality Wi-Fi networks in the OpenRoaming federation that mobile operators could utilize to achieve indoor coverage for their subscribers.

A mobile operator IdP can, for example, decide to roam only with ANPs fulfilling at least the Silver QoS level by using the corresponding Closed Access Group (CAG) policies.

By doing so, the mobile operator will ensure the quality of service for the offloaded user is good enough for, e.g., Wi-Fi Calling and video. This is crucial for settlement-free use cases where they may roam with ANPs with which they have no relationship.

OpenRoaming QoS CAG policy values.

A venue such as a shopping mall could advertise the settled RCOI and make bilateral commercial agreements with multiple mobile operators acting as IdPs.

The shopping mall can even prioritize the mobile operators’ subscribers over other users if they comply with the advertised QoS level for all. This will allow the shopping mall to charge more for the offloaded users.

It is not a problem that the user may have multiple installed OpenRoaming profiles on the device, such as one from the mobile operator and one from the device manufacturer. The shopping mall can utilize the Home Service Provider preference functionality defined in Passpoint to prioritize the mobile operators over other IdPs.

It should be noted that the CAG policies are based on trust between the different actors in the OpenRoaming federation, so the QoS level is not verified independently. Some ANPs may also only advertise the base RCOI without any CAG policies. However, if OpenRoaming advances to become the go-to solution for neutral host Wi-Fi offloading, this could lead to significant changes. For instance, OpenRoaming might evolve to deliver consistent, verified QoS levels across all ANPs.

 

 


Adjustments Needed for Wi-Fi Offloading

The Dynamic Peer Discovery (DPD) mechanism is used in OpenRoaming to find the IdP authentication server by looking up the IdP’s realm in DNS. This is a problem when the mobile operator acts as an IdP as the 3gppnetwork.org realm, which all mobile operators use, is not publicly resolvable by DNS because of security concerns.

The remedy is to use the subdomain pub.3gppnetwork.org for DPD, which 3GPP specifies for public use and is thus resolvable by DNS.

Mobile Operators in the OpenRoaming federation must provision their public subdomain in DNS. In the example of Swisscom, that would be:

wlan.mnc001.mcc228.pub.3gppnetwork.org

The public subdomain enables DPD-based discovery of their SIM-Authentication server (3GPP AAA) used to authenticate subscribers in the OpenRoaming federation.

However, the authentication request from a user with a mobile operator Passpoint profile will likely come in the form used by mobile operators, i.e., without the pub subdomain, e.g., <user>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org.

The <user> is the subscriber’s international mobile subscriber identity (IMSI).

As discussed, the DNS-based DPD cannot resolve this realm, so the ANP must dynamically add “pub” in the DNS lookup.

OpenRoaming adjustments needed for Wi-Fi Offloading.
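One way an ANP's AAA front end could derive the DPD lookup realm described above, as an added example that is not part of the white paper or any vendor's code. The function name `dpd_lookup_realm`, the three-digit MNC/MCC pattern (taken from the Swisscom example) and the sample IMSI are assumptions; because the realm is supplied by the connecting device, it is validated before it is turned into a DNS name.

```python
import re

# Realm forms from the page. The three-digit MNC/MCC pattern is an assumption
# based on the page's example (wlan.mnc001.mcc228...).
_OPERATOR = re.compile(r"^wlan\.mnc([0-9]{3})\.mcc([0-9]{3})\.3gppnetwork\.org$")
_OPERATOR_PUB = re.compile(r"^wlan\.mnc[0-9]{3}\.mcc[0-9]{3}\.pub\.3gppnetwork\.org$")
# Conservative hostname syntax for every other IdP realm.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def dpd_lookup_realm(identity: str) -> str:
    """Return the realm an ANP should query in DNS for this user identity.

    Hypothetical helper: the identity is supplied by the connecting device,
    so the realm is normalised and validated before it becomes a DNS name.
    """
    _user, sep, realm = identity.rpartition("@")
    realm = realm.strip().rstrip(".").lower()
    if not sep or not realm:
        raise ValueError("identity carries no realm")

    match = _OPERATOR.match(realm)
    if match:
        # Operator form without "pub": insert it so the name resolves publicly.
        mnc, mcc = match.groups()
        return f"wlan.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"
    if _OPERATOR_PUB.match(realm):
        return realm  # already the public form, nothing to add
    if realm == "3gppnetwork.org" or realm.endswith(".3gppnetwork.org"):
        # Other names under 3gppnetwork.org are not publicly resolvable;
        # reject them instead of guessing a rewrite.
        raise ValueError(f"unsupported 3GPP realm: {realm}")
    if not _HOSTNAME.match(realm):
        raise ValueError(f"malformed realm: {realm!r}")
    return realm  # ordinary IdP realm, looked up unchanged


if __name__ == "__main__":
    # Constructed sample identity (IMSI digits are made up).
    print(dpd_lookup_realm("228010000000001@wlan.mnc001.mcc228.3gppnetwork.org"))
```

Only the DNS lookup name changes; the identity in the authentication request itself is left as the device sent it.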

Once the ANP’s and the IdP’s AAA servers have established communication through RADIUS over TLS (RadSec), it is business as usual, and the user can be authenticated using the user credentials from the OpenRoaming Passpoint profile.

 
