OpenRoaming: Wi-Fi as Secure and Seamless as Cellular

RADIUS datagrams over TCP and TLS. In OpenRoaming, it is used to maintain integrity and secure communication between the AAA servers.

4. DPD - Dynamic Peer Discovery

Dynamic peer discovery (DPD), specified in RFC 7585, allows ANPs to dynamically discover the AAA servers operated by an IDP through Domain Name System (DNS) lookups. (See Figure 3 below)

With OpenRoaming and DPD, the access network no longer needs a particular configuration for each roaming partner. DPD is a game-changer for Wi-Fi roaming and a prerequisite for the OpenRoaming federation.


The Wireless Roaming Intermediary eXchange (WRIX) Framework was developed by the WBA Roaming Work Group. Support for WRIX is a prerequisite only for the settled service, and ANPs/IDPs can outsource this function to an ANP/IDP hub provider.

OpenRoaming Needn't be that Open

The word "Open" implies roaming without control. But OpenRoaming does not have to be that open. WBA has incorporated access policies, so-called Closed Access Group policies (CAG), into the OpenRoaming specification. These allow Identity Providers and Access Network Providers to control the characteristics of a roaming partner.

As discussed, each OpenRoaming base RCOI is a 36-bit value. The last 12 bits are encoded to reflect the CAG policies. These policies include whether an Identity Provider will provide the user's identity or whether the user should remain anonymous. Another important CAG policy is the level of quality of service (QoS) that an access network provider offers (and an IDP accepts).

Figure 3.

The baseline QoS for an ANP is service availability of over 90 percent and providing each user with 256 Kbit/s sustained speed. This is the minimum requirement for participating in the OpenRoaming federation and is therefore considered the baseline.

All baseline CAG policy bits have zero (0) as the value. If an ANP and IDP do not use the CAG policy extension (last 12 bits), they are perceived to support only the baseline, and all 12 bits are assumed to be zero (00-00).

One of the benefits of encoding policies in the RCOI is that they are applied before authentication. If there is a policy mismatch (the RCOIs do not match), there is no reason to send an authentication request that the ANP authentication server (AAA) would reject immediately. This approach avoids overwhelming the AAA with unnecessary authentication attempts.

Another benefit of using the RCOI for policy control is that it is not a new standard dependent on device support. Passpoint has been around since 2012, and nearly all devices active today support this standard if they have installed a Passpoint profile such as the one for OpenRoaming.

The CAG policy RCOI extensions carry no implicit logic: matching is purely a matter of the IDP and the ANP sharing an exactly identical RCOI. As a result, IDPs and ANPs must use multiple RCOIs to cover all cases. For what they provide, ANPs and IDPs must use the RCOI (with its CAG policy extension) for that tier and RCOIs for all tiers below. For what they require, they must use the RCOI for that tier and RCOIs for all tiers above.

Let’s make this more understandable with a few examples.

An ANP offering a settlement-free OpenRoaming service with Silver QoS (Over 95 percent availability, 512 Kbit/s, 5 Mbit/s for video, less than 150 ms latency) must advertise RCOIs that cover both the Silver QoS and the baseline QoS.

An IDP offering to provide the user’s identity to the ANP must use RCOIs in the device’s OpenRoaming Passpoint profile, covering this case as well as the anonymous user; otherwise, the IDP will only roam with ANPs that insist on getting the user identity.

Given that two additional CAG policies are not covered in this article, and that RCOIs with the CAG policy bit values can be combined in many ways, many RCOIs are needed, in some cases tens of them. But fear not. Provisioning RCOIs is a one-time task for both the IDP and the ANP, and it is not that difficult.
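The examples above can be worked through mechanically. The following is an added illustration (not code from the article or from the WBA) of the exact-match rule: the ANP lists its QoS tier and everything below, the IDP lists the tier it requires and everything above, and roaming only happens when the two sets share an RCOI. The prefix and the single-hex-digit CAG suffix are assumptions for illustration only; the real OpenRoaming bit layout is not given on this page.

```python
# Hypothetical encoding for illustration only: the page does not give the real
# OpenRoaming CAG bit layout. The prefix is a placeholder and the suffix uses
# one hex digit per policy dimension modelled here (QoS tier, identity).
BASE_PREFIX = "XX-XX-XX"                 # placeholder, not a real RCOI prefix
QOS = ["baseline", "silver"]             # ordered low -> high, as on the page
IDENTITY = ["anonymous", "identity"]     # baseline value is anonymous (bit 0)


def rcoi(qos: str, identity: str) -> str:
    """Compose one RCOI string: placeholder prefix plus hypothetical CAG suffix."""
    return f"{BASE_PREFIX}-{QOS.index(qos):X}{IDENTITY.index(identity):X}"


def anp_rcois(qos_offered: str, insists_on_identity: bool) -> set[str]:
    """RCOIs an ANP advertises.

    QoS is something the ANP provides, so it lists its tier and every tier
    below it. Identity is something the ANP requires: it lists only the
    identity RCOI if it insists, otherwise only the anonymous (baseline) one.
    """
    qos_levels = QOS[: QOS.index(qos_offered) + 1]
    ident = "identity" if insists_on_identity else "anonymous"
    return {rcoi(q, ident) for q in qos_levels}


def idp_rcois(qos_required: str, provides_identity: bool) -> set[str]:
    """RCOIs an IDP provisions in the device's OpenRoaming Passpoint profile.

    QoS is something the IDP requires, so it lists its minimum tier and every
    tier above it. Identity is something the IDP provides, so providing it
    must cover both the identity and the anonymous case.
    """
    qos_levels = QOS[QOS.index(qos_required):]
    ident_levels = IDENTITY if provides_identity else ["anonymous"]
    return {rcoi(q, i) for q in qos_levels for i in ident_levels}


def will_roam(anp: set[str], idp: set[str]) -> bool:
    """Exact-match rule: at least one RCOI must be shared, otherwise the
    device never even sends an authentication request."""
    return not anp.isdisjoint(idp)


def example() -> dict[str, bool]:
    """The scenarios from the text, evaluated with the model above."""
    return {
        "silver ANP vs baseline IDP providing identity":
            will_roam(anp_rcois("silver", False), idp_rcois("baseline", True)),
        "baseline ANP vs IDP requiring silver":
            will_roam(anp_rcois("baseline", False), idp_rcois("silver", True)),
        "ANP insisting on identity vs anonymous-only IDP":
            will_roam(anp_rcois("baseline", True), idp_rcois("baseline", False)),
    }
```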
