Managing Director at Radiator Software Oy (Arch Red Oy+Open System Consultants Pty Ltd)
27 May 2021
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
A presentation at FUNET Technical Days 2021 about research projects combining (5G) SIM authentication with eduroam Finland, and about the ongoing work on, and benefits of, OpenRoaming global Wi-Fi roaming in roam.fi or eduroam Finland networks.
3. Background
● SIM authentication for Wi-Fi is nothing new.
● Called Wi-Fi off-loading and already used around the world
in areas of higher subscriber density, undergrounds and homes to
enhance mobile network capacity and coverage.
● eduroam trials with operators in the Netherlands (SURFnet)
● In Finland operators have not been interested
● Now using SIM authentication with OpenRoaming is getting
foreign operators and device manufacturers interested.
5. MNC and MCC values identify the operator / IdP
Tue May 25 08:18:59 2021 trace_id='8de2b9a0'
user='1244052162460469@wlan.mnc005.mcc244.3gppnetwork.org'
outer-request-user='' cuid=''
client='10.0.10.17/CLIENT-MGMT-KARRIN-NET'
nas='10.0.10.17/02ecda15035e'
handler='HANDLER-PROXY-TO-ROAM-FI'
calling-station='E8-91-20-A9-29-4F'
called-station='02-EC-DA-15-03-5E:roam.fi'
operator-name='' reason='Request Denied'
result='FAIL'
mcc244 = Finland, mnc005 = Elisa
6. SIM authentication routing needs to be ensured
● Test networks have their own MNC and
MCC values.
● wlan.mnc???.mcc???.3gppnetwork.org
realm makes it possible to route the
requests to responsible IdP.
● SIM authentication realms must not be
filtered in the organisations in between.
● OpenRoaming requires SIM
authentication to pass through
8. (5G) SIM authentication in roam.fi
● The MobileFunet meeting introduced us (Radiator
Software) to the 5G test networks at Aalto and Tampere
University and to Cumucore
● Both universities are already roam.fi members and
we have an active research project with Tampere
University
● We have cleared with the roam.fi coordinator to enable
SIM authentication for testing.
● We only need to connect to SIM AAA IdPs from
roam.fi root servers and ensure realm routing; 5G
test network coverage can then be extended and
complemented with the roam.fi network, enabling 5G
<-> Wi-Fi handover testing etc.
9. (5G) SIM authentication in eduroam
● roam.fi is based on eduroam technology, so
enabling a similar arrangement in Finnish eduroam
can be done the same way.
● CSC needs to greenlight the arrangement.
● More configuration and testing need to be done
for root servers due to the more complex current
configuration.
● There are also more organisations that need to
check and verify that their configurations do not
filter the 3gppnetwork.org realm.
● => more time is needed for eduroam, but if there
is interest, it can be done
11. OpenRoaming: Background
(https://wballiance.com/openroaming/)
● Basically eduroam for all, coordinated by
Wireless Broadband Alliance
● Based on eduroam technologies such as
DNSRoam, RadSec and peer-to-peer
RadSec server connections combined with
Passpoint
● Compliant roaming networks are identified by
roaming consortium organisation identifier
(RCOI) instead of Wi-Fi network name such as
eduroam => Wi-Fi network names do not
matter anymore
12. OpenRoaming: Benefits
● eduroam/Geant and Radiator Software are RCOI
owning members among many others
● Of the device vendors, Samsung, Google and Apple
support OpenRoaming in mobile devices *AND*
are already IdPs => OpenRoaming works out of
the box with Samsung S9 and Google Pixel from
Android 11 onwards, Apple with a separate
profile
● Combining OpenRoaming with roam.fi or eduroam
enables automatic guest login without captive
portals or open, unauthenticated Wi-Fi
13. OpenRoaming: Organisation requirements
(Service Provider use case)
If the federation top level (roam.fi,
eduroam) supports OpenRoaming,
allowing OpenRoaming users to
access the organisation network may
require only adding
Passpoint/Hotspot 2.0/RCOI
configuration for the existing Wi-Fi
network SSID (roam.fi, eduroam).
14. OpenRoaming: Organisation requirements
(Identity Provider use case)
To be an IdP, the roaming
confederation or the
organisation needs to have
an RCOI (sub)ID, a RadSec capable
public server, suitable
certificates and proper DNS
configuration for it.
15. OpenRoaming with roam.fi
● The OpenRoaming trial setup with roam.fi top level
servers has already started and should be ready
during the summer.
● OpenRoaming can then be enabled for the Service
Provider use case in roam.fi member networks
by only adding Passpoint/Hotspot 2.0
configuration to the organisation's roam.fi network
● The IdP use case is to be configured and enabled after
this.
● With OpenRoaming, all OpenRoaming eduroam
organisations can use roam.fi networks
automatically.
16. OpenRoaming with eduroam
● OpenRoaming with eduroam needs to follow
the eduroam setup and guidelines
● The setup options are likely to be the same as for
roam.fi.
● Which level of eduroam
(confederation/federation) connects to
OpenRoaming?
● Who issues and delivers (sub)RCOIs and
certificates for RadSec?
● DNS and Wi-Fi configuration is done by
the organisations themselves
18. So why is this beyond eduroam?
● A reference to eduroam future technology presentations years ago,
where DNSRoam, RadSec and SIM authentication were presented
● For devices using OpenRoaming/Passpoint Wi-Fi profiles, the
name of the network (eduroam, roam.fi, govroam …) does not
matter anymore => roaming capabilities are identified by RCOI
● The identity of the roaming or guest users will come from outside
the organisation and outside the particular federation (device vendor
IDs, SIM cards etc.)
● OpenRoaming is an opportunity for roaming federations and Wi-Fi
networks to grow beyond their original community and area while at
the same time reducing the effort needed to onboard users.