search icon
Demystifying WiFi OpenRoaming 1

Demystifying Wi-Fi OpenRoaming


Improving and securing the experience of connecting to a public Wi-Fi hotspot has been one of the biggest challenges that the Wi-Fi industry is trying to tackle.

As per Cisco Annual Internet Report(2018-2023), globally, there will be 628 million public Wi-Fi hotspots by 2023, up from 169 million hotspots in 2018, which is a fourfold increase. An exponential increase in smartphone usage and an “Always-On” digital lifestyle have led to the increased use of public Wi-Fi hotspots.


The Public Wi-Fi Connectivity Experience

Some of the issues that consumers face while connecting to Public WiFi are as follows:

Cumbersome Onboarding Process:

Joining a public Wi-Fi network involves a cumbersome manual process. Before we can use the internet, we often need to find the available Wi-Fi networks, pick one of them, open a browser, input login information, and agree to the terms of service. Due to this time-consuming process that gets repeated every time the end-user tries to connect to a network, consumers often end up using their own cellular network.

Different Wi-Fi networks implement different strategies for onboarding into their networks. One of the most popular sign-up processes involves the use of captive portals that demands inconsistent information such as email, phone number, room number, airport coupon, or hard-to-remember passwords.

Security Issue:

Most public Wi-Fi networks are inherently insecure. According to Norton Cybersecurity Insights report, more people are afraid of using public Wi-Fi networks than public toilets. Hackers can easily intercept online traffic, infect our devices with malware and access our personal information. Therefore, it is inevitable to protect the end-user’s devices before connecting with public Wi-Fi. Some public Wi-Fi hotspots use an older encryption protocol that is weak and raises security risks. In some cases, unaware end-users end up joining a rogue network specifically created by attackers for man-in-the-middle attacks. All this has led to a lot of resentment in end-users against public wi-fi hotspots.


Disconnections in Between Handovers:

Connectivity must be supported while moving from one Access Point to another inside a Wi-Fi Hotspot zone. Having an efficient handover between APs is important for enabling a seamless experience.

Balancing Network Traffic:

Public wi-fi keeps disconnecting end-users when the network overloads. This hurts both productivity and the user experience. As a result, people believe it is right to avoid using a free public Wi-Fi connection when performing vital tasks.

Advertisements without User Consent:

Multiple advertisements that pop up randomly affect the user experience, especially when the users have not provided their consent.

Ambiguous Privacy Terms and Conditions:

Users must be explicitly made aware of the terms and conditions and have the option to consent to the use of their data because service providers do not always safeguard the privacy of each user’s online behaviour. Such openness and flexibility will undoubtedly improve the user experience.

Hotspot 2.0 and Passpoint®

The Wi-Fi Alliance (WFA) introduced Hotspot 2.0 (aka Passpoint®) as a specification to bring the Wi-Fi connection experience at par with cellular connectivity. It is an industry-wide solution that aids in network finding and auto-connection securely.

Hotspot 2.0 (aka Passpoint®) is a fundamental ingredient to global Wi-Fi OpenRoaming standards and reflects the depth and breadth of that collaboration as a great solution for end-users and service providers. By using Hotspot 2.0, the end-users are identified and authenticated using the credentials that are stored in the network. They just need to download a profile onto their device to sign into the network. The devices would automatically discover, select, and securely connect to an authorized Wi-Fi network in the vicinity. The device vendors act as a medium for realizing the value of Hotspot 2.0. It has been the most important piece of the puzzle to enable seamless Wi-Fi roaming across different networks.

As a global connectivity solutions provider, Hughes Systique has been a front-runner in utilizing the Hotspot 2.0 technology to enhance the Wi-Fi connectivity experience and power the idea of Wi-Fi roaming and monetization.

WBA OpenRoaming

The Wireless Broadband Alliance (WBA) is a global organization that connects individuals to the most recent Wi-Fi developments. WBA OpenRoamingTM is a framework for enabling a seamless and secure Wi-Fi roaming experience globally. WBA assumed control from Cisco and launched OpenRoaming in May 2020. It was done to overcome the above-mentioned fundamental Wi-Fi connectivity issues.

Why was OpenRoaming needed?

End-users were looking for a seamless wi-fi connectivity experience when moving from one network to another without constantly registering or signing in.

However, due to the presence of millions of Wi-Fi hotspots offered internationally by different suppliers (including operators, venues, public places, and businesses) and their working in silos, it was hard to develop a scalable Wi-Fi roaming service of any size Thus, OpenRoaming came into play.

WBA OpenRoaming has three key elements:


OpenRoaming Network Architecture:

OpenRoaming is a straightforward yet effective idea. Through the WBA Roaming Federation, it unites Wi-Fi Access Network Providers (ANPs) and Identity Providers (IDPs) under a Public Key Infrastructure (PKI)-based trust architecture. Any Wi-Fi ANP, regardless of size, may join the federation and connect to IDPs securely using the PKI (Public Key Infrastructure) model.

Figure 3 below shows how OpenRoaming connects ANPs and IDPs seamlessly and securely, creating a network of global wi-fi networks. Users no longer must deal with complicated and time-consuming public Wi-Fi network connecting processes thanks to OpenRoaming. Instead, OpenRoaming uses Wi-Fi on mobile devices just like cellular connectivity by offering consumers a straightforward auto connection and seamless Wi-Fi access.


Figure 4 shows the technical architecture of the OpenRoaming network deployment. WBA considered various scenarios and worked on respective limitations such as the legacy deployments or small partners that are enabled via the larger Hubs either on the VNP (Visited Network Provider) or HSP (Home Service Provider) side.


Any partner can onboard the OpenRoaming framework, either directly or through Wi-Fi HUBs. The participating network providers and identity providers would be assigned a unique WBA-ID, which is mandated to set up the RadSec connection. The WBA is ensuring to have the presence and preserve the status of all partners in the WBA global database. The database is continuously updated by WBA Program Office, WBA certificate issuers, and Hubs for onboarding as well as deboarding members. This database would be accessed through an authorized API to ensure the validity of the peer entities.

How does OpenRoaming work?

Using OpenRoaming, one can create an easy-to-use, secure, plug-and-play architecture through a cloud-based roaming federation framework that uses PKI and standard legal frameworks. By doing this, Wi-Fi networks and devices remove the barriers to adopting roaming services.

Figure 5 below shows the steps involved in creating an OpenRoaming Framework. The steps detailing the preparation of IDPs, ANPs, and devices for participation in OpenRoaming as well as what happens when authenticating and connecting to a device, are mentioned below.


Identity Providers (IDP) Onboarding:

Any entity that can offer and confirm user identities can become an OpenRoaming IDP by applying to the WBA and agreeing to the terms of the OpenRoaming legal contract. A WBA-ID and an OpenRoaming federation certificate are then issued to the entity. These certificates ensure that the ANP will have faith in IDPs throughout the authentication procedure.

  1. Domain Name System (DNS) Registration: The IDP registers itself with the OpenRoaming Domain Name System (DNS) after obtaining its certificate so that the ANPs can discover it automatically. Any IDP may easily access the OpenRoaming framework by using OpenRoaming DNS, which eliminates the complexity of roaming. The ANPs can quickly identify the OpenRoaming IDPs during authentication, resulting in the creation of a straightforward, reliable world of OpenRoaming networks.
  2. Access Network Provider (ANP) Onboarding: Any organization/entity which has a Wi-Fi network can become an OpenRoaming ANP. The entity needs to apply with WBA and accept the legal contract. After Onboarding, they are issued a WBA-ID and OpenRoaming Federation Certificate.
  3. Roaming Consortium OI (RCOI) configuration: After receiving the certificate, the ANP configures its access points (APs) with OpenRoaming RCOI, which is a global identifier that is advertised in beacons sent by Wi-Fi APs for OpenRoaming networks.
    Mobile devices can easily discover and connect to the network thanks to RCOI, which allows ANPs to show they are part of OpenRoaming. It is independent of the ANPs Service Set Identifier (SSID) and allows devices to connect to the global OpenRoaming Wi-Fi network easily.
  4. Mobile Device Onboarding: As part of the one-time onboarding process, Wi-Fi profiles are created for mobile devices to auto-connect to Wi-Fi networks. An efficient way of onboarding is using the Passpoint mechanism, which offers an effortless way of downloading the profile. Without relying on an ANPs online sign-up mechanism, OpenRoaming enables device manufacturers to make their products ready for the one global OpenRoaming Wi-Fi network right out of the box. OpenRoaming provides the legal framework for creating the acceptance of terms and conditions applicable for its usage. These terms and conditions are presented to users when the devices are first turned on, ending the need to ask them to accept them each time they try to connect to a Wi-Fi network.
  5. OpenRoaming Network Discovery and Authentication: The mobile device becomes ready for OpenRoaming network connection when it receives an OpenRoaming profile from OpenRoaming IDP. Through the RCOIs (Roaming Consortium OI), the device can find nearby OpenRoaming Wi-Fi networks and start a secure authentication process with the access network using the information from the OpenRoaming profile. The IDP’s network access identifier (NAI) realm is then transmitted from the device to the ANP.
  6. IDP discovery by the ANP: The ANP queries the OpenRoaming DNS to confirm the information it has received from the NAI realm of IDP. ANPs may dynamically obtain the trusted IDP AAA server path for authentication because the OpenRoaming IDPs are already registered with the DNS. Without any prior roaming relationships, OpenRoaming offers a safe framework for ANPs to trust the IDPs that are a part of it. Without having to cope with the difficulties of limited roaming enablement mechanisms, OpenRoaming enables ANPs to plug and play with any of the OpenRoaming IDPs on a global scale.
  7. RadSec-based Authentication: ANP, after discovering the IDP using OpenRoaming DNS, reaches out to IDPs AAA. Since both the ANP and IDP have an OpenRoaming issued certificate, they may create a RadSec tunnel to conduct the authentication process. Without RadSec, the roaming partners’ previously transmitted information would need to be used to configure the two endpoints to build an IPsec tunnel.

The device can create a secure connection to the ANP’s Wi-Fi network once the IDP validates the information the device sent to the ANP. Each of these processes is safe and easy for the user to use, making it possible for quick and simple access.

Benefits of OpenRoaming

For End-Users:

OpenRoaming significantly enhances the wi-fi connectivity experience for users. With OpenRoaming, users just need to download the profile and get instantly and securely connected to any participating OpenRoaming network around the world.

For Mobile Device Vendors:

Vendors can get their products ready for OpenRoaming out-of-the-box. They have the choice to pre-install and configure devices with WBA-ID and OpenRoaming federation certificates.

For ANPs:

In addition to offering Wi-Fi access when users join an ANP’s network, the ANP can also engage with the users directly and discover useful insights. Additionally, ANPs have the choice to become an IDP for OpenRoaming and offer their clients other services.

For IDPs:

Any organization that can authenticate users and supports customer relationships are eligible to join the OpenRoaming IDP program. Any company may quickly join the OpenRoaming federation and benefit from its size when providing services.


OpenRoaming: Attracting Diverse Verticals

OpenRoaming appeals to a wide range of industry verticals. Every industry offers Wi-Fi for varied reasons, but the majority do so to provide secure connectivity to customers.

For instance, a retail establishment that wants everyone to use its application can charge nothing for a Wi-Fi connection to achieve a high attach rate. Good Wi-Fi makes shopping more enjoyable and encourages customers to browse longer and spend more time in the store and eventually buy more. It helps venue owners as well, enabling them to run their operations smoothly with the help of data and visitor analytics. It improves user experience and helps venues engage with customers better. It helps stadium visitors order food and watch replays. For enterprises that believe Wi-Fi authentication via Captive portals is the best way to engage customers, Passpoint took it one step higher and allowed the enterprises to send venue-specific information to the customers as well. Samsung even demonstrated a live OpenRoaming IDP service at MWC Barcelona, allowing Galaxy S9 and S10 devices to connect to the MWC’s venue Wi-Fi automatically and securely.

Consumers and businesses alike will notice a significant improvement in the Wi-Fi experience thanks to WBA OpenRoamingTM and Hotspot 2.0(aka Passpoint®). These technologies are creating new opportunities for broadband and Internet of Things (IoT) connectivity in a variety of business sectors, including retail, hospitality, education, smart cities, automotive, and aviation, among others.

We will get back to you!
We will get back to you!

More Blogs


Enquire Now

We will treat any information you submit with us as confidential

arrow back top