WBA OpenRoaming and Extreme Networks – A Departure from Captive Portals!


Most of us have experienced the tedium of connecting to Wi-Fi in public spaces: stores, coffee shops, airports and many other locations. From time to time we really need public Wi-Fi, sometimes because cellular coverage is poor, sometimes to conserve cellular data. The process usually means grappling with captive portals, which demand anything from a simple acceptance of terms to copious personal details. The frustration doesn't end there: most public networks forget us the moment we leave. Our devices may retain the SSID, but until we go through the authentication process again, internet access remains elusive. Captive portals are, by near-universal agreement, cumbersome.

Adding to this inconvenience, most captive portals operate on an open SSID, leaving the traffic between our devices and the infrastructure unencrypted over the air. Even with application-level encryption such as HTTPS, our online activity remains observable. Some use a VPN to secure their traffic, but the hassle of switching it on for every network connection dissuades many from using one regularly.

Enter the Wireless Broadband Alliance (WBA) with a game-changer: OpenRoaming. This technology offers seamless, secure Wi-Fi access without captive portals or manual password entry.

How Does OpenRoaming Work?

For end users it's remarkably simple. They install an OpenRoaming profile on their device's operating system, be it macOS, Windows, Android, iOS or Linux. Once installed, the profile grants access to any WBA OpenRoaming SSID worldwide, whatever the SSID is called. The profile typically remains valid for several years, until its certificate expires. It is hoped that future OS releases will ship an OpenRoaming profile by default, but at the time of writing none does.

For companies offering Wi-Fi access through WBA OpenRoaming, understanding the basics of the technology is key to getting started:

  • Identity Providers (IDPs): Services that handle user authentication and authorization and generate the unique user identities used to authenticate on different Wi-Fi networks. The profile installed on a client device is generated by the IDP.
  • Access Providers (APs): Wi-Fi networks that provide internet access to users. They are registered with the WBA OpenRoaming federation and comply with its protocols and security measures. ExtremeCloud IQ Controller, for instance, serves as an Access Provider.
  • Federation Hub: The central component of OpenRoaming. It acts as the mediator between IDPs and APs, ensuring seamless connectivity between users and Wi-Fi networks. The WBA OpenRoaming Federation serves as the Federation Hub.

[Figure: WBA OpenRoaming Federation]

Key Components of WBA OpenRoaming

  • IEEE 802.11u / Passpoint (Hotspot 2.0): This industry-standard amendment, part of the Wi-Fi CERTIFIED Passpoint program (also known as Hotspot 2.0), provides automatic network discovery and selection, seamless hotspot-to-hotspot roaming, and enhanced WPA3™ security.
  • Dynamic Peer Discovery (DPD): Simplifies roaming onto public Wi-Fi networks by letting Access Network Providers dynamically discover the servers and agents operated by Identity Providers, which greatly reduces configuration complexity.
  • WBA OpenRoaming PKI: Joining WBA OpenRoaming involves purchasing OpenRoaming PKI certificates. The PKI gives the federation a centralized policy authority that enables identity providers and Wi-Fi network providers to trust each other and deliver a secure Wi-Fi experience to users.
  • RadSec: Also known as RADIUS over TLS, RadSec establishes a secure tunnel between the network infrastructure (wireless controllers or access points) and the WBA OpenRoaming federation, so that RADIUS packets are transmitted encrypted.
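The DPD and RadSec bullets above describe what an Access Provider has to do for every authentication: find the Identity Provider responsible for the user's realm, then open an authenticated TLS tunnel to it. The script below is an added example, not code from Extreme Networks or the WBA, and it makes the following assumptions: discovery follows RFC 7585 (a NAPTR record on the realm with the service tag "aaa+auth:radius.tls.tcp" points at the realm's RADIUS/TLS server, either through an SRV record, flag "S", or a host name, flag "A"), RadSec uses TCP port 2083 by default (RFC 6614), and DNS is replaced by constructed in-memory tables so the script runs offline. All realm and host names are made up.

```python
"""Dynamic peer discovery and a RadSec TLS context for an Access Provider.

Added example; not code from Extreme Networks or the WBA. Assumptions:
- Discovery follows RFC 7585: a NAPTR record on the user's realm with the
  service tag "aaa+auth:radius.tls.tcp" names the realm's RADIUS/TLS server,
  either via an SRV record (flag "S") or a host name (flag "A").
- RadSec uses TCP port 2083 by default (RFC 6614).
- DNS is replaced by constructed in-memory tables so the script runs offline.
"""
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"
RADSEC_DEFAULT_PORT = 2083


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample DNS data keyed by realm / SRV name (not real records).
SAMPLE_NAPTR = {
    "idp.example": [
        Naptr(50, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.idp.example."),
        Naptr(50, 20, "S", "aaa+auth:radius.tls.tcp", "_radiustls-backup._tcp.idp.example."),
        Naptr(10, 10, "S", "aaa+auth:radius.udp", "_radius._udp.idp.example."),
    ],
    "direct.example": [
        Naptr(10, 10, "A", "aaa+auth:radius.tls.tcp", "radsec.direct.example."),
    ],
    "legacy.example": [
        Naptr(10, 10, "S", "aaa+auth:radius.udp", "_radius._udp.legacy.example."),
    ],
}
SAMPLE_SRV = {
    "_radiustls._tcp.idp.example.": [
        Srv(20, 0, 2083, "radsec2.idp.example."),
        Srv(10, 0, 2083, "radsec1.idp.example."),
    ],
    "_radiustls-backup._tcp.idp.example.": [
        Srv(10, 0, 12083, "radsec3.idp.example."),
    ],
}


def realm_of(identity: str) -> Optional[str]:
    """Realm part of an NAI such as 'anonymous@idp.example' (RFC 7542)."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


def discover_radsec(realm, naptr_lookup=SAMPLE_NAPTR.get,
                    srv_lookup=SAMPLE_SRV.get) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the realm's RadSec server, or None when the realm
    advertises no RADIUS/TLS service (plain RADIUS/UDP is deliberately ignored)."""
    candidates = [
        r for r in (naptr_lookup(realm) or [])
        if r.service.lower() == RADSEC_SERVICE and r.flags.upper() in ("S", "A")
    ]
    if not candidates:
        return None
    # Lowest order wins, then lowest preference.
    best = min(candidates, key=lambda r: (r.order, r.preference))
    if best.flags.upper() == "A":
        return best.replacement.rstrip("."), RADSEC_DEFAULT_PORT
    srv = srv_lookup(best.replacement) or []
    if not srv:
        return None
    # Lowest priority first; weight-based load sharing is omitted here.
    chosen = min(srv, key=lambda s: s.priority)
    return chosen.target.rstrip("."), chosen.port


def build_radsec_context(ca_file=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """TLS settings for the RadSec leg: the federation CA (ca_file) is the trust
    anchor, the peer certificate is mandatory and checked against the discovered
    host name, and the AP presents its own OpenRoaming PKI certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


if __name__ == "__main__":
    for user in ("anonymous@idp.example", "anonymous@direct.example", "anonymous@legacy.example"):
        print(user, "->", discover_radsec(realm_of(user)))
```

The realm that only publishes a RADIUS/UDP record is rejected on purpose: falling back to unencrypted RADIUS would expose the EAP exchange and the RADIUS shared secret to the transit networks between the Access Provider and the IDP, which is exactly what the RadSec requirement exists to prevent.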

User Data Protection with WBA OpenRoaming

OpenRoaming uses TLS encryption to safeguard user data from unauthorized access, and it follows GDPR practices.

Certificate-based authentication verifies the identity of users, IDPs and APs, creating a complete end-to-end secure communication framework.

In essence, WBA OpenRoaming bids farewell to the hassles of captive portals and provides a seamless, secure Wi-Fi experience for users globally.

A video tutorial explaining how to configure WBA OpenRoaming with ExtremeCloud IQ Controller, including client-side configuration details, is available here:

About the Author
Yury Ostrovsky
Sr. Product Manager, Alliance PLM

Yury Ostrovsky is a Sr. Product Manager in the Extreme Alliance. Yury helps sales teams with technical solutions all over the globe.
