1 of 10

U-M eduroam Passpoint Proof of Concept

2 of 10

U-M Wi-Fi Landscape

  • Ann Arbor and Dearborn: Aruba
    • Interest in Passpoint for all buildings where there is no cellular DAS
  • Flint: Juniper Mist
  • Michigan Medicine: Cisco
    • Interest in Passpoint for outlying clinical buildings

3 of 10

Background

  • In early 2022, we learned of a few universities starting to implement Passpoint to authenticate smartphones using carrier SIMs on a trial basis
  • We had a long series of conversations with Aruba and peer universities on the Airpass solution and Michigan Medicine on the Cisco OpenRoaming solution
  • By late 2022, we decided to do a proof of concept as a Passpoint network operator - a learning opportunity!

4 of 10

PoC Questions

  • Can we do a direct Passpoint auth flow with a major carrier?
  • Can we avoid proliferating a new SSID across campus?
  • Can we do this in a vendor-neutral way?
  • Is this approach scalable?

5 of 10

PoC Status

  • Did direct RADIUS peering between U-M and SingleDigits
  • Deployed AT&T Passpoint authentication over eduroam SSID, issuing eduroam-visitor role to Passpoint devices
  • Seven U-M buildings - four public facing + ITS offices
  • 14,193 unique host MACs successfully authed in March 2023
  • Verizon expressing renewed interest

6 of 10

Passpoint Auth Architecture

https://www.researchgate.net/figure/LTE-network-architecture-The-MME-and-the-HSS-are-in-the-control-plane-and-the-S-GW-and_fig1_326155249

7 of 10

PoC Architecture

[Diagram. Labeled components: Smartphones; APs; Aruba WC cluster; Aruba Clearpass RADIUS cluster; UMnet; Internet; SingleDigits RADIUS clearinghouse/proxy; AT&T Cellular Core (HSS/P-GW). The label "RadSec" appears twice.]

8 of 10

Current Challenges

  • We don’t have a path to three carriers today
  • Scalability is a challenge - maintaining multiple Clearpass configs over time with multiple carrier clearinghouses
  • No uniform approach to using eduroam for this purpose

9 of 10

Proposal/Statement of Need

  • Is there interest in Internet2/eduroam providing a Passpoint clearinghouse function similar to what SingleDigits does for AT&T?
  • What if there were an “OpenRoaming for R&E” that let institutions opt in to allowing cellular carrier identity providers onto eduroam? This is the inverse of allowing OpenRoaming providers to become eduroam SPs
  • Doing direct bilateral authentication with every cellular carrier/SIM auth provider is not scalable
  • The hope is to avoid vendor lock-in and create a single RadSec tunnel to Internet2 for proxying on to third-party identity providers

10 of 10

Hypothetical Design Idea

[Diagram. Labeled components: Smartphones; APs; Aruba WC cluster; Aruba Clearpass RADIUS cluster; UMnet; Internet2 R&E clearinghouse/proxy; OpenRoaming or carrier RADIUS clearinghouse/proxy; Carrier X Cellular Core (HSS/P-GW); Carrier Y Cellular Core (HSS/P-GW); Carrier Z Cellular Core (HSS/P-GW). The label "RadSec" appears twice.]