OpenRoaming with Central NAC

This will be a day long remembered

In only a few minutes you can set up HPE Aruba Networking Central NAC to allow anyone with an OpenRoaming profile to connect to your Wi-Fi network.

Central NAC will perform the Access Network Provider (ANP) role in the OpenRoaming ecosystem, functioning as a RadSec proxy for authentication to the user’s home Identity Provider (IDP).

This will be a short post because it literally took me five mins to set up and test this after hearing it is now possible.

When in Roam

I already had the Purple OpenRoaming profile installed on my phone, but any OpenRoaming profile will do.

See my previous blog post for more info: Purple offers OpenRoaming for free (as in beer!).

If you’re an iOS user you can download the OpenRoaming App from the app store, or for Android you can connect with a native Google account profile straight from your device.

There is also OpenRoaming Connect that you can use to try out OpenRoaming.

Hold my beer

1. Create a WLAN Profile, the SSID can be called anything you like (literally that, if you want).

Pick WPA3-Enterprise (because friends don’t let friends configure WPA2-Enterprise), select Central NAC and check Air Pass.

2. Like the small ‘i’ says, head over to Air Pass in Central NAC and create an Air Pass Profile.

Select the built-in OpenRoaming (All) provider, select your Network and Site from the drop-down menu, enter your domain name, select site type and click Create.

You can also create a new Air Pass Provider with a custom RCOI and Realm list if you’d prefer.

3. And you’re done. I’ll have my beer back now thanks.

PCAPs or it didn’t happen

A good post wouldn’t be complete without a packet capture using the famous MetaGeek Colouring Profile.

Here you can see my device authenticating using EAP-TTLS with an anonymous outer identity courtesy of Purple.

The green EAP Success pretty much sums it up.

Wi-Fi, Wi-Fi, Wi-Fi the Explorer

Here is another screenshot from Wi-Fi Explorer Pro for good measure:

Closing Time

For more information, head to HPE Aruba Networking Central Online Help.

Purple offers OpenRoaming for free (as in beer!)

Roam if you want to

If you operate a network that offers free public access, please consider enabling OpenRoaming as another way to connect. You can learn more about OpenRoaming itself here. It is hands-down the BEST way to offer fast, frictionless, free and secure Wi-Fi for users.

In an effort to accelerate global adoption of OpenRoaming, Purple has recently started offering it as part of their free subscription tier for any business to use.

https://www.globenewswire.com/news-release/2025/11/21/3192859/0/en/Purple-s-free-initiative-to-accelerate-OpenRoaming-adoption-for-businesses.html

You can use this in one of two ways:

  1. Advertise an OpenRoaming capable SSID, using Purple’s authentication servers (Purple is performing the ANP function).
  2. Provision your device with a credential profile allowing it to connect to OpenRoaming networks all over the world (Purple is performing the IDP function).

Access Network Provider (ANP) setup

If you want to support OpenRoaming, here’s what you need to do:

  1. Sign up for a Purple Connect account here
  2. Set up a new Location
  3. Add your AP MAC Addresses and model
  4. View the manual and follow the instructions for ‘PurpleConnex’ (the Purple app which supports OpenRoaming)

To summarise, you need to configure:

  • An SSID that supports WPA2/3 Enterprise authentication
  • Hotspot 2.0 / Passpoint configuration with Purple’s NAI Realm and EAP configuration
  • Purple authentication servers using RadSec
  • Enable RADIUS Accounting
  • Include the AP’s MAC Address as Called Station ID
  • Purple’s RadSec Server Root CA certificate (this wasn’t in the HPE Aruba instructions, but necessary)

Once configured, any OpenRoaming device that is configured to use either of the below RCOIs will be able to connect!

Here is what my test SSID looks like:

Using Purple credentials to connect to an existing OpenRoaming network

If you want to provision your device using Purple as an IDP to connect to an existing OpenRoaming network, here’s what you need to do:

  1. Download the PurpleConneX app on your device
  2. Create and login with a free account
  3. Accept the prompt to add a new network profile to your device

Your device will then automatically connect to any SSID that advertises the WBA RCOI (5A03BA).
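To check from a capture that an SSID really advertises that RCOI, the following added example (not from the original post or from Purple) parses the 802.11 Roaming Consortium element (ID 111) out of a beacon's tagged parameters. The sample bytes are constructed, and treating longer OIs that begin with 5A03BA as a match is an assumption of this example.

```python
ROAMING_CONSORTIUM_ID = 111          # IEEE 802.11 Roaming Consortium element
WBA_RCOI = bytes.fromhex("5A03BA")   # RCOI quoted in the post


def iter_elements(ies: bytes):
    """Yield (element_id, body) for each tagged element in a beacon's IE blob."""
    pos = 0
    while pos < len(ies):
        if pos + 2 > len(ies):
            raise ValueError("truncated element header")
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element body")
        yield eid, body
        pos += 2 + length


def parse_roaming_consortium(body: bytes):
    """Return (anqp_oi_count, [oi, ...]) from the body of element 111."""
    if len(body) < 2:
        raise ValueError("Roaming Consortium element too short")
    anqp_count, lengths = body[0], body[1]
    len1, len2 = lengths & 0x0F, lengths >> 4   # low nibble OI #1, high nibble OI #2
    rest = body[2:]
    if len1 + len2 > len(rest):
        raise ValueError("OI lengths exceed element body")
    # OI #3 has no length field: it is whatever remains after OI #1 and OI #2.
    ois = [rest[:len1], rest[len1:len1 + len2], rest[len1 + len2:]]
    return anqp_count, [oi for oi in ois if oi]


def advertised_rcois(ies: bytes):
    """Collect every OI from all Roaming Consortium elements in the blob."""
    found = []
    for eid, body in iter_elements(ies):
        if eid == ROAMING_CONSORTIUM_ID:
            found.extend(parse_roaming_consortium(body)[1])
    return found


def advertises_wba_rcoi(ies: bytes) -> bool:
    # Assumption: a longer OI that starts with the same three bytes also counts.
    return any(oi.startswith(WBA_RCOI) for oi in advertised_rcois(ies))


# Constructed sample: SSID "Guest", then element 111 with OIs AABBCC and 5A03BA.
SAMPLE_IES = bytes.fromhex("00054775657374" "6f08" "0033" "aabbcc" "5a03ba")
```

Only the first three OIs fit in the beacon element; an AP that has more advertises the rest via ANQP, which the first byte of the element counts.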

Here is a packet capture showing a PurpleConneX provisioned device connecting to an SSID using the WBA OpenRoaming RADIUS test server.

Challenge to networking vendors

Purple have made the first move by offering OpenRoaming for free.

I believe all cloud managed networking vendors should offer a drop-down option to enable OpenRoaming on an SSID with a hosted RadSec Proxy / ANP for no additional licensing cost.

Also Apple and Microsoft, please include device native OpenRoaming functionality as an option to use the account that is signed into the device. This is already possible with a Google account on Android.

Only when OpenRoaming is free for users, simple for administrators to deploy, and simple to use will we see the uptake of this awesome technology.