Every day, billions of people encounter the same frustrating ritual: arrive at a new location, search for the Wi-Fi network, navigate a captive portal, enter credentials or accept terms, and hope the connection actually works. This experience is so universally tedious that many users simply give up and consume mobile data instead.
OpenRoaming changes this completely. Built on Passpoint (Hotspot 2.0) technology and governed by the Wireless Broadband Alliance (WBA), OpenRoaming creates a global Wi-Fi roaming federation. Once enrolled, devices connect automatically and securely to participating networks worldwide - the same seamless experience you expect from cellular networks, now available for Wi-Fi.
What Is OpenRoaming?
OpenRoaming is an industry initiative that enables automatic, secure Wi-Fi connectivity across a global network of participating access points. Think of it as a "Wi-Fi roaming alliance" - similar to how your mobile phone seamlessly connects to partner networks when traveling internationally.
The system works through three key components:
- Identity Providers: Organizations that authenticate users and issue credentials (enterprises, carriers, identity services)
- Access Network Providers: Venues and operators that deploy OpenRoaming-enabled Wi-Fi (airports, hotels, stadiums, cities)
- Federation: The WBA-managed trust framework that connects identity and access providers
OpenRoaming by the Numbers
- Over 3 million hotspots worldwide
- 130+ countries with OpenRoaming coverage
- Major deployments in airports, stadiums, retail chains, and smart cities
- Supported natively on iOS, Android, Windows, and macOS
How OpenRoaming Works
The technology behind OpenRoaming builds on established standards, primarily Passpoint (Wi-Fi Alliance Hotspot 2.0) and RADIUS federation. Here's the connection flow:
- Device Discovery: When a device enters range of an OpenRoaming-enabled network, it detects the Passpoint-capable SSID and reads the network's advertised realm information through ANQP (Access Network Query Protocol)
- Credential Matching: The device checks if it has valid credentials for any of the realm identifiers advertised by the network
- Automatic Connection: If credentials match, the device initiates a secure EAP-TLS or EAP-TTLS connection - no user interaction required
- Authentication: The access network routes the authentication request through the OpenRoaming federation to the user's identity provider
- Session Established: Upon successful authentication, the device receives a secure, encrypted connection with unique session keys
The entire process happens in seconds, completely transparently to the user. From their perspective, the device simply connects to Wi-Fi automatically whenever they enter a participating venue.
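The credential-matching step in the flow above, as an added Python example (not code from the original article or from any Passpoint implementation). It goes slightly beyond the text by also matching on roaming consortium OIs, which Passpoint devices use alongside realms. The data model, realms, OIs and profile names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

EAP_PREFERENCE = ("EAP-TLS", "EAP-TTLS")  # the two methods named in the flow above

@dataclass(frozen=True)
class Profile:                  # one installed Passpoint credential (hypothetical model)
    name: str
    realm: str                  # home realm of the identity provider
    eap_methods: frozenset      # methods this credential can be used with
    roaming_ois: frozenset      # roaming consortium OIs the profile accepts
    expires: date

@dataclass(frozen=True)
class Advertisement:            # what the device learned from the network via ANQP
    nai_realms: dict            # realm -> frozenset of EAP methods offered for it
    roaming_ois: frozenset

def pick_eap(methods):
    """Return the most preferred EAP method present in `methods`, or None."""
    return next((m for m in EAP_PREFERENCE if m in methods), None)

def select_profile(profiles, adv, today):
    """Return (profile name, EAP method, match reason), or None if nothing matches."""
    for p in profiles:
        if p.expires < today:
            continue                              # expired credentials never match
        for realm, offered in adv.nai_realms.items():
            if realm.lower() == p.realm.lower():  # realms compare case-insensitively
                method = pick_eap(p.eap_methods & offered)
                if method:
                    return p.name, method, "nai-realm"
        if p.roaming_ois & adv.roaming_ois:       # federation-level match
            method = pick_eap(p.eap_methods)
            if method:
                return p.name, method, "roaming-consortium"
    return None                                   # no match: do not auto-connect

# Constructed sample data: realms and OIs are placeholders, not real identifiers.
PROFILES = [
    Profile("old-corp", "corp.example", frozenset({"EAP-TLS"}), frozenset(), date(2020, 1, 1)),
    Profile("loyalty", "hotel.example", frozenset({"EAP-TTLS"}), frozenset({"AABBCC0000"}), date(2099, 1, 1)),
]
VENUE = Advertisement({"Hotel.Example": frozenset({"EAP-TLS", "EAP-TTLS"})}, frozenset({"AABBCC0000"}))
FEDERATED = Advertisement({"airport.example": frozenset({"EAP-TLS"})}, frozenset({"AABBCC0000"}))
UNKNOWN = Advertisement({"cafe.example": frozenset({"EAP-TTLS"})}, frozenset({"112233"}))

if __name__ == "__main__":
    for adv in (VENUE, FEDERATED, UNKNOWN):
        print(select_profile(PROFILES, adv, date(2025, 1, 1)))
```

A `None` result is the case that matters for security: the device stays off the network instead of falling back to an unauthenticated join.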
OpenRoaming vs. Traditional Captive Portals
The contrast between OpenRoaming and conventional captive portal Wi-Fi reveals why major venues are rapidly adopting federated authentication. For a detailed side-by-side analysis, see our Passpoint vs. Captive Portals comparison.
| Aspect | Captive Portal | OpenRoaming |
|---|---|---|
| User Experience | Manual login every visit | Automatic, instant connection |
| Security | Often unencrypted until login | Encrypted from first packet |
| Evil Twin Protection | Vulnerable - no server verification | Mutual authentication prevents spoofing |
| Cross-Venue Roaming | Separate login at each location | One enrollment, global access |
| Device Compatibility | Works on all devices | iOS, Android, Windows, macOS native |
| IoT Support | Difficult - requires browser | Headless devices supported |
| Data Collection | Per-venue registration | Privacy-preserving pseudonymous IDs |
The Security Advantage
OpenRoaming addresses fundamental security weaknesses inherent in open Wi-Fi networks and captive portals.
Encryption from Connection Start
Traditional captive portals transmit all traffic unencrypted until the user completes login - sometimes for several minutes while they navigate terms pages and enter credentials. During this window, an attacker can intercept DNS queries, inject malicious redirects, or capture sensitive data. OpenRoaming establishes WPA2/WPA3 encryption before any user data is transmitted.
Mutual Authentication
With captive portals, devices have no way to verify they're connecting to the legitimate network. An attacker can easily create an "evil twin" with the same SSID. OpenRoaming's Passpoint foundation requires the network to present a valid certificate that the device verifies before connecting - the same protection that HTTPS provides for websites.
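The server check described above only blocks an evil twin if the profile pins both a trust anchor and a server name. The following added Python example (a simplified model, not code from the article or from any supplicant) shows the decision and the label-boundary pitfall in name matching. Chain validation is assumed to have been done by the TLS stack and is represented by the name of the root it validated to; all names are constructed.

```python
def suffix_match(name, suffix):
    """Case-insensitive DNS suffix match that compares whole labels."""
    n = name.lower().rstrip(".").split(".")
    s = suffix.lower().rstrip(".").split(".")
    return len(n) >= len(s) and n[-len(s):] == s

def check_server(chain_anchor, san_dns_names, pinned_anchor, pinned_suffix):
    """Decide whether the authentication server seen during EAP is acceptable.

    chain_anchor  -- root the presented chain validated to, or None if it did not
    san_dns_names -- dNSName entries from the server certificate
    pinned_*      -- constraints carried in the device's profile
    """
    if not pinned_anchor or not pinned_suffix:
        return "reject: profile has no server constraints"
    if chain_anchor != pinned_anchor:
        return "reject: untrusted issuer"
    if not san_dns_names:
        return "reject: no dNSName to compare"
    if not any(suffix_match(n, pinned_suffix) for n in san_dns_names):
        return "reject: name mismatch"
    return "accept"

# Constructed sample values.
ROOT = "Example Federation Root"
LEGIT = ["aaa1.idp.example"]
LOOKALIKE = ["aaa1.evilidp.example"]   # passes a naive str.endswith("idp.example")

if __name__ == "__main__":
    print(check_server(ROOT, LEGIT, ROOT, "idp.example"))
    print(check_server(ROOT, LOOKALIKE, ROOT, "idp.example"))
    print(check_server(None, LEGIT, ROOT, "idp.example"))
```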
Credential Protection
Captive portal credentials (email, phone, social login tokens) are often transmitted insecurely or stored with minimal protection. OpenRoaming uses enterprise-grade EAP authentication - credentials never leave the user's identity provider, and session tokens are cryptographically bound to each connection.
Why This Matters
Security researchers regularly demonstrate attacks on public Wi-Fi that exploit the captive portal model. From credential harvesting to session hijacking, the attack surface of traditional guest networks is substantial. OpenRoaming's federated authentication model eliminates entire categories of these vulnerabilities.
Enterprise Benefits of OpenRoaming
For organizations deploying Wi-Fi infrastructure, OpenRoaming offers operational advantages beyond improved user experience.
Reduced Support Burden
Captive portal issues generate significant support requests: login pages not loading, sessions expiring, credentials not accepted. OpenRoaming connections work automatically, eliminating this friction point. Venues report 70-80% reductions in Wi-Fi-related support tickets after OpenRoaming deployment.
Higher Network Utilization
When connection is frictionless, more users actually use the Wi-Fi. This increases the value of venue connectivity investments and reduces cellular offload failures. Airports implementing OpenRoaming see 40-50% increases in Wi-Fi adoption compared to captive portal systems.
Privacy-Compliant Data Handling
Traditional captive portals collect personal information (email, phone, name) that creates GDPR and privacy compliance obligations. OpenRoaming authenticates through pseudonymous identifiers - the venue knows a valid user connected but doesn't necessarily receive personally identifiable information. This simplifies compliance while maintaining accountability.
IoT and Headless Device Support
Connected devices without browsers - sensors, displays, kiosks, medical equipment - cannot navigate captive portals. These devices either require special network configurations or simply don't work on guest networks. OpenRoaming enables any device with proper credentials to connect automatically, expanding the use cases for venue Wi-Fi.
Implementing OpenRoaming
Organizations can participate in OpenRoaming as identity providers (issuing credentials), access providers (offering connectivity), or both. Here's what each role requires:
As an Access Network Provider
Venues wanting to offer OpenRoaming connectivity need:
- Passpoint-capable access points: Most enterprise-grade APs manufactured after 2018 support Passpoint
- RADIUS infrastructure: To route authentication requests to the OpenRoaming federation
- WBA membership: To join the federation and receive routing credentials
- Certificates: For mutual authentication with connecting devices
As an Identity Provider
Organizations issuing OpenRoaming credentials to users need:
- RADIUS server: To authenticate users against your identity store
- Provisioning system: To enroll devices with Passpoint profiles (often via MDM or OSU)
- WBA membership: To establish trust with access network providers
- User management: Integration with existing identity systems (AD, IdP, etc.)
Cloud-Based Options
Cloud RADIUS services can significantly simplify OpenRoaming deployment. Rather than building federation infrastructure in-house, organizations can leverage managed services that handle WBA integration, certificate management, and global routing automatically.
OpenRoaming Settlement and Business Models
One question frequently arises: who pays for OpenRoaming connectivity? The WBA framework supports multiple settlement models:
Settlement-Free Roaming
The most common model for enterprise deployments. Identity providers and access providers agree to mutual connectivity without financial settlement - each benefits from the expanded network without transaction costs. This works well when the value exchange is balanced (e.g., a hotel chain providing connectivity to its loyalty members).
Settled Roaming
For high-value connectivity scenarios, the federation supports financial settlement between providers. An identity provider might pay access providers for premium connectivity, or access providers might charge for bandwidth-intensive use cases. The WBA clearinghouse facilitates these transactions.
Sponsored Access
Enterprises can sponsor OpenRoaming access for their employees or customers across participating venues. This enables scenarios like "our corporate users connect automatically at any OpenRoaming airport" without per-venue agreements.
Device Enrollment Methods
Getting Passpoint profiles onto user devices is the main deployment consideration. Several approaches work:
MDM Deployment
For managed devices, Mobile Device Management platforms (Intune, Jamf, Workspace ONE) can push Passpoint profiles automatically. This is the most seamless approach for enterprise fleets - users receive credentials without any action required.
Online Sign-Up (OSU)
The Passpoint specification includes Online Sign-Up, a standardized method for users to self-enroll. When a device detects an OSU-capable network, it can guide the user through enrollment and provision credentials automatically. This works well for consumer-facing deployments.
App-Based Provisioning
Mobile applications can install Passpoint profiles after user authentication. This suits scenarios where users already have a relationship with the identity provider through an app (loyalty programs, membership organizations, carriers).
QR Code Enrollment
Physical QR codes can trigger profile installation on compatible devices. This bridges digital enrollment with physical spaces - a hotel could display QR codes at check-in that provision guests with credentials valid for their stay.
Deploy OpenRoaming with IronWiFi
IronWiFi provides cloud-based OpenRoaming infrastructure for both identity providers and access networks. Get started with global Wi-Fi roaming without building federation infrastructure.
Real-World OpenRoaming Deployments
OpenRoaming adoption is accelerating across multiple verticals:
Airports
Major airports including Singapore Changi, London Heathrow, and dozens of US airports offer OpenRoaming. Frequent travelers can move between terminals and airports without repeated logins - their devices connect seamlessly as they move through the facility.
Stadiums and Arenas
Large venues with tens of thousands of simultaneous users benefit enormously from eliminating captive portal bottlenecks. OpenRoaming spreads connection load evenly and reduces the login surge that occurs when gates open.
Smart Cities
Municipal Wi-Fi deployments use OpenRoaming to provide seamless connectivity across parks, transit, and public spaces. Citizens enrolled once can connect anywhere in the city network automatically.
Hospitality Chains
Hotel groups are deploying OpenRoaming to provide consistent connectivity across properties. Loyalty program members receive credentials that work at any affiliated property - a significant differentiator for business travelers.
Enterprise Campus
Organizations with multiple locations use OpenRoaming to enable employees to roam between facilities without VPN reconnection or network reconfiguration. Combined with certificate-based authentication, this provides both security and convenience.
The Future of OpenRoaming
Several developments are expanding OpenRoaming's capabilities and reach:
Carrier Integration
Mobile operators are increasingly participating in OpenRoaming, offering their subscribers automatic Wi-Fi offload at participating venues. This reduces cellular network load while providing better indoor coverage for users.
Wi-Fi 6E and Wi-Fi 7
New spectrum in 6 GHz bands provides even more capacity for OpenRoaming networks. Combined with higher speeds and lower latency, this makes federated Wi-Fi viable for applications that previously required dedicated connections.
Converged Identity
As enterprises adopt unified identity platforms (Azure AD, Okta, Google Workspace), OpenRoaming credentials can be tied directly to corporate identity. Employees connecting to any participating network are authenticated against the same identity system that controls their application access.
IoT Credential Management
Standards for managing OpenRoaming credentials on headless IoT devices are maturing. This will enable scenarios like deployed sensors automatically connecting to available networks as they're moved between locations.
Getting Started with OpenRoaming
For organizations evaluating OpenRoaming, the deployment path depends on your role in the ecosystem:
If you operate venues with Wi-Fi: Start by assessing your current access point capabilities for Passpoint support. Most enterprise equipment from major vendors supports Hotspot 2.0. Then evaluate cloud RADIUS options that include OpenRoaming federation - this avoids the complexity of direct WBA integration.
If you want to provide credentials to users: Consider whether MDM-based provisioning or self-service enrollment fits your use case. For managed device fleets, MDM integration provides the smoothest deployment. For broader user populations, Online Sign-Up portals enable self-enrollment.
If you want both: Many organizations benefit from being both identity and access providers. Your employees get seamless access at your facilities, and you can extend the same convenience to partner locations through the federation.
Conclusion
OpenRoaming represents a fundamental shift in how we think about Wi-Fi connectivity. Rather than treating each network as an isolated island requiring separate credentials, OpenRoaming creates a global mesh where authentication happens once and access follows the user.
For users, this means the end of captive portal friction - devices simply connect wherever they go. For enterprises, it means reduced support burden, better security, and the ability to offer connectivity that matches modern expectations.
The infrastructure exists, the standards are mature, and adoption is accelerating. The question for organizations isn't whether OpenRoaming is ready - it's whether you're ready to leave captive portals behind.
