Marie Maes authored e6c281fb

OpenRoaming: master thesis

Description

This repository contains all the useful materials developed for my master thesis on OpenRoaming. The thesis focuses on evaluating the potential of e-ID as an Identity Provider within the OpenRoaming federation and includes the implementation of a prototype.

Repository

A summary of the most important files can be found in the file tree below.

openroaming/
├── freeradius/3.0/
│   ├── users
│   ├── certs/ (not shown in gitlab)
│   ├── clients.conf
│   ├── sites-enabled/
│   │   ├── inner-tunnel
│   │   └── tls
│   ├── mods-enabled/
│   │   ├── eap
│   │   └── rest
│   ├── ...
│   └── README.md (not shown in gitlab)
├── auth-server/
│   ├── build.gradle.kts
│   ├── src/main/kotlin/com/exemple/
│   │   └── Application.kt
│   ├── ...
│   └── README.md (not shown in gitlab)
├── mobile-app/
│   ├── app/
│   │   ├── src/main/java/com/exemple/firebaseauth/
│   │   │   ├── auth/
│   │   │   ├── navigation/
│   │   │   ├── ui/
│   │   │   ├── utils/
│   │   │   └── MainActivity.kt
│   │   ├── build.gradle.kts
│   │   ├── google-services.json (not shown in gitlab)
│   │   └── ...
│   ├── build.gradle.kts
│   └── README.md (not shown in gitlab)
├── latex/
│   └── OpenRoaming.pdf
└── README.md

freeradius/3.0 folder

The EAP/RADIUS server is a FreeRADIUS instance configured with the REST module and an EAP-TTLS tunnel carrying PAP, reachable over RADSEC (RADIUS over TLS). Note that it runs on the server marie.tiedie.io (185.48.12.253).

Only modified files are provided in this repository. The other files are provided when FreeRADIUS is installed and are unchanged.

Install FreeRADIUS

Update your package list and install FreeRADIUS along with the REST module:

sudo apt-get update
sudo apt-get install freeradius freeradius-utils
sudo apt-get install freeradius-rest

Run FreeRADIUS in Debug Mode

To start FreeRADIUS in debug mode, use the following command:

freeradius -fxx -l stdout
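As an added illustration of the setup described above (example fragments, not the repository's own freeradius/3.0 files, which are only partially shown here), the configuration below shows how the three pieces fit together in FreeRADIUS 3.0: a RADSEC listener in sites-enabled/tls that only accepts peers with a certificate signed by the trusted CA, an EAP-TTLS definition in mods-enabled/eap that hands the inner PAP credential to the inner-tunnel virtual server, and a rest module that forwards that credential to the auth server for verification. The auth-server URL (http://127.0.0.1:8080), the /verify path, the JSON field names and the certificate file names are assumptions.

```conf
# --- sites-enabled/tls (assumed content): RADSEC listener, RADIUS over TLS on TCP/2083
listen {
    type = auth
    ipaddr = *
    port = 2083
    proto = tcp
    virtual_server = default
    clients = radsec

    tls {
        private_key_file = ${certdir}/server.key      # assumed file names
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        tls_min_version = "1.2"
        # Only peers presenting a certificate chained to ca.pem may open a tunnel;
        # without this any host on the Internet could send RADIUS traffic here.
        require_client_cert = yes
    }
}

# RADSEC peers are defined here, not in clients.conf. The secret is fixed to "radsec"
# by RFC 6614; the TLS client certificate is what actually authenticates the peer.
clients radsec {
    client openroaming-peer {
        ipaddr = 0.0.0.0/0
        proto = tls
        secret = radsec
    }
}

# --- mods-enabled/eap (assumed content): EAP-TTLS outer tunnel, inner credential is PAP
eap {
    default_eap_type = ttls

    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        tls_min_version = "1.2"
    }

    ttls {
        tls = tls-common
        # The inner User-Name/User-Password (PAP) is processed by the inner-tunnel
        # virtual server; it never leaves the TLS tunnel in clear text.
        virtual_server = "inner-tunnel"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        include_length = yes
    }
}

# --- mods-enabled/rest (assumed content): ask the auth server whether the credential is valid
rest {
    connect_uri = "http://127.0.0.1:8080"    # assumed auth-server address

    authenticate {
        uri = "${..connect_uri}/verify"      # assumed endpoint name
        method = 'post'
        body = 'json'
        # rlm_rest maps the HTTP status to a module return code: 2xx -> ok, 401/403 -> reject.
        data = '{ "username": "%{User-Name}", "password": "%{User-Password}" }'
    }
}

# --- sites-enabled/inner-tunnel (assumed content): route the inner PAP request to rest
server inner-tunnel {
    authorize {
        update control {
            &Auth-Type := rest
        }
    }

    authenticate {
        Auth-Type rest {
            rest
        }
    }
}
```

Because the inner request only exists inside the EAP-TTLS tunnel, the plain-text password reaches FreeRADIUS and the auth server but never the access point; the RADSEC listener's require_client_cert is what keeps untrusted ANPs from reaching the server at all. Running freeradius -fxx -l stdout as shown above prints each module's return code, which is the quickest way to confirm that the rest call is reached and that the auth server's reply is mapped to Access-Accept or Access-Reject.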

auth-server folder

The auth server has an embedded database that allows one to manage users and their credentials. It handles credential-verification requests for users who want to gain access to a network, and stores user tokens when they authenticate to the IDP. It exposes 3 endpoints.

Only modified files are provided in this repository. The other files are provided when the Kotlin project is set up.

Create a New Application

  1. Create a new project directory:

    mkdir auth-server
    cd auth-server
  2. Initialize the project with Gradle for a Kotlin application:

    gradle init --type kotlin-application
  3. Create the directory structure:

    mkdir -p src/main/kotlin/com/example
  4. Create the main application file:

    nano src/main/kotlin/com/example/Application.kt

Install RocksDB Tools

apt install rocksdb-tools

Build and Run the Application

  1. Clean the build directory:

    ./gradlew clean
  2. Build the project:

    ./gradlew build
  3. Run the application:

    ./gradlew run

mobile-app folder

This is the mobile application installed on the user's device; it must allow the user to authenticate with the IDP using either Google credentials or e-ID credentials. When the user is authenticated successfully, it must be able to download the OpenRoaming profile that will allow the device to seamlessly connect to OpenRoaming-enabled networks.

Android Studio was used to develop this mobile application. Only modified files are provided in this repository. The other files are provided when the project is set up via Android Studio.

latex folder

This folder simply contains the PDF generated from the LaTeX sources. This PDF is the submitted report for this thesis.

Abstract

In an era of growing need for network connectivity, traditional public Wi-Fi infrastructures face major limitations, as they are either insecure or inconvenient if they require manual logins. To address these security and accessibility challenges, many Wi-Fi networks are now integrating with Identity Providers (IDP) and Access Network Providers (ANP). The IDP securely manages user identities and credentials, enabling more reliable and secure Wi-Fi access based on user authentication, while the ANP manages network resources. OpenRoaming is a federation that enables easy Wi-Fi access across IDPs and ANPs. The goal of this project is to evaluate how e-ID, the Belgian electronic identity card, can become an IDP in the OpenRoaming federation so that citizens can get seamless and secure Wi-Fi access using their e-ID credentials. This integration enables citizens who authenticate with their e-ID credentials via a mobile application to gain secure Wi-Fi access in government buildings and private venues without any manual configuration or interaction with their phone's Wi-Fi settings. The project consists of three phases: (1) a theoretical study of OpenRoaming, e-ID, and related technologies, (2) the evaluation of potential approaches to integrate e-ID as an IDP, and finally (3) the development of a prototype. The components involved in this prototype include (a) a mobile application for the user to authenticate with e-ID, (b) an access point for managing Wi-Fi connections and forwarding authentication requests from the users, (c) an AAA server that includes an EAP/RADIUS server to communicate with the access point and a back-end server that communicates with the IDP, and finally (d) the IDP. The final prototype demonstrates a secure and user-friendly system in which an Android device, after successfully being authenticated via the mobile application, seamlessly connects to previously unknown Wi-Fi networks in a safe environment. This is achieved through a robust configuration involving WPA2 Enterprise, EAP-TTLS with PAP over a RADSEC tunnel, OpenID Connect, and the use of certificates across all components. This project successfully highlights how e-ID can become a reliable IDP in the OpenRoaming federation, addressing modern connectivity challenges while ensuring a secure user experience.

Keywords: OpenRoaming, e-ID, Identity Provider, Wi-Fi.