WISP Roaming Agreement Deployments
Updated: March 31, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In some circumstances, two or more wireless ISPs might find it beneficial to create a roaming agreement that allows customers from one WISP to connect to the Internet through the Wi-Fi hotspots owned and operated by the other WISP or WISPs.
For example, one WISP might operate Wi-Fi hotspots in the food court at an airport, while another WISP operates Wi-Fi hotspots at the boarding gates of the same airport. By entering into a roaming agreement, the WISPs provide their customers with the ability to sign up at the food court WISP, roam to the boarding gate WISP, and remain connected to the Internet.
The following two graphics illustrate how a roaming agreement works when two WISPs offer services to customers at the same physical location.
In the illustration below, a new customer connects to WISP_1 at a Wi-Fi hotspot located in the food court of an airport, then roams to the airport boarding gates and connects to an AP at a Wi-Fi hotspot owned and operated by WISP_2.
The following text describes the numbered process in the illustration above:
1. A new customer arrives at the airport food court and connects to WISP_1. The customer runs the sign-up wizard, and creates and pays for an account with WISP_1.
2. The customer is authenticated and authorized by the WISP_1 IAS server and is granted access to the Internet.
3. The WISP_1 customer walks from the airport food court to the airport boarding gates.
4. The WISP_2 AP SSID exists in the WISP_1 SSID XML subfile, and the WISP_1 customer’s computer associates with the WISP_2 AP. WPS technology on the client computer automatically begins the authentication process using credentials from the WISP_1 account created at the food court.
5. The WISP_2 IAS proxy is configured to forward access requests containing the WISP_1 realm name to the WISP_1 IAS server. The WISP_1 customer Access-Request message is therefore forwarded to the WISP_1 IAS server.
6. The WISP_1 IAS server authenticates and authorizes the user, and sends an Access-Accept message to the WISP_2 IAS proxy. The WISP_2 IAS proxy forwards the Access-Accept to the AP.
7. The WISP_1 customer is granted access to the Internet through the AP owned and operated by WISP_2.
If you have a WISP that you want to configure for use with WPS technology, you can use the scenarios depicted in this paper to deploy the technology. If you want to establish a roaming agreement with another WISP, you can perform the additional steps that follow.
Key roaming agreement configuration steps
If your WISP (WISP_1) has a roaming agreement with another WISP (WISP_2) that allows your customers to connect to the Internet through WISP_2 APs, perform the following steps:
1. Add SSIDs that are advertised by WISP_2 APs to your SSID XML subfile. For more information, see “Using the WPS Authoring Tool” at http://go.microsoft.com/fwlink/?LinkId=41067.
2. Configure the WISP_2 IAS proxy as a RADIUS client on your IAS server. When your customers connect to WISP_2 APs, the WISP_2 IAS proxy forwards authentication requests to your IAS server for authentication and authorization. For more information, see “To add RADIUS clients” at http://go.microsoft.com/fwlink/?LinkId=20031 and “To configure the Message Authenticator attribute and shared secret” at http://go.microsoft.com/fwlink/?LinkId=20032.
3. Configure IAS logging to provide session correlation so that you can effectively use the IAS logs for billing purposes. For more information, see “Remote Access Logging” at http://go.microsoft.com/fwlink/?LinkId=41038 and “Deploying SQL Server Logging with Windows Server 2003 Internet Authentication Service (IAS)” at http://go.microsoft.com/fwlink/?LinkId=41039.
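The check that the RADIUS client step above sets up on the WISP_1 server, as an added example (not Microsoft's code and not part of the original page): a request is accepted only if it comes from a configured RADIUS client and its Message-Authenticator attribute, computed as HMAC-MD5 per RFC 2869, verifies under that client's shared secret. The proxy address, shared secret and user name are constructed.

```python
import hashlib
import hmac
import struct

# Constructed values: the proxy address and shared secret are placeholders.
RADIUS_CLIENTS = {"192.0.2.10": b"constructed-shared-secret"}
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869


def build_access_request(identifier, user_name, secret, request_auth):
    """Proxy side: Access-Request with User-Name and a signed attribute 80."""
    user = user_name.encode()
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed while signing
    packet = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def find_message_authenticator(packet):
    """Return the offset of the attribute 80 value, or None if absent or malformed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    pos, found = 20, None
    while pos < len(packet):
        if pos + 2 > len(packet):
            return None
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return None
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or found is not None:
                return None
            found = pos + 2
        pos += a_len
    return found


def accept_request(source_ip, packet):
    """Server side: known RADIUS client and valid HMAC-MD5 keyed with its secret."""
    secret = RADIUS_CLIENTS.get(source_ip)
    offset = find_message_authenticator(packet)
    if secret is None or offset is None:
        return False
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[offset:offset + 16], expected)
```

A request that arrives from an address outside the client table, lacks the attribute, or was altered in transit is dropped before any credential processing takes place.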
WISP_2 allows customers of WISP_1 to connect to WISP_2 APs. WISP_2 uses IAS as a RADIUS proxy, including the use of connection request policy and a remote RADIUS server group, to identify WISP_1 customers and forward their access requests to the IAS server at WISP_1 for authentication and authorization.
If your WISP functions as WISP_2 in the roaming agreement scenario, perform the following steps:
1. Create a remote RADIUS server group that contains the IAS servers for WISP_1. In the IAS console, run the New Remote RADIUS Server Group wizard: in Connection Request Processing, right-click Remote RADIUS Server Groups, and then click New Remote RADIUS Server Group. After you have run the New Remote RADIUS Server Group wizard, the New Connection Request Policy wizard is automatically launched.
2. Create a connection request policy that forwards WISP_1 customer connection requests to the WISP_1 IAS server. In the IAS console, run the New Connection Request Policy wizard and create a new connection request policy that is configured to Forward connection requests to a remote RADIUS server for authentication. In Realm name, type the realm name of WISP_1. For example, if the realm name for WISP_1 is example.com, type example.com.
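How the WISP_2 proxy's realm decision plays out, as an added example rather than IAS code: each policy is modelled as a full-string match on User-Name (an assumption of this sketch, not a statement of how the wizard stores the realm), with a loose unanchored pattern beside it to show why look-alike realms must not reach the roaming partner. The wisp2.example realm, the group name and the user names are constructed.

```python
import re

# Constructed policy list for the WISP_2 proxy, evaluated in order.
# Each entry: (User-Name pattern, action, target). All names are hypothetical.
POLICIES = [
    (re.compile(r"[^@\\]+@example\.com", re.IGNORECASE), "forward", "WISP_1 server group"),
    (re.compile(r"[^@\\]+@wisp2\.example", re.IGNORECASE), "local", None),
]

# A loose pattern of the kind to avoid: unanchored, with an unescaped dot.
LOOSE = re.compile(r"example.com", re.IGNORECASE)


def route(user_name):
    """Return (action, target) for a User-Name; reject when no policy matches."""
    for pattern, action, target in POLICIES:
        if pattern.fullmatch(user_name):  # whole string must match, no suffix tricks
            return action, target
    return "reject", None


def loosely_forwarded(user_name):
    """True when the loose pattern would have sent this request to WISP_1."""
    return LOOSE.search(user_name) is not None


if __name__ == "__main__":
    for name in ("alice@example.com", "bob@wisp2.example",
                 "mallory@example.com.invalid", "eve@examplexcom", "carol"):
        print(f"{name:30} strict={route(name)[0]:8} loose={loosely_forwarded(name)}")
```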