On-Campus Roaming

Available for: Android 2.6.0 and later clients

If On-Campus Roaming (OCR) is enabled, users can log in to a corporate network with an 802.1x connection. Although Wi-Fi is ubiquitous, security and authentication standards may vary widely from location to location. OCR enables users to be more productive on a far-flung corporate campus, and allows easy access for guests and contractors, without needing to use multiple connection managers.

Campus hotspots are automatically detected and presented as Wi-Fi networks. Users can log in using their regular Open Mobile credentials. Open Mobile sets the proper SSID and security method.

In order for a user to connect to an 802.1x network, the network must be included in a custom directory, and the directory included in an Open Mobile profile installed on the user's device.

Open Mobile for Android supports the PEAP-MSCHAPV2 and TTLS-MSCHAPV2 authentication types (both with and without certificate authentication) for use with OCR.

OCR networks will be displayed in Open Mobile with the custom networks icon.

Forced Auto-Connect: If the Forced Auto-Connect option is enabled for the directory, users will automatically be connected to the 802.1x network if it is within range (and their credentials have been saved).

Ordinarily, Open Mobile will only display, and permit connections to, local 802.1x networks that are specified in a custom network directory. However, if a user connects to one of these networks using the native Android connection setting, Open Mobile will display the connected network in the list of Available Networks. In that case, it will not facilitate disconnection and will serve as a display-only observer for the network.

Configuring OCR for an Android Profile

The process of configuring OCR for an Open Mobile for Android profile is as follows:

  1. Create (or choose) a profile for which to enable OCR.
  2. Download the sample directory file, and customize the sample directory to specify the settings for a single 802.1x network.
  3. Upload the custom directory to the Open Mobile Portal.
  4. If connectivity will include certificate validation, upload the certificate as a profile attachment.
  5. Publish the profile to test, and then distribute the test profile to your test users.
  6. After testing is complete, publish the profile to production and distribute it to your user base.

Creating an OCR 802.1x Directory

An OCR 802.1x directory must be a validly formatted XML file that describes a single 802.1x network. You will need to determine values for the network parameters in the file, and then specify them in the XML file settings. To specify more than one 802.1x network, use a separate directory file for each one.

An annotated sample OCR directory can be downloaded here. Edit and save it to create your own 802.1x directory. The sample directory includes instructions for customizing the file with your own network information.

You should use an XML editor to edit the file.

To create an OCR 802.1x directory for a single 802.1x network,

  1. Open the file in an XML editor of your choice.
  2. Following the annotations in the file, edit the file as needed for a single network.
  3. To enable certificate authentication, in the XML file, ensure that the ValidateCertificate flag is set to true, and replace the value myrootCAcert.cer with the name of your actual certificate file.
  4. Save the file with the desired filename.

Enabling OCR for a Profile

Enabling OCR for an Android 2.6.0 or later profile involves uploading the directory file to the Open Mobile Portal to make it available for assignment, and then actually assigning it to a profile. In addition, to enable certificate authentication, the certificate file must be attached to the selected profile.

Uploading the Directory File

To upload an OCR directory file to the Open Mobile Portal,

  1. Log into the Open Mobile Portal.
  2. Under Client Configuration, pick Upload Networks.
  3. Under Wi-Fi Networks Directories, click Manage.
  4. On the Wi-Fi Directories page, click Import Directory.
  5. On the Import Wi-Fi Directory page, in Display Name, enter the name of the directory as it will be displayed in the Portal (for example, Corporate HQ Directory).
  6. Click Browse. Select the directory XML file you have previously created. The directory will now be available to add to profiles.

Assigning the Directory to a Profile

To add an uploaded OCR directory file to a profile,

  1. Under Client Configuration, pick Manage Profiles.
  2. Select (or create) an Android 2.6.0 or later profile to which you will add the custom directory.
  3. Under Actions, pick Manage.
  4. Under Networks and Policies, click Configure.
  5. For Wi-Fi, under Actions, click Configure.
  6. Under Available Lists, the OCR directory you have previously uploaded will be displayed. Select it, and then click the right arrow to assign it to the profile.
  7. To enable Forced Auto-Connect for the directory, click Authentication Settings. Select the directory in the list of assigned directories. Under Forced Auto-Connect, select Yes. Then, click Back.
  8. Continue assigning other directories if needed, repeating Steps 6-7.
  9. Click Save to save your directory assignments.

Attaching the Certificate

If you choose to enable certificate authentication for your selected OCR authentication type, the certificate must be included in the OCR-enabled profile as a profile attachment. (You may attach multiple certificates to a profile if necessary.)

  1. Under Client Configuration, pick Manage Profiles.
  2. Select the Android 2.6.0 or later profile to which you have previously assigned the OCR directory.
  3. Under Actions, pick Manage.
  4. Under Custom Profile Attachments, click Configure.
  5. On the Custom Profile Attachments page, click Attach File.
  6. Locate the certificate file you wish to upload, and pick Open. The file is now attached to the profile. (Note that the name of the selected certificate file must match the name of the certificate you specified in the custom directory XML file.)
  7. Continue to upload other certificates as needed.
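
A pre-upload check for a directory that is meant to use certificate authentication, added here as an example and not part of the Open Mobile tooling: it confirms the ValidateCertificate flag is true, that the myrootCAcert.cer placeholder was replaced, and that each referenced certificate file name matches an attachment. The directory schema is not shown on this page, so the checker scans every element and attribute instead of assuming a layout; all element names in the constructed samples other than ValidateCertificate are hypothetical.

```python
import xml.etree.ElementTree as ET

CERT_EXTS = (".cer", ".crt", ".pem", ".der")
PLACEHOLDER = "myrootCAcert.cer"  # placeholder name from the sample directory

def _local(name):
    return name.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

def lint_directory(xml_text, attached_files):
    """Return findings for one directory file meant to use certificate validation."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    flags, certs = [], set()
    for el in root.iter():
        # Treat element text and attribute values alike: the flag may be either.
        pairs = [(_local(el.tag), (el.text or "").strip())]
        pairs += [(_local(k), v.strip()) for k, v in el.attrib.items()]
        for name, value in pairs:
            if name.lower() == "validatecertificate":
                flags.append(value.lower())
            elif value.lower().endswith(CERT_EXTS):
                certs.add(value)
    findings = []
    if not flags:
        findings.append("no ValidateCertificate flag found")
    elif any(flag != "true" for flag in flags):
        findings.append("ValidateCertificate is not set to true")
    if PLACEHOLDER in certs:
        findings.append(f"placeholder {PLACEHOLDER} was not replaced")
    for name in sorted(certs - set(attached_files) - {PLACEHOLDER}):
        findings.append(f"{name} is not among the profile attachments")
    return findings

# Constructed samples; every element name except ValidateCertificate is hypothetical.
BAD = """<Directory><Network><SSID>CorpHQ</SSID>
  <ValidateCertificate>false</ValidateCertificate>
  <Certificate>myrootCAcert.cer</Certificate>
</Network></Directory>"""
GOOD = BAD.replace("false", "true").replace("myrootCAcert.cer", "corp-root-ca.cer")

if __name__ == "__main__":
    for label, doc, attached in (("bad", BAD, []), ("good", GOOD, ["corp-root-ca.cer"])):
        print(label, lint_directory(doc, attached) or "OK")
```

Pass the file names exactly as they appear under Custom Profile Attachments; the comparison is an exact string match.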

Next Steps

You can now continue to edit the selected profile as needed with any other desired settings. When complete, publish the profile to Test and distribute it to your test users. Perform thorough testing on your OCR-enabled profile. After testing, the profile may be published to production and distributed to your user base.

Enabling the Security Certificate on an Android Device

If On-Campus Roaming has been enabled for a device, and you have chosen to attach a security certificate to the profile, then when first launching Open Mobile, the user will be required to install the certificate. The user will also be prompted to set a lock screen PIN or password for the device, if one has not been previously set.

  • On Android OS 2.2 or 2.3, the user should follow the prompts to enable the lock screen PIN or password for the device. The certificate filename is presented, but the user should use the default name and not rename the file.
  • On Android 4.0 and later versions, this procedure is called Enabling Credential Storage. The user can follow the prompts to enable credential storage on the device, as well as to set the lock screen PIN or password. The certificate filename is presented, but the user should use the default name and not rename the file.


©2015 iPass Inc. All rights reserved.