
Selecting a Wi-Fi roaming solution

There are benefits to converging on a single ICB-wide roaming solution and disbenefits to using multiple solutions. A common solution provides a consistent user experience across all sites and economies of scale in licensing costs. A mixed economy creates a more complex architecture to support and maintain, increases support costs, and requires users to authenticate to different networks in different ways, which is a suboptimal user experience that creates inefficiencies.

Consequently, this report assumes that an ICB will choose to implement a common Wi-Fi roaming solution across NHS and partner organisations. The report has identified two candidate solutions and has provided a comparison of the two to enable ICBs to evaluate which best meets their functional and non-functional requirements. Implementing either of the two candidate Wi-Fi roaming solutions is not an insignificant task.

The two key prerequisites to implementing either Wi-Fi roaming solution are:

  • the existence of a secure ‘corporate grade’ Wireless Local Area Network at every location in scope (as opposed to a ‘consumer grade’ network that may be found in a small care home or service user’s home) and,
  • the organisational capability and capacity to implement and manage the roaming solution chosen

Implementing Govroam

Simple, conceptual model of Govroam


What the image shows
  1. NHS/ICB site
  2. visitor device connecting to Wi-Fi access point
  3. Wi-Fi access point connecting to a RADIUS server
  4. RADIUS server connecting to and from the govroam central RADIUS server
  5. other NHS/ICB site
  6. Govroam Central RADIUS server connecting to RADIUS server
  7. RADIUS server connecting via the internet to another RADIUS server

Each ICB joining govroam as a federation is required to:

  • establish the necessary infrastructure for govroam and ensure that it is maintained according to the technical specification and code of practice at regional and organisational levels.
  • establish a user support service for its end users
  • provide information required for the govroam database
  • establish and maintain a website, including information with respect to the participating organisations in the region, as well as practical information on how to use govroam
  • comply with govroam security requirements and ensure that the participating organisations are fully aware of their responsibility to establish an appropriate level of security

Govroam is implemented over the top of a corporate-grade Wireless Local Area Network. Govroam operates a decentralised authentication model. Therefore, additional infrastructure is required, which consists of:

  • a repository of credentials (for example AD or LDAP)
  • a RADIUS IDP server to perform identity management using these credentials
  • a RADIUS server to act as a proxy for sending and receiving RADIUS requests
  • a connection to the Internet (with standard services such as DHCP and DNS)
  • a Web Server to publish information about the govroam service to users

At the simplest level this could be one wireless AP, a server running Microsoft AD and NPS, with NPS configured to perform both authentication and proxying, and an internet connection. Authenticated govroam users’ devices are expected to be put into a suitable VLAN and assigned an IP address from which they can access the internet. Govroam's terms and conditions require sites to log authentication information for a number of months for audit purposes.

To discuss implementing govroam in your organisation or ICB, please contact Jisc via the following email address: [email protected]

Simple conceptual model of GovWifi


What the image shows
  1. NHS/ICB site
  2. visitor device connecting to Wi-Fi access point
  3. Wi-Fi access point connecting to a WLAN controller
  4. WLAN controller sending and receiving to GovWifi Central RADIUS Server via the Internet

Once installed, organisations must manage the GovWifi service as follows:

  • advertise GovWifi
  • support GovWifi users in buildings
  • manage acceptable use
  • monitor and log traffic
  • look out for updates from the GovWifi team
  • establish a user support service for end users
  • carry out routine maintenance following GovWifi's annual server certificate rotation

GovWifi is implemented over the top of a corporate-grade Wireless Local Area Network. GovWifi operates a centralised authentication model. Therefore, no additional infrastructure is required.

For GovWifi to work alongside an existing Wi-Fi infrastructure:

  • the Wi-Fi infrastructure must use WPA2-Enterprise (AES) encryption or newer
  • the wireless LAN controllers need to be able to point to two or more central GovWifi RADIUS servers
  • the network must be able to use one or more public IP addresses for connecting to the RADIUS servers
  • the firewall must allow the RADIUS protocol to connect to the GovWifi authentication servers for authentication requests
  • it is important to allow authenticated users to connect to virtual private networks (VPNs) as well as standard internet protocols
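
The first four prerequisites above can be checked against a site's configuration before requesting onboarding. The following is an added example, not code from GovWifi or from this report; the site dictionary layout, the rule format, the sample addresses and the use of UDP port 1812 (the standard RADIUS authentication port) are assumptions.

```python
import ipaddress

# Private, CGNAT, loopback and link-local ranges cannot serve as a public source IP.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]
ACCEPTED_ENCRYPTION = {"WPA2-Enterprise", "WPA3-Enterprise"}  # WPA2-Enterprise or newer
RADIUS_AUTH_PORT = 1812  # assumption: standard RADIUS authentication port (RFC 2865)

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)

def firewall_allows(rules, dst, proto="udp", port=RADIUS_AUTH_PORT):
    """First matching rule wins; no match means implicit deny."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if (rule["proto"] == proto and rule["port"] == port
                and ip in ipaddress.ip_network(rule["dst"])):
            return rule["action"] == "allow"
    return False

def check_site(site):
    """Return the unmet prerequisites; an empty list means the site is ready."""
    problems = []
    if site["encryption"] not in ACCEPTED_ENCRYPTION:
        problems.append("encryption is not WPA2-Enterprise or newer")
    if len(set(site["radius_servers"])) < 2:
        problems.append("fewer than two RADIUS servers configured")
    if not any(is_public(ip) for ip in site["source_ips"]):
        problems.append("no public source IP for RADIUS traffic")
    for srv in site["radius_servers"]:
        if not firewall_allows(site["firewall"], srv):
            problems.append(f"firewall does not allow RADIUS to {srv}")
    return problems

# Constructed sample sites using documentation address ranges, not real GovWifi servers.
ALLOW = {"action": "allow", "proto": "udp", "port": 1812, "dst": "198.51.100.0/24"}
DENY_ALL = {"action": "deny", "proto": "udp", "port": 1812, "dst": "0.0.0.0/0"}
GOOD_SITE = {"encryption": "WPA2-Enterprise", "source_ips": ["203.0.113.5"],
             "radius_servers": ["198.51.100.10", "198.51.100.20"],
             "firewall": [ALLOW, DENY_ALL]}
BAD_SITE = {"encryption": "WPA2-Personal", "source_ips": ["10.20.0.5"],
            "radius_servers": ["198.51.100.10"],
            "firewall": [DENY_ALL, ALLOW]}  # deny shadows the allow rule

if __name__ == "__main__":
    for name, site in (("good", GOOD_SITE), ("bad", BAD_SITE)):
        print(name, check_site(site) or "ready")
```

The second sample site shows a common firewall mistake: an allow rule for RADIUS exists but sits below a broader deny, so it never matches.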

To discuss implementing GovWifi in your organisation or ICB, please contact GDS via their online form.



Last edited: 12 March 2025 12:40 pm