Govroam

From RFC3580:

3.20.  Called-Station-Id

   For IEEE 802.1X Authenticators, this attribute is used to store the
   bridge or Access Point MAC address in ASCII format (upper case only),
   with octet values separated by a "-".  Example: "00-10-A4-23-19-C0".
   In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
   Access Point MAC address, separated from the MAC address with a ":".
   Example "00-10-A4-23-19-C0:AP1".

This isn't required as part of the Govroam Tech Spec but it is a very useful attribute to have sent to the NRPS. The MAC can be used in debugging to identify the type of wireless system being used but the most important information is the SSID appended to the MAC.

The SSID has to be 'govroam' verbatim. SSIDs are case sensitive. “Govroam” is not the same as “govroam”. We monitor this to ensure compliance. This is particularly important with Federations. All RADIUS systems should be configured to proxy requests with filters set to allow the CSI to pass through.

Sites with wireless systems broadcasting govroam should configure the wireless system to send the CSI with the RFC3580 format (hyphen separated, upper case letters and the SSID appended with a colon separator).

1. In the WLAN SSID configuration wizard, click the Security tab.
2. In Security Level, select Open.
3. From the Key Management drop-down list, select Open or Enhanced Open.
4. Click Advanced Settings
5. Click Next.

aaa authentication-server radius <rad_server_name>
called-station-id type
  {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id}
  [delimiter {colon | dash | none}] [include-ssid {enable |disable}]

eg.

called-station-id type macaddr delimiter dash include-ssid enable

or:

To configure the Called-Station-ID, navigate to Configuration > Security > Authentication > Servers

Select the radius server and configure the Called-Station-ID

1. Set csid_type to 'macaddr'
2. Set include_ssid to 'enable'
3. Set csid_delimiter to 'colon'

From Cisco's documentation: “Configure the format of the RADIUS Called-Station-ID attribute with additional information. The default format is APMAC:SSID. The option for this attribute varies depending on the WLC code version. This field can be used to provide location-based authentication using AP location information that endpoint associated for initial authentication.”

(WLC) >config radius callStationIdType ap-macaddr-ssid

Or:

1. Log in: Access the Cisco WLC's web interface.
2. Navigate to AAA: Go to Security > AAA > RADIUS Authentication.
3. Set the type: Find the “Auth Called Station ID Type” option and select your desired value from the drop-down menu: AP MAC Address:SSID
4. Apply changes: Click Apply to save the configuration.

Via CLI (ZoneDirector)

1. Log in to the controller as an administrator.
2. Enter privileged EXEC mode by typing en.
3. Enter configuration mode by typing conf.
4. Navigate to the specific WLAN configuration by typing wlan “<wlan_name>” (e.g., wlan “test”).
5. Change the called-station-id-type to ap-mac by typing called-station-id-type ap-mac.
6. Exit and save the configuration by typing end.

Via GUI (SmartZone or other platforms)

1. Log in to the controller's web interface.
2. Navigate to the WLAN or Wi-Fi configuration settings.
3. Find the specific WLAN you want to configure and look for a networking or RADIUS settings tab.
4. Locate the “Called Station ID” or “RADIUS Called Station ID” option.
5. Choose the desired format from the available options: “APMAC:SSID”.
6. Save the changes.

https://documentation.meraki.com/Wireless/Design_and_Configure/Configuration_Guides/Access_Control/MR_Meraki_RADIUS_2.0

HiveManager GUI

1. Navigate to Security > RADIUS in the left-hand menu.
2. Go to Authentication to find the “Auth Called Station ID Type” setting.
3. Select the format you want from the dropdown menu:
   1. AP MAC Address:SSID