Set up GovWifi in your organisation
Technical teams should follow this implementation guide to deploy GovWifi in government buildings.
The GovWifi service is currently in private beta, which means we’re still testing and improving it. It’s available only in government organisations taking part in the private beta. Request to take part by emailing email@example.com.
This guidance from Common Technology Services sets out how to add GovWifi to your infrastructure. Government Digital Service (GDS) has designed the service so end users can sign up via email or SMS.
GovWifi is:
- the replacement for user.wifi
- a secure way for staff and visitors to connect to wifi services in government buildings
- run by GDS
- an encrypted database of user credentials hosted in the public cloud
Participating wifi services access the database securely using the RADIUS open standard.
Create a new wifi installation
Your wifi installation must meet the requirements defined in sharing workplace wireless networks, including:
- a wifi infrastructure that is able to point to one or more RADIUS servers
- WPA2-Enterprise (AES) encryption
- one or more internet connections with static IP addresses
- an internet firewall that allows RADIUS to connect to the GovWifi authentication servers - port 1812/User Datagram Protocol (UDP) for authentication requests and optionally 1813/UDP for accounting requests
- client isolation to prevent someone with an account from attacking other users’ devices
Step 1 - Become an authorised administrator
Send a request to firstname.lastname@example.org. Include your individual email address, your mobile phone number and the organisation or group you represent.
You must also provide a shared email address. GovWifi support will send service notifications to this address.
Step 2 - Establish your public IP addresses
RADIUS traffic usually originates from the management interface of your wifi controller. Find out if you have an existing network address translation (NAT) rule, or whether a new one is required. If you have multiple internet connections it may be possible for traffic to originate from a different IP address in the event of a primary link failure. Ensure you add all your IP addresses if you have multiple internet connections.
Step 3 - Register the site for GovWifi
First ensure your email system doesn’t block encrypted attachments.
Send an email from the individual email address you registered in step 1 to email@example.com - this is an automated service. In the subject field, write the first line of the building’s street address. In the body of the email, write the list of public IP addresses that your RADIUS requests will originate from, one on each line.
You will receive an encrypted PDF via email which contains configuration details and the RADIUS key to configure in your wireless infrastructure. The password to decrypt this file will be sent to your phone.
If you add a new internet connection with a new IP address, send an additional request with exactly the same text in the subject field and the additional IP address on the first line. This ensures that a new secret key is not generated. You will receive an encrypted PDF file which contains a list of all IP addresses at that site.
The service will recognise a new site the day after you register it because all changes are applied out of hours.
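A pre-flight check for the address list gathered in step 2 and sent in step 3, as an added example that is not part of the GovWifi guidance or service. It rejects entries that cannot be the source address the GovWifi servers see after NAT. The function names, the range list and the sample addresses are assumptions, and IPv6 entries are passed through unchecked.

```python
import ipaddress

# Ranges that cannot be the post-NAT source address of your RADIUS requests.
NOT_INTERNET_FACING = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-grade NAT": ["100.64.0.0/10"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
}

def check_source_ips(lines):
    """Return (accepted, rejected) for candidate RADIUS source addresses."""
    accepted, rejected = [], []
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        try:
            ip = ipaddress.ip_address(text)  # rejects CIDR ranges and hostnames
        except ValueError:
            rejected.append((text, "not a single IP address"))
            continue
        reason = next(
            (label for label, nets in NOT_INTERNET_FACING.items()
             if any(ip in ipaddress.ip_network(n) for n in nets)), None)
        if reason:
            rejected.append((text, reason))
        elif ip not in accepted:  # drop exact duplicates silently
            accepted.append(ip)
    return accepted, rejected

def registration_body(lines):
    """Build the step 3 email body: one public IP address per line."""
    accepted, rejected = check_source_ips(lines)
    if rejected:
        raise ValueError(f"fix before sending: {rejected}")
    if not accepted:
        raise ValueError("no addresses supplied")
    return "\n".join(str(ip) for ip in accepted)

# Constructed sample: primary link, failover link, the controller's pre-NAT
# management address, and a CIDR range. The first two are documentation
# addresses standing in for real static public IPs.
SAMPLE = ["198.51.100.7", "203.0.113.20", "10.20.0.5", "198.51.100.0/29"]

if __name__ == "__main__":
    ok, bad = check_source_ips(SAMPLE)
    print("send:", [str(ip) for ip in ok], "| fix:", bad)
```
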
Step 4 - Configure your infrastructure
- Create a firewall rule to allow traffic on UDP ports 1812 and 1813 to the list of IP addresses you received when you registered the new site.
- Create a NAT rule if one doesn’t exist so your wifi controller (or access points for cloud-managed devices) can reach the internet.
- Create a service set identifier (SSID) with:
  - name: GovWifi
  - type: WPA2-Enterprise (AES encryption)
- Configure the RADIUS servers and secret key. Follow the instructions given in the encrypted PDF you received when you registered your site.
Logs and reports
Send an email to firstname.lastname@example.org with the type of report you want in the subject field (the body text is ignored). Use one of the following:
|Email subject field (type of report)|Returns|
| |All authentications for your organisation (default report)|
| |All log entries for a named site|
|topsites|All wifi deployments ordered by number of users|
|sitelist|A list of sites participating in GovWifi|
| |The activity for a specific username|
GDS will send you an encrypted PDF report by email and the password to access it in a text message.
Site configuration information
Send an email to email@example.com with the name of the site in the subject field. You will receive the current RADIUS secret and authorised IP addresses for that site.
Log traffic, detect malware and block users
GovWifi provides a set of private credentials to a user which is used to generate a unique encryption key. This protects the user’s privacy and prevents their device from attack.
Traffic monitoring and logging is performed by the organisation providing the wireless access points or gateway. You must ensure that traffic logging and monitoring complies with your organisation’s internal legal and operational guidance.
You can request logs for specific users and, if necessary, deny service to them by blocking their hardware address on your infrastructure. In the event of a serious issue contact GovWifi support for assistance.
Contact GovWifi support
GDS supports GovWifi centrally for technical teams. GDS does not provide direct support to end users. Technical teams in organisations must support their end users.
You can contact the GovWifi support team by email or telephone.
Telephone: 0800 061 4675
GovWifi support is available from 8:30am to 10pm 7 days a week.
Advertise the service
Tell users how to sign up to GovWifi in your organisation. GDS will send you a poster when you register your site.
Withdraw legacy services
After you’ve successfully deployed GovWifi, consider removing less secure guest wifi services.
Find out more
IT teams should set up managed end user devices to automatically connect to GovWifi.
End users should follow the instructions to connect to GovWifi.
Published: 13 December 2016