Technical teams should follow this implementation guide to deploy GovWifi in government buildings.
GovWifi, developed by GDS, is currently in public beta. This means we’re still testing and improving it. It’s only available in government organisations taking part in the public beta. Request to take part by emailing firstname.lastname@example.org.
Before reading the steps below to create a new wifi installation, make sure your organisation meets the technical requirements and recommendations.
Create a new wifi installation
Step 1 - Become an authorised administrator
Send a request to email@example.com. Include your individual email address, your mobile phone number and the organisation or group you represent.
You must also provide a shared and monitored email address. The GovWifi support team will send service notifications to this address.
You’ll receive a document to complete and electronically sign before the GovWifi team can approve your application to create a new installation. You need to return your completed document to firstname.lastname@example.org before you move on to step 2.
Step 2 - Establish your public IP addresses
Remote Authentication Dial-In User Service (RADIUS) traffic usually originates from the management interface of your wifi controller. Find out if you have an existing network address translation (NAT) rule, or whether you need a new one. If you have multiple internet connections it may be possible for traffic to originate from a different IP address in the event of a primary link failure. Make sure you add all your IP addresses if you have multiple internet connections.
Step 3 - Register your site for GovWifi
Send an email from the individual email address you registered in step 1 to email@example.com - this is an automated service. If you have more than one site, register each site in a separate email.
Your email must include:
- the first line of your government building’s street address - put this in the subject field
- the list of public IP addresses that your RADIUS requests will originate from (one on each line) - put this in the body of the email
- in a separate line, under the IP addresses, write your postcode in the format: Postcode: XXXX XXX
Before you send the email, make sure your email system doesn’t block encrypted attachments.
You’ll receive an encrypted PDF via email that contains configuration details and the RADIUS key to configure your wireless infrastructure. The password to decrypt this file will be sent to your phone in a text message.
You can start using the service the day after you register your site, because the RADIUS servers update overnight.
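The registration email in step 3 has a fixed shape (building address in the subject, one public IP per line, then the postcode line), and a private or NAT-internal address in that list is the most common mistake, since the RADIUS servers only ever see your egress address. The following Python is an added example, not part of the GovWifi guide or the GDS codebase: it builds the email locally and rejects non-public IPv4 addresses before anything is sent. The address, IPs and postcode are constructed placeholders, and the postcode pattern is an assumed loose UK format, not a GDS rule.

```python
import ipaddress
import re

# Ranges that can never be the public source of your RADIUS traffic: RFC 1918,
# "this" network, CGNAT (100.64/10), loopback, link-local, multicast, reserved.
# Documentation ranges such as 203.0.113.0/24 are deliberately NOT listed so the
# constructed sample below runs; replace the sample with your real addresses.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumption: a loose UK postcode shape ("outward inward"), matching the guide's
# "Postcode: XXXX XXX" line; it is a sanity check, not a postcode validator.
POSTCODE_RE = re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? [0-9][A-Z]{2}$")


def check_public_ipv4(text):
    """Return an IPv4Address if `text` is a usable public IPv4 address, else raise ValueError."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 4:
        raise ValueError(f"{text}: IPv4 address expected")
    if any(addr in net for net in NON_PUBLIC_V4):
        # An internal address here means the NAT rule in step 2 was not taken into account.
        raise ValueError(f"{text}: not a public address; use the NAT egress address")
    return addr


def build_registration_email(first_address_line, public_ips, postcode):
    """Return (subject, body) for the step-3 registration email, or raise ValueError."""
    subject = first_address_line.strip()
    if not subject:
        raise ValueError("subject must be the first line of the building's street address")
    addrs = [check_public_ipv4(ip) for ip in public_ips]
    if not addrs:
        raise ValueError("at least one public IP address is required")
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate IP address in the list")
    postcode = postcode.strip().upper()
    if not POSTCODE_RE.match(postcode):
        raise ValueError(f"{postcode!r}: postcode should look like 'XXXX XXX'")
    # One IP per line, then the postcode on its own line underneath, as the guide asks.
    body_lines = [str(a) for a in addrs] + [f"Postcode: {postcode}"]
    return subject, "\n".join(body_lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: placeholder address, documentation-range IPs, placeholder postcode.
    subject, body = build_registration_email(
        "1 Example Street", ["203.0.113.10", "203.0.113.11"], "sw1a 2aa")
    print("Subject:", subject)
    print(body)
```

If you have more than one internet connection, pass every egress address in one call; the function rejects duplicates so a copy-and-paste slip shows up before the automated service records it.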
Get confirmation of your current settings
If you need confirmation of your current settings, send an email from the individual email address you registered in step 1 to firstname.lastname@example.org - this is an automated service.
Your email must include:
- exactly the same subject line as your original request
- a blank body field
You’ll receive a new encrypted PDF which contains your settings via email. The password to decrypt this file will be sent to your phone in a text message.
Add a new IP address to an existing site
You can add multiple IP addresses to a single site. For example, if you change internet service provider and have a new IP to use. To add a new address, send a request from the individual email address you registered in step 1 to email@example.com - this is an automated service.
Your email must include:
- exactly the same text in the subject field as the email you sent in step 3
- the additional IP address on the first line
By using the same text in the subject field, the service will use the same secret key as your other IP addresses. You’ll receive an email with an encrypted PDF file which contains a list of all IP addresses at that site, including the new IP addresses. The password to decrypt this file will be sent to your phone in a text message.
Step 4 - Configure your infrastructure
- Create a firewall rule to allow traffic on UDP ports 1812 and 1813 to reach the RADIUS IP addresses you received in the encrypted PDF.
- Create a NAT rule if one doesn’t already exist so your wifi controller (or access points for cloud-managed devices) can reach the internet via the IP addresses you specified when you registered your site.
Create a service set identifier (SSID) with:
- name: GovWifi
- type: WPA2-Enterprise (AES encryption)
- inner encryption: MsChapV2
Configure your Network Access Server (Access Point) to ensure username privacy.
- if permitted by your infrastructure vendor, set the Network Access Identifier (NAI) for your outer tunnel to be anonymous
- see RFC 7542 for full details of permitted NAI syntax
- Configure the RADIUS servers and secret key. Follow the instructions in the encrypted PDF you received when you registered your site.
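The point of the anonymous outer NAI is that the phase-1 identity travels unencrypted between the device, your controller and the RADIUS servers, so anything other than an empty or "anonymous" username leaks who is connecting. The following Python is an added example, not code from the GovWifi guide or from GDS: it splits an NAI into username and realm using a simplified form of the RFC 7542 grammar (ASCII only, a single "@", which is an assumption that drops the RFC's UTF-8 and multi-"@" routing cases) and flags outer-tunnel User-Name values that expose a real username. The sample identities and the realm example.org are constructed placeholders.

```python
import re

# Simplified RFC 7542 shapes (assumption: ASCII subset, one '@'). The realm is
# dot-separated labels; the username may use the RFC's printable character set.
_REALM_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^{_REALM_LABEL}(?:\.{_REALM_LABEL})*$")
_USERNAME_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~.]+$")


def split_nai(nai):
    """Split an NAI into (username, realm); realm is '' when absent.

    '@realm' (empty username) is valid, as RFC 7542 allows for anonymous access.
    Raises ValueError for shapes the simplified grammar rejects."""
    parts = nai.split("@")
    if len(parts) == 1:
        username, realm = parts[0], ""
    elif len(parts) == 2:
        username, realm = parts
    else:
        raise ValueError(f"{nai!r}: more than one '@' is not handled here")
    if realm and not _REALM_RE.match(realm):
        raise ValueError(f"{nai!r}: malformed realm")
    if username and not _USERNAME_RE.match(username):
        raise ValueError(f"{nai!r}: malformed username")
    if not username and not realm:
        raise ValueError("empty NAI")
    return username, realm


def is_anonymous_outer_identity(nai):
    """True when the outer identity carries no real username ('@realm', 'anonymous@realm', 'anonymous')."""
    username, _ = split_nai(nai)
    return username in ("", "anonymous")


def find_leaking_outer_identities(user_names):
    """Return the outer User-Name values that expose a username (malformed values included, to be reviewed)."""
    leaking = []
    for name in user_names:
        try:
            if not is_anonymous_outer_identity(name):
                leaking.append(name)
        except ValueError:
            leaking.append(name)
    return leaking


# Constructed sample of outer-tunnel User-Name values, as a controller or RADIUS
# proxy might log them in Access-Request messages. Realm is a placeholder.
SAMPLE_OUTER_IDENTITIES = [
    "anonymous@example.org",    # fine: literal anonymous username
    "@example.org",             # fine: empty username, realm only
    "alice.smith@example.org",  # leaks the user's real identity in phase 1
    "anonymous",                # fine: no realm, still anonymous
    "bob",                      # leaks a username, and has no realm to route on
]

if __name__ == "__main__":
    for name in find_leaking_outer_identities(SAMPLE_OUTER_IDENTITIES):
        print("outer identity exposes a username:", name)
```

Run this over the User-Name values your controller logs for the outer tunnel after enabling the anonymous NAI setting; any hit means a client type or supplicant profile is still sending its real identity in the clear and needs its profile corrected.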
Technical requirements and recommendations
To make sure GovWifi provides a consistent user experience across all locations, your organisation’s wifi must:
- meet the 9 administrator requirements listed below
- work towards the hardware recommendations below
- Your wifi access controllers must be able to point to one or more RADIUS servers.
- Your wifi infrastructure must use WPA2-Enterprise (AES) encryption.
- Your network must have one or more internet connections with static IP addresses.
- Your internet firewall must allow RADIUS to connect to the GovWifi authentication servers - port 1812/User Datagram Protocol (UDP) for authentication requests and optionally 1813/UDP for accounting requests.
- Your network must use client isolation to prevent rogue devices from attacking legitimate users.
- You must provide authenticated users access to all TCP/UDP ports to cater for visitors who need to connect to legitimate virtual private network (VPN) services.
- You must provide an internet connection with a basic content filtering service to all wifi users. The UK public sector DNS is an appropriate solution.
- You must provide a suitable amount of internet bandwidth for the anticipated number of users. Plan for 50% of the AP vendor’s recommended client device count per AP radio. Stay well under the vendor’s published maximum figure (for example, one access point per block of 20 users, located in the middle of each group).
- You must ensure there’s enough uplink bandwidth from APs to the building switch infrastructure to allow full use of the internet bandwidth by all users.
GovWifi is intended to work with your existing hardware. However, if you choose to refresh your hardware, follow the recommendations below.
On your network infrastructure:
- upgrade bandwidth using commodity internet services
- use transparent caching technologies to minimise the impact of software updates
- use 802.3at Type 2 (PoE+) capable switches to power the access points and allow easier upgrade to future wireless technologies
- use Wi-Fi Voice Enterprise or equivalent if voice support is required
Deploy centrally managed access point (AP) hardware, each with at least 5 GHz frequency band and 802.11ac support. Configure your wireless APs to:
- use a high minimum basic data rate
- disable lower data rates to encourage clients to roam to APs with stronger signals and increase capacity for all clients
- support 802.11ac Wave 2 and multi-user multiple input multiple output (MU-MIMO)
- have no more than 4 SSIDs per band per site; each SSID will use up some bandwidth with beaconing, probe requests and probe responses
- selectively disable SSIDs at places and frequencies where they aren’t required
- selectively disable 2.4 GHz radios on APs in large open plan areas with more than 3 APs to reduce interference between APs on the same frequency; 5 GHz has considerably more channels and is better at providing non-contending overlapped coverage
- manage channel width by designing 802.11n/ac using 40 MHz width channels; you may enable wider channels (channel bonding) on a best effort basis for 802.11ac though you should configure them to fall back to a non-overlapping channel
- manage channel selection (radio frequency) and reduce power if necessary to minimise contention and overlapping; use the automatic channel selection features in enterprise wifi management systems rather than manual configuration
Use common standards and protocols on your wireless APs to ensure you:
- disable low-bandwidth wifi protocols, like 802.11a and 802.11g, on the 5 GHz band, which should only support 802.11n, 802.11ac or faster; confine legacy clients to the 2.4 GHz band
- enable dynamic frequency selection (DFS) or 802.11h for 5 GHz band, which provides for a larger number of channels to be made available; with DFS enabled, sudden changes may occur in response to detection of radar signals by wifi APs
- enable ‘band steering’ which works by regulating probe responses to clients and making 5 GHz channels appear more attractive to clients by delaying probe responses to clients on 2.4 GHz
- support smoother roaming for devices on the move using 802.11r
Logs and reports
Send an email to firstname.lastname@example.org with the type of report you want in the subject field (the body text is ignored). You’ll receive a reply based on what you have included in your subject field.
| Email subject field (type of report) | Returns |
| --- | --- |
| | All authentications for your organisation (default report) |
| | All log entries for a named site |
| topsites | All wifi deployments ordered by number of users |
| sitelist | A list of sites participating in GovWifi |
| | The activity for a specific username |
You’ll receive an encrypted PDF file which contains the report you requested. The password to decrypt this file will be sent to your phone in a text message.
Site configuration information
Send an email to email@example.com with the name of the site in the subject field. You’ll receive the current RADIUS secret and authorised IP addresses for that site.
Log traffic, detect malware and block users
GovWifi provides each user with a set of private credentials, which is used to generate a unique encryption key for that user’s session. This protects the user’s privacy and protects their device from attack.
Traffic monitoring and logging is performed by the organisation providing the wireless access points or gateway. You must ensure that traffic logging and monitoring complies with your organisation’s internal legal and operational guidance.
You can request logs for specific users and, if necessary, deny service to them by blocking their hardware address on your infrastructure. In the event of a serious issue contact GovWifi support for assistance.
Contact GovWifi support
GDS supports GovWifi centrally for technical teams. GDS does not provide direct support to end users. You must support your end users.
You can contact the GovWifi support team by email or telephone.
Telephone: 0800 061 4675
GovWifi support is available from 8:30am to 10pm 7 days a week.
Advertise the service
Tell users how to sign up to GovWifi in your organisation. GDS will send you a poster when you register your site.
Withdraw legacy services
After you’ve successfully deployed GovWifi, consider removing less secure guest wifi services.
Find out more
IT teams should set up managed end user devices to automatically connect to GovWifi.
End users should follow these instructions to connect to GovWifi.
Published: 21 April 2017
Updated: 1 September 2017
- Change to step 4 to include additional step to secure usernames.
- Change to step 1 to indicate the document site administrators need to complete and return before moving to step 2.
- First published.