Demystifying Hotspot 2.0, Passpoint and OpenRoaming: the Pros and Cons
I have dedicated considerable time to exploring the use cases for Hotspot 2.0, Passpoint and OpenRoaming. One of the primary topics of discussion with our customers is guest access. They require a seamless and secure method for onboarding guests to their networks. We frequently hear about the challenges associated with open networks and captive portals, particularly inconsistent behavior across different mobile devices. These issues typically lead to increased operational overhead associated with end-user help desk tickets, troubleshooting and maintenance.
To illustrate this, let's consider a typical day. Most of us start our day at home, connected to our home Wi-Fi, checking emails, looking at our calendars, and possibly taking a few calls. As we leave the house and drive to the office, our phones disconnect from the home network and connect to the cellular network without any interaction on our part; this transition happens seamlessly in the background. We can still make calls, check emails, and browse the internet without interruption. Upon arriving at the office, our devices automatically switch to the corporate Wi-Fi, whether through a known guest network or a BYOD network, again seamlessly and transparently, with no loss of connectivity.
Let's say that while heading to the office, you decide to stop at your favorite coffee shop, or you have an on-site customer meeting that requires internet access. What happens when you arrive? First, you may need to guess which SSID to join, then figure out the pre-shared key. Or you might get redirected to a captive portal. This portal may not be using a publicly signed certificate, so you get a warning about an insecure website in the browser. Once on the portal you may be asked to provide a lot of irrelevant information, or you may need to submit an email address and wait for a response. Unfortunately, you can't check your email because the cell service is poor.
Assuming you finally manage to connect, now what?
You might see warnings on your device about weak security and an unsecured network. Would you choose to connect under those circumstances? How does this impact the brand reputation of your favorite coffee shop? Do you feel different about your customer? Could this whole situation have been avoided? Let's explore that.
Hotspot 2.0 and Passpoint
The primary objective is to seamlessly, transparently, and securely onboard your guests to your wireless network. This can be achieved using several highly secure enterprise-grade authentication methods, with a focus on certificate-based authentication on both the server and client sides. Importantly, this process does not require the wireless network provider to manage its own RADIUS or Public Key Infrastructure (PKI).
This setup is facilitated through a RADIUS proxy: the access network only forwards the EAP exchange to the identity provider named by the credential's realm, which is why it needs no RADIUS server or PKI of its own. The resulting connections use EAP-TLS, the 802.1X-SHA256 key management suite with WPA3 (WPA3-Enterprise), and mandatory Protected Management Frames (PMF). In layman's terms, this is a highly secure enterprise-grade wireless connection.
*Note: no weak or unsecured network warnings.
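As an added example (not the article's own code, and not hostapd's), here is a small Python linter that checks a hostapd.conf for the properties just described: RSN only, the WPA-EAP-SHA256 key management suite, PMF required, Interworking and Hotspot 2.0 enabled, and EAP handed off to a RADIUS server or proxy. The option names are hostapd's own; the two sample configurations, the RADIUS address and shared secret, the NAI realm and the roaming consortium OI are constructed placeholders for the example.

```python
"""Lint a hostapd.conf for the properties a Passpoint/OpenRoaming SSID
relies on. Example code added to the article, not hostapd's or a vendor's."""

# Option names are real hostapd.conf options; the expected values are the
# hardened ones. Any other value (or a missing option) is a finding.
REQUIRED = {
    "wpa": ("2", "RSN only; wpa=1 or wpa=3 keeps TKIP-era WPA alive"),
    "ieee8021x": ("1", "EAP (802.1X) authentication must be on"),
    "ieee80211w": ("2", "Protected Management Frames must be required, not optional"),
    "interworking": ("1", "802.11u Interworking/ANQP must be enabled"),
    "hs20": ("1", "Hotspot 2.0 indication must be enabled"),
    "disable_dgaf": ("1", "Hotspot 2.0 requires downstream group-addressed forwarding off"),
}

def parse_hostapd(text):
    """Parse hostapd.conf syntax into option -> list of values (options may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def lint_hostapd(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_hostapd(text)
    findings = []
    for key, (want, why) in REQUIRED.items():
        got = conf.get(key, ["<missing>"])[-1]
        if got != want:
            findings.append(f"{key}={got}: {why}")
    akm = set(conf.get("wpa_key_mgmt", [""])[-1].split())
    if "WPA-EAP-SHA256" not in akm:
        findings.append("wpa_key_mgmt lacks WPA-EAP-SHA256 (802.1X with SHA-256 AKM)")
    if akm & {"WPA-PSK", "WPA-PSK-SHA256", "SAE"}:
        findings.append("wpa_key_mgmt mixes a pre-shared-key AKM into an enterprise SSID")
    if "TKIP" in conf.get("rsn_pairwise", [""])[-1].split():
        findings.append("rsn_pairwise allows TKIP")
    if not conf.get("auth_server_addr"):
        findings.append("no auth_server_addr: EAP has no RADIUS server or proxy to go to")
    if not (conf.get("roaming_consortium") or conf.get("nai_realm")):
        findings.append("no roaming_consortium or nai_realm: clients cannot match the SSID via ANQP")
    return findings

# Constructed sample: a typical PSK guest SSID with PMF off.
WEAK_CONF = """
interface=wlan0
ssid=CoffeeGuest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=coffee123
rsn_pairwise=CCMP TKIP
ieee80211w=0
"""

# Constructed sample: the same SSID as a Passpoint/OpenRoaming network.
# RADIUS address, secret, realm and OI are placeholders; use the RCOI and
# proxy your ecosystem broker gives you.
HARDENED_CONF = """
interface=wlan0
ssid=CoffeeGuest
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-me
interworking=1
access_network_type=2
internet=1
hs20=1
disable_dgaf=1
roaming_consortium=5a03ba0000
nai_realm=0,idp.example.net,13[5:6]
domain_name=example.net
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(lint_hostapd(conf))} finding(s)")
        for f in lint_hostapd(conf):
            print("  -", f)
```

The checks deliberately treat a missing option the same as a wrong value, because hostapd's defaults (PMF disabled, no Interworking) are exactly the weak settings the captive-portal SSID in the story would have.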
Hotspot 2.0 is not a new concept; it has been around since February 2011, when the 802.11u amendment was released. It has undergone three major revisions; the current version, R3, was released in 2019 and adds WPA3. Hotspot 2.0 is the specification and Passpoint is the Wi-Fi Alliance certification program for it, so the two names refer to the same technology. The goal is to let cellular and Wi-Fi networks interact seamlessly without requiring users to manually re-authenticate at each location.
There are four primary participants in the Passpoint ecosystem:
- End User
These are consumers and business users, essentially you.
- Access Provider
These providers offer the wireless infrastructure you connect to, such as your favorite coffee shop or workplace.
- Ecosystem Broker
This entity provides interconnect services between identity providers and access providers. It includes certificate and registration authorities and organizations like the Wireless Broadband Alliance (WBA). Many ecosystem brokers are available.
- Identity Provider
This entity issues the credentials that let its customers connect to Passpoint-enabled Wi-Fi networks. Examples include mobile operators (like AT&T), cable operators, ISPs, brand-loyalty programs, device and chipset manufacturers (like Samsung, Apple, and Cisco), and internet and social media providers (like Google and Apple). There are many identity providers, and they work in conjunction with the ecosystem brokers.
OpenRoaming
It is important to understand that there are some key differences between Passpoint and OpenRoaming. One thing to remember is that OpenRoaming does not work without Passpoint; the underlying concepts are the same. If I had to pick one significant difference, it would be that Passpoint focuses more on eSIM- or USIM-enabled devices and seamless handoff from a mobile carrier, whereas OpenRoaming is your solution when you need to onboard laptops, tablets, or even IoT devices that are not SIM-enabled.
OpenRoaming was initially developed and launched by Cisco. Cisco has since transitioned the technology to the Wireless Broadband Alliance (WBA), which now oversees, promotes, and manages OpenRoaming as an industry standard.
- Passpoint and OpenRoaming capabilities can be configured within a Single SSID.
- Once a device has been onboarded, it can join any network that advertises the OpenRoaming capability.
Considerations
If you need to positively identify users on your guest network, don't worry: it can be done. However, many additional steps are required to gain that visibility, and there will still be some limitations. Below are some examples of the usernames you may see on your network.
Passpoint Authenticated User:
2Pn3EcSTP+vprj83Vk7YcAQ@wlan.mnc280.mcc310.3gppnetwork.org
From the credential you can see that this device was SIM-enabled, as noted by the domain 3gppnetwork.org. You can also tell that it is an AT&T device from the Mobile Network Code 280 (MNC) and the Mobile Country Code 310 (MCC). The part before the @ is an opaque identifier issued by the identity provider, not a phone number or a name, which is why positively identifying the person behind it needs the additional steps mentioned above.
OpenRoaming Authenticated User:
D3Jp8@idp.openroamingconnect.org
or
159bdf73-1912-4c13-b40b-76d109526ad6@apple.openroaming.net
These credentials show that the user was authenticated via the openroamingconnect.org realm, which belongs to the Wireless Broadband Alliance (WBA). In the second example, you will notice openroaming.net. This is also the WBA, but the user was authenticated using an Apple ID.
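As an added example (not part of the original article), the Python below does the realm attribution described above for a batch of RADIUS usernames: it recognises the 3GPP realm and pulls out MCC/MNC, recognises the two WBA realms, and flags an anonymous outer identity, which is an added caveat: the User-Name a RADIUS proxy logs can be the EAP outer identity rather than the real credential. The three usernames are the ones quoted in the text; the MCC/MNC table is a constructed subset holding only the article's 310-280 entry, and the extra two usernames are constructed.

```python
"""Classify Passpoint/OpenRoaming usernames (NAIs, user@realm) by the realm
that authenticated them. Example code added to the article; the three sample
usernames are the ones quoted in the text, everything else is constructed."""
import re
from collections import Counter

# Constructed subset of the MCC/MNC (PLMN) table. The article's example is
# 310-280 (AT&T); a real deployment would load the full GSMA/ITU list.
PLMN_OPERATORS = {
    ("310", "280"): "AT&T",
}

# 3GPP realm used by SIM credentials: wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
THREEGPP_REALM = re.compile(
    r"^wlan\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")

# Realms the article attributes to the Wireless Broadband Alliance (WBA).
WBA_REALMS = ("openroamingconnect.org", "openroaming.net")
OPENROAMING_IDPS = {
    "idp.openroamingconnect.org": "WBA",
    "apple.openroaming.net": "Apple ID (via WBA)",
}

def classify_nai(nai):
    """Describe what an NAI tells you. Only the realm carries attribution: the
    user part is an opaque identifier issued by the IdP (a credential, not a
    person), and the RADIUS User-Name may even be an anonymous outer identity."""
    if "@" not in nai:
        return {"kind": "local", "realm": None, "idp": None, "anonymous_outer": False}
    user, realm = nai.rsplit("@", 1)
    realm = realm.lower()
    result = {"realm": realm, "anonymous_outer": user.lower() in ("", "anonymous")}
    m = THREEGPP_REALM.match(realm)
    if m:
        plmn = (m.group("mcc"), m.group("mnc"))
        result.update(kind="passpoint-sim", mcc=plmn[0], mnc=plmn[1],
                      idp=PLMN_OPERATORS.get(plmn, f"unknown operator {plmn[0]}-{plmn[1]}"))
        return result
    if any(realm == w or realm.endswith("." + w) for w in WBA_REALMS):
        result.update(kind="openroaming", broker="WBA",
                      idp=OPENROAMING_IDPS.get(realm, f"unrecognised IdP {realm}"))
        return result
    result.update(kind="other", idp=realm)
    return result

def tally(nais):
    """Count how many sessions came from each credential source."""
    return Counter(classify_nai(n)["kind"] for n in nais)

# Sample usernames from the article plus a constructed anonymous and local one.
SAMPLE_USERNAMES = [
    "2Pn3EcSTP+vprj83Vk7YcAQ@wlan.mnc280.mcc310.3gppnetwork.org",
    "D3Jp8@idp.openroamingconnect.org",
    "159bdf73-1912-4c13-b40b-76d109526ad6@apple.openroaming.net",
    "anonymous@wlan.mnc280.mcc310.3gppnetwork.org",
    "frontdesk-printer",
]

if __name__ == "__main__":
    for nai in SAMPLE_USERNAMES:
        print(nai, "->", classify_nai(nai))
    print(tally(SAMPLE_USERNAMES))
```

Run it over the User-Name column of your RADIUS accounting export to see which identity providers your guests actually arrive through; anything that lands in "other" or shows an unrecognised realm is worth a look at the proxy configuration.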
Support across Mobile Carriers
Not all carriers support Passpoint. Of the three major US carriers (AT&T, T-Mobile and Verizon), Verizon is the only one not providing support today. There is some good news if you are a healthcare provider, in that Verizon has shown a willingness to work within that vertical. If you are a Verizon customer, I encourage you to ask them to support this, as they represent a significant share of the mobile devices deployed today.
Support Across the mobile device manufacturers
Several device manufacturers support Passpoint / OpenRoaming natively. Samsung and Google are good examples. However, this feature needs to be enabled.
Apple requires an application or a profile to be installed on the device.
Enabling or Installing profiles for Passpoint / OpenRoaming functionality
There is some good news here, and there are several methods to accomplish this. One of the best methods is to embed this into your loyalty application. Several OEMs provide SDKs to assist in accomplishing this. A benefit of this effort may be increasing your mobile application adoption while providing transparent, seamless, and secure guest access.
Advantages
- Potential DAS (distributed antenna system) replacement?
  - DAS can be expensive to implement and manage, and it is not financially viable for most, if not all, branch environments. Implementing Passpoint is certainly worth considering.
- Increasing wireless attach rates
  - Can reduce the burden on your wireless network and improve airtime efficiency, especially in large venues
- Advanced wireless analytics can now be collected, such as:
  - Number of visits (occupancy)
  - Number of repeat visits
  - Dwell times
  - Peak busy hours, days and weeks
  - Pathing data
  - This information is not typically available from cellular providers, even when a DAS is deployed
- Increase the value of data in loyalty applications
  - Many customer loyalty applications only capture 20-30% of footfall. Increasing Wi-Fi adoption through seamless onboarding can help adopters fill this gap.
- Decrease help desk calls involving guest access and the associated operational overhead
- Guests are authenticated via a highly resilient and redundant cloud-based environment
- Eliminate the need for complex RADIUS and PKI environments for guest access
- Increase in brand reputation
- QoS policies can be embedded in profiles
In summary
Guest access can be a complicated issue with several challenges in its implementation. One primary concern is adhering to organizational policies, which can include legal requirements. For instance, does your organization need acceptable use agreements? Should guest access be subject to content filtering? Are there requirements for maintaining records that uniquely identify each guest user?
Another important factor is managing guest traffic flow. Do you need to route this traffic back to a central data center, or can direct internet access be utilized at each location? Additionally, it's crucial to consider how to effectively separate guest traffic from your corporate network.
Supporting guest access also brings operational overheads, including increased bandwidth needs, the requirement for additional networking equipment, and potential impacts on end-user support and help desk resources.
In conclusion, there are various methods of providing guest access. Remember that it should be seamless, user-friendly, and, most importantly, secure. Options like Passpoint and OpenRoaming are effective solutions that address many of these concerns. These technologies are also supported by all Wi-Fi original equipment manufacturers (OEMs).