What is Passpoint?

Simply put, Passpoint is a protocol developed by the Wi-Fi Alliance to allow users to easily transition between partner networks. The vision is that people using mobile devices like smartphones and laptops will have reduced reliance on mobile data and be able to seamlessly transition between Wi-Fi networks as they travel.

When your phone automatically connects to a new Wi-Fi network without your intervention, it is probably due to Passpoint’s influence.

Passpoint vs Hotspot 2.0

While the two terms are sometimes used interchangeably, that’s not quite accurate. Hotspot 2.0 is a commercial product based on Passpoint’s first release (r1). While r1 networks are still prevalent, there have been a couple of new generations of Passpoint since then, and it wouldn’t be accurate to call them Hotspot 2.0 as well.

How does Wi-Fi Passpoint work?

If a device has Passpoint enabled, all it needs to do is connect to the Passpoint Wi-Fi network once. After that, it will connect automatically whenever the user is in range of the network again without any need for re-entering credentials.

In essence, Passpoint works because all of the participants adhere to the same protocols and use “industry-agreed uniform mechanisms for discovering and creating secured connections to hotspots.”

The uniform nature of participants’ Wi-Fi networks makes it easy for people to jump between Wi-Fi-certified Passpoint networks automatically, never noticing the transition from SSID to SSID.

Passpoint expands its reach (and coverage area) when organizations agree to conform to the standard and get their networks Passpoint certified. It benefits not just their employees but anyone who uses their Wi-Fi – guests, contractors, clients, and customers can all connect to Passpoint-enabled Wi-Fi APs automatically once they’re onboarded.

Is Passpoint Wi-Fi Secure?

Security is always a foremost concern in networking, and the developers at the Wi-Fi Alliance are responsible for working on some of the protocols the entire industry uses to keep safe.

Passpoint adheres to the IEEE 802.11u specification – a version of 802.1X. It’s restricted to access points and devices capable of WPA2 and WPA3 authentication, specifically the EAP authentication protocol. That’s the current industry standard for network security.

While most Passpoint Wi-Fi networks use credential-based authentication, Passpoint does support digital certificates through EAP-TLS, which dramatically increases the security of the network.

What is Passpoint Secure Wi-Fi?

Organizations that qualify can have their network certified by the Wi-Fi Alliance to use the Passpoint protocol and name, so it’s not uncommon to see SSIDs with “Passpoint” in them. One of the more commonly seen variations is “Passpoint Secure Wi-Fi”. It’s not any more secure than other Passpoint networks; it just happens to be an unimaginative SSID from Boingo – the company that provisions internet in many airports and airplanes around the world.

Should I Enable Passpoint?

Wi-Fi Passpoint was designed to make it easier for users to connect to networks by simplifying the process of accessing said networks – it connects you automatically without the need for entering your credentials. With the protection of WPA2, it also safeguards your data. In short, it’s not a bad idea to enable it, especially if you’re going to be roaming regularly.

How do I connect to Passpoint Wi-Fi?

Connecting to Passpoint is pretty simple, and only requires a few steps:

  1. Enable Wi-Fi on your device.
  2. In the Wi-Fi Menu, check the Advanced or More options and locate the Passpoint box.
  3. Make sure the box is checked.

Keep in mind that not all devices will have this option available. You need to be in a location with a Passpoint network in order to take advantage of it, and some providers will also require you to have a subscription or account with them in advance.

Ultimately, you need to have an appropriate network profile already configured on your device to connect to a Passpoint network. This is accomplished through a few different methods: by purchasing a device that already has the network profile configured, by using an onboarding solution such as our JoinNow MultiOS that configures the device for you, or by manually configuring your device through various device-specific methods. The process can vary based on the operating system.
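As an added example (not SecureW2's code or part of the original article), the sketch below audits the kind of network profile described above, written in wpa_supplicant's `cred={...}` syntax, and contrasts a credential-based profile with the EAP-TLS certificate profile mentioned under "Is Passpoint Wi-Fi Secure?". The realms, file paths and account values are constructed placeholders, and the helper names are hypothetical.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; every value is a placeholder.
SAMPLE_CONF = '''
interworking=1
hs20=1
cred={
    realm="roam.example.net"
    eap=TTLS
    username="alice"
    password="constructed-password"
}
cred={
    realm="corp.example.org"
    eap=TLS
    ca_cert="/etc/wifi/ca.pem"
    client_cert="/etc/wifi/client.pem"
    private_key="/etc/wifi/client.key"
    domain_suffix_match="radius.corp.example.org"
}
'''

def parse_creds(conf):
    """Return one dict of key -> value for every cred={...} block."""
    creds = []
    for body in re.findall(r'^\s*cred=\{(.*?)^\s*\}', conf, re.S | re.M):
        fields = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith('#') and '=' in line:
                key, value = line.split('=', 1)
                fields[key.strip()] = value.strip().strip('"')
        creds.append(fields)
    return creds

def audit_cred(cred):
    """List the weaknesses of one credential; an empty list means none found."""
    findings = []
    if 'password' in cred:
        findings.append('password-based EAP: a reusable secret is exposed to a rogue server')
    if cred.get('eap', '').upper() == 'TLS' and not ('client_cert' in cred and 'private_key' in cred):
        findings.append('EAP-TLS selected but client certificate or key is missing')
    if 'ca_cert' not in cred:
        findings.append('no ca_cert: the RADIUS server certificate is not validated')
    if 'domain_suffix_match' not in cred:
        findings.append('no domain_suffix_match: any server name under the CA is accepted')
    return findings

def audit_conf(conf):
    """Map each credential's realm to its list of findings."""
    return {c.get('realm', '?'): audit_cred(c) for c in parse_creds(conf)}
```

Run over the sample, the password profile collects three findings and the certificate profile none.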

Passpoint Releases

Passpoint has been updated twice for a total of 3 Passpoint releases (referred to as r1, r2, and r3).

Passpoint r1 – The initial release of Passpoint established all of the basic features that characterize the technology, but the focus of the release was introducing Hotspot 2.0. Adopters were able to identify other Passpoint-enabled networks and automatically connect to the strongest signal.

Passpoint r2 – The first major update to Passpoint improved many of the preexisting features but made the great leap of adding OSU, simplifying the onboarding process for end users and standardizing credential management for the network.

Passpoint r3 – The latest update to Passpoint has continued to improve on its foundations while concentrating on security and liability, as well as adding WPA3 support. An important addition is support for single SSID OSU, which vastly simplifies the user experience.

There are also several new ANQP elements:

  • Operator Icon Metadata
  • Venue URL
  • Advice of Charge

Another added functionality is the ability to implement Terms and Conditions pages into OSU. It might feel like a step back from an end-user perspective, but is a valuable shield against liability for the operator.

SecureW2 is one of the first cybersecurity companies to adopt and implement Passpoint r3. If you need help with deploying it, contact us here.

What is Passpoint OSU?

OSU stands for Online Signup, a rather unassuming name for an impressive service. One of the greatest challenges in deploying any end user-facing service is the task of onboarding. You have to make the user experience as simple and as streamlined as possible to reduce the number of drop-offs (and thus support tickets).

SecureW2 is a leader in the automatic onboarding field and we have been thoroughly impressed with the implementation of Passpoint OSU. It creates an uninterrupted browsing experience for the internet in the same way your cell signal switches from cell tower to cell tower as you travel. It’s a significant step towards a seamless, universal wireless network.

What is a Passpoint Remediation Server?

No matter how good your onboarding, there will always be some users that fail to be authorized. Oftentimes, it’s neither your fault nor theirs – they just happen to have devices that aren’t configured correctly.

That’s where Passpoint Remediation Servers come in handy. When a noncompliant NAP (Network Access Protection) client tries to enroll, they can be redirected to the remediation server.

A Remediation Server usually has two purposes. It can provide updates to clients that are simply running an outdated version of their network access software, or it can provide a limited-access network that is insulated from the main network.

Remediation Servers are important because they maintain the overall health of your network by only allowing “healthy”, properly configured clients access. This has the double benefit of eliminating a potential vector of attack while also helping to triage users who have connection difficulties.

If you’re curious about Remediation Servers, SecureW2 provides OSU & Remediation servers, alongside powerful policy engines that enable any service provider to securely implement Passpoint. If you’d like to learn more about our solutions, contact us today.

Passpoint & 5G

As 5G begins to be implemented, there will be more and more devices occupying the airwaves – and there’s only so much spectrum available. Much of this spectrum can be offloaded to Wi-Fi, but switching bands is a cumbersome task. This scenario is exactly where Passpoint can provide a huge value.

Passpoint allows devices that are using the cellular network (mobile data) to easily switch to Wi-Fi hotspots with no service interruption. This will relieve a lot of bandwidth that will become exponentially more crowded as 5G rolls out. It will be particularly effective in areas of high density, like sporting events, universities, metropolitan districts, and other similar locations.

Consider also that 5G operates on a higher frequency of the highband (millimeter wavelength) spectrum. These high energy waves are what allow data to be transmitted quickly and enable faster internet speeds, but it also means that the waves have trouble penetrating objects. 5G will be difficult to use indoors, so having an automatic and seamless transition to local Wi-Fi will be invaluable.

As you can see, the rollout of 5G is almost dependent on the widespread availability of Passpoint. It’s unlikely that mobile data operating on a higher frequency than 4G will ever be reliable indoors, which necessitates the offloading ability of Passpoint.

Authenticating Passpoint – 5G Connections

Of course, the transition from mobile data to Wi-Fi requires the local network to be able to authenticate the mobile device. There are a few ways to authenticate these connections through Passpoint, but the most widely used one will likely be SIM authentication.

SIM authentication is a natural choice for a few reasons. A SIM card is a type of smartcard, meaning it’s capable of using certificate-based EAP-TLS authentication on WPA2-Enterprise and WPA3 networks. Furthermore, a SIM is already registered to a single person and can be used to validate their identity, so it’s only a small step away from full-fledged digital certificates.

SIM authentication isn’t the only solution. Nearly every modern device is capable of using certificate-based authentication, regardless of the SIM card. However, the methodologies of enrolling and installing certificates to mass devices aren’t well known. That’s one of the reasons why we’ve been helping so many organizations issue certificates to devices, as our software makes it incredibly easy to connect your Identity Provider for certificate issuance.

Almost every new mobile device is manufactured with Passpoint compatibility, and 5G will be equally common soon enough. It’s likely that many users will never even notice that they are being moved from mobile data to Wi-Fi with this technology.

Secure Passpoint and 5G Networks

However, every time a device connects to an SSID is an opportunity for hackers to steal credentials over-the-air. That’s why SecureW2 has been pioneering certificate-based Wi-Fi for devices using Passpoint and non-Passpoint Wi-Fi. With SecureW2’s #1 Rated Onboarding Clients, users can easily self-service their devices for certificate-based Wi-Fi, eliminating the risk for over-the-air credential theft, and securely configuring devices for hotspots like Passpoint.

How to Deploy Passpoint Wi-Fi

In order to configure your organization’s network to support Passpoint Wi-Fi, and to configure the partner networks that users can roam between, you’ll need the services of an experienced network solutions company.

SecureW2 has been building secure WPA2-Enterprise networks for years. We are industry forerunners in adopting new technology, including Passpoint r3 and 5G. Click here to see our affordable pricing.

 

Learn about this author

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
