...

        1. User Device with SIM detects a Passpoint-enabled Wi-Fi network.
        2. The device checks its Passpoint profile and determines that EAP-SIM is supported by the network.
        3. The device sends an authentication request using EAP-SIM, including the IMSI (International Mobile Subscriber Identity) from the SIM card.
        4. The Wi-Fi network’s AP forwards the request to the RADIUS server, which queries the user’s mobile network for authentication.
        5. The mobile network verifies the SIM credentials using the HLR/HSS and sends back an authentication challenge.
        6. The device responds to the challenge using the SIM card.
        7. Upon successful verification, the RADIUS server grants access to the Wi-Fi network, and the user is automatically connected.
  • Certificate-based authentication

This method, used with Wi-Fi Passpoint, relies on EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), in which client devices authenticate to the Wi-Fi network with digital certificates rather than usernames, passwords, or SIM credentials. This provides a high level of security, especially in environments such as enterprises or public Wi-Fi hotspots.

    • Steps to Map Certificate Authentication with Wi-Fi Passpoint:

      1. Understanding EAP-TLS (Certificate-Based Authentication):

        • EAP-TLS is an authentication method within the EAP framework that uses digital certificates for mutual authentication between the client and the server.
        • In this method, both the client and the network's RADIUS server exchange certificates to authenticate each other securely.
        • Certificates are issued and managed by a Certificate Authority (CA).
      2. Components Involved in EAP-TLS Authentication with Passpoint:

        • Passpoint Profile: Configured on the client device to connect to Passpoint-enabled Wi-Fi networks that support certificate-based authentication (EAP-TLS).
        • Access Point (AP): Configured to use WPA2-Enterprise or WPA3-Enterprise security, with EAP-TLS as the authentication method.
        • RADIUS Server: Handles the authentication process and validates the client certificates using the CA's public key.
        • Client Device: Must have a digital certificate installed, along with a private key that corresponds to the certificate. This certificate is typically issued by the network provider or organization.
        • Certificate Authority (CA): Issues the certificates for the client and RADIUS server, allowing mutual authentication.

      Steps to Implement Certificate-Based Authentication in Wi-Fi Passpoint:

      1. Set Up a Certificate Authority (CA):

        • To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
        • This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.

        Steps:

        • Set up a CA that can issue both client certificates and server certificates.
        • Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
        • Issue certificates to users (client devices) that will connect to the Wi-Fi network.
      2. Configure the RADIUS Server to Support EAP-TLS:

        • The RADIUS server must be configured to use EAP-TLS for authentication.
        • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

        Steps:

        • Install the RADIUS server certificate signed by the CA.
        • Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
        • Configure the RADIUS server to handle certificate revocation lists (CRLs) or to use the Online Certificate Status Protocol (OCSP) to check the status of client certificates.
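The two procedures above (set up a CA that issues server and client certificates; configure the RADIUS server to validate client certificates against the CA and a revocation source) can be exercised end to end in a small model. The following is an added example, not code from the original page or from any RADIUS product: it uses the third-party `cryptography` package to build an internal CA, issue a server certificate for the RADIUS server and client certificates for Passpoint devices, publish a CRL, and then run the checks a RADIUS server performs on a presented client certificate. All names, serial numbers and the "lost device" scenario are constructed for this example; the `radius_validate_client` function is a hypothetical stand-in for the RADIUS server's EAP-TLS certificate validation, not a real product API.

```python
"""Model of the CA setup and RADIUS-side client certificate validation for EAP-TLS.
Example code only; uses the third-party `cryptography` package. All names and
serials below are constructed for the demonstration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def _name(common_name, org="Example Passpoint Operator"):  # constructed names
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca():
    """Step 1: an internal CA with a self-signed certificate (ECDSA P-256)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = _name("Example Passpoint Root CA")
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, common_name, eku, days=365):
    """Issue a leaf certificate; `eku` distinguishes server certs from client certs."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name(common_name))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials):
    """Step 2 (revocation): a CRL signed by the CA listing revoked serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - datetime.timedelta(minutes=5))
               .next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 exposes tz-aware accessors; older releases only have naive ones.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        utc = datetime.timezone.utc
        return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)
    return nb, cert.not_valid_after_utc


def radius_validate_client(cert, ca_cert, crl, now=NOW):
    """Checks a RADIUS server applies to the client certificate in EAP-TLS (hypothetical)."""
    ca_pub = ca_cert.public_key()
    if cert.issuer != ca_cert.subject:            # issued by our CA by name ...
        return False, "issuer is not the trusted CA"
    try:                                          # ... and by key: only the CA's public key verifies it
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify under CA public key"
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    try:                                          # a server cert must not pass as a client cert
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no extendedKeyUsage extension"
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "certificate not valid for client authentication"
    if not crl.is_signature_valid(ca_pub):        # trust only a CRL the CA actually signed
        return False, "CRL signature invalid"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked"
    return True, "ok"


def demo():
    """Constructed scenario: one good device, one lost device, a rogue CA with the same names."""
    ca_key, ca_cert = make_ca()
    _, server_cert = issue(ca_key, ca_cert, "radius.example.net", ExtendedKeyUsageOID.SERVER_AUTH)
    _, good_client = issue(ca_key, ca_cert, "device-0001", ExtendedKeyUsageOID.CLIENT_AUTH)
    _, lost_client = issue(ca_key, ca_cert, "device-0002", ExtendedKeyUsageOID.CLIENT_AUTH)
    rogue_key, rogue_ca = make_ca()               # same subject names, different key
    _, rogue_client = issue(rogue_key, rogue_ca, "device-0001", ExtendedKeyUsageOID.CLIENT_AUTH)
    crl = make_crl(ca_key, ca_cert, [lost_client.serial_number])
    return {"good": radius_validate_client(good_client, ca_cert, crl),
            "revoked": radius_validate_client(lost_client, ca_cert, crl),
            "server_cert_as_client": radius_validate_client(server_cert, ca_cert, crl),
            "rogue_ca": radius_validate_client(rogue_client, ca_cert, crl)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The rogue-CA case is the reason step 1 insists on the RADIUS server being configured with the CA certificate itself: the forged certificate carries the same issuer name as a genuine one, and only the signature check against the trusted CA public key rejects it. The `server_cert_as_client` case shows why the extended key usage matters, and the CRL case is the revocation check that the last step asks for (an OCSP responder would answer the same question online instead of via a downloaded list).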