What does passpoint do

connecting to Wi-Fi networks, particularly public hotspots.It allows users to automatically and securely connect to Wi-Fi networks without needing to manually select SSIDs or enter credentials each time they connect to a new network

Process

• Automatic Network Selection

  • Devices equipped with Passpoint can automatically discover and connect to available Wi-Fi networks that meet specific security and performance criteria. This eliminates the need for users to manually search for and join a network.

• Seamless Roaming

  •  Passpoint supports seamless roaming between networks, allowing users to move from one hotspot to another (e.g., from a coffee shop to an airport) without having to log in again.

• Enhanced Security

  • Passpoint requires the use of WPA2-Enterprise (and more recently WPA3) security, which provides better encryption and authentication compared to open networks. It uses Extensible Authentication Protocol (EAP) for authentication, enhancing security for users.

• Authentication via SIM, Certificates, or Username/Password

  • Passpoint supports multiple methods of authentication, including:

• • • SIM-based authentication(for cellular subscribers),

    • Certificate-based authentication

    • Username and password authentication (e.g., credentials provided by an internet service provider).

• Efficient Data Management

  •  By prioritizing Wi-Fi over cellular networks for data traffic, Passpoint can reduce mobile data usage, particularly in areas with strong Wi-Fi coverage.

Use cases

• Public Hotspots

  • Passpoint is widely used by public Wi-Fi providers, such as airports, hotels, and cafes, to streamline the user experience.

• Service Provider Networks

  •  Internet service providers (ISPs) often deploy Passpoint to allow their subscribers to access their Wi-Fi networks automatically, even when they are away from home.

• Enterprise Networks

  •  Some organizations use Passpoint to provide employees with secure and seamless Wi-Fi access in different office locations.

Appendix

• SIM Based Auth(users moving between cellular and Wi-Fi networks)

1. 1. Steps to Map SIM-Based Authentication with Wi-Fi Passpoint

• • • SIM-based Authentication Overview (EAP-SIM)

• 1. • • EAP-SIM is a type of EAP (Extensible Authentication Protocol) used for authenticating devices based on their SIM cards. It enables automatic connection to Wi-Fi networks using information from the SIM card (such as IMSI and authentication keys) instead of traditional username/password methods.
       • Mobile Network Operators (MNOs) or Wi-Fi providers that have partnerships with MNOs can use EAP-SIM to let subscribers connect to Wi-Fi networks seamlessly.

  2. Steps to Implement SIM-Based Authentication with Wi-Fi Passpoint

     1. Configure Wi-Fi Network to Support EAP-SIM:

        • The Wi-Fi network, specifically the RADIUS server (Authentication server), must be configured to support EAP-SIM for authentication.
        • The network provider’s infrastructure should support 3GPP AAA servers or similar infrastructure that allows the Wi-Fi network to communicate with the Home Location Register (HLR) or Home Subscriber Server (HSS) to authenticate the SIM credentials.

        Steps:

        • The Wi-Fi access point (AP) is configured to use WPA2-Enterprise (or WPA3-Enterprise for enhanced security).
        • In the AP's configuration, select EAP-SIM as one of the supported authentication methods.
        • The AP communicates with a RADIUS server, which verifies the subscriber's identity through the Mobile Core Network using the SIM card information.

     2. Wi-Fi Passpoint Network Configuration:

        • Passpoint profiles are used to configure client devices to automatically connect to Passpoint-enabled networks.
        • The Passpoint profile for a network that supports SIM-based authentication will specify EAP-SIM as the authentication method.
        • The network's Online Sign-Up (OSU) Server can also deliver the profile to compatible devices, so they can connect automatically.

        Steps:

        • In the Access Network Query Protocol (ANQP) settings, configure EAP-SIM as a supported authentication method.
        • The ANQP responses from the AP will indicate to the device that the network supports EAP-SIM, allowing devices with SIM cards to select this network for automatic connection.

     3. Device-Side Configuration:

        • On the client side (e.g., smartphones or tablets), Passpoint profiles are created by the mobile operator or network provider.
        • Devices with Passpoint support will automatically select networks that match their Passpoint profile and initiate EAP-SIM authentication.

        Steps:

        • The device detects the Passpoint-enabled network and checks the profile for available authentication methods (such as EAP-SIM).
        • The device automatically chooses EAP-SIM and sends the SIM card information (IMSI) to the network.
        • The RADIUS server communicates with the mobile operator’s backend to verify the SIM card’s information.

     4. Authentication Process (EAP-SIM):

        • When a device with a SIM card attempts to connect to a Passpoint-enabled network that supports EAP-SIM, the following occurs:

        Steps:

        • The device sends a request to authenticate using EAP-SIM.
        • The access point forwards this request to the RADIUS server.
        • The RADIUS server then communicates with the Mobile Core Network, querying the HLR or HSS to authenticate the device using the IMSI and other SIM data.
        • The mobile network sends a challenge-response mechanism back to the device, which uses the SIM card to respond and complete authentication.
        • Once authentication is successful, the device is granted access to the network.

     5. SIM-Based Roaming:

        • When the network is set up for roaming, SIM-based authentication works across different networks with roaming agreements.
        • A device using SIM-based authentication can automatically connect to Wi-Fi networks provided by a partner operator in a different country or region.

     6. Advantages of SIM-Based Authentication in Passpoint:

        • Seamless Authentication: Users do not need to manually select a Wi-Fi network or enter credentials. The SIM card handles all authentication automatically.
        • Roaming Support: EAP-SIM enables users to roam between Wi-Fi networks that have roaming agreements with the user’s mobile operator, providing a seamless transition between Wi-Fi and cellular networks.
        • Security: The authentication process is secure, leveraging SIM credentials that are difficult to compromise. EAP-SIM operates over WPA2/WPA3-Enterprise networks, ensuring encryption during data transmission.

Example Workflow of SIM-Based Authentication with Passpoint

• 1. 1. 1. User Device with SIM detects a Passpoint-enabled Wi-Fi network.
        2. The device checks its Passpoint profile and determines that EAP-SIM is supported by the network.
        3. The device sends an authentication request using EAP-SIM, including the IMSI (International Mobile Subscriber Identity) from the SIM card.
        4. The Wi-Fi network’s AP forwards the request to the RADIUS server, which queries the user’s mobile network for authentication.
        5. The mobile network verifies the SIM credentials using the HLR/HSS and sends back an authentication challenge.
        6. The device responds to the challenge using the SIM card.
        7. Upon successful verification, the RADIUS server grants access to the Wi-Fi network, and the user is automatically connected.

• Certificate-based authentication

This method allows with Wi-Fi Passpoint involves using EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), where client devices authenticate to the Wi-Fi network using digital certificates rather than usernames, passwords, or SIM credentials. This ensures a high level of security, especially in environments such as enterprises, or public Wi-Fi hotspots

Steps to Map Certificate Authentication with Wi-Fi Passpoint:

1. 1. 1. 1. Understanding EAP-TLS (Certificate-Based Authentication):

            • EAP-TLS is an authentication method within the EAP framework that uses digital certificates for mutual authentication between the client and the server.
            • In this method, both the client and the network's RADIUS server exchange certificates to authenticate each other securely.
            • Certificates are issued and managed by a Certificate Authority (CA).

         2. Components Involved in EAP-TLS Authentication with Passpoint:

            • Passpoint Profile: Configured on the client device to connect to Passpoint-enabled Wi-Fi networks that support certificate-based authentication (EAP-TLS).
            • Access Point (AP): Configured to use WPA2-Enterprise or WPA3-Enterprise security, with EAP-TLS as the authentication method.
            • RADIUS Server: Handles the authentication process and validates the client certificates using the CA's public key.
            • Client Device: Must have a digital certificate installed, along with a private key that corresponds to the certificate. This certificate is typically issued by the network provider or organization.
            • Certificate Authority (CA): Issues the certificates for the client and RADIUS server, allowing mutual authentication.

Steps to Implement Certificate-Based Authentication in Wi-Fi Passpoint:

1. 1. 1. 1. 1. 1. Set Up a Certificate Authority (CA):

                  • To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
                  • This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.

                  Steps:

                  • Set up a CA that can issue both client certificates and server certificates.
                  • Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
                  • Issue certificates to users (client devices) that will connect to the Wi-Fi network.

               2. Configure the RADIUS Server to Support EAP-TLS:

                  • The RADIUS server must be configured to use EAP-TLS for authentication.
                  • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

                  Steps:

                  • Install the RADIUS server certificate signed by the CA.
                  • Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
                  • Configure the RADIUS server to handle certificate revocation lists (CRL) or use Online Certificate Status Protocol (OCSP) to check the status of client certificates.
                  • Example configuration for FreeRADIUS (a popular open-source RADIUS server)
                    1. 

               3. Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:

                  • The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode.
                  • The AP should also be configured to use the RADIUS server for authentication and EAP-TLS as the supported authentication method.

                  Steps:

                  • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
                  • Specify the RADIUS server IP address and shared secret on the AP, so that the AP can forward authentication requests to the RADIUS server.
                  • Enable EAP-TLS as the authentication method.
                  • 

               4. Configure the Passpoint Profile for Certificate-Based Authentication:

                  • Passpoint profiles on client devices include settings that define how the device should connect to the Wi-Fi network. For EAP-TLS, the profile should specify that certificate-based authentication is required.
                  • The profile will also contain the identity provider (IDP) information, allowing the device to automatically connect to networks using the correct certificates.

                  Steps:

                  • The ANQP (Access Network Query Protocol) settings should be configured on the AP to inform clients that EAP-TLS is available.
                  • The Passpoint profile on the client device must include:
                    • The CA certificate (for server verification).
                    • The client certificate (issued by the network or organization).
                    • The private key associated with the client certificate.
                    •