What does passpoint do

connecting to Wi-Fi networks, particularly public hotspots.It allows users to automatically and securely connect to Wi-Fi networks without needing to manually select SSIDs or enter credentials each time they connect to a new network

Process

• Automatic Network Selection

  • Devices equipped with Passpoint can automatically discover and connect to available Wi-Fi networks that meet specific security and performance criteria. This eliminates the need for users to manually search for and join a network.

• Seamless Roaming

  •  Passpoint supports seamless roaming between networks, allowing users to move from one hotspot to another (e.g., from a coffee shop to an airport) without having to log in again.

• Enhanced Security

  • Passpoint requires the use of WPA2-Enterprise (and more recently WPA3) security, which provides better encryption and authentication compared to open networks. It uses Extensible Authentication Protocol (EAP) for authentication, enhancing security for users.

• Authentication via SIM, Certificates, or Username/Password

  • Passpoint supports multiple methods of authentication, including:

• • • SIM-based authentication(for cellular subscribers),

    • Certificate-based authentication

    • Username and password authentication (e.g., credentials provided by an internet service provider).

• Efficient Data Management

  •  By prioritizing Wi-Fi over cellular networks for data traffic, Passpoint can reduce mobile data usage, particularly in areas with strong Wi-Fi coverage.

Use cases

• Public Hotspots

  • Passpoint is widely used by public Wi-Fi providers, such as airports, hotels, and cafes, to streamline the user experience.

• Service Provider Networks

  •  Internet service providers (ISPs) often deploy Passpoint to allow their subscribers to access their Wi-Fi networks automatically, even when they are away from home.

• Enterprise Networks

  •  Some organizations use Passpoint to provide employees with secure and seamless Wi-Fi access in different office locations.

Appendix

• SIM Based Auth(users moving between cellular and Wi-Fi networks)

1. 1. Steps to Map SIM-Based Authentication with Wi-Fi Passpoint

• • • SIM-based Authentication Overview (EAP-SIM)

• 1. • • EAP-SIM is a type of EAP (Extensible Authentication Protocol) used for authenticating devices based on their SIM cards. It enables automatic connection to Wi-Fi networks using information from the SIM card (such as IMSI and authentication keys) instead of traditional username/password methods.
       • Mobile Network Operators (MNOs) or Wi-Fi providers that have partnerships with MNOs can use EAP-SIM to let subscribers connect to Wi-Fi networks seamlessly.

  2. Steps to Implement SIM-Based Authentication with Wi-Fi Passpoint

     1. Configure Wi-Fi Network to Support EAP-SIM:

        • The Wi-Fi network, specifically the RADIUS server (Authentication server), must be configured to support EAP-SIM for authentication.
        • The network provider’s infrastructure should support 3GPP AAA servers or similar infrastructure that allows the Wi-Fi network to communicate with the Home Location Register (HLR) or Home Subscriber Server (HSS) to authenticate the SIM credentials.

        Steps:

        • The Wi-Fi access point (AP) is configured to use WPA2-Enterprise (or WPA3-Enterprise for enhanced security).
        • In the AP's configuration, select EAP-SIM as one of the supported authentication methods.
        • The AP communicates with a RADIUS server, which verifies the subscriber's identity through the Mobile Core Network using the SIM card information.

     2. Wi-Fi Passpoint Network Configuration:

        • Passpoint profiles are used to configure client devices to automatically connect to Passpoint-enabled networks.
        • The Passpoint profile for a network that supports SIM-based authentication will specify EAP-SIM as the authentication method.
        • The network's Online Sign-Up (OSU) Server can also deliver the profile to compatible devices, so they can connect automatically.

        Steps:

        • In the Access Network Query Protocol (ANQP) settings, configure EAP-SIM as a supported authentication method.
        • The ANQP responses from the AP will indicate to the device that the network supports EAP-SIM, allowing devices with SIM cards to select this network for automatic connection.

     3. Device-Side Configuration:

        • On the client side (e.g., smartphones or tablets), Passpoint profiles are created by the mobile operator or network provider.
        • Devices with Passpoint support will automatically select networks that match their Passpoint profile and initiate EAP-SIM authentication.

        Steps:

        • The device detects the Passpoint-enabled network and checks the profile for available authentication methods (such as EAP-SIM).
        • The device automatically chooses EAP-SIM and sends the SIM card information (IMSI) to the network.
        • The RADIUS server communicates with the mobile operator’s backend to verify the SIM card’s information.

     4. Authentication Process (EAP-SIM):

        • When a device with a SIM card attempts to connect to a Passpoint-enabled network that supports EAP-SIM, the following occurs:

        Steps:

        • The device sends a request to authenticate using EAP-SIM.
        • The access point forwards this request to the RADIUS server.
        • The RADIUS server then communicates with the Mobile Core Network, querying the HLR or HSS to authenticate the device using the IMSI and other SIM data.
        • The mobile network sends a challenge-response mechanism back to the device, which uses the SIM card to respond and complete authentication.
        • Once authentication is successful, the device is granted access to the network.

     5. SIM-Based Roaming:

        • When the network is set up for roaming, SIM-based authentication works across different networks with roaming agreements.
        • A device using SIM-based authentication can automatically connect to Wi-Fi networks provided by a partner operator in a different country or region.

     6. Advantages of SIM-Based Authentication in Passpoint:

        • Seamless Authentication: Users do not need to manually select a Wi-Fi network or enter credentials. The SIM card handles all authentication automatically.
        • Roaming Support: EAP-SIM enables users to roam between Wi-Fi networks that have roaming agreements with the user’s mobile operator, providing a seamless transition between Wi-Fi and cellular networks.
        • Security: The authentication process is secure, leveraging SIM credentials that are difficult to compromise. EAP-SIM operates over WPA2/WPA3-Enterprise networks, ensuring encryption during data transmission.

Example Workflow of SIM-Based Authentication with Passpoint

• 1. 1. 1. User Device with SIM detects a Passpoint-enabled Wi-Fi network.
        2. The device checks its Passpoint profile and determines that EAP-SIM is supported by the network.
        3. The device sends an authentication request using EAP-SIM, including the IMSI (International Mobile Subscriber Identity) from the SIM card.
        4. The Wi-Fi network’s AP forwards the request to the RADIUS server, which queries the user’s mobile network for authentication.
        5. The mobile network verifies the SIM credentials using the HLR/HSS and sends back an authentication challenge.
        6. The device responds to the challenge using the SIM card.
        7. Upon successful verification, the RADIUS server grants access to the Wi-Fi network, and the user is automatically connected.

• Certificate-based authentication

This method allows with Wi-Fi Passpoint involves using EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), where client devices authenticate to the Wi-Fi network using digital certificates rather than usernames, passwords, or SIM credentials. This ensures a high level of security, especially in environments such as enterprises, or public Wi-Fi hotspots

Steps to Map Certificate Authentication with Wi-Fi Passpoint:

1. 1. 1. 1. Understanding EAP-TLS (Certificate-Based Authentication):

            • EAP-TLS is an authentication method within the EAP framework that uses digital certificates for mutual authentication between the client and the server.
            • In this method, both the client and the network's RADIUS server exchange certificates to authenticate each other securely.
            • Certificates are issued and managed by a Certificate Authority (CA).

         2. Components Involved in EAP-TLS Authentication with Passpoint:

            • Passpoint Profile: Configured on the client device to connect to Passpoint-enabled Wi-Fi networks that support certificate-based authentication (EAP-TLS).
            • Access Point (AP): Configured to use WPA2-Enterprise or WPA3-Enterprise security, with EAP-TLS as the authentication method.
            • RADIUS Server: Handles the authentication process and validates the client certificates using the CA's public key.
            • Client Device: Must have a digital certificate installed, along with a private key that corresponds to the certificate. This certificate is typically issued by the network provider or organization.
            • Certificate Authority (CA): Issues the certificates for the client and RADIUS server, allowing mutual authentication.

Steps to Implement Certificate-Based Authentication in Wi-Fi Passpoint:

1. 1. 1. 1. 1. 1. Set Up a Certificate Authority (CA):

                  • To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
                  • This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.

                  Steps:

                  • Set up a CA that can issue both client certificates and server certificates.
                  • Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
                  • Issue certificates to users (client devices) that will connect to the Wi-Fi network.

               2. Configure the RADIUS Server to Support EAP-TLS:

                  • The RADIUS server must be configured to use EAP-TLS for authentication.
                  • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

                  Steps:

                  • Install the RADIUS server certificate signed by the CA.
                  • Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
                  • Configure the RADIUS server to handle certificate revocation lists (CRL) or use Online Certificate Status Protocol (OCSP) to check the status of client certificates.
                  • Example configuration for FreeRADIUS (a popular open-source RADIUS server)
                    1. 

               3. Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:

                  • The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode.
                  • The AP should also be configured to use the RADIUS server for authentication and EAP-TLS as the supported authentication method.

                  Steps:

                  • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
                  • Specify the RADIUS server IP address and shared secret on the AP, so that the AP can forward authentication requests to the RADIUS server.
                  • Enable EAP-TLS as the authentication method.
                  • 

               4. Configure the Passpoint Profile for Certificate-Based Authentication:

                  • Passpoint profiles on client devices include settings that define how the device should connect to the Wi-Fi network. For EAP-TLS, the profile should specify that certificate-based authentication is required.
                  • The profile will also contain the identity provider (IDP) information, allowing the device to automatically connect to networks using the correct certificates.

                  Steps:

                  • The ANQP (Access Network Query Protocol) settings should be configured on the AP to inform clients that EAP-TLS is available.
                  • The Passpoint profile on the client device must include:
                    • The CA certificate (for server verification).
                    • The client certificate (issued by the network or organization).
                    • The private key associated with the client certificate.
                    • 

               5. Install Certificates on Client Devices:

                  • The client device (laptop, smartphone, tablet, etc.) must have a client certificate and private key installed. This certificate is typically issued by the organization or service provider offering the Wi-Fi network.

                  Steps:

                  • Install the client certificate and corresponding private key on the client device.
                  • Ensure that the device trusts the CA certificate of the RADIUS server to validate the server's identity during the authentication process.

                  • Example on Windows/macOS/Linux:

                    • Use the system’s certificate manager to install the certificates and configure the Wi-Fi connection settings to use EAP-TLS.
                    • For Android and iOS devices, profiles can be pushed by the network provider or manually installed via the settings menu.

               6. EAP-TLS Authentication Workflow: When a client with a Passpoint profile and a client certificate attempts to connect to a Passpoint-enabled network that supports EAP-TLS, the following occurs:

                  Steps:

                  1. The client sends a TLS handshake request to the Wi-Fi access point.
                  2. The AP forwards this request to the RADIUS server.
                  3. The RADIUS server responds with its own certificate for the client to verify.
                  4. The client validates the server's certificate using the CA certificate it trusts.
                  5. The client sends its client certificate to the RADIUS server for authentication.
                  6. The RADIUS server validates the client's certificate using the CA that issued it.
                  7. Upon successful mutual authentication, the client is granted access to the Wi-Fi network.
                  8. A secure TLS session is established between the client and the network.

               7. Advantages of Certificate-Based Authentication in Passpoint:

                  • Higher Security: EAP-TLS provides strong mutual authentication, making it difficult for attackers to intercept or impersonate clients or servers.
                  • Eliminates Passwords: Users do not need to remember or enter passwords, which reduces the risk of weak or compromised credentials.
                  • Automated Authentication: With Passpoint, client devices can automatically connect to trusted Wi-Fi networks using certificates, ensuring a seamless experience.
                  • Mutual Authentication: Both the client and the RADIUS server authenticate each other, reducing the risk of man-in-the-middle attacks

• Username and Password Authentication

To map Wi-Fi Passpoint with Username and Password Authentication, you would typically use EAP-TTLS (Tunneled Transport Layer Security) or EAP-PEAP (Protected Extensible Authentication Protocol). These authentication methods allow the use of usernames and passwords securely over Wi-Fi networks. In these protocols, an outer TLS tunnel is established to protect the inner authentication, where the user credentials (username and password) are verified

Steps to Map Username and Password Authentication with Wi-Fi Passpoint

1. Understanding EAP-TTLS and EAP-PEAP:

• • • EAP-TTLS and EAP-PEAP are both Extensible Authentication Protocol (EAP) types used for WPA2-Enterprise or WPA3-Enterprise networks. They both work by establishing a secure TLS tunnel between the client and the authentication server (usually a RADIUS server).
    • Inside this tunnel, user credentials (username and password) are sent securely for authentication.
    • EAP-TTLS supports multiple inner authentication mechanisms (such as PAP, CHAP, MS-CHAPv2, etc.).
    • EAP-PEAP typically uses MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to authenticate with a username and password.

2. Components Involved:

• • • Passpoint Profile: Configured on the client device to define how the device should connect to a Passpoint-enabled network that supports username and password-based authentication.
    • Access Point (AP): Configured to support WPA2/WPA3-Enterprise with EAP-TTLS or EAP-PEAP as the authentication method.
    • RADIUS Server: Performs authentication by validating the username and password. It also validates the server’s certificate.
    • Client Device: Configured with a Passpoint profile that includes the username and password for authentication.

3. Configure the RADIUS Server for EAP-TTLS or EAP-PEAP:

The RADIUS server must be configured to support EAP-TTLS or EAP-PEAP. The RADIUS server will authenticate the username and password against a backend database, such as LDAP, Active Directory, or a local user database.

Steps:

• • • Install the server certificate on the RADIUS server, which is used to establish the TLS tunnel for secure communication.
    • Configure the RADIUS server to support EAP-TTLS or EAP-PEAP and to verify the username and password credentials.
    • 
    • Ensure that the CA certificate (used to sign the server certificate) is trusted by client devices.

4.Configure the Wi-Fi Access Point:

The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) and must use EAP-TTLS or EAP-PEAP as the authentication methods.

Steps:

• • • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
    • Specify the RADIUS server IP address and shared secret on the AP to allow it to forward authentication requests to the RADIUS server.
    • Enable EAP-TTLS or EAP-PEAP as the authentication method on the AP.

5. Configure the Passpoint Profile for Username and Password Authentication:

• • • The Passpoint profile on the client device needs to specify the EAP method (either EAP-TTLS or EAP-PEAP) and the credentials (username and password) that the client will use to authenticate.
    • The profile also contains the identity provider (IDP) information that allows the device to automatically connect to Passpoint-enabled networks.

Steps:

• • • • Configure the ANQP (Access Network Query Protocol) settings on the Wi-Fi AP to advertise support for EAP-TTLS or EAP-PEAP.
      • On the client device, create a Passpoint configuration profile that specifies the username and password for authentication, as well as the EAP type (EAP-TTLS or EAP-PEAP)
      • 

6.Install the Passpoint Profile on Client Devices:

• • • The Passpoint profile containing the username, password, and EAP method needs to be installed on the client device.
    • The client device must also have the CA certificate installed to trust the RADIUS server’s certificate.

Steps:

• • • • For Windows/macOS/Linux: Use the system’s network manager or profile manager to install the profile.
      • For Android and iOS devices: The Passpoint profile can be pushed via Mobile Device Management (MDM), or users can install it manually.

7. EAP-TTLS or EAP-PEAP Authentication Workflow:

When the client with a Passpoint profile containing the username and password tries to connect to a Passpoint-enabled Wi-Fi network, the following occurs:

Steps:

1. 1. 1. 1. The client sends an authentication request to the AP.
         2. The AP forwards this request to the RADIUS server.
         3. The RADIUS server responds with its certificate to establish a secure TLS tunnel.
         4. The client validates the server certificate (using the CA certificate installed on the client device).
         5. The client sends the username and password (inside the secure TLS tunnel) to the RADIUS server.
         6. The RADIUS server verifies the username and password by checking the credentials against its backend database (such as LDAP, AD, etc.).
         7. Upon successful authentication, the client is granted access to the Wi-Fi network.
         8. A secure TLS session is established for the client’s data to be transmitted securely.

8. User Experience:

Once the Passpoint profile with the username and password is configured, the client device can automatically connect to Passpoint-enabled networks that support EAP-TTLS or EAP-PEAP without needing to re-enter the credentials.

The client device will also automatically authenticate securely, ensuring a seamless and secure experience.