What does passpoint do

connecting to Wi-Fi networks, particularly public hotspots.It allows users to automatically and securely connect to Wi-Fi networks without needing to manually select SSIDs or enter credentials each time they connect to a new network

Advantages

• Automatic Network Selection

  • Devices equipped with Passpoint can automatically discover and connect to available Wi-Fi networks that meet specific security and performance criteria. This eliminates the need for users to manually search for and join a network.

• Seamless Roaming

  •  Passpoint supports seamless roaming between networks, allowing users to move from one hotspot to another (e.g., from a coffee shop to an airport) without having to log in again.

• Enhanced Security

  • Passpoint requires the use of WPA2-Enterprise (and more recently WPA3) security, which provides better encryption and authentication compared to open networks. It uses Extensible Authentication Protocol (EAP) for authentication, enhancing security for users.

• Authentication via SIM, Certificates, or Username/Password (support all)

  • Passpoint supports multiple methods of authentication, including:

• • • SIM-based authentication(for cellular subscribers), - Not tested,But RDK-B can support

    • Certificate-based authentication - Tested in RDK-B from comcast

    • Username and password authentication (e.g., credentials provided by an internet service provider). - Tested in RDK-B from comcast

    • EAP-AKA - Not tested,But RDK-B can support

• Efficient Data Management

  •  By prioritizing Wi-Fi over cellular networks for data traffic, Passpoint can reduce mobile data usage, particularly in areas with strong Wi-Fi coverage.

Use cases

• Public Hotspots

  • Passpoint is widely used by public Wi-Fi providers, such as airports, hotels, and cafes, to streamline the user experience.

• Service Provider Networks

  •  Internet service providers (ISPs) often deploy Passpoint to allow their subscribers to access their Wi-Fi networks automatically, even when they are away from home.

• Enterprise Networks

  •  Some organizations use Passpoint to provide employees with secure and seamless Wi-Fi access in different office locations.

Reference use case state machine

RDK-B supported use cases

• Use case #	Auth Method
  1	SIM-based authentication
  2	Certificate-based authentication
  3	Username and password authentication
  4	EAP-AKA

Hotspot vs wifi passpoint(Hotspot 2.0)

• Hotspot

  Wifi passpoint(hotspot 2.0)

  Definition: A Wi-Fi hotspot is a physical location or device that provides wireless internet access to users, typically through a local area network (LAN) connected to a router. It can be created using a mobile device (mobile hotspot) or a dedicated router. Authentication: Users typically need to manually connect to a hotspot by selecting the network (SSID) and entering a password. User Experience: The connection is often temporary. Users must re-authenticate every time they connect to the hotspot. Security: Hotspots generally offer open or password-protected networks. Open networks (like those in public places) can be less secure, exposing users to potential threats unless extra protection (like a VPN) is used. Use Cases: Public places like airports, cafes, or personal hotspots created using a smartphone.

  Definition: Wi-Fi Passpoint is a technology that automates the process of connecting to secure Wi-Fi networks. It was developed by the Wi-Fi Alliance under the Hotspot 2.0 standard, making the connection process more seamless, secure, and automated. Authentication: Passpoint networks use automatic authentication, often linked to a user’s cellular carrier, credentials stored on a device, or SIM card. Users don’t need to manually select the network or enter credentials each time. User Experience: Once a device is configured to use Passpoint, it can automatically connect to available Passpoint-enabled Wi-Fi networks, providing a seamless and roaming-friendly experience similar to how mobile networks operate. Security: Passpoint uses advanced encryption standards (WPA3 or WPA2-Enterprise), ensuring a higher level of security than typical public hotspots. It also supports seamless authentication via EAP (Extensible Authentication Protocol). Use Cases: Common in places like airports, hotels, or city-wide networks where secure, automatic roaming is desired. Cellular carriers and ISPs also use Passpoint to offload traffic from mobile networks to Wi-Fi.

Prerequisites for Passpoint(Hotspot 2.0)

• Configure public VAP's using postman or dmcli

• Public hostspot

• Wi-Fi Interworking element

• GAS(Generic advertisement service)

• ANQP (Access Network query protocol)

How to enable

• Use case highlevel

• Webconfig enabled builds

• For Non Webconfig builds

  • Use Datamodels to configure and enable - configure public and private VAP's

    • 
    • 

    • Check if the interfaces are up for the vaps and are mapped to GRE TAPS

      • brctl show

    • Testing of passpoint

      • Run the sniffer in MAC Book and verify the packets

    • Where to configure my AUTH methods 

      •  As part of COM_InterworkingService.parameteres

    • Feature Flags for passpoint and interworking

      • 

    • Complete feature flags

      • 

    • Feature enabling in latest builds

      • In latest build enabling of feature done inside wifi component
        • 

      • Some references

        • 

      • Ccspwifiagent apply settings(Radio apply will do it for both radio and accesspoint)

        Porting Guide - OneWifi#CcspWifiAgent:

    • HAL API's

      • wifi_pushApRoamingConsortiumElement

      • https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/halinterface/+/refs/heads/rdk-next/wifi_hal_ap.h

Porting mechanism

By default this feature is kept under distro and disabled.Operator has to work with OEM/SoC vendor and enable this feature in their platform and get the Platform api's from SoC/OEM to integrate end to end use case

• Highlevel Block diagram

• Prerequisites

  • Enable the distro 

    • 

    • Hal definitions

      • 
      • Definition for enablePassPointSettings and wifi_setGASConfiguration are not available in halinterface(https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/halinterface/+/refs/heads/rdk-next).its there in rdk-wifi-hal(https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/hal/rdk-wifi-hal/+/refs/heads/rdk-next/src/).you can port those two api's from rdk-wifi-hal to ccspwifiagent hal 
      • For enablePassPointSettings it has dependency on
        • wifi_setCountryIe(ap_index, passpoint_enable)
        • wifi_setProxyArp(ap_index, passpoint_enable)
        • wifi_setLayer2TrafficInspectionFiltering(ap_index, layer2TIF)
        • wifi_setDownStreamGroupAddress(ap_index, downstream_disable);
        • wifi_setBssLoad(ap_index, passpoint_enable);
        • wifi_setP2PCrossConnect(ap_index, p2p_disable);
        • wifi_pushApHotspotElement(ap_index,passpoint_enable)

      • wifi_applyGASConfiguration - this is been invoked by wifi_setGASConfiguration

    • PSM configurations

      • As part of device you may need to have passpoint and interworking specific psm entries in the psm config file and by default the code for RFC params for passpoint and interworking are under feature flags.when we enable the distro code is compiled in CcspPandM
      • 
      • 

    • CcspwifiAgent side - No code changes required

    • Reference for operators(Just for understanding)

      • 

      • /* GAS Configuration */ #define GAS_CFG_TYPE_SUPPORTED 1 /* GAS Configuration */ typedef struct _wifi_GASConfiguration_t{ // Values correspond to the dot11GASAdvertisementEntry field definitions; see 802.11-2016 Annex C.3. unsigned int AdvertisementID; bool PauseForServerResponse; unsigned int ResponseTimeout; unsigned int ComeBackDelay; unsigned int ResponseBufferingTime; unsigned int QueryResponseLengthLimit; }__attribute__((packed))wifi_GASConfiguration_t; typedef enum { wifi_anqp_element_name_reserved_0, wifi_anqp_element_name_query_list = 256, wifi_anqp_element_name_capability_list, wifi_anqp_element_name_venue_name, wifi_anqp_element_name_emergency_call_number, wifi_anqp_element_name_network_auth_type, wifi_anqp_element_name_roaming_consortium, wifi_anqp_element_name_ip_address_availabality, wifi_anqp_element_name_nai_realm, wifi_anqp_element_name_3gpp_cellular_network, wifi_anqp_element_name_geo_location, wifi_anqp_element_name_civic_location, wifi_anqp_element_name_loc_public_id, wifi_anqp_element_name_domain_name, wifi_anqp_element_name_emergency_alert_id, wifi_anqp_element_name_tdls_capability, wifi_anqp_element_name_emergency_nai, wifi_anqp_element_name_neighbor_report, wifi_anqp_element_name_venue_url, wifi_anqp_element_name_advice_of_charge, wifi_anqp_element_name_local_content, wifi_anqp_element_name_network_auth_type_with_timestamp, wifi_anqp_element_name_reserved_1 = 273, wifi_anqp_element_name_vendor_specific = 56797, wifi_anqp_element_name_reserved_2 } wifi_anqp_element_name_t; typedef enum { wifi_anqp_element_hs_subtype_reserved_0, wifi_anqp_element_hs_subtype_hs_query_list, wifi_anqp_element_hs_subtype_hs_capability_list, wifi_anqp_element_hs_subtype_operator_friendly_name, wifi_anqp_element_hs_subtype_wan_metrics, wifi_anqp_element_hs_subtype_conn_capability, wifi_anqp_element_hs_subtype_nai_home_realm_query, wifi_anqp_element_hs_subtype_op_class_ind, wifi_anqp_element_hs_subtype_osu_providers_list, wifi_anqp_element_hs_subtype_reserved_1, wifi_anqp_element_hs_subtype_icon_request, wifi_anqp_element_hs_subtype_icon_bin_file, wifi_anqp_element_hs_subtype_op_icon_metadata, wifi_anqp_element_hs_subtype_op_providers_nai_list, wifi_anqp_element_hs_subtype_reserved_2 } wifi_anqp_element_hs_subtype_t; typedef enum { wifi_anqp_id_type_anqp, wifi_anqp_id_type_hs } wifi_anqp_id_type_t; typedef struct { wifi_anqp_id_type_t type; union { wifi_anqp_element_name_t anqp_elem_id; wifi_anqp_element_hs_subtype_t anqp_hs_id; } u; UINT len; UCHAR *data; } wifi_anqp_elem_t; typedef struct wifi_anqp_node { struct wifi_anqp_node *next; wifi_anqp_elem_t *value; } wifi_anqp_node_t; typedef struct { UCHAR wifiRoamingConsortiumCount; UCHAR wifiRoamingConsortiumOui[3][15+1];//only 3 OIS is allowed in beacon and probe responses OIS length is variable between 3-15 UCHAR wifiRoamingConsortiumLen[3]; }__attribute__((packed)) wifi_roamingConsortiumElement_t; typedef struct { // wifi_InterworkingElement_t interworking; wifi_roamingConsortiumElement_t roamingConsortium; //wifi_anqp_settings_t anqp; //should not be implemented in the hal //wifi_passpoint_settings_t passpoint; }__attribute__((packed)) wifi_interworking_t; //---------------------------------------------------------- int enablePassPointSettings(int ap_index, bool passpoint_enable, bool downstream_disable, bool p2p_disable, bool layer2TIF) { printf("enablePassPointSettings.\n"); #ifdef CKP if (ap_index < 0 || ap_index > MAX_AP_INDEX) { wifi_anqp_dbg_print(1, "%s:%d:Invalid ap index: %d\n", __func__, __LINE__, ap_index); return RETURN_ERR; } if(!hs2SettingsStored) { hs2SettingsStored = TRUE; wifi_storeInitialPassPointSettings(); } if (passpoint_enable) { wifi_anqp_dbg_print(1, "%s:%d:Enabling HS2 Settings for ap index: %d\n", __func__, __LINE__, ap_index); wifi_setCountryIe(ap_index, passpoint_enable); wifi_setProxyArp(ap_index, passpoint_enable); wifi_setLayer2TrafficInspectionFiltering(ap_index, layer2TIF); wifi_setDownStreamGroupAddress(ap_index, downstream_disable); wifi_setBssLoad(ap_index, passpoint_enable); wifi_setP2PCrossConnect(ap_index, p2p_disable); } else { //set the values initially stored in hs2settings for ap index. wifi_anqp_dbg_print(1, "%s:%d:Disabling HS2 Settings for ap index: %d\n", __func__, __LINE__, ap_index); wifi_setCountryIe(ap_index, hs2Settings[ap_index].countryIe); wifi_setProxyArp(ap_index, hs2Settings[ap_index].proxyArp); wifi_setLayer2TrafficInspectionFiltering(ap_index, hs2Settings[ap_index].layer2TIF); wifi_setDownStreamGroupAddress(ap_index, hs2Settings[ap_index].downStreamGroupAddress); wifi_setBssLoad(ap_index, hs2Settings[ap_index].bssLoad); } if(wifi_pushApHotspotElement(ap_index,passpoint_enable)!= RETURN_OK) { return RETURN_ERR; } #endif return 1; } int wifi_setGASConfiguration(unsigned int advertisementID, wifi_GASConfiguration_t *input_struct) { printf("wifi_setGASConfiguration.\n"); return 1; } // Dummy function to simulate callback registration int wifi_anqp_request_callback_register(wifi_anqp_request_callback_t callback) { // Dummy implementation: just print a message and return success printf("ANQP request callback registered.\n"); return 1; } // Example of a dummy callback function void anqpRequest_callback(int apIndex, mac_address_t sta, unsigned char token, wifi_anqp_node_t *list) { // Dummy callback implementation printf("ANQP request received for AP index: %d, token: %u\n", apIndex, token); } int wifi_anqpSendResponse(unsigned int apIndex, mac_address_t sta, unsigned char token, wifi_anqp_node_t *list) { printf("Called with apIndex: %d\n", apIndex); // Dummy implementation, just returning 1 return 1; } int wifi_pushApInterworkingElement(int apIndex, wifi_InterworkingElement_t *infoElement) { printf("Called wifi_pushApInterworkingElement with apIndex: %d\n", apIndex); // Dummy implementation, just returning 1 return 1; } // Dummy function implementation int wifi_pushApRoamingConsortiumElement(int apIndex, wifi_roamingConsortiumElement_t *infoElement) { // Log the input values (optional, for debugging) printf("Called wifi_pushApRoamingConsortiumElement with apIndex: %d\n", apIndex); // Optionally print contents of infoElement for debugging (if fields exist) if (infoElement != NULL) { //printf("Info Element some_field: %d\n", infoElement->some_field); } // Dummy function, always returns true return 1; } Note: Add all necessary structures

Release details:

2020q4 dunfel

• https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/CcspWifiAgent/+log/refs/heads/rdkb-2020q4-dunfell/

commit

• https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/CcspWifiAgent/+/19b5f71116dffc11d928bb26158e82d164eb4dee

Appendix

• SIM Based Auth(users moving between cellular and Wi-Fi networks)

SIM-based authentication in Wi-Fi Passpoint, also known as EAP-SIM (Extensible Authentication Protocol - Subscriber Identity Module), allows users with mobile SIM cards to automatically authenticate and connect to Wi-Fi networks without manually entering credentials like usernames or passwords. This method is widely used in cellular offloading scenarios, where mobile devices automatically switch from cellular data to Wi-Fi networks provided by their carrier or trusted roaming partners

1. 1. Steps to Map SIM-Based Authentication with Wi-Fi Passpoint

• • • SIM-based Authentication Overview (EAP-SIM)

• 1. • • EAP-SIM is a type of EAP (Extensible Authentication Protocol) used for authenticating devices based on their SIM cards. It enables automatic connection to Wi-Fi networks using information from the SIM card (such as IMSI and authentication keys) instead of traditional username/password methods.
       • Mobile Network Operators (MNOs) or Wi-Fi providers that have partnerships with MNOs can use EAP-SIM to let subscribers connect to Wi-Fi networks seamlessly.

  2. Steps to Implement SIM-Based Authentication with Wi-Fi Passpoint

     1. Configure Wi-Fi Network to Support EAP-SIM:

        • The Wi-Fi network, specifically the RADIUS server (Authentication server), must be configured to support EAP-SIM for authentication.
        • The network provider’s infrastructure should support 3GPP AAA servers or similar infrastructure that allows the Wi-Fi network to communicate with the Home Location Register (HLR) or Home Subscriber Server (HSS) to authenticate the SIM credentials.

        Steps:

        • The Wi-Fi access point (AP) is configured to use WPA2-Enterprise (or WPA3-Enterprise for enhanced security).
        • In the AP's configuration, select EAP-SIM as one of the supported authentication methods.
        • The AP communicates with a RADIUS server, which verifies the subscriber's identity through the Mobile Core Network using the SIM card information.

     2. Wi-Fi Passpoint Network Configuration:

        • Passpoint profiles are used to configure client devices to automatically connect to Passpoint-enabled networks.
        • The Passpoint profile for a network that supports SIM-based authentication will specify EAP-SIM as the authentication method.
        • The network's Online Sign-Up (OSU) Server can also deliver the profile to compatible devices, so they can connect automatically.

        Steps:

        • In the Access Network Query Protocol (ANQP) settings, configure EAP-SIM as a supported authentication method.
        • The ANQP responses from the AP will indicate to the device that the network supports EAP-SIM, allowing devices with SIM cards to select this network for automatic connection.

     3. Device-Side Configuration:

        • On the client side (e.g., smartphones or tablets), Passpoint profiles are created by the mobile operator or network provider.
        • Devices with Passpoint support will automatically select networks that match their Passpoint profile and initiate EAP-SIM authentication.

        Steps:

        • The device detects the Passpoint-enabled network and checks the profile for available authentication methods (such as EAP-SIM).
        • The device automatically chooses EAP-SIM and sends the SIM card information (IMSI) to the network.
        • The RADIUS server communicates with the mobile operator’s backend to verify the SIM card’s information.

     4. Authentication Process (EAP-SIM):

        • When a device with a SIM card attempts to connect to a Passpoint-enabled network that supports EAP-SIM, the following occurs:

        Steps:

        • The device sends a request to authenticate using EAP-SIM.
        • The access point forwards this request to the RADIUS server.
        • The RADIUS server then communicates with the Mobile Core Network, querying the HLR or HSS to authenticate the device using the IMSI and other SIM data.
        • The mobile network sends a challenge-response mechanism back to the device, which uses the SIM card to respond and complete authentication.
        • Once authentication is successful, the device is granted access to the network.

     5. SIM-Based Roaming:

        • When the network is set up for roaming, SIM-based authentication works across different networks with roaming agreements.
        • A device using SIM-based authentication can automatically connect to Wi-Fi networks provided by a partner operator in a different country or region.

     6. Advantages of SIM-Based Authentication in Passpoint:

        • Seamless Authentication: Users do not need to manually select a Wi-Fi network or enter credentials. The SIM card handles all authentication automatically.
        • Roaming Support: EAP-SIM enables users to roam between Wi-Fi networks that have roaming agreements with the user’s mobile operator, providing a seamless transition between Wi-Fi and cellular networks.
        • Security: The authentication process is secure, leveraging SIM credentials that are difficult to compromise. EAP-SIM operates over WPA2/WPA3-Enterprise networks, ensuring encryption during data transmission.

Example Workflow of SIM-Based Authentication with Passpoint

• 1. 1. 1. User Device with SIM detects a Passpoint-enabled Wi-Fi network.
        2. The device checks its Passpoint profile and determines that EAP-SIM is supported by the network.
        3. The device sends an authentication request using EAP-SIM, including the IMSI (International Mobile Subscriber Identity) from the SIM card.
        4. The Wi-Fi network’s AP forwards the request to the RADIUS server, which queries the user’s mobile network for authentication.
        5. The mobile network verifies the SIM credentials using the HLR/HSS and sends back an authentication challenge.
        6. The device responds to the challenge using the SIM card.
        7. Upon successful verification, the RADIUS server grants access to the Wi-Fi network, and the user is automatically connected.

• Certificate-based authentication

This method allows with Wi-Fi Passpoint involves using EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), where client devices authenticate to the Wi-Fi network using digital certificates rather than usernames, passwords, or SIM credentials. This ensures a high level of security, especially in environments such as enterprises, or public Wi-Fi hotspots

Steps to Map Certificate Authentication with Wi-Fi Passpoint:

1. 1. 1. 1. Understanding EAP-TLS (Certificate-Based Authentication):

            • EAP-TLS is an authentication method within the EAP framework that uses digital certificates for mutual authentication between the client and the server.
            • In this method, both the client and the network's RADIUS server exchange certificates to authenticate each other securely.
            • Certificates are issued and managed by a Certificate Authority (CA).

         2. Components Involved in EAP-TLS Authentication with Passpoint:

            • Passpoint Profile: Configured on the client device to connect to Passpoint-enabled Wi-Fi networks that support certificate-based authentication (EAP-TLS).
            • Access Point (AP): Configured to use WPA2-Enterprise or WPA3-Enterprise security, with EAP-TLS as the authentication method.
            • RADIUS Server: Handles the authentication process and validates the client certificates using the CA's public key.
            • Client Device: Must have a digital certificate installed, along with a private key that corresponds to the certificate. This certificate is typically issued by the network provider or organization.
            • Certificate Authority (CA): Issues the certificates for the client and RADIUS server, allowing mutual authentication.

Steps to Implement Certificate-Based Authentication in Wi-Fi Passpoint:

1. 1. 1. 1. 1. 1. Set Up a Certificate Authority (CA):

                  • To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
                  • This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.

                  Steps:

                  • Set up a CA that can issue both client certificates and server certificates.
                  • Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
                  • Issue certificates to users (client devices) that will connect to the Wi-Fi network.

               2. Configure the RADIUS Server to Support EAP-TLS:

                  • The RADIUS server must be configured to use EAP-TLS for authentication.
                  • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

                  Steps:

                  • Install the RADIUS server certificate signed by the CA.
                  • Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
                  • Configure the RADIUS server to handle certificate revocation lists (CRL) or use Online Certificate Status Protocol (OCSP) to check the status of client certificates.
                  • Example configuration for FreeRADIUS (a popular open-source RADIUS server)
                    1. 

               3. Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:

                  • The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode.
                  • The AP should also be configured to use the RADIUS server for authentication and EAP-TLS as the supported authentication method.

                  Steps:

                  • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
                  • Specify the RADIUS server IP address and shared secret on the AP, so that the AP can forward authentication requests to the RADIUS server.
                  • Enable EAP-TLS as the authentication method.
                  • 

               4. Configure the Passpoint Profile for Certificate-Based Authentication:

                  • Passpoint profiles on client devices include settings that define how the device should connect to the Wi-Fi network. For EAP-TLS, the profile should specify that certificate-based authentication is required.
                  • The profile will also contain the identity provider (IDP) information, allowing the device to automatically connect to networks using the correct certificates.

                  Steps:

                  • The ANQP (Access Network Query Protocol) settings should be configured on the AP to inform clients that EAP-TLS is available.
                  • The Passpoint profile on the client device must include:
                    • The CA certificate (for server verification).
                    • The client certificate (issued by the network or organization).
                    • The private key associated with the client certificate.
                    • 

               5. Install Certificates on Client Devices:

                  • The client device (laptop, smartphone, tablet, etc.) must have a client certificate and private key installed. This certificate is typically issued by the organization or service provider offering the Wi-Fi network.

                  Steps:

                  • Install the client certificate and corresponding private key on the client device.
                  • Ensure that the device trusts the CA certificate of the RADIUS server to validate the server's identity during the authentication process.

                  • Example on Windows/macOS/Linux:

                    • Use the system’s certificate manager to install the certificates and configure the Wi-Fi connection settings to use EAP-TLS.
                    • For Android and iOS devices, profiles can be pushed by the network provider or manually installed via the settings menu.

               6. EAP-TLS Authentication Workflow: When a client with a Passpoint profile and a client certificate attempts to connect to a Passpoint-enabled network that supports EAP-TLS, the following occurs:

                  Steps:

                  1. The client sends a TLS handshake request to the Wi-Fi access point.
                  2. The AP forwards this request to the RADIUS server.
                  3. The RADIUS server responds with its own certificate for the client to verify.
                  4. The client validates the server's certificate using the CA certificate it trusts.
                  5. The client sends its client certificate to the RADIUS server for authentication.
                  6. The RADIUS server validates the client's certificate using the CA that issued it.
                  7. Upon successful mutual authentication, the client is granted access to the Wi-Fi network.
                  8. A secure TLS session is established between the client and the network.

               7. Advantages of Certificate-Based Authentication in Passpoint:

                  • Higher Security: EAP-TLS provides strong mutual authentication, making it difficult for attackers to intercept or impersonate clients or servers.
                  • Eliminates Passwords: Users do not need to remember or enter passwords, which reduces the risk of weak or compromised credentials.
                  • Automated Authentication: With Passpoint, client devices can automatically connect to trusted Wi-Fi networks using certificates, ensuring a seamless experience.
                  • Mutual Authentication: Both the client and the RADIUS server authenticate each other, reducing the risk of man-in-the-middle attacks

• Username and Password Authentication

To map Wi-Fi Passpoint with Username and Password Authentication, you would typically use EAP-TTLS (Tunneled Transport Layer Security) or EAP-PEAP (Protected Extensible Authentication Protocol). These authentication methods allow the use of usernames and passwords securely over Wi-Fi networks. In these protocols, an outer TLS tunnel is established to protect the inner authentication, where the user credentials (username and password) are verified

Steps to Map Username and Password Authentication with Wi-Fi Passpoint

1. Understanding EAP-TTLS and EAP-PEAP:

• • • EAP-TTLS and EAP-PEAP are both Extensible Authentication Protocol (EAP) types used for WPA2-Enterprise or WPA3-Enterprise networks. They both work by establishing a secure TLS tunnel between the client and the authentication server (usually a RADIUS server).
    • Inside this tunnel, user credentials (username and password) are sent securely for authentication.
    • EAP-TTLS supports multiple inner authentication mechanisms (such as PAP, CHAP, MS-CHAPv2, etc.).
    • EAP-PEAP typically uses MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) to authenticate with a username and password.

2. Components Involved:

• • • Passpoint Profile: Configured on the client device to define how the device should connect to a Passpoint-enabled network that supports username and password-based authentication.
    • Access Point (AP): Configured to support WPA2/WPA3-Enterprise with EAP-TTLS or EAP-PEAP as the authentication method.
    • RADIUS Server: Performs authentication by validating the username and password. It also validates the server’s certificate.
    • Client Device: Configured with a Passpoint profile that includes the username and password for authentication.

3. Configure the RADIUS Server for EAP-TTLS or EAP-PEAP:

The RADIUS server must be configured to support EAP-TTLS or EAP-PEAP. The RADIUS server will authenticate the username and password against a backend database, such as LDAP, Active Directory, or a local user database.

Steps:

• • • Install the server certificate on the RADIUS server, which is used to establish the TLS tunnel for secure communication.
    • Configure the RADIUS server to support EAP-TTLS or EAP-PEAP and to verify the username and password credentials.
    • 
    • Ensure that the CA certificate (used to sign the server certificate) is trusted by client devices.

4.Configure the Wi-Fi Access Point:

The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) and must use EAP-TTLS or EAP-PEAP as the authentication methods.

Steps:

• • • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
    • Specify the RADIUS server IP address and shared secret on the AP to allow it to forward authentication requests to the RADIUS server.
    • Enable EAP-TTLS or EAP-PEAP as the authentication method on the AP.

5. Configure the Passpoint Profile for Username and Password Authentication:

• • • The Passpoint profile on the client device needs to specify the EAP method (either EAP-TTLS or EAP-PEAP) and the credentials (username and password) that the client will use to authenticate.
    • The profile also contains the identity provider (IDP) information that allows the device to automatically connect to Passpoint-enabled networks.

Steps:

• • • • Configure the ANQP (Access Network Query Protocol) settings on the Wi-Fi AP to advertise support for EAP-TTLS or EAP-PEAP.
      • On the client device, create a Passpoint configuration profile that specifies the username and password for authentication, as well as the EAP type (EAP-TTLS or EAP-PEAP)
      • 

6.Install the Passpoint Profile on Client Devices:

• • • The Passpoint profile containing the username, password, and EAP method needs to be installed on the client device.
    • The client device must also have the CA certificate installed to trust the RADIUS server’s certificate.

Steps:

• • • • For Windows/macOS/Linux: Use the system’s network manager or profile manager to install the profile.
      • For Android and iOS devices: The Passpoint profile can be pushed via Mobile Device Management (MDM), or users can install it manually.

7. EAP-TTLS or EAP-PEAP Authentication Workflow:

When the client with a Passpoint profile containing the username and password tries to connect to a Passpoint-enabled Wi-Fi network, the following occurs:

Steps:

1. 1. 1. 1. The client sends an authentication request to the AP.
         2. The AP forwards this request to the RADIUS server.
         3. The RADIUS server responds with its certificate to establish a secure TLS tunnel.
         4. The client validates the server certificate (using the CA certificate installed on the client device).
         5. The client sends the username and password (inside the secure TLS tunnel) to the RADIUS server.
         6. The RADIUS server verifies the username and password by checking the credentials against its backend database (such as LDAP, AD, etc.).
         7. Upon successful authentication, the client is granted access to the Wi-Fi network.
         8. A secure TLS session is established for the client’s data to be transmitted securely.

8. User Experience:

Once the Passpoint profile with the username and password is configured, the client device can automatically connect to Passpoint-enabled networks that support EAP-TTLS or EAP-PEAP without needing to re-enter the credentials.

The client device will also automatically authenticate securely, ensuring a seamless and secure experience.

References