
WIP


What does Passpoint do

Passpoint streamlines connecting to Wi-Fi networks, particularly public hotspots. It allows users to automatically and securely connect to Wi-Fi networks without needing to manually select SSIDs or enter credentials each time they join a new network.

Process

  • Automatic Network Selection
    • Devices equipped with Passpoint can automatically discover and connect to available Wi-Fi networks that meet specific security and performance criteria. This eliminates the need for users to manually search for and join a network.
  • Seamless Roaming
    • Passpoint supports seamless roaming between networks, allowing users to move from one hotspot to another (e.g., from a coffee shop to an airport) without having to log in again.
  • Enhanced Security
    • Passpoint requires the use of WPA2-Enterprise (and more recently WPA3) security, which provides better encryption and authentication compared to open networks. It uses the Extensible Authentication Protocol (EAP) for authentication, enhancing security for users.
  • Authentication via SIM, Certificates, or Username/Password
    • Passpoint supports multiple methods of authentication, including:
      • SIM-based authentication (for cellular subscribers)
      • Certificate-based authentication
      • Username and password authentication (e.g., credentials provided by an internet service provider)
  • Efficient Data Management
    • By prioritizing Wi-Fi over cellular networks for data traffic, Passpoint can reduce mobile data usage, particularly in areas with strong Wi-Fi coverage.

Use cases

  • Public Hotspots
    • Passpoint is widely used by public Wi-Fi providers, such as airports, hotels, and cafes, to streamline the user experience.
  • Service Provider Networks
    • Internet service providers (ISPs) often deploy Passpoint to allow their subscribers to access their Wi-Fi networks automatically, even when they are away from home.
  • Enterprise Networks
    • Some organizations use Passpoint to provide employees with secure and seamless Wi-Fi access in different office locations.

Appendix

  • SIM-Based Auth (users moving between cellular and Wi-Fi networks)

    1. Steps to Map SIM-Based Authentication with Wi-Fi Passpoint
      • SIM-based Authentication Overview (EAP-SIM)
        • EAP-SIM is a type of EAP (Extensible Authentication Protocol) used for authenticating devices based on their SIM cards. It enables automatic connection to Wi-Fi networks using information from the SIM card (such as the IMSI and authentication keys) instead of traditional username/password methods.
        • Mobile Network Operators (MNOs), or Wi-Fi providers that have partnerships with MNOs, can use EAP-SIM to let subscribers connect to Wi-Fi networks seamlessly.
    2. Steps to Implement SIM-Based Authentication with Wi-Fi Passpoint
      1. Configure Wi-Fi Network to Support EAP-SIM:

        • The Wi-Fi network, specifically the RADIUS server (Authentication server), must be configured to support EAP-SIM for authentication.
        • The network provider’s infrastructure should support 3GPP AAA servers or similar infrastructure that allows the Wi-Fi network to communicate with the Home Location Register (HLR) or Home Subscriber Server (HSS) to authenticate the SIM credentials.

        Steps:

        • The Wi-Fi access point (AP) is configured to use WPA2-Enterprise (or WPA3-Enterprise for enhanced security).
        • In the AP's configuration, select EAP-SIM as one of the supported authentication methods.
        • The AP communicates with a RADIUS server, which verifies the subscriber's identity through the Mobile Core Network using the SIM card information.
      2. Wi-Fi Passpoint Network Configuration:

        • Passpoint profiles are used to configure client devices to automatically connect to Passpoint-enabled networks.
        • The Passpoint profile for a network that supports SIM-based authentication will specify EAP-SIM as the authentication method.
        • The network's Online Sign-Up (OSU) Server can also deliver the profile to compatible devices, so they can connect automatically.

        Steps:

        • In the Access Network Query Protocol (ANQP) settings, configure EAP-SIM as a supported authentication method.
        • The ANQP responses from the AP will indicate to the device that the network supports EAP-SIM, allowing devices with SIM cards to select this network for automatic connection.
      3. Device-Side Configuration:

        • On the client side (e.g., smartphones or tablets), Passpoint profiles are created by the mobile operator or network provider.
        • Devices with Passpoint support will automatically select networks that match their Passpoint profile and initiate EAP-SIM authentication.

        Steps:

        • The device detects the Passpoint-enabled network and checks the profile for available authentication methods (such as EAP-SIM).
        • The device automatically chooses EAP-SIM and sends the SIM card information (IMSI) to the network.
        • The RADIUS server communicates with the mobile operator’s backend to verify the SIM card’s information.
      4. Authentication Process (EAP-SIM):

        • When a device with a SIM card attempts to connect to a Passpoint-enabled network that supports EAP-SIM, the following occurs:

        Steps:

        • The device sends a request to authenticate using EAP-SIM.
        • The access point forwards this request to the RADIUS server.
        • The RADIUS server then communicates with the Mobile Core Network, querying the HLR or HSS to authenticate the device using the IMSI and other SIM data.
        • The mobile network returns a challenge to the device, which uses the SIM card to compute the response and complete the authentication.
        • Once authentication is successful, the device is granted access to the network.
      5. SIM-Based Roaming:

        • When the network is set up for roaming, SIM-based authentication works across different networks with roaming agreements.
        • A device using SIM-based authentication can automatically connect to Wi-Fi networks provided by a partner operator in a different country or region.
      6. Advantages of SIM-Based Authentication in Passpoint:

        • Seamless Authentication: Users do not need to manually select a Wi-Fi network or enter credentials. The SIM card handles all authentication automatically.
        • Roaming Support: EAP-SIM enables users to roam between Wi-Fi networks that have roaming agreements with the user’s mobile operator, providing a seamless transition between Wi-Fi and cellular networks.
        • Security: The authentication process is secure, leveraging SIM credentials that are difficult to compromise. EAP-SIM operates over WPA2/WPA3-Enterprise networks, ensuring encryption during data transmission.

Example Workflow of SIM-Based Authentication with Passpoint

        1. User Device with SIM detects a Passpoint-enabled Wi-Fi network.
        2. The device checks its Passpoint profile and determines that EAP-SIM is supported by the network.
        3. The device sends an authentication request using EAP-SIM, including the IMSI (International Mobile Subscriber Identity) from the SIM card.
        4. The Wi-Fi network’s AP forwards the request to the RADIUS server, which queries the user’s mobile network for authentication.
        5. The mobile network verifies the SIM credentials using the HLR/HSS and sends back an authentication challenge.
        6. The device responds to the challenge using the SIM card.
        7. Upon successful verification, the RADIUS server grants access to the Wi-Fi network, and the user is automatically connected.
  • Certificate-based authentication

Certificate-based authentication with Wi-Fi Passpoint uses EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), where client devices authenticate to the Wi-Fi network using digital certificates rather than usernames, passwords, or SIM credentials. This provides a high level of security, especially in environments such as enterprises or public Wi-Fi hotspots.

Steps to Map Certificate Authentication with Wi-Fi Passpoint:

        1. Understanding EAP-TLS (Certificate-Based Authentication):

          • EAP-TLS is an authentication method within the EAP framework that uses digital certificates for mutual authentication between the client and the server.
          • In this method, both the client and the network's RADIUS server exchange certificates to authenticate each other securely.
          • Certificates are issued and managed by a Certificate Authority (CA).
        2. Components Involved in EAP-TLS Authentication with Passpoint:

          • Passpoint Profile: Configured on the client device to connect to Passpoint-enabled Wi-Fi networks that support certificate-based authentication (EAP-TLS).
          • Access Point (AP): Configured to use WPA2-Enterprise or WPA3-Enterprise security, with EAP-TLS as the authentication method.
          • RADIUS Server: Handles the authentication process and validates the client certificates using the CA's public key.
          • Client Device: Must have a digital certificate installed, along with a private key that corresponds to the certificate. This certificate is typically issued by the network provider or organization.
          • Certificate Authority (CA): Issues the certificates for the client and RADIUS server, allowing mutual authentication.

Steps to Implement Certificate-Based Authentication in Wi-Fi Passpoint:

            1. Set Up a Certificate Authority (CA):

              • To use certificate-based authentication, you need a trusted Certificate Authority (CA) that issues certificates to both the client devices and the RADIUS server.
              • This can be an external CA (e.g., VeriSign, Let’s Encrypt) or an internal enterprise CA for organizations that want to manage their own certificates.

              Steps:

              • Set up a CA that can issue both client certificates and server certificates.
              • Ensure that both the client and RADIUS server are configured with certificates signed by the CA.
              • Issue certificates to users (client devices) that will connect to the Wi-Fi network.
            2. Configure the RADIUS Server to Support EAP-TLS:

              • The RADIUS server must be configured to use EAP-TLS for authentication.
              • The server needs a server certificate signed by the CA and must be able to validate client certificates during the authentication process.

              Steps:

              • Install the RADIUS server certificate signed by the CA.
              • Configure the RADIUS server to authenticate users using EAP-TLS by validating the client's digital certificate.
              • Configure the RADIUS server to handle certificate revocation lists (CRL) or use Online Certificate Status Protocol (OCSP) to check the status of client certificates.
              • Example configuration for FreeRADIUS (a popular open-source RADIUS server)
                1. certiauth
            3. Configure the Wi-Fi Access Point for WPA2/WPA3-Enterprise:

              • The Wi-Fi AP must be configured to use WPA2-Enterprise (or WPA3-Enterprise) security mode.
              • The AP should also be configured to use the RADIUS server for authentication and EAP-TLS as the supported authentication method.

              Steps:

              • Set the Security Mode on the AP to WPA2-Enterprise or WPA3-Enterprise.
              • Specify the RADIUS server IP address and shared secret on the AP, so that the AP can forward authentication requests to the RADIUS server.
              • Enable EAP-TLS as the authentication method.
              • apconfig
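As an added example for step 2 (not the page's own configuration), the EAP-TLS portion of a FreeRADIUS 3.x `mods-available/eap` file with CRL checking and OCSP enabled, as that step describes. The certificate paths, key password and OCSP responder URL are placeholders; only EAP-TLS is configured, so no weaker method (PEAP/TTLS) is offered to clients.

```conf
# Added example: FreeRADIUS 3.x raddb/mods-available/eap, EAP-TLS only.
# Paths, key password and OCSP URL are placeholders; adjust to your CA.
eap {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = ${max_requests}

	tls-config tls-common {
		# Server certificate and key signed by the CA from step 1; clients
		# validate this chain before presenting their own certificate.
		private_key_password = PLACEHOLDER-key-password
		private_key_file = ${certdir}/radius-server.pem
		certificate_file = ${certdir}/radius-server.pem
		# The CA that issued the client certificates; only certificates
		# chaining to it are accepted.
		ca_file = ${cadir}/passpoint-ca.pem
		# Directory of hashed CA certificates and CRLs ("openssl rehash"),
		# required for check_crl below.
		ca_path = ${cadir}
		dh_file = ${certdir}/dh

		# Refuse TLS versions below 1.2 and weak cipher suites.
		tls_min_version = "1.2"
		tls_max_version = "1.2"
		cipher_list = "HIGH:!aNULL:!MD5:!RC4"
		ecdh_curve = "prime256v1"

		# Revocation check 1: reject a client certificate listed on the CRL.
		check_crl = yes
		check_all_crl = no

		# Revocation check 2: ask the OCSP responder as well. softfail = no
		# makes an unreachable responder fail the authentication instead of
		# silently accepting a possibly revoked certificate.
		ocsp {
			enable = yes
			override_cert_url = yes
			url = "http://ocsp.example.invalid/"
			use_nonce = yes
			softfail = no
		}
	}

	tls {
		tls = tls-common
	}
}
```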

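As an added example of the AP side (not the page's own configuration), a hostapd.conf covering step 3 here and the AP and ANQP configuration in the SIM-based section above: WPA2-Enterprise with the RADIUS server as the authentication backend, plus a Passpoint NAI Realm list advertising EAP-TLS (method 13, certificate credential) and EAP-SIM (method 18, SIM credential). The interface, RADIUS address and secret, HESSID, roaming consortium OI, realm names and the PLMN (001/01, the test network) are placeholders.

```conf
# Added example: hostapd.conf for a Passpoint (Hotspot 2.0) AP.
# Interface, RADIUS address/secret, OI, HESSID and PLMN are placeholders.
interface=wlan0
driver=nl80211
ssid=Passpoint-Example
hw_mode=g
channel=6

# WPA2-Enterprise: 802.1X with EAP; the AP only relays EAP to RADIUS.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Management frame protection (WPA3-Enterprise requires 2).
ieee80211w=1

# Authentication (RADIUS) server. The shared secret protects only the
# AP-to-RADIUS leg; the EAP exchange inside it has its own protection.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-long-random-secret
nas_identifier=ap1.example.com

# 802.11u Interworking + Hotspot 2.0, so devices can query ANQP before
# associating and pick the network matching their credential.
interworking=1
hs20=1
# 2 = chargeable public network
access_network_type=2
internet=1
hessid=02:00:00:00:00:01
venue_name=eng:Example Airport Wi-Fi
hs20_oper_friendly_name=eng:Example Operator
roaming_consortium=021122
domain_name=example.com

# NAI Realm list: <encoding>,<realm>,<EAP method>[<auth-param id>:<value>]
# Auth-param 5 = credential type: 6 = certificate, 1 = SIM.
# EAP-TLS (13) for certificate holders in the example.com realm:
nai_realm=0,example.com,13[5:6]
# EAP-SIM (18) for subscribers of the placeholder PLMN MCC 001 / MNC 01:
nai_realm=0,wlan.mnc001.mcc001.3gppnetwork.org,18[5:1]
# 3GPP Cellular Network element (MCC,MNC) matched against the SIM's PLMN.
anqp_3gpp_cell_net=001,01

# Passpoint hardening: do not forward downstream group-addressed frames,
# so one hotspot client cannot send broadcast/multicast to the others.
disable_dgaf=1
```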

