Using Passpoint for private Wi-Fi networks

As with any good protocol, the possible applications greatly outstrip the scenarios originally considered

We normally think of Passpoint, the Wi-Fi Alliance certification, as a feature for Wi-Fi hotspots owned and operated by service providers. Passpoint enables comprehensive inter-carrier roaming, with discovery, authentication and accounting.

But, as with any good protocol, the possible applications greatly outstrip the scenarios originally considered. Enterprise access points already support Passpoint. And as implementation in phones moves forward, slowly but surely non-carriers are finding interesting new applications.

Passpoint’s big innovation is decoupling service advertising from the Service Set Identifier (SSID). An access point can advertise, in addition to its SSID, a number of service providers that provide roaming possibilities. When a device starts authentication, the access point relays the authentication exchange to the matching service provider’s authentication server and, once it succeeds, provides an internet connection.

To take a hypothetical example, if a T-Mobile hotspot supports roaming from AT&T, Sprint and NTT, then — pre-Passpoint — a separate SSID would be needed for each of these, increasing beacons on the air and decreasing performance. With Passpoint, an access point with a single SSID can advertise roaming capabilities for all these carriers.

For the client device, this means that instead of maintaining a list of configured SSIDs, it needs only a list of service providers, with credentials. It can scan unknown APs, query the service providers supported and start authenticating when it finds a match.

The original scenario for Passpoint was to make Wi-Fi inter-carrier roaming similar to roaming across cellular networks. But substitute a private organization for the carrier in the Passpoint model, and we have a way to support uniform authentication across many venues with different SSIDs. Over the next year or two, as client implementations improve, we will see applications of Passpoint outside the carrier world.

Hotel chain uses Passpoint for Wi-Fi across all properties

One application we have already seen is with a hotel chain. The chain owns many brands but has one consolidated loyalty program. Without Passpoint, either the loyalty program SSID needs to be added at every hotel or users’ phones must be configured with several SSIDs. But Passpoint can function with just a single profile that identifies the loyalty program, not a hotel SSID. Now, whichever property is subsequently visited, the phone will automatically identify the access point and connect. And only minimal Wi-Fi changes are necessary if a new hotel group is acquired.
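The selection logic described above (a phone keeping a list of service providers with credentials rather than a list of SSIDs, scanning unknown access points and matching on what they advertise) and the hotel-chain case can be shown with a small model. The following is an added example written for this article, not code from the article or from any Passpoint implementation. It assumes the two things a Passpoint client actually matches on, the NAI Realm list (realm plus accepted EAP methods) and the Roaming Consortium OIs that access points advertise, and all realms, OIs, SSIDs and signal levels in it are constructed sample values.

```python
"""Toy model of Passpoint access-point selection by advertised provider data.

Added example, not from the article. A real client obtains the NAI Realm list
and Roaming Consortium OIs through ANQP queries; here they are embedded as
constructed scan results so the matching logic can be run offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """One provisioned Passpoint profile on the phone (the 'service provider' entry)."""
    name: str
    realm: str                 # NAI realm of the identity, e.g. the part after '@'
    eap_method: int            # IANA EAP type: 13 = EAP-TLS, 21 = EAP-TTLS, 23 = EAP-AKA
    consortium_ois: frozenset = frozenset()   # Roaming Consortium OIs the provider belongs to


@dataclass(frozen=True)
class ScanResult:
    """What one access point advertises; nothing here is authenticated."""
    ssid: str
    rssi_dbm: int
    nai_realms: tuple          # ((realm, frozenset(eap_methods)), ...) from the NAI Realm list
    consortium_ois: frozenset  # Roaming Consortium OIs in the beacon / ANQP response
    internet: bool = True


def match_credential(cred: Credential, ap: ScanResult):
    """Return ('realm', realm) or ('oi', oi) when the AP advertises something this
    credential can authenticate against, otherwise None.

    A realm match is only valid if the realm accepts the credential's EAP method;
    an OI match means the provider is in a consortium the AP serves."""
    if not ap.internet:
        return None
    for realm, methods in ap.nai_realms:
        if realm == cred.realm and cred.eap_method in methods:
            return ("realm", realm)
    common = cred.consortium_ois & ap.consortium_ois
    if common:
        return ("oi", min(common))
    return None


def select_access_point(credentials, scan_results):
    """Rank (ssid, credential name, match) candidates: realm matches first, then OI
    matches, stronger signal breaking ties. The advertisement is unauthenticated, so
    this only chooses which AP to *attempt*; trust is established afterwards by the
    EAP exchange validating the server certificate against the profile's trust root."""
    candidates = []
    for ap in scan_results:
        for cred in credentials:
            m = match_credential(cred, ap)
            if m:
                rank = (0 if m[0] == "realm" else 1, -ap.rssi_dbm)
                candidates.append((rank, ap.ssid, cred.name, m))
    candidates.sort()
    return [(ssid, cred, m) for _, ssid, cred, m in candidates]


def ssid_only_match(configured_ssids, scan_results):
    """Pre-Passpoint behaviour for comparison: connect only to SSIDs already configured."""
    return [ap.ssid for ap in scan_results if ap.ssid in configured_ssids]


# Constructed profiles: one for a hotel loyalty program, one for a cellular carrier.
CREDENTIALS = [
    Credential("loyalty-program", "loyalty.example", 21),                      # EAP-TTLS
    Credential("carrier", "carrier.example", 23, frozenset({"00aabbcc"})),     # EAP-AKA, placeholder OI
]

# Constructed scan: two hotel brands with different SSIDs advertising the same realm,
# a non-Passpoint cafe AP, and an airport AP that lists the realm with the wrong EAP method.
SCAN = [
    ScanResult("BrandA-Guest", -60, (("loyalty.example", frozenset({21, 13})),), frozenset()),
    ScanResult("BrandB-Hotel", -45, (("loyalty.example", frozenset({21})),), frozenset({"00aabbcc"})),
    ScanResult("Cafe-Free", -40, (), frozenset()),
    ScanResult("Airport", -50, (("loyalty.example", frozenset({13})),), frozenset({"00aabbcc"})),
]

if __name__ == "__main__":
    for ssid, cred, match in select_access_point(CREDENTIALS, SCAN):
        print(f"{ssid:14} via {cred:16} matched on {match[0]} {match[1]}")
    print("SSID-only phone would see:", ssid_only_match({"BrandA-Guest"}, SCAN))
```

Run as-is, the loyalty profile connects at both hotel brands despite their different SSIDs (the strongest one first), the carrier profile is offered the consortium match at the airport, and the cafe AP, which advertises no provider data, is never a candidate; the SSID-only list by contrast finds only the one hotel it was configured for.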

Taking this a step further, we see applications for corporate Wi-Fi access. Today, this requires separate credentials per SSID, but many organizations span multiple member companies, each with its own SSID, and an employee traveling between them must create many profiles. Passpoint allows easy roaming across such an organization.

Other possibilities exist. Many organizations still complain of inadequate cellular coverage from one or more carriers. With the service provider’s Passpoint name configured on access points and a profile on phones, these venues can offer automatic Wi-Fi connections to anyone on the campus, giving them internet data service and possibly Wi-Fi calling. Modern WLAN equipment offers traffic engineering and security features to regulate this service. The most difficult aspect is the lack of commercial roaming agreements offered by the cellular carriers to non-carrier organizations.

All OS families support Passpoint r1

All current OS families—iOS, macOS, Android, Windows—now support Passpoint r1, the discovery-and-connection protocol, although quite a few older, pre-Passpoint devices are still in use. All the scenarios above are technically possible today for most devices.

The biggest obstacle is configuration of the device. While all OS families support provisioning of profiles over the network, implementations are non-standard and currently somewhat buggy. They would do better to adopt Passpoint r2, with Online Sign-Up, but it seems that won’t happen until 2018 at the earliest. Passpoint r2 enables automated provisioning and opens up still more possibilities in guest access.

Passpoint implementation has taken a rather slow road, particularly on the client side. But progress has been steady, and we are beginning to see app developers building solutions that were not mainstream targets of the original Passpoint concept. A protocol that is used for new, unexpected purposes a decade on reflects well on its authors.

Copyright © 2017 IDG Communications, Inc.