Passpoint and OpenRoaming: Complete Guide
This technical reference guide provides a comprehensive analysis of Passpoint (Hotspot 2.0) and WBA OpenRoaming frameworks within enterprise WiFi networks. It details the underlying authentication protocols, architectural components, and deployment strategies required to establish secure, frictionless guest connectivity. Network architects and IT leaders will learn how to design, implement, and troubleshoot these standards to eliminate manual login barriers while maintaining enterprise-grade security.
📚 Part of our core series: Multi-Tenant WiFi →
- Executive Summary
- Technical Deep-Dive
- The 802.11u Discovery Process
- OpenRoaming Federation Architecture
- Implementation Guide
- Step 1: Network Infrastructure Audit
- Step 2: Firewall Configuration
- Step 3: Certificate Acquisition
- Step 4: Wireless Controller Configuration
- Step 5: RADIUS/RadSec Proxy Setup
- Best Practices
- Troubleshooting & Risk Mitigation
- Common Failure Modes and Resolutions
- ROI & Business Impact
- Operational Efficiency
- Security Posture
- Data Intelligence

Executive Summary
Enterprise connectivity demands have shifted from manual, captive-portal-based guest access to automated, secure, and frictionless onboarding. Passpoint (the Wi-Fi Alliance certification for Hotspot 2.0) and OpenRoaming (orchestrated by the Wireless Broadband Alliance) represent the standardization of this shift. By combining IEEE 802.11u pre-association discovery with WPA2/WPA3-Enterprise (802.1X/EAP) security, these technologies allow mobile devices to discover, authenticate, and connect to secure WiFi networks automatically without user intervention.
This guide serves as an authoritative reference for network architects and IT directors planning to deploy these technologies across large-scale venues, retail environments, and corporate campuses. We examine the underlying cryptographic handshakes, the federation architecture, and the practical configuration steps required to integrate these standards into existing wireless infrastructure. By adopting these frameworks, organizations can eliminate the friction of traditional guest portals while significantly enhancing their wireless security posture.
Technical Deep-Dive
To understand Passpoint and OpenRoaming, one must first dissect the underlying protocols that govern their operation. At the core of Passpoint is IEEE 802.11u, an amendment to the 802.11 standard that enables wireless devices to discover network services before establishing an association.
Historically, a client device had to associate with an Access Point (AP) and obtain an IP address before it could query the network's capabilities. With 802.11u, this discovery occurs in the pre-association state using Access Network Query Protocol (ANQP) queries.
The 802.11u Discovery Process
When a Passpoint-enabled device scans the airwaves, it detects a beacon containing an Interworking element. This element signals that the AP supports 802.11u and advertises its network type (e.g., private, free public, chargeable public). The client device then sends an ANQP query to request specific parameters, such as:
- Roaming Consortium Organization Identifiers (OIs): Globally unique identifiers assigned by the IEEE that represent specific roaming partners or federations.
- Venue Name and Venue Group: Metadata describing the physical location (e.g., "Terminal 2" or "Stadium").
- IP Address Type Availability: Information on whether IPv4 or IPv6 is available, and if NAT is applied.
If the client device possesses a profile containing a matching Roaming Consortium OI (or, failing that, a matching realm in the ANQP NAI Realm list), it initiates the authentication process without prompting the user. Because beacon and ANQP frames are neither encrypted nor authenticated, an OI match by itself proves nothing about the network: any AP can advertise the OpenRoaming OI. What protects the user is that the EAP method authenticates the identity provider (server certificate and expected domain stored in the profile) before any credential is released.
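The beacon-side decision described above, as an added example that is not part of the original guide and not vendor code: it parses the two elements a Passpoint client inspects before association, the Interworking element (ID 107) and the Roaming Consortium element (ID 111), and applies the OI-matching rule. The beacon bytes are constructed for the example; the OI values are the WBA OpenRoaming base OIs, and the venue and HESSID values are made up.

```python
import struct

# Added example: parse the beacon elements a Passpoint client examines before
# association and apply the OI-matching rule. Sample beacon is constructed.

EID_INTERWORKING = 107        # IEEE 802.11 Interworking element
EID_ROAMING_CONSORTIUM = 111  # IEEE 802.11 Roaming Consortium element

ACCESS_NETWORK_TYPES = {
    0: "private", 1: "private-with-guest", 2: "chargeable-public",
    3: "free-public", 4: "personal-device", 5: "emergency-services",
    14: "test", 15: "wildcard",
}


def parse_ies(tlv: bytes) -> dict:
    """Split the tagged-parameter part of a beacon into {element_id: payload}."""
    ies, i = {}, 0
    while i + 2 <= len(tlv):
        eid, length = tlv[i], tlv[i + 1]
        payload = tlv[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        ies[eid] = payload          # each of the IDs we care about appears at most once
        i += 2 + length
    return ies


def parse_interworking(payload: bytes) -> dict:
    """Access Network Options byte, then optional Venue Info (2) and HESSID (6)."""
    if len(payload) not in (1, 3, 7, 9):
        raise ValueError("bad Interworking element length")
    opts = payload[0]
    info = {
        "network_type": ACCESS_NETWORK_TYPES.get(opts & 0x0F, "reserved"),
        "internet": bool(opts & 0x10),   # Internet bit
        "asra": bool(opts & 0x20),       # Additional Step Required for Access (captive portal)
    }
    rest = payload[1:]
    if len(rest) in (2, 8):
        info["venue_group"], info["venue_type"] = rest[0], rest[1]
        rest = rest[2:]
    if len(rest) == 6:
        info["hessid"] = ":".join(f"{b:02x}" for b in rest)
    return info


def parse_roaming_consortium(payload: bytes) -> dict:
    """Up to three OIs in the beacon plus a count of further OIs only available via ANQP."""
    if len(payload) < 2:
        raise ValueError("bad Roaming Consortium element length")
    more_via_anqp = payload[0]
    len1, len2 = payload[1] & 0x0F, payload[1] >> 4   # OI #1 / OI #2 lengths share one byte
    ois, pos = [], 2
    for length in (len1, len2):
        if length:
            ois.append(payload[pos:pos + length].hex().upper())
            pos += length
    if pos < len(payload):                           # OI #3 takes whatever remains
        ois.append(payload[pos:].hex().upper())
    return {"ois": ois, "more_via_anqp": more_via_anqp}


def autojoin_decision(beacon_tlv: bytes, profile_ois: list) -> str:
    """Return the matched OI, 'anqp' if the client must query for the rest, or 'no-match'."""
    ies = parse_ies(beacon_tlv)
    if EID_INTERWORKING not in ies or EID_ROAMING_CONSORTIUM not in ies:
        return "no-match"                            # not a Passpoint network at all
    rc = parse_roaming_consortium(ies[EID_ROAMING_CONSORTIUM])
    wanted = {oi.replace("-", "").upper() for oi in profile_ois}
    for oi in rc["ois"]:
        if oi in wanted:
            return oi
    return "anqp" if rc["more_via_anqp"] else "no-match"


# Constructed beacon: free-public network with Internet access, venue group 2 /
# type 2 (Assembly / Stadium), HESSID 00:11:22:33:44:55, two OIs in the beacon.
OPENROAMING_FREE = "5A03BA0000"      # WBA OpenRoaming settlement-free base OI
OPENROAMING_SETTLED = "BAA2D00000"   # WBA OpenRoaming settled base OI
SAMPLE_BEACON = (
    bytes([EID_INTERWORKING, 9, 0x13, 2, 2]) + bytes.fromhex("001122334455")
    + bytes([EID_ROAMING_CONSORTIUM, 12, 0, 0x55])
    + bytes.fromhex(OPENROAMING_FREE) + bytes.fromhex(OPENROAMING_SETTLED)
)

if __name__ == "__main__":
    print(parse_interworking(parse_ies(SAMPLE_BEACON)[EID_INTERWORKING]))
    print(autojoin_decision(SAMPLE_BEACON, ["5A-03-BA-00-00"]))
```

A profile that carries only an OI absent from the beacon gets "anqp" when the element says more OIs are held server-side, which is exactly the point at which a real client sends the ANQP Roaming Consortium query; otherwise the network is skipped without any frame exchange.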
OpenRoaming Federation Architecture
OpenRoaming acts as a global federation layer on top of Passpoint. It establishes a secure Public Key Infrastructure (PKI) managed by the Wireless Broadband Alliance (WBA). This federation allows identity providers (IDPs) - such as mobile network operators, device manufacturers (Apple, Google), and enterprise identity systems - to peer securely with network providers.
Authentication runs over WPA2-Enterprise or WPA3-Enterprise (802.1X) using one of the EAP methods the Passpoint specification allows: EAP-TLS (client certificates), EAP-TTLS with MSCHAPv2 (username and password carried inside a TLS tunnel), or the SIM-based methods EAP-SIM, EAP-AKA and EAP-AKA'. PEAP is not a Passpoint method. The AP acts as the authenticator, encapsulating the EAP packets into RADIUS (Remote Authentication Dial-In User Service) or RadSec (RADIUS over TLS) and forwarding them, via the local proxy, to the identity provider that owns the realm in the outer identity.
RadSec is mandatory in OpenRoaming for the links between the local RADIUS proxy and the federation peers over the public internet. It runs on TCP port 2083 under TLS with mutual certificate authentication (RFC 6614), so RADIUS attributes such as the client MAC address and accounting data are protected from passive observers on each hop. This protection is hop-by-hop: every broker in the path terminates TLS and sees the attributes in the clear, which is why the user's credential itself is carried only inside the EAP method's own TLS tunnel between the device and the identity provider.
Implementation Guide
Deploying Passpoint and OpenRoaming requires a systematic approach across the wireless controller (WLC), RADIUS infrastructure, and DNS/firewall configurations.
Step 1: Network Infrastructure Audit
Ensure your APs and WLCs support 802.11u and Passpoint Release 2 or 3. Verify that your RADIUS server supports RadSec (RFC 6614). If your legacy RADIUS server does not support RadSec, you must deploy a RadSec proxy (such as FreeRADIUS, radsecproxy or a dedicated gateway) in your DMZ and route the federation realms through it.
Step 2: Firewall Configuration
Open outbound TCP port 2083 from the RadSec proxy to the OpenRoaming gateway or identity providers; inbound 2083 is only needed if you also act as an identity provider. Ensure DNS resolution works on the proxy, because OpenRoaming uses RFC 7585 dynamic peer discovery: the proxy looks up NAPTR records for the realm in the outer identity (service tag aaa+auth:radius.tls.tcp), follows them to SRV records and connects to the host they name.
Step 3: Certificate Acquisition
Obtain a RadSec certificate issued under the WBA OpenRoaming PKI from an authorized Certificate Authority (CA). It is used for mutual TLS (mTLS) between your local RadSec proxy and the federation peers: your proxy presents it as a client certificate and validates the peer's certificate against the WBA root. Keep the private key only on the proxy, and record the expiry date because nothing else in the chain will warn you.
Step 4: Wireless Controller Configuration
- Create a Secure SSID: Configure a new SSID or modify an existing one to use 802.1X: WPA2-Enterprise with Protected Management Frames enabled, or WPA3-Enterprise (or WPA2/WPA3 transition mode) where your client base supports it. Passpoint cannot be enabled on an open or PSK SSID.
- Enable 802.11u (Interworking): Enable the Interworking feature on the SSID.
- Configure the HESSID: Set the Homogeneous ESSID, the BSSID of one AP in the set, configured identically on every AP so that clients treat them as one network.
- Add Roaming Consortium OIs: Add the WBA OpenRoaming Roaming Consortium OIs and advertise them in the beacon (the Roaming Consortium element carries at most three OIs; any others are returned via ANQP). The base OIs are:
  5A-03-BA-00-00 (Settlement-Free: identities verified by Google, Apple, or mobile operators, exchanged without a commercial agreement)
  BA-A2-D0-00-00 (Settled: for commercial roaming agreements)
  WBA also publishes variant OIs that restrict which identity types are accepted; take the exact values from the current WBA OpenRoaming RCOI list rather than from memory.
- Configure ANQP Parameters: Define the Venue Name, Venue Group, and Network Type.
Step 5: RADIUS/RadSec Proxy Setup
Configure your local RADIUS server to act as a RadSec proxy. Define routing rules that forward authentication requests containing the OpenRoaming OIs or specific realm patterns to the OpenRoaming RadSec gateway.
Best Practices
To ensure a stable and high-performing deployment, adhere to the following industry-standard recommendations:
- SSID Consolidation: Do not create a dedicated SSID for Passpoint or OpenRoaming. Instead, enable Passpoint on an existing secure 802.1X SSID. This minimizes beacon overhead and conserves valuable airtime. Keep the access segmentation, though: OpenRoaming identities must be placed in a guest VLAN or ACL assigned per realm by the RADIUS policy (for example via Tunnel-Private-Group-ID or Filter-Id), never in the corporate segment merely because they share the SSID.
- Certificate Management: Implement automated certificate renewal processes for your RadSec certificates. An expired certificate will immediately halt all OpenRoaming authentications.
- Channel Planning: Because Passpoint relies on pre-association ANQP exchanges, client devices spend more time scanning and querying. Optimize your 5 GHz and 6 GHz channel planning to reduce contention and ensure rapid probe responses.
- Realm Filtering: Implement strict realm filtering on your RadSec proxy to prevent unnecessary authentication traffic from flooding the federation network. Only forward requests whose outer identity carries a well-formed realm that resolves to a federation peer; reject requests with no realm, a malformed realm or one of your own local realms on the proxy itself, so they never leave the site.
- User Experience Alignment: Ensure that your physical venue signage and digital marketing materials inform users that they can connect automatically via OpenRoaming, reducing reliance on unencrypted open SSIDs.
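The proxy-side logic from Step 5 and the Realm Filtering practice above, as an added example that is not part of the original guide and not FreeRADIUS code: it takes the outer identity of an Access-Request, extracts the realm per RFC 7542, rejects what should never reach the federation, and resolves the realm with RFC 7585-style NAPTR and SRV records. The DNS answers, realm names and hostnames are constructed in memory; a real proxy would ask the resolver.

```python
import re

# Added example: the forward/reject decision a RadSec proxy makes per request.
# All DNS data below is constructed; hostnames and realms are placeholders.

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"     # RFC 7585 service tag for RADIUS/TLS
DEFAULT_RADSEC_PORT = 2083
LOCAL_REALMS = {"corp.example.com"}            # assumed: realms this site authenticates itself

# DNS label syntax: 1-63 chars per label, no leading/trailing hyphen, at least two labels
REALM_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Constructed answers: owner name -> {record type: [records]}
# NAPTR tuple: (order, preference, flags, service, regexp, replacement)
# SRV tuple:   (priority, weight, port, target)
DNS = {
    "idp.example.net": {"NAPTR": [
        (50, 10, "S", RADSEC_SERVICE, "", "_radiustls._tcp.idp.example.net."),
        (10, 10, "S", "aaa+auth:radius.dtls.udp", "", "_radiusdtls._udp.idp.example.net."),
    ]},
    "_radiustls._tcp.idp.example.net.": {"SRV": [
        (20, 0, 2083, "radsec-backup.idp.example.net."),
        (10, 0, 2083, "radsec1.idp.example.net."),
    ]},
    "nonaptr.example.org": {},                 # a realm that exists but offers no RadSec
}


def split_nai(user_name: str):
    """Return (user, realm) for an RFC 7542 NAI; realm is '' when absent."""
    if "@" not in user_name:
        return user_name, ""
    user, _, realm = user_name.rpartition("@")   # realm is after the last '@'
    return user, realm.lower()                   # realms are case-insensitive


def discover_radsec(realm: str, dns: dict):
    """RFC 7585: pick the best NAPTR for the RadSec service, follow 'S' to SRV."""
    naptrs = [r for r in dns.get(realm, {}).get("NAPTR", []) if r[3] == RADSEC_SERVICE]
    for _order, _pref, flags, _svc, _regexp, replacement in sorted(naptrs, key=lambda r: (r[0], r[1])):
        if flags.upper() == "S":
            srv = sorted(dns.get(replacement, {}).get("SRV", []), key=lambda r: (r[0], -r[1]))
            if srv:
                _prio, _weight, port, target = srv[0]
                return target.rstrip("."), port
        elif flags.upper() == "A":               # terminal: host name with the default port
            return replacement.rstrip("."), DEFAULT_RADSEC_PORT
    return None


def route(user_name: str, dns: dict = DNS):
    """Decide what to do with a request carrying this outer User-Name."""
    _user, realm = split_nai(user_name)
    if not realm:
        return ("reject", "no realm in outer identity")
    if not REALM_RE.match(realm):
        return ("reject", "malformed realm")
    if realm in LOCAL_REALMS:
        return ("local", realm)                  # our own users: never proxied out
    target = discover_radsec(realm, dns)
    if target is None:
        return ("reject", "no RadSec peer discoverable for realm")   # dropped here, not flooded upstream
    return ("forward", f"{target[0]}:{target[1]}")


if __name__ == "__main__":
    for name in ("anonymous@idp.example.net", "alice", "bob@corp.example.com", "eve@nonaptr.example.org"):
        print(name, "->", route(name))
```

With EAP-TTLS and EAP-TLS the outer identity is normally anonymous@realm, so the proxy only ever routes on the realm; the inner username never reaches it. Requests that fail discovery are answered locally with a reject, which keeps misconfigured or hostile clients from generating traffic toward the federation.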
Troubleshooting & Risk Mitigation
Common Failure Modes and Resolutions
Issue: Client devices fail to connect automatically
- Root Cause: Missing or misconfigured Roaming Consortium OIs on the WLC, or the client device does not have the correct profile installed.
- Mitigation: Use a packet analyzer to capture the beacon and probe response frames. Verify that the beacon carries the Interworking element (network type, HESSID) and a Roaming Consortium element listing the expected OI; the beacon holds at most three OIs, so check the ANQP Roaming Consortium response if the OI is expected only there. Ensure the client profile is provisioned correctly via an MDM or a provisioning portal.
Issue: RadSec connection failures
- Root Cause: Firewall blocking TCP port 2083, or invalid/expired RadSec certificates.
- Mitigation: Perform a packet capture on the WAN interface of the RADIUS proxy and verify that the TLS handshake completes. From the proxy host, attempt the handshake yourself with openssl s_client against the gateway on TCP 2083 using the proxy's certificate and key, and inspect the chain returned: issuer under the WBA root, expiry dates on both sides, and revocation (CRL or OCSP) status.
Issue: High latency during authentication
- Root Cause: Geographically distant IDPs or slow DNS resolution for NAPTR records.
- Mitigation: Implement local caching of DNS records and ensure your RADIUS proxy has low-latency paths to the regional OpenRoaming hubs.
ROI & Business Impact
Transitioning to Passpoint and OpenRoaming delivers measurable business value across three primary vectors: operational efficiency, security posture, and data intelligence.
Operational Efficiency
By automating the connection process, venues experience a significant reduction in guest-WiFi-related support tickets. Front-desk staff and IT help desks spend less time troubleshooting captive portal failures and password issues.
Security Posture
Traditional open guest networks expose users to eavesdropping and man-in-the-middle attacks. Passpoint requires 802.1X (WPA2/WPA3-Enterprise), which gives every client its own session keys and encrypts all over-the-air traffic; the device also verifies the identity provider before sending a credential, so a look-alike SSID gains nothing. This protects both the user and the venue from liability associated with data breaches.
Data Intelligence
When integrated with platforms like Purple, Passpoint allows venues to identify returning visitors seamlessly. Because the device connects automatically, the venue captures accurate dwell time and visit frequency metrics without requiring the user to open a browser and log in repeatedly. This continuous data stream enables highly targeted, real-time engagement strategies.
Key Definitions
Passpoint
A WiFi Alliance certification program (based on Hotspot 2.0) that enables mobile devices to automatically discover and connect to WiFi networks with enterprise-grade security.
It forms the technical foundation for seamless guest onboarding.
OpenRoaming
A global roaming federation created by the Wireless Broadband Alliance (WBA) that allows users to connect securely and automatically to WiFi networks using trusted identities.
It acts as the policy and identity layer on top of Passpoint.
ANQP
Access Network Query Protocol. A query-response protocol used by mobile devices to discover network capabilities before associating with an AP.
Crucial for pre-association discovery in 802.11u.
802.11u
An amendment to the IEEE 802.11 standard that adds features for interworking with external networks, enabling pre-association discovery.
The MAC-layer amendment that makes Passpoint possible.
RadSec
RADIUS over TLS (RFC 6614). A protocol that secures RADIUS packets by encapsulating them within a TLS tunnel over TCP.
Mandatory for OpenRoaming to secure authentication traffic over the public internet.
Roaming Consortium OI
Roaming Consortium Organization Identifier. A unique hex identifier assigned by the IEEE to identify a specific roaming federation or partner.
Used by APs to advertise which roaming credentials they accept.
HESSID
Homogeneous ESSID. A 48-bit MAC address configured on APs to identify a group of APs belonging to the same network or venue.
Helps client devices understand that multiple APs belong to the same administrative domain.
EAP-TLS
Extensible Authentication Protocol-Transport Layer Security. An authentication protocol that uses digital certificates for mutual authentication.
Certificate-based, so no password is ever sent; the strongest authentication method Passpoint supports.
Worked Examples
A large-scale stadium deployment requires configuring a Cisco Catalyst 9800 Wireless Controller to support OpenRoaming (Settlement-Free) alongside existing corporate SSIDs. The network architect must ensure that client devices automatically discover and connect to the network using the correct Roaming Consortium OIs.
To implement this on the Cisco Catalyst 9800 WLC (IOS XE), the Passpoint/ANQP settings are held in a hotspot ANQP server object that is then attached to the WLAN. Exact keyword forms vary between IOS XE releases, so confirm each line with "?" on your controller:
- Define the ANQP server object, advertising the OpenRoaming settlement-free OI in the beacon (5A03BA0000; confirm against the current WBA RCOI list) and the HESSID shared by all APs in the venue:
! Venue name/type and operator name are set in this same object; keyword forms vary by release.
! Do not configure a network authentication type of "redirect": an 802.1X OpenRoaming SSID must not advertise a captive portal.
wireless hotspot anqp-server openroaming-anqp
 description "Stadium Main Bowl - OpenRoaming"
 roaming-oi 5A03BA0000 beacon
 hessid 00:11:22:33:44:55
 domain-name stadium.example
 network-type free-public internet-access
 ipv4-address-type single-nat-private
 ipv6-address-type not-available
- Create the WLAN as WPA2-Enterprise with 802.1X and Protected Management Frames (move to WPA3-Enterprise once the client base supports it), point it at the AAA method list that reaches your RadSec proxy, and attach the ANQP server:
wlan openroaming-wlan 1 openroaming-ssid
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security pmf optional
 security dot1x authentication-list openroaming-aaa
 hotspot anqp-server openroaming-anqp
 no shutdown
- Verify the configuration using the CLI, then confirm the beacon advertisement with a wireless capture:
show wlan name openroaming-wlan
show running-config | section wireless hotspot
A multi-site retail chain wants to migrate from a traditional captive portal to a hybrid model. They want to use OpenRoaming for seamless connection while utilizing Purple's analytics platform to track visitor behavior and run targeted campaigns based on dwell time.
The solution requires configuring a RadSec proxy to route authentication requests to the OpenRoaming federation while simultaneously sending accounting data to the Purple cloud platform.
- Configure the local RadSec proxy (e.g., FreeRADIUS 3.x, proxy.conf) to open a mutually authenticated TLS session to the OpenRoaming gateway. The gateway hostname below is a placeholder: use the address your WBA-approved broker gives you, or the result of NAPTR discovery for the realm. RFC 6614 fixes the RADIUS shared secret to the string "radsec" when TLS is in use, and FreeRADIUS still requires it to be present:
home_server openroaming_radsec {
    type = auth+acct
    ipaddr = radsec.openroaming.example   # placeholder gateway hostname
    port = 2083
    proto = tcp
    secret = radsec                       # fixed value mandated by RFC 6614
    status_check = status-server
    tls {
        private_key_file = /etc/raddb/certs/radsec.key
        certificate_file = /etc/raddb/certs/radsec.pem   # WBA-issued RadSec certificate
        ca_file = /etc/raddb/certs/wba_ca.pem            # WBA root and intermediate chain
    }
}
home_server_pool openroaming_auth {
    type = fail-over
    home_server = openroaming_radsec
}
- Define the Purple accounting server and its pool. A realm sends each accounting packet to one pool, so to deliver a copy to a second destination (the identity provider as well as Purple) use the shipped sites-available/copy-acct-to-home-server virtual server or a detail-file reader; listing both servers in one pool would only fail over between them:
home_server purple_accounting {
    type = acct
    ipaddr = acct.purpleportal.net
    port = 1813
    secret = PurpleSharedSecret          # placeholder: use the secret issued by Purple
}
home_server_pool purple_acct {
    type = fail-over
    home_server = purple_accounting
}
- Route the realm. FreeRADIUS matches "realm" against the part of User-Name after "@", so the entry must cover the NAI realms actually carried in the outer identity (a regular expression, prefixed with "~", covers a family of them); requests whose realm matches no entry are handled locally and rejected, which is the filtering the Best Practices section calls for. "nostrip" keeps the realm in the proxied User-Name so the federation can route it:
realm "~(.*\\.)*openroaming\\.example$" {
    auth_pool = openroaming_auth
    acct_pool = purple_acct
    nostrip
}
- On the WLC, enable RADIUS accounting for the WLAN with interim updates every 300 seconds (Acct-Interim-Interval; the identity provider may also return this attribute in the Access-Accept). Interim updates are what let Purple measure dwell time for a device that never opens a browser, and a lost Stop record then costs at most one interval.
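The accounting stream the step above relies on, as an added example that is not from the original guide, Purple or FreeRADIUS: it builds RADIUS Accounting-Request packets (RFC 2866) with the Request Authenticator the receiver uses to detect forgery, verifies them, and derives dwell time from Acct-Session-Time across Start, Interim-Update and Stop records. The shared secret, session values and attribute set are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example: encode, verify and interpret RADIUS Accounting-Request packets.
# Secret, session identifiers and attribute values below are constructed.

CODE_ACCOUNTING_REQUEST = 4
ATTRS = {"User-Name": 1, "Calling-Station-Id": 31, "NAS-Identifier": 32,
         "Acct-Status-Type": 40, "Acct-Session-Id": 44, "Acct-Session-Time": 46}
ATTR_NAMES = {v: k for k, v in ATTRS.items()}
INTEGER_ATTRS = {40, 46}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}


def encode_attr(name: str, value) -> bytes:
    """Type-Length-Value; integers are 32-bit big-endian, strings UTF-8."""
    raw = struct.pack(">I", value) if isinstance(value, int) else value.encode("utf-8")
    if not raw or len(raw) > 253:
        raise ValueError("attribute value length out of range")
    return bytes([ATTRS[name], len(raw) + 2]) + raw


def build_accounting_request(identifier: int, secret: bytes, attrs) -> bytes:
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack(">BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length | 16 zero octets | attributes | secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator; any change to the attributes or a wrong secret fails."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(packet: bytes) -> dict:
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        raw = packet[pos + 2:pos + length]
        if attr_type in ATTR_NAMES:
            out[ATTR_NAMES[attr_type]] = (struct.unpack(">I", raw)[0] if attr_type in INTEGER_ATTRS
                                          else raw.decode("utf-8", "replace"))
        pos += length
    return out


def dwell_seconds(packets, secret: bytes) -> dict:
    """Latest Acct-Session-Time per session, ignoring packets whose authenticator fails."""
    dwell = {}
    for pkt in packets:
        if not verify_accounting_request(pkt, secret):
            continue                                  # forged or corrupted: do not count it
        attrs = decode_attrs(pkt)
        if "Acct-Session-Id" in attrs and "Acct-Session-Time" in attrs:
            sid = attrs["Acct-Session-Id"]
            dwell[sid] = max(dwell.get(sid, 0), attrs["Acct-Session-Time"])
    return dwell


# Constructed session: Start, two Interim-Updates at the 300 s interval, then Stop.
SECRET = b"PurpleSharedSecret"      # placeholder, matching the config fragment above
SESSION = [("User-Name", "anonymous@idp.example.net"), ("Calling-Station-Id", "AA-BB-CC-11-22-33"),
           ("NAS-Identifier", "stadium-wlc-1"), ("Acct-Session-Id", "5f3a9c01")]
SAMPLE = [build_accounting_request(i, SECRET, SESSION + [("Acct-Status-Type", status), ("Acct-Session-Time", t)])
          for i, (status, t) in enumerate([(1, 0), (3, 300), (3, 600), (2, 642)])]

if __name__ == "__main__":
    print(dwell_seconds(SAMPLE, SECRET))
```

The authenticator is an MD5 over the packet and the shared secret, which is why plain RADIUS accounting is acceptable to a cloud endpoint only over a path you trust or a tunnel, and why the federation side of the same proxy is required to use RadSec: an observer of the UDP stream sees every attribute, including the client MAC address, even though they cannot forge records without the secret.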
Practice Questions
Q1. A network engineer notices that Android devices are connecting automatically to the OpenRoaming SSID, but iOS devices are prompting users to manually select the network. What is the most likely cause of this behavior?
Hint: Consider how profiles are provisioned and trusted on different mobile operating systems.
View model answer
The most likely cause is that the iOS devices do not have the required OpenRoaming profile installed, or the profile's certificate payload is not trusted by iOS. Android devices often come with preloaded OpenRoaming profiles from device manufacturers or carrier configurations. iOS requires explicit profile installation via an MDM, a provisioning app, or a portal like Purple; the profile must carry the Roaming Consortium OI, the credential or client certificate, and the trusted server CA. Note that Passpoint matches on the OI, not on the SSID, so the SSID name itself is irrelevant to the decision.
Q2. During a packet capture on the WAN interface of a RadSec proxy, you observe TCP SYN packets sent to port 2083, but no SYN-ACK is received. What troubleshooting steps should you take?
Hint: Focus on network path and firewall configurations.
View model answer
- Verify that the outbound firewall policy permits TCP port 2083 traffic from the RadSec proxy IP to the destination OpenRoaming gateway.
- Check if there is an intermediate security appliance (such as an IPS or deep packet inspection firewall) blocking or dropping the traffic.
- Confirm that the destination IP address resolved via DNS NAPTR records is correct and reachable.
- Perform a traceroute to identify where the packet drop is occurring in the transit path.
Q3. Why is SSID consolidation considered a best practice when deploying Passpoint and OpenRoaming, and what is the technical impact of ignoring this recommendation?
Hint: Think about airtime efficiency and beacon overhead.
View model answer
SSID consolidation is critical because every SSID configured on an AP must broadcast its own beacon frames, typically at the lowest supported mandatory data rate. Creating a dedicated SSID for Passpoint/OpenRoaming increases beacon overhead, consuming valuable airtime and reducing overall network capacity. By consolidating Passpoint onto an existing secure enterprise SSID, the AP advertises the 802.11u parameters within the existing beacon frames, preserving airtime and maintaining optimal channel efficiency.
Continue reading in this series
Configuring RADIUS Authentication for Guest and Staff WiFi Networks
This technical reference guide outlines the architecture, configuration, and deployment of RADIUS authentication for enterprise guest and staff WiFi networks. It provides network architects and IT managers with the exact protocols, security standards, and troubleshooting methodologies required to build secure, scalable wireless access control systems.
How to Implement SCEP for Secure BYOD and Network Enrollment in Higher Education
This technical guide provides network architects and IT managers with a vendor-neutral blueprint for deploying SCEP-based certificate enrollment to secure higher education campus networks. It details how to migrate from password-based PEAP to 802.1X EAP-TLS, automate BYOD onboarding, and enforce robust VLAN segmentation.