Passpoint and OpenRoaming: Complete Guide

This technical reference guide provides a comprehensive analysis of Passpoint (Hotspot 2.0) and WBA OpenRoaming frameworks within enterprise WiFi networks. It details the underlying authentication protocols, architectural components, and deployment strategies required to establish secure, frictionless guest connectivity. Network architects and IT leaders will learn how to design, implement, and troubleshoot these standards to eliminate manual login barriers while maintaining enterprise-grade security.

Executive Summary

Enterprise connectivity demands have shifted from manual, captive-portal-based guest access to automated, secure, and frictionless onboarding. Passpoint (defined by the Wi-Fi Alliance as Hotspot 2.0) and OpenRoaming (orchestrated by the Wireless Broadband Alliance) represent the standardization of this shift. By utilizing IEEE 802.11u protocols and WPA3-Enterprise security, these technologies allow mobile devices to discover, authenticate, and connect to secure WiFi networks automatically without user intervention.

This guide serves as an authoritative reference for network architects and IT directors planning to deploy these technologies across large-scale venues, retail environments, and corporate campuses. We examine the underlying cryptographic handshakes, the federation architecture, and the practical configuration steps required to integrate these standards into existing wireless infrastructure. By adopting these frameworks, organizations can eliminate the friction of traditional guest portals while significantly enhancing their wireless security posture.

Technical Deep-Dive

To understand Passpoint and OpenRoaming, one must first dissect the underlying protocols that govern their operation. At the core of Passpoint is IEEE 802.11u, an amendment to the 802.11 standard that enables wireless devices to discover network services before establishing an association.

Historically, a client device had to associate with an Access Point (AP) and obtain an IP address before it could query the network's capabilities. With 802.11u, this discovery occurs in the pre-association state using Access Network Query Protocol (ANQP) queries.

The 802.11u Discovery Process

When a Passpoint-enabled device scans the airwaves, it detects a beacon containing an Interworking element. This element signals that the AP supports 802.11u and advertises its network type (e.g., private, free public, chargeable public). The client device then sends an ANQP query to request specific parameters, such as:

  • Roaming Consortium Organization Identifiers (OIs): Globally unique identifiers assigned by the IEEE that represent specific roaming partners or federations.
  • Venue Name and Venue Group: Metadata describing the physical location (e.g., "Terminal 2" or "Stadium").
  • IP Address Type Availability: Information on whether IPv4 or IPv6 is available, and if NAT is applied.

If the client device possesses a profile containing a matching Roaming Consortium OI, it initiates the authentication process without prompting the user.

OpenRoaming Federation Architecture

OpenRoaming acts as a global federation layer on top of Passpoint. It establishes a secure Public Key Infrastructure (PKI) managed by the Wireless Broadband Alliance (WBA). This federation allows identity providers (IDPs), such as mobile network operators, device manufacturers (Apple, Google), and enterprise identity systems, to peer securely with network providers.

Authentication is executed using WPA3-Enterprise (or WPA2-Enterprise for legacy compatibility) with Protected Extensible Authentication Protocol (PEAP) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The AP acts as an authenticator, encapsulating the EAP packets into RADIUS (Remote Authentication Dial-In User Service) or RadSec (RADIUS over TLS) packets and forwarding them to the identity provider.

RadSec is mandatory in OpenRoaming to secure the communication between the local network's RADIUS proxy and the global IDPs over the public internet. RadSec uses TCP port 2083 and TLS encryption, ensuring that user credentials and authentication attributes remain confidential during transit across intermediate transit providers.

Implementation Guide

Deploying Passpoint and OpenRoaming requires a systematic approach across the wireless controller (WLC), RADIUS infrastructure, and DNS/firewall configurations.

Step 1: Network Infrastructure Audit

Ensure your APs and WLCs support 802.11u and Passpoint Release 2 or 3. Verify that your RADIUS server supports RadSec (RFC 6614). If your legacy RADIUS server does not support RadSec, you must deploy a RadSec proxy (such as FreeRADIUS or a dedicated gateway) in your DMZ.

Step 2: Firewall Configuration

Open outbound TCP port 2083 to the OpenRoaming RadSec proxy servers. Ensure DNS resolution is configured correctly on your RADIUS servers, as RadSec relies on Dynamic Delegation Discovery System (DDDS) and NAPTR records to locate the appropriate IDP.

Step 3: Certificate Acquisition

Obtain a WBA-approved RadSec certificate from an authorized Certificate Authority (CA). This certificate is critical for mutual TLS (mTLS) authentication between your local RadSec proxy and the OpenRoaming federation brokers.

Step 4: Wireless Controller Configuration

  1. Create a Secure SSID: Configure a new SSID or modify an existing one to use WPA3-Enterprise (or WPA2/WPA3 transition mode).
  2. Enable 802.11u (Interworking): Enable the Interworking feature on the SSID.
  3. Configure the HESSID: Set the Homogeneous ESSID, typically the MAC address of one of the AP radios, to uniquely identify the network group.
  4. Add Roaming Consortium OIs: Add the OpenRoaming Roaming Consortium OIs. The standard OIs are:
    • 5A-03-BE-00-00 (Settlement-Free, identities verified by Google, Apple, or mobile operators)
    • 5A-03-BE-00-01 (Settled, for commercial roaming agreements)
  5. Configure ANQP Parameters: Define the Venue Name, Venue Group, and Network Type.

Step 5: RADIUS/RadSec Proxy Setup

Configure your local RADIUS server to act as a RadSec proxy. Define routing rules that forward authentication requests containing the OpenRoaming OIs or specific realm patterns to the OpenRoaming RadSec gateway.

Best Practices

To ensure a stable and high-performing deployment, adhere to the following industry-standard recommendations:

  • SSID Consolidation: Do not create a dedicated SSID for Passpoint or OpenRoaming. Instead, combine them onto a single, secure enterprise SSID. This minimizes beacon overhead and conserves valuable airtime.
  • Certificate Management: Implement automated certificate renewal processes for your RadSec certificates. An expired certificate will immediately halt all OpenRoaming authentications.
  • Channel Planning: Because Passpoint relies on pre-association ANQP exchanges, client devices spend more time scanning and querying. Optimize your 5 GHz and 6 GHz channel planning to reduce contention and ensure rapid probe responses.
  • Realm Filtering: Implement strict realm filtering on your RadSec proxy to prevent unnecessary authentication traffic from flooding the federation network. Only forward requests that match valid OpenRoaming patterns.
  • User Experience Alignment: Ensure that your physical venue signage and digital marketing materials inform users that they can connect automatically via OpenRoaming, reducing reliance on unencrypted open SSIDs.
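Step 2 of the implementation guide states that the RadSec proxy locates the right IDP through DDDS/NAPTR records, and the realm filtering point above says that only requests for valid realms should leave the site. The Python below is an added example, not code from the page, from FreeRADIUS or from the WBA; it walks both decisions on constructed DNS data. The NAPTR service tags are the RFC 7585 ones for RADIUS/TLS, but every hostname, the realm and the allowed-suffix list are placeholders.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for live DNS answers. Every name here is a
# placeholder, not a real OpenRoaming or identity-provider hostname.
NAPTR_RECORDS: Dict[str, List[Naptr]] = {
    "idp.example": [
        Naptr(40, 10, "S", "aaa+auth:radius.dtls.udp", "_radiusdtls._udp.idp.example"),
        Naptr(50, 20, "S", "aaa+auth:radius.tls.tcp", "_radsec-backup._tcp.idp.example"),
        Naptr(50, 10, "S", "aaa+auth:radius.tls.tcp", "_radsec._tcp.idp.example"),
        Naptr(50, 10, "S", "aaa+acct:radius.tls.tcp", "_radsec._tcp.idp.example"),
    ],
}
SRV_RECORDS: Dict[str, List[Srv]] = {
    "_radsec._tcp.idp.example": [Srv(10, 0, 2083, "radsec1.idp.example.")],
    "_radsec-backup._tcp.idp.example": [Srv(10, 0, 2083, "radsec2.idp.example.")],
}

# RFC 7585 service tags for RADIUS/TLS (RadSec) dynamic discovery.
RADSEC_AUTH = "aaa+auth:radius.tls.tcp"
RADSEC_ACCT = "aaa+acct:radius.tls.tcp"


def realm_of(nai: str) -> Optional[str]:
    """Realm part of an NAI (RFC 7542): everything after the last '@'."""
    if "@" not in nai:
        return None
    realm = nai.rsplit("@", 1)[1].strip().lower()
    return realm or None


def should_forward(realm: Optional[str], allowed_suffixes: Tuple[str, ...]) -> bool:
    """Realm filter for the proxy: only well-formed realms under an allowed
    suffix are forwarded to the federation; everything else stays local."""
    if realm is None:
        return False
    labels = realm.split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels):
        return False
    return any(realm == s or realm.endswith("." + s) for s in allowed_suffixes)


def discover_radsec_peers(realm: str, service: str = RADSEC_AUTH) -> List[Tuple[str, int]]:
    """DDDS walk (RFC 3403 as applied by RFC 7585): keep NAPTRs whose service
    tag matches, use only the lowest 'order' that produced a match, rank those
    by 'preference', follow each 'S' replacement to its SRV set and return the
    (host, port) pairs in the sequence the proxy should try them."""
    matches = [r for r in NAPTR_RECORDS.get(realm, [])
               if r.service == service and "S" in r.flags.upper()]
    if not matches:
        return []
    lowest = min(r.order for r in matches)
    peers: List[Tuple[str, int]] = []
    for rec in sorted((r for r in matches if r.order == lowest), key=lambda r: r.preference):
        srvs = sorted(SRV_RECORDS.get(rec.replacement, []), key=lambda s: (s.priority, -s.weight))
        peers.extend((s.target.rstrip("."), s.port) for s in srvs)
    return peers


def route(nai: str, allowed_suffixes: Tuple[str, ...] = ("example",)) -> Tuple[Optional[str], List[Tuple[str, int]]]:
    """Combined proxy decision: filter the realm first, then discover peers.
    The default suffix tuple is a placeholder for the operator's own list."""
    realm = realm_of(nai)
    if not should_forward(realm, allowed_suffixes):
        return realm, []
    return realm, discover_radsec_peers(realm)  # type: ignore[arg-type]


if __name__ == "__main__":
    for user in ("alice@idp.example", "bob@corp", "eve@evil.test"):
        print(user, "->", route(user))
```

The DTLS record is dropped by the service-tag filter and the acct record by the auth tag, leaving two TLS targets ordered by preference; a realm outside the allowed suffixes never reaches the DNS step, which is what keeps stray corporate or malformed realms off the federation link. The same split is worth mirroring in the proxy's own logs when diagnosing the "slow NAPTR resolution" case in the troubleshooting section.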

Troubleshooting & Risk Mitigation

Common Failure Modes and Resolutions

Issue: Client devices fail to connect automatically

  • Root Cause: Missing or misconfigured Roaming Consortium OIs on the WLC, or the client device does not have the correct profile installed.
  • Mitigation: Use a packet analyzer to capture the beacon and probe response frames. Verify that the 802.11u Interworking element contains the correct OIs. Ensure the client profile is provisioned correctly via an MDM or a provisioning portal.
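The OI check in the mitigation above, and the pre-association matching described in the 802.11u discovery section, can be scripted against the raw tagged parameters a packet analyzer shows for a beacon or probe response. The following Python is an added example, not code from the page or from any vendor; the frame bytes are constructed, and the field layouts follow the 802.11u Interworking element (element ID 107) and Roaming Consortium element (element ID 111).

```python
from typing import Dict, Iterator, List, Tuple

IE_INTERWORKING = 107        # 802.11u Interworking element
IE_ROAMING_CONSORTIUM = 111  # 802.11u Roaming Consortium element

# Access Network Type values carried in the low 4 bits of Access Network Options.
ACCESS_NETWORK_TYPES = {
    0: "private", 1: "private with guest access", 2: "chargeable public",
    3: "free public", 4: "personal device", 5: "emergency services only",
    14: "test or experimental", 15: "wildcard",
}


def iter_elements(tagged: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV-encoded tagged parameters of a beacon or probe response."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"truncated element id={eid}")
        yield eid, body
        pos += 2 + length


def parse_interworking(body: bytes) -> Dict[str, object]:
    """Decode Access Network Options plus the optional Venue Info and HESSID."""
    if not body:
        raise ValueError("empty Interworking element")
    opts = body[0]
    info: Dict[str, object] = {
        "network_type": ACCESS_NETWORK_TYPES.get(opts & 0x0F, "reserved"),
        "internet": bool(opts & 0x10),
        "venue_group": None, "venue_type": None, "hessid": None,
    }
    rest = body[1:]
    if len(rest) in (2, 8):       # 2-byte Venue Info present
        info["venue_group"], info["venue_type"] = rest[0], rest[1]
        rest = rest[2:]
    if len(rest) == 6:            # 6-byte HESSID present
        info["hessid"] = ":".join(f"{b:02x}" for b in rest)
    elif rest:
        raise ValueError("Interworking element has an unexpected length")
    return info


def parse_roaming_consortium(body: bytes) -> List[str]:
    """Return advertised OIs as upper-case hex (e.g. '5A03BE0000').
    Layout: [number of ANQP OIs][OI#1 len | OI#2 len << 4][OI#1][OI#2][OI#3...]."""
    if len(body) < 2:
        raise ValueError("Roaming Consortium element too short")
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    rest, ois = body[2:], []
    for n in (len1, len2):
        if n == 0:
            break
        if len(rest) < n:
            raise ValueError("OI length exceeds element body")
        ois.append(rest[:n].hex().upper())
        rest = rest[n:]
    if rest:                      # OI #3 has no length field; it is whatever remains
        ois.append(rest.hex().upper())
    return ois


def summarize(tagged: bytes) -> Dict[str, object]:
    """Pull the two Passpoint-relevant elements out of a frame's tagged parameters."""
    interworking = None
    ois: List[str] = []
    for eid, body in iter_elements(tagged):
        if eid == IE_INTERWORKING:
            interworking = parse_interworking(body)
        elif eid == IE_ROAMING_CONSORTIUM:
            ois.extend(parse_roaming_consortium(body))
    return {"interworking": interworking, "roaming_ois": ois}


def matching_ois(profile_ois: List[str], advertised_ois: List[str]) -> List[str]:
    """OIs present in both the client profile and the beacon. A non-empty
    result is the condition under which a Passpoint client proceeds to
    authenticate without prompting the user."""
    def norm(oi: str) -> str:
        return oi.replace("-", "").replace(":", "").upper()
    advertised = {norm(o) for o in advertised_ois}
    return [o for o in profile_ois if norm(o) in advertised]


# Constructed sample (not a real capture): SSID, Interworking and Roaming Consortium.
SAMPLE_TAGGED = bytes.fromhex(
    "00 05 6775657374"                    # SSID element: "guest"
    "6b 09 13 0102 001122334455"          # Interworking: free public + internet, venue 1/2, HESSID
    "6f 0c 02 55 5a03be0000 5a03be0001"   # Roaming Consortium: 2 ANQP OIs, two 5-byte OIs
)

if __name__ == "__main__":
    seen = summarize(SAMPLE_TAGGED)
    print(seen)
    print("matching:", matching_ois(["5A-03-BE-00-00"], seen["roaming_ois"]))
```

Feeding the element bytes from a real capture into summarize gives the same check a client performs: if matching_ois comes back empty for the OI in the provisioned profile, the WLC-side configuration is the first thing to fix; if it matches but clients still prompt, the problem is on the device profile side.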

Issue: RadSec connection failures

  • Root Cause: Firewall blocking TCP port 2083, or invalid/expired RadSec certificates.
  • Mitigation: Perform a packet capture on the WAN interface of the RADIUS proxy. Verify that the TLS handshake completes successfully. Check the certificate revocation list (CRL) status.

Issue: High latency during authentication

  • Root Cause: Geographically distant IDPs or slow DNS resolution for NAPTR records.
  • Mitigation: Implement local caching of DNS records and ensure your RADIUS proxy has low-latency paths to the regional OpenRoaming hubs.

ROI & Business Impact

Transitioning to Passpoint and OpenRoaming delivers measurable business value across three primary vectors: operational efficiency, security posture, and data intelligence.

Operational Efficiency

By automating the connection process, venues experience a significant reduction in guest-WiFi-related support tickets. Front-desk staff and IT help desks spend less time troubleshooting captive portal failures and password issues.

Security Posture

Traditional open guest networks expose users to eavesdropping and man-in-the-middle attacks. Passpoint mandates enterprise-grade encryption (WPA2/WPA3-Enterprise), securing all over-the-air traffic. This protects both the user and the venue from liability associated with data breaches.

Data Intelligence

When integrated with platforms like Purple, Passpoint allows venues to identify returning visitors seamlessly. Because the device connects automatically, the venue captures accurate dwell time and visit frequency metrics without requiring the user to open a browser and log in repeatedly. This continuous data stream enables highly targeted, real-time engagement strategies.

Key Definitions

Passpoint

A Wi-Fi Alliance certification program (based on Hotspot 2.0) that enables mobile devices to automatically discover and connect to WiFi networks with enterprise-grade security.

It forms the technical foundation for seamless guest onboarding.

OpenRoaming

A global roaming federation created by the Wireless Broadband Alliance (WBA) that allows users to connect securely and automatically to WiFi networks using trusted identities.

It acts as the policy and identity layer on top of Passpoint.

ANQP

Access Network Query Protocol. A query-response protocol used by mobile devices to discover network capabilities before associating with an AP.

Crucial for pre-association discovery in 802.11u.

802.11u

An amendment to the IEEE 802.11 standard that adds features for interworking with external networks, enabling pre-association discovery.

The physical and MAC layer standard that makes Passpoint possible.

RadSec

RADIUS over TLS (RFC 6614). A protocol that secures RADIUS packets by encapsulating them within a TLS tunnel over TCP.

Mandatory for OpenRoaming to secure authentication traffic over the public internet.

Roaming Consortium OI

Roaming Consortium Organization Identifier. A unique hex identifier assigned by the IEEE to identify a specific roaming federation or partner.

Used by APs to advertise which roaming credentials they accept.

HESSID

Homogeneous ESSID. A 48-bit MAC address configured on APs to identify a group of APs belonging to the same network or venue.

Helps client devices understand that multiple APs belong to the same administrative domain.

EAP-TLS

Extensible Authentication Protocol-Transport Layer Security. An authentication protocol that uses digital certificates for mutual authentication.

The most secure authentication method supported by Passpoint.

Worked Examples

A large-scale stadium deployment requires configuring a Cisco Catalyst 9800 Wireless Controller to support OpenRoaming (Settlement-Free) alongside existing corporate SSIDs. The network architect must ensure that client devices automatically discover and connect to the network using the correct Roaming Consortium OIs.

To implement this on the Cisco Catalyst 9800 WLC, follow these configuration steps:

  1. Define the ANQP server profile:

    wireless profile anqp openroaming-anqp-profile
      venue-name english "Stadium Main Bowl"
      venue-group assembly venue-type arena
      network-auth-type redirect-url "https://portal.purple.ai"
      ip-type ipv4-nat ipv6-no-address

  2. Create the roaming consortium profile and add the OpenRoaming Settlement-Free OI (5A-03-BE-00-00):

    wireless profile roaming openroaming-roaming-profile
      roaming-consortium-oi 5A03BE0000

  3. Configure the Hotspot 2.0 (Passpoint) profile:

    wireless profile hotspot openroaming-hotspot-profile
      anqp-server-profile openroaming-anqp-profile
      roaming-consortium-profile openroaming-roaming-profile
      hessid 00:11:22:33:44:55

  4. Apply the hotspot profile to the target WLAN profile (the 802.1X AKM keyword on the Catalyst 9800 is dot1x):

    wlan openroaming-wlan 1 openroaming-ssid
      security wpa wpa3
      security wpa akm dot1x
      hotspot-profile openroaming-hotspot-profile
      no shutdown

  5. Verify the configuration using the CLI:

    show wireless profile hotspot detailed openroaming-hotspot-profile

Examiner's Commentary: The candidate correctly identified the separation of ANQP, Roaming, and Hotspot profiles on the Cisco Catalyst 9800 platform. A common mistake is omitting the HESSID, which is required for proper client roaming decisions. The use of the correct hex format for the Roaming Consortium OI (5A03BE0000) is critical, as incorrect formatting will prevent client matching.

A multi-site retail chain wants to migrate from a traditional captive portal to a hybrid model. They want to use OpenRoaming for seamless connection while utilizing Purple's analytics platform to track visitor behavior and run targeted campaigns based on dwell time.

The solution requires configuring a RadSec proxy to route authentication requests to the OpenRoaming federation while simultaneously sending accounting data to the Purple cloud platform.

  1. Configure the local RadSec proxy (for example FreeRADIUS) to establish a TLS connection with the OpenRoaming gateway:

    # RadSec home server: RFC 6614, TCP/2083, mutual TLS with the WBA-issued certificate
    home_server openroaming_radsec {
      type = auth+acct
      ipaddr = radsec.openroaming.org
      port = 2083
      proto = tcp
      tls {
        private_key_file = /etc/raddb/certs/radsec.key
        certificate_file = /etc/raddb/certs/radsec.pem
        ca_file = /etc/raddb/certs/wba_ca.pem
      }
    }

  2. Configure the accounting server to duplicate accounting packets and forward them to Purple's RADIUS accounting endpoints. In FreeRADIUS a realm's auth_pool and acct_pool must name a home_server_pool rather than a home_server directly, so each destination is wrapped in a pool:

    home_server purple_accounting {
      type = acct
      ipaddr = acct.purpleportal.net
      port = 1813
      secret = PurpleSharedSecret
    }

    home_server_pool openroaming_auth {
      type = fail-over
      home_server = openroaming_radsec
    }

    home_server_pool purple_acct {
      type = fail-over
      home_server = purple_accounting
    }

    realm openroaming {
      auth_pool = openroaming_auth
      acct_pool = purple_acct
    }

  3. On the WLC, ensure that RADIUS accounting is enabled and configured to send interim updates every 300 seconds. This ensures Purple receives continuous dwell time data even if the user does not actively open a browser.

Examiner's Commentary: This hybrid architecture is highly effective. By routing authentication to the OpenRoaming federation and duplicating accounting data to Purple, the retailer achieves secure, automatic onboarding while maintaining full visibility into visitor analytics. The key to success here is the configuration of the RadSec proxy to handle dual-destination routing.

Practice Questions

Q1. A network engineer notices that Android devices are connecting automatically to the OpenRoaming SSID, but iOS devices are prompting users to manually select the network. What is the most likely cause of this behavior?

Hint: Consider how profiles are provisioned and trusted on different mobile operating systems.

Model answer:

The most likely cause is that the iOS devices do not have the required OpenRoaming profile installed, or the profile's certificate payload is not trusted by iOS. Android devices often come with preloaded OpenRoaming profiles from device manufacturers or carrier configurations. iOS requires explicit profile installation via an MDM, a provisioning app, or a portal like Purple to trust the root CA and associate the Roaming Consortium OI with the SSID.

Q2. During a packet capture on the WAN interface of a RadSec proxy, you observe TCP SYN packets sent to port 2083, but no SYN-ACK is received. What troubleshooting steps should you take?

Hint: Focus on network path and firewall configurations.

Model answer:

  1. Verify that the outbound firewall policy permits TCP port 2083 traffic from the RadSec proxy IP to the destination OpenRoaming gateway.
  2. Check if there is an intermediate security appliance (such as an IPS or deep packet inspection firewall) blocking or dropping the traffic.
  3. Confirm that the destination IP address resolved via DNS NAPTR records is correct and reachable.
  4. Perform a traceroute to identify where the packet drop is occurring in the transit path.

Q3. Why is SSID consolidation considered a best practice when deploying Passpoint and OpenRoaming, and what is the technical impact of ignoring this recommendation?

Hint: Think about airtime efficiency and beacon overhead.

Model answer:

SSID consolidation is critical because every SSID configured on an AP must broadcast its own beacon frames, typically at the lowest supported mandatory data rate. Creating a dedicated SSID for Passpoint/OpenRoaming increases beacon overhead, consuming valuable airtime and reducing overall network capacity. By consolidating Passpoint onto an existing secure enterprise SSID, the AP advertises the 802.11u parameters within the existing beacon frames, preserving airtime and maintaining optimal channel efficiency.