How Passpoint (Hotspot 2.0) Transforms the Guest Wi-Fi Experience
A comprehensive technical reference guide detailing how Passpoint (Hotspot 2.0) and 802.11u protocols replace traditional captive portals with seamless, secure, cellular-like Wi-Fi roaming. It provides IT leaders with architectural overviews, implementation frameworks, and the business case for adopting credential-based authentication to solve MAC randomisation challenges and improve guest experience.
Executive Summary
For the modern enterprise venue, friction is a competitive disadvantage. Traditional captive portals, while once the standard for guest network access, now represent a significant operational bottleneck and a source of persistent user frustration. Passpoint, also known as Hotspot 2.0, fundamentally transforms this paradigm by replacing manual web-based authentication with seamless, cellular-like roaming. By leveraging the IEEE 802.11u standard and WPA3-Enterprise encryption, Passpoint allows guest devices to discover, authenticate, and connect to enterprise Wi-Fi networks automatically and securely.
For IT leaders across Hospitality, Retail, and large public venues, the transition to Passpoint is no longer optional. The default MAC address randomisation implemented in modern iOS and Android devices has effectively broken the re-authentication logic of legacy captive portals, meaning returning guests appear as new devices on every visit. Passpoint solves this by authenticating the user's credential profile rather than their hardware address. This guide details the technical architecture of Passpoint, the business impact of deployment, and a vendor-neutral implementation framework designed to improve the Guest WiFi experience while reducing helpdesk overhead.
Technical Deep-Dive
The Network Selection Problem and 802.11u
In legacy Wi-Fi deployments, devices rely on a fundamentally brittle mechanism for network selection: scanning for known Service Set Identifiers (SSIDs). This approach requires the user to have previously connected to the network or to manually select the network from a list. It provides no pre-association visibility into the network's security posture, authentication requirements, or upstream internet availability. Passpoint addresses this limitation through the IEEE 802.11u amendment, which introduces Interworking with External Networks.
Instead of passively scanning for SSIDs, a Passpoint-enabled device actively queries the network infrastructure before attempting association. When an access point broadcasts its beacon, it includes an Interworking Element, a flag indicating support for 802.11u. The client device detects this flag and initiates a Generic Advertisement Service (GAS) request. Encapsulated within this request is an Access Network Query Protocol (ANQP) query. The device asks the infrastructure, "What Roaming Consortium Organisational Identifiers (OIs) do you support?" If the access point's response matches a credential profile stored on the device, automatic authentication proceeds.
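As an added illustration (not code from the original guide), the following Python encodes and parses the Roaming Consortium element an access point advertises and performs the client-side OI comparison described above; 5A-03-BA is the OpenRoaming OI referenced later in this guide, while the two venue OIs (00-11-22-33-44 and AA-BB-CC) are constructed for the example.

```python
"""Parse the 802.11 Roaming Consortium element an AP advertises and match it
against the OIs stored in a Passpoint credential: the check a client performs
during 802.11u discovery before it decides to authenticate."""

ROAMING_CONSORTIUM_EID = 111                        # IEEE 802.11 element ID
OPENROAMING_SETTLEMENT_FREE_OI = bytes.fromhex("5A03BA")


def build_roaming_consortium(ois: list[bytes], anqp_extra: int = 0) -> bytes:
    """Encode up to three OIs as a Roaming Consortium element (test input)."""
    if not 1 <= len(ois) <= 3 or any(not 3 <= len(oi) <= 15 for oi in ois):
        raise ValueError("element carries 1-3 OIs of 3-15 bytes each")
    len1 = len(ois[0])
    len2 = len(ois[1]) if len(ois) > 1 else 0
    body = bytes([anqp_extra, len1 | (len2 << 4)]) + b"".join(ois)
    return bytes([ROAMING_CONSORTIUM_EID, len(body)]) + body


def parse_roaming_consortium(ie: bytes) -> list[bytes]:
    """Return the OIs in the element. Layout (IEEE 802.11-2016, 9.4.2.96):
    Element ID, Length, Number of ANQP OIs, OI#1/OI#2 lengths packed as
    low/high nibble, OI#1, optional OI#2, optional OI#3 filling the rest."""
    if len(ie) < 4 or ie[0] != ROAMING_CONSORTIUM_EID:
        raise ValueError("not a Roaming Consortium element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated element")
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    if len1 == 0 and len2:
        raise ValueError("OI#2 present without OI#1")
    ois, pos = [], 2
    for n in (len1, len2):
        if n:
            if pos + n > len(body):
                raise ValueError("OI length exceeds element")
            ois.append(bytes(body[pos:pos + n]))
            pos += n
    if pos < len(body):                             # OI#3 takes what remains
        ois.append(bytes(body[pos:]))
    return ois


def credential_matches(ie: bytes, credential_ois: set[bytes]) -> bool:
    """Client-side decision: any advertised OI exactly equals a stored OI."""
    return any(oi in credential_ois for oi in parse_roaming_consortium(ie))


if __name__ == "__main__":
    # Constructed beacon element: OpenRoaming OI plus two venue-specific OIs.
    beacon_ie = build_roaming_consortium([OPENROAMING_SETTLEMENT_FREE_OI,
                                          bytes.fromhex("0011223344"),
                                          bytes.fromhex("AABBCC")])
    print(credential_matches(beacon_ie, {OPENROAMING_SETTLEMENT_FREE_OI}))  # True
    print(credential_matches(beacon_ie, {bytes.fromhex("112233")}))         # False
```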

Authentication and Security Architecture
Passpoint mandates enterprise-grade security, completely eliminating the "open network" phase inherent to captive portal deployments. Authentication is handled via IEEE 802.1X port-based network access control, coupled with an Extensible Authentication Protocol (EAP) method. The most prevalent methods in enterprise deployments are EAP-TLS (relying on client and server certificates), EAP-TTLS (tunnelled credentials), and EAP-SIM/AKA (for cellular offload scenarios).
This architecture provides mutual authentication. The device cryptographically proves its identity to the network, and crucially, the network proves its identity to the device. This mutual verification is the primary defence against evil twin access points and man-in-the-middle interception attempts. Furthermore, Passpoint mandates WPA2-Enterprise or WPA3-Enterprise encryption. WPA3-Enterprise introduces 192-bit security mode and mandates forward secrecy, ensuring that a future compromise of long-term keys does not expose previously captured traffic.
The OpenRoaming Federation
While Passpoint defines the technical mechanism for discovery and authentication, OpenRoaming provides the trust framework. Developed by the Wireless Broadband Alliance (WBA), OpenRoaming is a global federation that allows Identity Providers (such as mobile network operators, Google, or Apple) and Access Providers (such as hotels, stadiums, and retail chains) to trust each other's credentials without requiring bilateral agreements between every entity.
OpenRoaming operates on a hub-and-spoke Public Key Infrastructure (PKI) model. Authentication requests are proxied across the federation using RadSec (RADIUS over TLS) tunnels. By broadcasting the settlement-free OpenRoaming OI (5A-03-BA), an enterprise venue can instantly provide seamless, secure Wi-Fi access to millions of users globally who already possess a compatible identity profile on their devices.
Implementation Guide
Deploying Passpoint requires a more sophisticated infrastructure baseline than a traditional open network, but the components are standard within modern enterprise environments.
Infrastructure Prerequisites
- Passpoint-Certified Access Points: The wireless infrastructure must support 802.11u and Hotspot 2.0 specifications. The vast majority of enterprise access points manufactured in the last five years from vendors like Cisco, Aruba, and Ruckus meet this requirement.
- RADIUS/AAA Infrastructure: A robust RADIUS server capable of handling EAP authentication and routing requests to the appropriate identity stores. If participating in OpenRoaming, the RADIUS server must support RadSec for secure proxying.
- Online Sign-Up (OSU) Server: For environments issuing their own credentials (rather than relying solely on federated identities), an OSU server provides the mechanism for securely provisioning Passpoint profiles to guest devices.
The Dual-SSID Strategy
The most effective deployment model for venues transitioning to Passpoint is the dual-SSID strategy. This approach maintains a traditional captive portal SSID for initial onboarding while providing a Passpoint SSID for seamless subsequent connections.
When a guest connects to the captive portal SSID for the first time, they complete the standard authentication flow (e.g., accepting terms and conditions, providing an email address). Upon successful authentication, the portal presents an option to download a Passpoint profile. Once installed, the device will automatically prefer the secure Passpoint SSID on all future visits. This progressive onboarding model ensures accessibility for legacy devices while migrating the majority of users to the secure, frictionless Passpoint network.

Best Practices
When designing a Passpoint architecture, IT leaders must adhere to several critical best practices to ensure operational stability and security.
Firstly, certificate lifecycle management is paramount. If utilizing EAP-TLS, the expiration of client or server certificates will result in silent authentication failures that are difficult for front-line helpdesks to diagnose. Implement automated certificate renewal protocols and proactive monitoring. As highlighted in our guide on Device Posture Assessment for Network Access Control, robust endpoint visibility is essential when managing certificate-based access.
Secondly, ensure legacy device compatibility. While iOS 7+, Android 6+, and Windows 10+ natively support Passpoint, certain IoT devices, legacy hardware, and strict corporate-managed devices may lack support. The dual-SSID strategy mitigates this risk by providing a fallback access method.
Thirdly, when configuring ANQP elements, ensure the Venue Information is accurate and descriptive. This metadata is often displayed by the client device's operating system to provide context about the network the user is joining.
Troubleshooting & Risk Mitigation
The complexity of Passpoint introduces specific failure domains that differ from captive portal deployments.
Failure Mode 1: RADIUS Timeout or Unreachability
If the local RADIUS server cannot reach the upstream Identity Provider (especially in federated OpenRoaming scenarios), the EAP handshake will time out. Mitigation: Implement redundant RADIUS infrastructure and ensure robust monitoring of RadSec tunnels. Review our technical documentation on RadSec: Securing RADIUS Authentication Traffic with TLS for configuration guidance.
Failure Mode 2: Profile Provisioning Failures
Users may encounter errors when attempting to download the Passpoint profile from the OSU server, often due to captive portal browser limitations on mobile devices. Mitigation: Design the captive portal flow to break out of the captive network assistant (CNA) mini-browser into the device's native system browser before initiating the profile download.
Failure Mode 3: MAC Randomisation Analytics Impact
While Passpoint solves the authentication breakage caused by MAC randomisation, legacy analytics platforms relying solely on MAC addresses will still report inaccurate visitor counts. Mitigation: Integrate the RADIUS authentication logs with your WiFi Analytics platform. By tracking unique credential identifiers (such as the Chargeable User Identity or anonymised NAI) rather than MAC addresses, venues can restore accurate footfall and loyalty metrics.
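As an added example (not from the original guide), this Python implements the mitigation above over constructed RADIUS authentication records: it counts visitors by Chargeable-User-Identity rather than Calling-Station-Id, flags locally administered (randomised) MACs, and keeps sessions without a stable identity separate instead of guessing. The record format and every value in it are constructed for the example and do not reproduce any particular RADIUS server's output.

```python
"""Restore accurate visitor counts from RADIUS authentication records by keying
on the credential identity (Chargeable-User-Identity, RFC 4372) instead of the
client MAC, which MAC randomisation changes between visits."""
import re
from collections import defaultdict

# Constructed sample records (not real server output): one Access-Accept per
# line as key="value" pairs. The guest with CUI ...-a1 returns on three days
# with three different randomised MACs; the last session carries no CUI.
SAMPLE_LOG = """\
2024-05-01T08:01:12Z Access-Accept User-Name="anonymous@idp.example" Calling-Station-Id="7a-11-22-33-44-55" Chargeable-User-Identity="9f1e7c2a-a1"
2024-05-02T09:14:03Z Access-Accept User-Name="anonymous@idp.example" Calling-Station-Id="de-ad-be-ef-00-01" Chargeable-User-Identity="9f1e7c2a-a1"
2024-05-03T18:40:55Z Access-Accept User-Name="anonymous@idp.example" Calling-Station-Id="c6-00-11-22-33-44" Chargeable-User-Identity="9f1e7c2a-a1"
2024-05-03T19:02:10Z Access-Accept User-Name="anonymous@carrier.example" Calling-Station-Id="0a-55-66-77-88-99" Chargeable-User-Identity="44b0d2e8-b7"
2024-05-03T19:05:41Z Access-Accept User-Name="guest42@portal.example" Calling-Station-Id="00-1a-2b-3c-4d-5e"
"""
ATTR_RE = re.compile(r'(\S+)="([^"]*)"')


def parse_records(log: str) -> list[dict]:
    """Split each line into timestamp, result and a dict of RADIUS attributes."""
    records = []
    for line in filter(str.strip, log.splitlines()):
        timestamp, result, attrs = line.split(" ", 2)
        rec = {"timestamp": timestamp, "result": result}
        rec.update(ATTR_RE.findall(attrs))
        records.append(rec)
    return records


def is_randomised_mac(mac: str) -> bool:
    """Randomised MACs are locally administered: bit 1 of the first octet is set."""
    return bool(int(re.split(r"[-:]", mac)[0], 16) & 0x02)


def visitor_metrics(records: list[dict]) -> dict:
    """Compare MAC-keyed counting with credential-keyed counting."""
    visit_days = defaultdict(set)      # CUI -> distinct calendar days seen
    unattributable = 0
    for rec in records:
        cui = rec.get("Chargeable-User-Identity")
        if cui is None:                # outer User-Name is anonymous; do not guess
            unattributable += 1
        else:
            visit_days[cui].add(rec["timestamp"][:10])
    return {
        "mac_based_visitors": len({r["Calling-Station-Id"] for r in records}),
        "credential_based_visitors": len(visit_days),
        "returning_visitors": sum(1 for d in visit_days.values() if len(d) > 1),
        "unattributable_sessions": unattributable,
        "randomised_mac_sessions": sum(is_randomised_mac(r["Calling-Station-Id"]) for r in records),
    }


if __name__ == "__main__":
    print(visitor_metrics(parse_records(SAMPLE_LOG)))
```

On the constructed records the MAC-keyed count reports five visitors where only two credential holders are present, which is exactly the inflation the mitigation removes.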
ROI & Business Impact
The business case for Passpoint deployment rests on three measurable pillars: operational efficiency, risk reduction, and user experience.
From an operational standpoint, the elimination of captive portal friction directly correlates to a reduction in IT helpdesk tickets related to Wi-Fi connectivity. In large Healthcare or Transport environments, this represents significant cost savings.
Regarding risk mitigation, the shift from open networks to WPA3-Enterprise encryption substantially reduces the venue's liability footprint. For retail environments subject to PCI DSS, the reduction in data handling surface area (by eliminating web-based credential collection) simplifies compliance audits.
Finally, the user experience improvement is profound. In hospitality, studies consistently show that seamless, reliable Wi-Fi is a primary driver of guest satisfaction and repeat bookings. By implementing Passpoint, venues deliver a connectivity experience that mirrors the reliability of cellular networks, transforming Wi-Fi from a frustrating utility into a transparent, premium amenity.

Key Terms & Definitions
IEEE 802.11u
The wireless networking standard amendment that enables Interworking with External Networks, allowing devices to query APs before associating.
When configuring wireless controllers, engineers must enable 802.11u to allow devices to discover Passpoint capabilities.
ANQP (Access Network Query Protocol)
A query and response protocol used by devices to discover network services, roaming agreements, and venue information before connecting.
IT teams configure ANQP profiles on the wireless controller to broadcast their supported Roaming Consortium OIs and NAI Realms.
Roaming Consortium OI
An Organisational Identifier broadcast by the access point that indicates which identity providers or federations the network supports.
If an enterprise joins OpenRoaming, they must ensure their APs broadcast the specific OpenRoaming OI (5A-03-BA).
OSU (Online Sign-Up)
A standardized process and server infrastructure for securely provisioning Passpoint credentials and certificates to a user's device.
When building a self-service onboarding flow for a loyalty programme, developers will integrate with an OSU server to push the profile to the device.
RadSec
A protocol that encapsulates RADIUS authentication traffic within a TLS tunnel to ensure secure transmission over untrusted networks.
Required when proxying authentication requests from a local venue to a cloud-based OpenRoaming hub.
NAI Realm
Network Access Identifier Realm; indicates the domain of the user and the specific EAP authentication methods supported by the network.
Configured alongside ANQP to tell client devices whether the network requires EAP-TLS, EAP-TTLS, or EAP-SIM.
EAP-TLS
Extensible Authentication Protocol - Transport Layer Security; a highly secure authentication method requiring both client and server certificates.
Often used in enterprise employee Wi-Fi deployments where IT can push certificates to managed devices via MDM.
MAC Address Randomisation
A privacy feature in modern mobile operating systems that generates a fake, temporary hardware address for each Wi-Fi network connection.
The primary catalyst driving venues away from captive portals, as it breaks the ability to recognize returning visitors based on their hardware.
Case Studies
A 400-room enterprise hotel chain is experiencing a high volume of helpdesk tickets from returning guests who complain they must manually reconnect to the Wi-Fi in the lobby, restaurant, and their rooms, despite having connected previously. The hotel currently uses a traditional open SSID with a captive portal. How should the network architect resolve this?
The architect should implement a Dual-SSID strategy. First, deploy a secure Passpoint SSID broadcasting the hotel's specific Roaming Consortium OI. Second, modify the existing captive portal on the open SSID to serve as an onboarding funnel. When a guest logs in via the portal, they are prompted to download a Passpoint configuration profile to their device. Once installed, the device will automatically and securely authenticate via 802.1X/EAP to the Passpoint SSID as they move between the lobby, restaurant, and room, eliminating manual re-authentication.
A national retail chain wants to offer secure, seamless Wi-Fi across its 500 locations to drive loyalty app engagement. However, managing custom certificates or individual credentials for millions of potential customers is deemed operationally unfeasible. What is the recommended deployment architecture?
The retailer should deploy Passpoint and federate with OpenRoaming. By configuring their access points to broadcast the settlement-free OpenRoaming OI (5A-03-BA) and establishing RadSec tunnels from their RADIUS infrastructure to an OpenRoaming hub, the retailer allows any customer with a compatible identity provider profile (such as a modern Samsung device or a mobile carrier profile) to connect automatically. The retailer can then integrate this with their loyalty app to trigger push notifications upon successful network association.
Scenario Analysis
Q1. A hospital IT director wants to deploy Passpoint to ensure doctors' mobile devices connect securely to the clinical network, while patients connect to a separate guest network. The doctors use unmanaged personal devices (BYOD). Which EAP method and provisioning strategy should the architect recommend?
Hint: Consider the balance between security and the operational overhead of managing certificates on unmanaged personal devices.
The architect should recommend EAP-TTLS with an Online Sign-Up (OSU) server provisioning flow. EAP-TLS requires client certificates, which are operationally difficult to deploy and manage on unmanaged BYOD devices. EAP-TTLS allows the doctors to authenticate securely using their existing Active Directory/LDAP credentials (username and password) tunneled inside a secure TLS session. The OSU server can provide a self-service portal where doctors log in once to download the profile, enabling automatic connection thereafter.
Q2. During a Passpoint deployment pilot, Android devices are successfully authenticating and connecting, but iOS devices are failing during the EAP handshake. The RADIUS logs show 'Unknown CA' errors. What is the most likely cause and solution?
Hint: Apple's iOS has strict requirements regarding the trust chain for RADIUS server certificates.
The most likely cause is that the RADIUS server is using a self-signed certificate or a certificate issued by a private internal Certificate Authority (CA) that the iOS devices do not inherently trust. Android devices sometimes allow users to bypass or ignore certificate validation (though this is poor security practice), whereas iOS strictly enforces it for Passpoint profiles. The solution is to replace the RADIUS server certificate with one issued by a publicly trusted commercial CA (e.g., DigiCert, Let's Encrypt), or ensure the private CA root certificate is explicitly bundled within the Passpoint configuration profile pushed to the iOS devices.
Q3. A stadium venue has implemented OpenRoaming. A user with a valid Google OpenRoaming profile walks into the venue, but their device does not attempt to connect automatically. What specific configuration on the stadium's wireless LAN controller should the network engineer verify first?
Hint: How does the device know that the access point supports the OpenRoaming federation before it attempts to connect?
The engineer should verify the ANQP configuration, specifically checking that the Access Points are broadcasting the correct Roaming Consortium Organisational Identifier (OI) for OpenRoaming, which is 5A-03-BA. If this OI is not included in the AP's beacon or GAS response, the device will not recognize the network as an OpenRoaming participant and will not attempt to authenticate.
Key Takeaways
- Passpoint (Hotspot 2.0) replaces manual captive portal logins with automatic, cellular-like Wi-Fi roaming.
- It uses IEEE 802.11u for pre-association network discovery and WPA3-Enterprise for encrypted, mutually authenticated connections.
- Passpoint solves the MAC address randomisation issue by authenticating the user's credential profile rather than their hardware address.
- OpenRoaming is the global federation framework that allows Passpoint devices to connect across different venues seamlessly.
- A dual-SSID strategy (Captive Portal for onboarding, Passpoint for returning users) is the recommended deployment model for enterprise venues.