Passpoint (Hotspot 2.0) कैसे Guest Wi-Fi अनुभव को बदल देता है

How Passpoint Transforms the Guest Wi-Fi Experience A Purple Technical Briefing — Approximately 10 Minutes --- INTRODUCTION AND CONTEXT — approximately 1 minute Welcome to the Purple Technical Briefing series. I'm going to spend the next ten minutes walking you through something that, frankly, should have replaced the captive portal years ago — Passpoint, also known as Hotspot 2.0. If you're managing Wi-Fi infrastructure at a hotel group, a retail estate, a stadium, or any venue where guests connect repeatedly, you've almost certainly hit the same wall: guests complaining about having to log in every single time, your IT helpdesk fielding calls about Wi-Fi that "used to work," and a growing realisation that iOS 14 and Android 10's MAC address randomisation has quietly broken your re-authentication logic. Passpoint is the answer to all of those problems. But it's not a magic switch — it's a properly engineered protocol that requires deliberate deployment. So let's get into it. --- TECHNICAL DEEP-DIVE — approximately 5 minutes Let's start with the core problem Passpoint solves, which engineers call the network selection problem. In traditional Wi-Fi, your device scans for a known SSID — a network name — and if it recognises one, it connects. That's simple, but it's brittle. It requires prior connection, it tells you nothing about the network's security posture, and it doesn't support roaming between venues. Every time a guest walks into your hotel, their device has to be manually pointed at your network, then intercepted by a captive portal, then authenticated through a web form. That's friction. And in 2026, friction is a competitive disadvantage. Passpoint shifts the paradigm entirely. Instead of looking for a network name, the device looks for a network that supports its credentials. Before even attempting to connect, the device asks the access point: "Do you support my identity provider?" If the answer is yes, authentication proceeds automatically. No login page. No password prompt. No manual selection. It's the cellular roaming model, applied to Wi-Fi. The mechanism that makes this possible is called the Generic Advertisement Service — GAS — combined with the Access Network Query Protocol, or ANQP. When a Passpoint-enabled access point broadcasts its beacon, it includes what's called an Interworking Element — essentially a flag that says "I speak 802.11u," which is the IEEE amendment that underpins all of this. Your device sees that flag, sends a GAS request, and inside that request, an ANQP query asks: "What Roaming Consortium Organisational Identifiers do you support?" The access point responds. If there's a match with a profile already on the device, the full WPA2 or WPA3 Enterprise authentication handshake begins. That authentication uses IEEE 802.1X — the same port-based access control standard used in enterprise wired networks — combined with an EAP method. The most common are EAP-TLS, which uses certificates; EAP-TTLS, which tunnels username and password securely; and EAP-SIM or EAP-AKA for mobile operator SIM-based authentication. The result is a mutually authenticated, fully encrypted session. The device proves its identity to the network, and the network proves its identity to the device. That mutual authentication is what prevents evil twin attacks and man-in-the-middle attacks that plague open Wi-Fi environments. Now, a term you'll hear alongside Passpoint is OpenRoaming — the Wireless Broadband Alliance's federation framework. Here's the distinction that matters: Passpoint is the vehicle. OpenRoaming is the highway system. Passpoint defines how a device discovers and authenticates to a network. OpenRoaming defines the trust ecosystem that allows an identity provider — say, Google, Samsung, or a mobile operator — and an access provider — your hotel, your stadium, your retail estate — to trust each other's credentials without a bilateral agreement between every pair. OpenRoaming uses a hub-and-spoke PKI model with RadSec tunnels — that's RADIUS over TLS — to proxy authentication requests across the federation. The key Roaming Consortium OI for settlement-free OpenRoaming is 5A-03-BA. You'll also want to broadcast the legacy Cisco OI, 00-40-96, for compatibility with older devices and Samsung OneUI profiles. From a security compliance perspective, Passpoint is a significant upgrade. WPA3-Enterprise uses 192-bit security mode and mandates forward secrecy — every session uses unique encryption keys, so compromising one session doesn't expose historical traffic. For organisations subject to PCI DSS — particularly retail environments processing card payments — or GDPR obligations around personal data, Passpoint's certificate-based authentication means you're not collecting credentials through a web form, which substantially reduces your data handling surface area. And then there's MAC address randomisation. Modern iOS and Android devices randomise their MAC address by default. This breaks traditional captive portal re-authentication flows — the device looks new on every visit. Passpoint is immune to this. Authentication is credential-based, not MAC-based. Your returning guest connects seamlessly on every visit, regardless of what their device's MAC address happens to be that day. This also has a significant implication for your Wi-Fi analytics — if you're using Purple's analytics platform, credential-based authentication restores the accuracy of your returning visitor data. --- IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes Let me give you the practical deployment picture. The infrastructure requirements are more involved than a captive portal, but they're well within reach for any organisation running enterprise-class hardware. You need Passpoint-certified access points — most enterprise APs from Cisco, Aruba, Ruckus, and Ubiquiti support this today. You need a RADIUS server with EAP support, AAA infrastructure for credential management, and ideally an OSU — Online Sign-Up — server for self-service profile provisioning. The configuration work centres on four elements: your ANQP settings, which define what the AP advertises pre-association; your Roaming Consortium OIs; your NAI realm definitions, which tell devices which EAP methods you support; and your venue information, which is used by devices to display context about the network. My strongest recommendation for most venues is a dual SSID strategy. Run a Passpoint SSID for returning guests and enrolled users, and maintain a captive portal SSID for first-time visitors. Use the captive portal as an onboarding funnel — present the option to install a Passpoint profile at the end of the first-visit authentication flow. This progressive onboarding model gives you the best of both worlds: easy first access, seamless return visits. Now, the pitfalls. The most common deployment failure I see is treating Passpoint as a drop-in replacement for captive portals without building the onboarding journey. If guests don't know how to install a profile, or if the OSU flow is clunky, adoption stalls. Invest in the provisioning experience. The second pitfall is certificate management. If you're using EAP-TLS with device certificates, you need a robust PKI lifecycle. Expired certificates will silently break authentication for affected devices — and your helpdesk will be the last to know. Automate certificate renewal and monitor expiry proactively. Third: don't neglect legacy device support. Passpoint requires iOS 7 or later, Android 6 or later, and Windows 10 or later. That covers the vast majority of modern devices, but IoT devices and some older corporate-issued hardware will need alternative access paths. --- RAPID-FIRE Q AND A — approximately 1 minute Does Passpoint work with existing access points? If they're enterprise-class hardware from the last five years, almost certainly yes — check for Wi-Fi Alliance Passpoint certification in the spec sheet. Can I still collect guest data with Passpoint? Yes, but the mechanism shifts. Data collection happens at profile provisioning time — in the OSU flow or app-based enrolment — rather than at every login. This is actually more GDPR-friendly, as consent is captured once, explicitly. What about venues that want branded splash pages? Passpoint connections are invisible by design, so traditional splash pages don't apply. However, you can trigger in-app notifications or push messages post-connection if you have a loyalty app integration. Some operators use a hybrid model where the first visit still goes through a branded portal before Passpoint enrolment. Is OpenRoaming free to join? The settlement-free tier of OpenRoaming, using the 5A-03-BA OI, is available at no cost through the Wireless Broadband Alliance. Commercial tiers with analytics and monetisation features are available through WBA members. --- SUMMARY AND NEXT STEPS — approximately 1 minute To summarise: Passpoint is not a future technology — it's a mature, standards-based protocol that is already deployed at major airports, hotel chains, and stadiums globally. The question for your organisation is not whether to adopt it, but when and how. If you're running a hotel group, a retail chain, or a large venue with recurring visitors, the ROI case is clear: reduced helpdesk burden, improved guest satisfaction, compliance risk mitigation, and accurate analytics data that isn't broken by MAC randomisation. Your next steps are straightforward. First, audit your current AP estate for Passpoint certification. Second, evaluate your RADIUS infrastructure and determine whether you need an OSU server for self-service provisioning. Third, design your dual SSID strategy and onboarding journey. And fourth, if you're considering OpenRoaming federation, engage with the Wireless Broadband Alliance or a platform provider like Purple who can handle the federation plumbing on your behalf. This is Purple's Technical Briefing on Passpoint and Hotspot 2.0. For the full written guide, architecture diagrams, and worked deployment examples, visit purple.ai. Thank you for listening.