Passpoint / Hotspot 2.0

Key Takeaways

Passpoint (Hotspot 2.0) is a WiFi Alliance certification based on the IEEE 802.11u standard that enables devices to automatically discover, select, and connect to WiFi networks -- delivering a cellular-like experience over WiFi.
All Passpoint connections use WPA2/WPA3-Enterprise encryption by default, eliminating the security risks of open guest networks and captive portals.
IronWiFi supports Passpoint across 14+ access point vendors including Ubiquiti UniFi, Cisco Meraki, Aruba, Ruckus, MikroTik, and Juniper Mist.
Passpoint is supported natively on iOS 7+, Android 6+ (9+ recommended), Windows 10+, and macOS 10.9+ -- covering the vast majority of modern devices.
Combined with OpenRoaming, Passpoint enables users to roam across thousands of hotspots worldwide using a single set of credentials.

Passpoint is a WiFi Alliance certification program based on the IEEE 802.11u standard that allows devices to automatically discover, select, and securely connect to WiFi networks without any manual configuration or credential entry by the user. It uses WPA2/WPA3-Enterprise encryption and EAP authentication to deliver a cellular-like roaming experience across participating hotspots worldwide.

When combined with IronWiFi's cloud RADIUS service, you can deploy enterprise-grade automatic WiFi authentication across any supported infrastructure.

What is Passpoint?

Passpoint is a WiFi Alliance certification program based on the IEEE 802.11u standard that enables:

Automatic network discovery - Devices find and connect to compatible networks automatically
Seamless roaming - Move between Passpoint networks without reauthentication
Carrier-grade security - Uses WPA2/WPA3-Enterprise encryption
Cellular-like experience - Connect to WiFi as easily as cellular networks

How Passpoint Works

The Passpoint connection process leverages the IEEE 802.11u standard for network discovery and the ANQP (Access Network Query Protocol) for capability advertisement, followed by standard 802.1X/EAP authentication:

Discovery: Device broadcasts a probe request and detects Passpoint-capable networks via the Interworking element (802.11u)
ANQP Query: Device queries the access point for supported authentication methods, roaming consortium OIs, NAI realms, and venue information
Selection: Device automatically selects the best matching network based on credentials, signal strength, and operator preferences
Authentication: Secure authentication via EAP-TLS (RFC 5216), EAP-TTLS (RFC 5281), or EAP-SIM (RFC 4186) through IronWiFi's RADIUS servers
Connection: WPA2/WPA3-Enterprise encrypted connection established without any user interaction

IronWiFi Passpoint Features

IronWiFi provides complete Passpoint infrastructure:

Passpoint Profile Management - Configure and deploy Passpoint profiles
RADIUS Authentication - Full EAP support for Passpoint authentication
OpenRoaming Integration - Connect to the global OpenRoaming federation
Certificate Management - PKI for EAP-TLS authentication
Analytics - Track Passpoint connections and roaming

Supported Vendors

IronWiFi Passpoint is compatible with:

Ubiquiti UniFi - UniFi access points
Cisco Meraki - Meraki wireless
Cisco WLC / Catalyst 9800 - Enterprise wireless controllers
Aruba - IAP and Mobility Controllers
Ruckus - SmartZone and standalone APs
MikroTik - RouterOS devices
FortiGate - Fortinet wireless
Mist - Juniper Mist AI
Cambium - cnPilot and XMS
TP-Link - Omada SDN
OpenWrt - Open source routers
Teltonika - Industrial routers
OpenWiFi (TIP) - Telecom Infra Project
Aerohive / Extreme - ExtremeCloud IQ

OpenRoaming

OpenRoaming extends Passpoint by creating a global WiFi roaming federation:

Connect to thousands of hotspots worldwide
Single credential for all participating networks
Automatic secure authentication

Device Support

Passpoint is supported on:

Platform	Support
iOS / iPadOS	iOS 7+
Android	Android 6+ (9+ recommended)
Windows	Windows 10+
macOS	macOS 10.9+

Getting Started

Configure your access points - Follow vendor-specific guides
Create Passpoint profile in IronWiFi - Define authentication and roaming settings
Deploy client profiles - Provision devices with Passpoint credentials
Test connectivity - Verify seamless connection

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Client    │────▶│ Access Point│────▶│  IronWiFi   │
│  (Phone)    │     │ (Passpoint) │     │   RADIUS    │
└─────────────┘     └─────────────┘     └─────────────┘
                           │                    │
                           │                    ▼
                           │            ┌─────────────┐
                           │            │  Identity   │
                           │            │  Provider   │
                           │            └─────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │ OpenRoaming │
                    │ Federation  │
                    └─────────────┘

Benefits

For Organizations

Reduce support calls for WiFi connectivity
Improve security with automatic WPA2/WPA3-Enterprise
Enable guest access without sharing passwords
Join global roaming federations

For Users

No manual network selection
No password entry
Seamless roaming between locations
Carrier-grade security

When to Use Passpoint

Passpoint delivers the most seamless WiFi experience available, but it is not the right fit for every deployment. Based on real-world deployments across enterprise, hospitality, and public-access networks, the following guidelines help determine when Passpoint adds the most value.

Use Passpoint when

Seamless, zero-touch connectivity is critical -- Venues where users expect to connect automatically without selecting a network or entering credentials (airports, stadiums, transit hubs, hotel chains).
You operate a multi-site or multi-venue network -- Passpoint enables automatic roaming across all locations with the same credentials, eliminating per-site configuration for users.
Security must be enforced without user friction -- Passpoint mandates WPA2/WPA3-Enterprise encryption, providing per-user encryption keys without requiring users to interact with a splash page.
You want to join the OpenRoaming federation -- Passpoint is the underlying technology for OpenRoaming, allowing your network to attract roaming users from global identity providers (Google, Apple, Microsoft).
Reducing WiFi support calls is a priority -- By eliminating manual network selection and password entry, Passpoint significantly reduces help desk volume related to WiFi connectivity.

Use traditional WiFi (captive portal or WPA-Enterprise) instead when

You need to collect user data before granting access -- Passpoint authenticates silently, so there is no splash page for marketing data capture, terms acceptance, or payment collection.
Your access points do not support Hotspot 2.0 -- Passpoint requires 802.11u-capable hardware. Older or consumer-grade access points may not support it.
Your user base is on legacy devices -- While most modern devices support Passpoint, some older Android devices (pre-Android 9) have limited or inconsistent support.
Simple guest access is sufficient -- For a small office or cafe where a captive portal splash page meets requirements, Passpoint adds unnecessary complexity.

Deployment Scenario

A large hotel chain deploys Passpoint on all properties, allowing loyalty program members to configure their devices once and automatically connect at any location worldwide. Guests who are not part of the loyalty program still see a captive portal on a separate SSID. IronWiFi manages both flows from a single console.

Next Steps

Was this page helpful?

What is Passpoint?​

How Passpoint Works​

IronWiFi Passpoint Features​

Supported Vendors​

OpenRoaming​

Device Support​

Getting Started​

Architecture​

Benefits​

For Organizations​

For Users​

When to Use Passpoint​

Use Passpoint when​

Use traditional WiFi (captive portal or WPA-Enterprise) instead when​

Next Steps​