
Passpoint Troubleshooting

Overview

This guide covers common issues with Passpoint (Hotspot 2.0) deployments using IronWiFi, including profile installation failures, automatic connection problems, OSU portal errors, and device-specific behavior. Use the quick reference table to jump to your issue, then follow the step-by-step resolution.

Quick Reference

| Symptom | Likely Cause | Section |
| --- | --- | --- |
| Profile fails to install | Certificate trust issue or invalid profile | Profile Installation Issues |
| Device does not auto-connect | Passpoint not enabled on AP or device | Automatic Connection Failures |
| OSU portal not loading | DNS/firewall blocking or certificate error | OSU Portal Errors |
| Authentication fails after profile install | Credential mismatch or expired certificate | Authentication Failures |
| Intermittent disconnections | Roaming configuration or session timeout | Connectivity Problems |
| Android device issues | OS version or carrier restrictions | Android-Specific Issues |
| iOS device issues | Profile trust settings or MDM conflicts | iOS-Specific Issues |
| Windows device issues | Certificate store or supplicant configuration | Windows-Specific Issues |

Profile Installation Issues

Profile Download Fails

Symptoms: User clicks the profile download link but nothing happens, or the browser shows an error.

Causes and Solutions:

| Cause | Solution |
| --- | --- |
| Browser blocking the download | Try a different browser. Safari works best on iOS; Chrome works best on Android. |
| HTTPS certificate error on portal | Verify the OSU portal SSL certificate is valid and not expired |
| Content-Type header incorrect | Ensure the server returns `application/x-apple-aspen-config` for iOS profiles |
| Profile file corrupted | Regenerate the profile in the IronWiFi Console |
| Network blocks the download URL | Add `*.ironwifi.com` to the walled garden on the access point |

Profile Installation Rejected on iOS

Symptoms: iOS displays "Profile Failed to Install" or "Invalid Profile" when attempting to install.

Step-by-step resolution:

  1. Check the profile was downloaded completely (partial downloads are rejected)
  2. Navigate to Settings > General > VPN & Device Management to find the pending profile
  3. If the profile does not appear, re-download it using Safari (other browsers may not trigger the install flow)
  4. If you see "Not Signed" or "Not Verified":
    • The signing certificate may have expired
    • Regenerate the profile in the IronWiFi Console under Networks > Passpoint
  5. For managed devices (MDM), ensure there are no conflicting WiFi profiles
Note: iOS requires profiles to be downloaded via Safari for the automatic installation prompt to appear. Profiles downloaded through Chrome or other browsers must be manually installed from Settings.

Profile Installation Fails on Android

Symptoms: Android does not prompt for installation, or shows "Can't install certificate" or "Network error."

Resolution:

  1. Verify the device supports Passpoint (Android 6.0+ required, but Android 10+ recommended)
  2. Check that the user opens the profile from the Downloads notification or Files app
  3. For certificate-based profiles:
    • Navigate to Settings > Security > Install from storage
    • Select the downloaded certificate file
    • Enter a name and select "WiFi" as the credential use
  4. Some manufacturer skins (Samsung One UI, MIUI) have non-standard Passpoint implementations -- see Android-Specific Issues

Invalid Signature Error on Windows

Symptoms: Windows displays "The digital signature for this file could not be verified" or similar.

Resolution:

  1. Right-click the profile file > Properties > Digital Signatures tab
  2. Verify the signing certificate is trusted by the Windows certificate store
  3. If the root CA is not trusted:
    • Download the IronWiFi root CA certificate
    • Install it in the Trusted Root Certification Authorities store
    • Retry the profile installation
  4. See Invalid Signature Error for detailed Windows-specific instructions

Automatic Connection Failures

Device Does Not Auto-Connect to Passpoint Network

Symptoms: The device has a valid Passpoint profile installed but does not automatically connect when in range of a Passpoint-enabled network.

Checklist:

  1. Verify Passpoint is enabled on the access point:

    • Log in to your AP controller
    • Confirm Hotspot 2.0 / Passpoint is enabled on the SSID
    • Verify the ANQP (Access Network Query Protocol) settings are configured
    • Check that the NAI realm matches the realm in the profile
  2. Verify Passpoint is enabled on the device:

    • iOS: Settings > WiFi > verify the Passpoint network appears under "Known Networks"
    • Android: Settings > WiFi > Advanced > Passpoint (must be toggled on)
    • Windows: Run `netsh wlan show profiles` and verify the Passpoint profile exists
  3. Check the NAI realm configuration:

    • The NAI realm on the AP must exactly match what is configured in the Passpoint profile. A mismatch prevents the device from recognizing the network as a match.
  4. Verify the Roaming Consortium OI:

    • The OI in the AP configuration must match the OI in the profile
    • For IronWiFi-issued profiles, use the OI provided in your Network settings
Tip: Use a WiFi analyzer app (e.g., WiFi Explorer on macOS, Wifiman on Android) to verify that the AP is broadcasting Passpoint/Hotspot 2.0 advertisements with the correct ANQP data.
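
The realm and OI checks in the checklist above can be run against a downloaded iOS profile before changing anything on the AP. This added example (not IronWiFi code) parses a .mobileconfig with Python's plistlib and compares its NAIRealmNames and RoamingConsortiumOIs with the values configured on the AP. The sample profile, the AP values, the OI normalization and the handling of signed profiles are assumptions made for illustration.

```python
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"  # Apple Wi-Fi payload type

def load_profile(raw: bytes) -> dict:
    # Assumption: a signed profile carries its XML plist in the clear inside
    # the signature wrapper, so slicing it out handles both signed and unsigned.
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no complete XML plist found (partial download?)")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def norm_oi(oi: str) -> str:
    # Assumption: OIs are compared as hex digits, ignoring case and separators.
    return "".join(c for c in oi.lower() if c in "0123456789abcdef")

def check_passpoint(raw: bytes, ap_realms: list, ap_ois: list) -> list:
    """Return a list of findings; empty means realm and OI both line up."""
    payloads = [p for p in load_profile(raw).get("PayloadContent", [])
                if p.get("PayloadType") == WIFI_PAYLOAD and p.get("IsHotspot")]
    if not payloads:
        return ["profile has no Wi-Fi payload with IsHotspot set"]
    findings = []
    for p in payloads:
        realms = p.get("NAIRealmNames", [])
        if not set(realms) & set(ap_realms):
            # Distinguish a near miss (case or stray whitespace) from a real mismatch.
            near = {r.strip().lower() for r in realms} & {r.strip().lower() for r in ap_realms}
            findings.append(
                f"NAI realm differs only by case/whitespace: {sorted(near)}" if near
                else f"NAI realm mismatch: profile {realms}, AP {ap_realms}")
        ois = {norm_oi(o) for o in p.get("RoamingConsortiumOIs", [])}
        if not ois & {norm_oi(o) for o in ap_ois}:
            findings.append(f"roaming consortium OI mismatch: profile {sorted(ois)}")
    return findings

# Constructed sample profile, not an IronWiFi-generated file.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": WIFI_PAYLOAD,
        "IsHotspot": True,
        "NAIRealmNames": ["example.net"],
        "RoamingConsortiumOIs": ["AABBCC"],
    }],
})

if __name__ == "__main__":
    print(check_passpoint(SAMPLE, ["Example.net "], ["aa-bb-cc"]))
```

A finding of "differs only by case/whitespace" points at a typing error in the AP's ANQP settings rather than a wrong realm, which is quicker to correct than regenerating the profile.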

Device Connects to Wrong Network

Symptoms: The device has multiple WiFi profiles and connects to a non-Passpoint network instead of the Passpoint network.

Resolution:

  1. On iOS: Remove competing WiFi networks from Known Networks, or toggle off Auto-Join for those networks
  2. On Android: Forget other saved networks in the area, or prioritize the Passpoint network
  3. On Windows: Set the Passpoint network to higher priority:
  4. Verify the Passpoint network signal strength is adequate (at least -70 dBm)

OSU Portal Errors

OSU Portal Not Loading

Symptoms: The user attempts to access the Online Sign-Up portal but sees a blank page, timeout, or connection error.

Causes and Solutions:

| Cause | Solution |
| --- | --- |
| DNS resolution failure | Verify `osu.ironwifi.com` resolves correctly from the user's network |
| Firewall blocking HTTPS | Allow outbound TCP port 443 to `osu.ironwifi.com` |
| Walled garden misconfigured | Add `osu.ironwifi.com` and `*.ironwifi.com` to the walled garden |
| Captive portal redirect loop | Check that the redirect URL in the AP settings is correct |
| SSL certificate error | Clear browser cache; if persistent, check the system clock on the device |

OSU Registration Fails

Symptoms: User completes the registration form but receives an error when submitting.

Resolution:

  1. Check that all required fields are completed
  2. Verify the email address format is valid
  3. Check IronWiFi service status for any ongoing incidents
  4. Review the RADIUS authentication logs in the IronWiFi Console:
    • Navigate to Logs > Authentication Logs
    • Filter by the OSU portal source
    • Look for error details in the response

OSU Profile Provisioning Error

Symptoms: Registration succeeds but the automatic profile download or installation fails.

Resolution:

  1. Verify the profile generation is configured in the IronWiFi Console:
    • Navigate to Networks > select network > Passpoint tab
    • Confirm the profile template is configured and active
  2. Check that the OSU server URL in the ANQP configuration matches the actual portal URL
  3. Try manual profile download from the success page link
  4. Check browser console for JavaScript errors that may prevent the download trigger
Note: The WiFi Alliance deprecated the OSU feature from Passpoint certification testing as of June 30, 2023. Existing OSU implementations continue to function, but new device OS versions may have reduced or changed OSU support. Consider MDM-based provisioning or the IronWiFi onboarding portal as alternatives. See Passpoint Onboarding for all available methods.


Authentication Failures After Profile Installation

EAP-TLS Authentication Rejected

Symptoms: Profile is installed but RADIUS rejects authentication. Error logs show certificate-related failures.

Resolution:

  1. Check the authentication logs in the IronWiFi Console:

    • Navigate to Logs > Authentication Logs
    • Filter by the username or MAC address
    • Look for the rejection reason
  2. Common certificate issues:

| Error | Cause | Fix |
| --- | --- | --- |
| `certificate has expired` | Client certificate past validity | Reissue the certificate and reinstall the profile |
| `certificate revoked` | Certificate appears on the CRL | Issue a new certificate if the revocation was in error |
| `unknown CA` | Client cert signed by untrusted CA | Add the CA to IronWiFi's trusted CA list in Network settings |
| `certificate chain incomplete` | Missing intermediate CA | Include the full chain in the profile |

  3. Verify the server certificate is trusted by the client device:
    • The IronWiFi RADIUS server certificate must chain to a CA trusted by the OS
    • Some older devices may not trust newer root CAs

See Certificate Revocation for managing certificate validity.

EAP-TTLS/MSCHAPv2 Authentication Fails

Symptoms: Profile uses username/password authentication but RADIUS rejects the credentials.

Resolution:

  1. Verify the username and password in the IronWiFi Console:
    • Navigate to Users > search for the user
    • Confirm the account is enabled and credentials are correct
  2. Check that the user belongs to a group with Passpoint access
  3. Verify the EAP method in the profile matches the server configuration:
    • Profile: EAP-TTLS with MSCHAPv2 inner method
    • Server: Must support MSCHAPv2 (requires NT-Password or cleartext password stored)
  4. Test with the IronWiFi authentication test tool:
    • Navigate to Networks > select network > Test Authentication

Intermittent Connectivity Problems

Frequent Disconnections

Symptoms: Device connects via Passpoint but disconnects after a period of time, then reconnects.

Causes and Solutions:

| Cause | Solution |
| --- | --- |
| Session-Timeout too short | Increase the `Session-Timeout` attribute in the user's group. See Attributes. |
| Idle-Timeout too aggressive | Increase `Idle-Timeout` or disable it for Passpoint users |
| AP roaming settings | Adjust minimum RSSI and roaming aggressiveness on the AP controller |
| Certificate expiration during session | Check if the client certificate expires mid-session |
| RADIUS server unreachable | Verify both primary and secondary RADIUS servers are configured on the AP |

Slow Connection Establishment

Symptoms: Device takes more than 5 seconds to establish a connection after detecting the Passpoint network.

Resolution:

  1. Check RADIUS response time in the authentication logs
  2. Verify the AP's RADIUS timeout settings (recommended: 5 seconds, 3 retries)
  3. Ensure the AP is configured with the closest IronWiFi region
  4. For EAP-TLS, verify OCSP/CRL lookup is not causing delays:
    • If OCSP is slow, consider using CRL instead
    • Check that the CRL distribution point is accessible from IronWiFi's servers

Device-Specific Issues

Android-Specific Issues

Common Android Passpoint problems:

  1. "Passpoint" toggle missing in WiFi settings:

    • Passpoint requires Android 6.0+
    • Some budget devices do not include Passpoint support
    • Check with the device manufacturer for Passpoint compatibility
  2. Samsung devices not auto-connecting:

    • Samsung One UI may require manually enabling Passpoint: Settings > Connections > WiFi > Advanced > Passpoint
    • After enabling, restart WiFi for the profile to take effect
  3. Certificate installation prompts for lock screen:

    • Android requires a PIN, pattern, or password when installing certificates
    • Set a screen lock before installing the Passpoint profile
  4. Random MAC address causes re-authentication:

    • By default, Android 10+ uses a random MAC per network
    • For consistent identity, instruct users to set Privacy to "Use device MAC" for the Passpoint network

iOS-Specific Issues

Common iOS Passpoint problems:

  1. Profile shows "Not Verified" warning:

    • The profile signing certificate is not in Apple's trusted root store
    • Users can still install by tapping "Install" and entering their passcode
    • For a clean experience, use an Apple-trusted signing certificate
  2. Passpoint network not appearing after profile install:

    • Toggle WiFi off and on
    • If still missing, restart the device
    • Verify the profile is listed in Settings > General > VPN & Device Management
  3. Private WiFi Address interfering:

    • iOS 14+ uses private MAC addresses by default
    • If MAC-based policies are in use, disable Private WiFi Address for the specific network: Settings > WiFi > tap the (i) next to the network > toggle off Private WiFi Address
  4. MDM-managed devices rejecting profiles:

    • Check for MDM restrictions on WiFi profile installation
    • The MDM may need to push the Passpoint profile instead of manual installation

Windows-Specific Issues

Common Windows Passpoint problems:

  1. Passpoint not supported on older Windows versions:

    • Passpoint requires Windows 10 version 1709 or later
    • Windows 11 has improved Passpoint support
  2. Certificate not found during authentication:

    • Verify the certificate is in the correct store (Personal > Certificates)
    • Open `certmgr.msc` and check that the client certificate has a private key
    • Verify the certificate purpose includes "Client Authentication"
  3. Windows prefers other WiFi networks:

    • Open Network and Sharing Center > manage known networks
    • Set the Passpoint network to connect automatically
    • Lower the priority of competing networks
  4. Group Policy conflicts:

    • Domain-joined machines may have Group Policy settings that restrict WiFi profile installation
    • Check with the domain administrator for WiFi-related GPOs

macOS-Specific Issues

  1. Profile installation requires admin password:

    • macOS requires admin credentials to install network profiles
    • This is expected behavior and cannot be bypassed
  2. Keychain access prompt on every connection:

    • When prompted, select "Always Allow" to save the permission
    • If the prompt recurs, delete the keychain entry and reinstall the profile

Diagnostic Tools

IronWiFi Console Diagnostics

  1. Authentication Logs: Navigate to Logs > Authentication Logs to see all RADIUS authentication attempts, including rejections with reason codes
  2. Test Authentication: Navigate to Networks > select network > Test Authentication to simulate an auth request
  3. Request Inspector: View the raw RADIUS request/response pairs for debugging attribute issues

Device-Side Diagnostics

iOS:

Android:

Windows:

macOS:

AP-Side Diagnostics

Verify the access point's Passpoint configuration:

  1. Confirm Hotspot 2.0 is enabled on the SSID
  2. Verify ANQP settings (NAI realm, roaming consortium, venue info)
  3. Check RADIUS server connectivity from the AP
  4. Review the AP's authentication logs for RADIUS timeout or rejection events
  5. Test with a known-good Passpoint client to isolate AP vs. device issues
