Configuring a Passpoint Policy

About this task

To create and manage passpoint policies:

Procedure

  1. Select Configuration > Wireless > Passpoint Policy to display existing passpoint policies.
    Passpoint Policy Screen
  2. Refer to the following configuration data for existing passpoint policies:
    Name

    The administrator assigned name of each passpoint policy.

    Access Network Type

    The network access permissions the administrator has set for the passpoint policy.

    Operator Name

    The unique name assigned to the administrator or operator responsible for the configuration and operation of the access point managed hotspot.

    Venue Name

    The administrator assigned name of the venue (or physical location) of the deployed access point hotspot.

  3. Click Add to define a new passpoint policy, select an existing policy and click Edit to modify its configuration, or select an existing policy and click Delete to remove an obsolete policy.
    Optionally, Copy or Rename passpoint policies as needed.
    Passpoint Policy - Configuration Screen
  4. Configure the following Settings to define an Internet connection medium for the passpoint policy:
    Domain Name Optionally, add a 255-character maximum domain name to the pool available to the passpoint policy.
    HESSID Select this option to apply a homogenous ESS ID. Leaving this option blank applies the BSSID instead. This option is disabled by default.
    Internet Select this option to enable Internet access to users of the passpoint hotspot. Internet access is enabled by default.
    IPv4 Address Type Select the IPv4 address type for this passpoint policy. IPv4 is a connectionless protocol operating on a best-effort delivery model; unlike TCP, it does not guarantee delivery, proper sequencing, or avoidance of duplicate delivery. Options include not available, public, port-restricted, port-restricted-double-nat, single-nat, double-nat, port-restricted-single-nat, and unknown.
    IPv6 Address Type Select the IPv6 address type for this passpoint policy. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. Options include available, unavailable, and unknown.
    OSU SSID Optionally define a 32-character maximum sign-on ID that must be correctly provided to access the passpoint policy's hotspot resources.
    ROAM Consort Provide a 0 - 255 character roaming consortium number. A roaming consort ID is sent as roaming consortium information in a hotspot query response.
  5. Set the following WAN Metrics for upstream and downstream bandwidth:
    Up Speed Enable this option to estimate the maximum upstream bandwidth from 0 - 4,294,967,295 Kbps.
    Down Speed Enable this option to estimate the maximum downstream bandwidth from 0 - 4,294,967,295 Kbps.
  6. Set the following Connection Capability for the passpoint policy's FTP, HTTP, ICMP, IPSec VPN, PPTP VPN, SIP, SSH, and TLS VPN interfaces:
    Use the drop-down menu to define these interfaces as open, closed, or unknown for this passpoint policy configuration. Disabling unused interfaces is recommended to close unnecessary security holes.
  7. Select + Add Row to set a Connection Capability Variable to make specific virtual ports open or closed for Wi-Fi connection attempts and to set rules for how the user can connect with routing preference using this passpoint policy.
  8. Select + Add Row and set a Network Authentication Type to select how Wi-Fi connection attempts are authenticated and validated using a dedicated redirection URL resource.
  9. Refer to the Basic Configuration field to set the following:
    Access Network Type Select the network access method for this passpoint policy. Access network types include:
    private
    General access to a private network hotspot (default setting)
    private-guest
    Access to a private network hotspot with guest services
    chargeable-public
    Access to a public hotspot with billable services
    personal-device
    Access to a hotspot for personal devices such as wireless routers
    emergency services
    Dedicated network hotspot access for emergency services only
    Venue Group Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. Select the group type best suited to the majority of hotspot requestors utilizing the passpoint policy's unique configuration.
    Venue Type Select the venue type best suited to the actual location of passpoint requestors. If an adequate option cannot be applied, a numeric venue type can be utilized.
    Venue Name Enter the name and address of the venue where the access point hotspot is deployed. The operator configures this information on the access point to describe the hotspot's location to requesting clients. The name cannot exceed 252 characters.
    Venue Name Long Hotspot operators can list venue names in multiple languages. Select the + Add Row button to add venue name languages. Enter the two- or three-character ISO-14962-1997 encoded string that defines the language used in the Code field. Enter the name of the venue in the Name field. The name cannot exceed 252 characters.
  10. Refer to the Operator Network Parameters field to define the following:
    Operator Name Provide the unique name (in English) of the administrator or operator responsible for the configuration and management of the hotspot. The name cannot exceed 64 characters.
    Operator Name Long Operator names can be listed in multiple languages. Select the + Add Row button to add operator name languages. Enter the two- or three-character ISO-14962-1997 encoded string that defines the language used in the Code field. Enter the name of the operator in the Name field. The name cannot exceed 252 characters.
    PLMNID Operators providing mobile and Wi-Fi hotspot services have a unique Public Land Mobile Network (PLMN) ID. Select the + Add Row button to add PLMN information for operators responsible for the configuration and operation of the hotspot. Provide a description for the PLMN, not exceeding 64 characters.

    Enter a three-digit Mobile Country Code (MCC) and two-digit Mobile Network Code (MNC) for the PLMN ID. The MCC identifies the region and country where the hotspot is deployed. The MNC identifies the operator responsible for the configuration and management of the hotspot by PLMN ID and country. Both the MCC and MNC fields are mandatory.

  11. Click OK to update the passpoint policy settings.
    Click Reset to revert to the last saved configuration.
  12. Select NAI Realm.
    The Network Access Identifier (NAI) is the user identity submitted by the hotspot requesting client during authentication. The standard syntax is user@realm. NAI is frequently used when roaming, to identify the user and assist in routing an authentication request to the user's authentication server. The realm name is often the domain name of the service provider.
    The NAI Realm screen displays those realms created thus far for utilization with a passpoint policy.
    Passpoint Policy - NAI Realm Screen
  13. Click Add to create a new NAI realm configuration for passpoint hotspot utilization, Edit to modify the attributes of an existing configuration, or Delete to remove a selected configuration from those available.
    Provide a realm name or names (32 characters maximum), delimited by semicolons. Click + Add Row to create an EAP Method configuration for the NAI realm.
    Passpoint Policy - NAI Realm EAP Method Screen
  14. Set the following EAP Method attributes to secure the NAI realm used by the passpoint policy:
    Index Select an EAP instance index from 1 - 10 to apply to this hotspot's EAP credential exchange and verification session. NAIs are often user identifiers in the EAP authentication protocol.
    Method Set an EAP method for the NAI realm. Options include identity, otp, gtc, rsa-public-key, tls, sim, ttls, peap, ms-auth, ms-authv2, fast, psk, and ikev2.
    Authentication Type Specify the EAP method authentication type. Options include expanded-eap, non-eap-inner, inner-eap, expanded-inner-eap, credential, tunn-eap-credential, and vendor.
    Authentication Value If you are setting the authentication type to either non-eap-inner, inner-eap, credential, or tunnel-eap-credential, define an authentication value that must be shared with the EAP credential validation server resource.
    Authentication Vendor ID If the authentication type is set to either expanded-eap or expanded-inner-eap, set a six-character authentication vendor ID. This ID must match the ID utilized by the EAP server resource.
    Authentication Vendor Specific If required, add 2 - 510 characters of vendor-specific authentication data required for the selected authentication type. Enter the value as a hexadecimal string (characters a-f, A-F, and 0-9).
    Authentication Vendor Type Set an eight-character authentication vendor type used exclusively for the expanded-eap or expanded-inner-eap authentication types.
  15. Click OK to save the updates to the NAI realm.
    Click Reset to revert to the last saved configuration.
  16. Select OSU Provider.
    WiNG managed clients can use Online Sign-Up (OSU) for registration and credential provisioning to obtain hotspot network access. Service providers have an OSU AAA server and certificate authority (CA). For a client and hotspot to trust one another, the OSU server holds a certificate signed by a CA whose root certificate is issued by a CA authorized by the Wi-Fi Alliance, and CA certificates are installed on the client device. A CA performs the following functions:
    • Issues certificates (creates and signs)
    • Maintains certificate status information and issues certificate revocation lists (CRLs)
    • Publishes current (non-expired) certificates and CRLs
    • Maintains status archives for the expired or revoked certificates it has issued

    Passpoint certificates are governed by the Hotspot 2.0 OSU Certificate Policy Specification. An OSU server certificate should be obtained from any of the CAs authorized by the Wi-Fi Alliance. Once an OSU provider is selected, the client connects to the OSU WLAN. It then opens an HTTPS connection to the OSU server URL it received in the OSU provider list. The client validates the server certificate to ensure it is a trusted OSU server, and is then prompted to complete an online registration through its browser. When the client has a valid credential for the Hotspot 2.0 WLAN, it disassociates from the OSU WLAN and connects to the Hotspot 2.0 WLAN.

    The OSU Provider screen displays those provider configurations created thus far for use with a passpoint policy.
    Passpoint Policy - OSU Provider Screen
  17. Click Add to create a new OSU provider configuration for passpoint hotspot utilization, Edit to modify the attributes of an existing configuration, or Delete to remove a selected configuration from those available.
    Passpoint Policy - OSU Provider - Add/Edit Screen
  18. If you are creating a new OSU provider configuration, give it a 32-character maximum OSU ID that will serve as an online sign-up identifier.
  19. Set the following attributes to secure the Network Access Identifier (NAI) submitted by the hotspot during OSU authentication:
    Server URL Provide a 255 character maximum sign up server URL for the OSU provider.
    NAI Enter a 255 character maximum NAI to identify the user and assist in routing an authentication request to the authentication server. The realm name is often the domain name of the service provider.
    Method OMA DM Priority Select this option to provide Open Mobile Alliance (OMA) device management priority. OMA is a standards body developing open standards for mobile clients. OMA is relevant to service providers working across countries (with different languages), operators, and mobile terminals. Adherence to OMA is strictly voluntary. Use the drop-down menu to specify the priority as 1 or 2.
    Method SOAP XML SPP Priority Select this option to apply a SOAP-XML subscription provisioning protocol priority of either 1 or 2. The simple object access protocol (SOAP) is a protocol for exchanging structured information in web services. SOAP uses XML as its message format and relies on other application layer protocols, like HTTP or SMTP, for message negotiation and transmission.
  20. Refer to the Name field to optionally set a 252-character English language sign-up name, then provide a 3-character maximum ISO-639 language code to apply the sign-up name in a language other than English.
    Apply a 252-character maximum hexadecimal online sign-up name to encode in the ISO-639 language code applied to the sign-up name.
  21. Refer to the OSU Provider Description field to set an online sign-up description in a language other than English.

    Select + Add Row and provide a 3-character maximum ISO-639 language code to apply the sign-up name in a language other than English. Apply a 252-character maximum hexadecimal online sign-up description to encode in the ISO-639 language code applied to the sign-up name.

  22. Optionally provide an OSU Provider Icon by selecting + Add Row.
    Apply the following configuration attributes to the icon.
    Code Enter a 3-character maximum ISO-639 language Code to define the language used in the OSU provider icon.
    File Name Provide a 255-character maximum icon name and directory path location for the icon file.
    Height Provide the icon's height in pixels from 0 - 65,535. The default setting is 0.
    MIME Type Set the icon's MIME type (0 - 64 characters). The MIME type maps the icon file's name extension to a content type, allowing clients to fall back on the extension, and is frequently used by web servers.
    Width Provide the icon's width in pixels from 0 - 65,535. The default setting is 0.
  23. Click OK to save the updates to the OSU Provider configuration.
    Click Reset to revert to the last saved configuration.
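As an added example that is not WiNG code, the Python below encodes two of the ANQP elements a Passpoint access point advertises from the fields configured in this procedure: the PLMN IDs entered in step 10 (3GPP Cellular Network element) and the semicolon-delimited NAI realm with its EAP method and authentication types from steps 13 and 14 (NAI Realm element), so that a frame capture can be checked against the policy. Layouts follow IEEE 802.11u and 3GPP TS 24.008 (it also accepts the 3-digit MNCs 3GPP allows, beyond the 2-digit MNC this screen requires); the realm names and PLMN values are constructed samples.

```python
"""Added example (not WiNG code): encode two of the ANQP elements a Passpoint AP
advertises from the fields configured above, so a capture can be checked against
the policy. Layouts follow IEEE 802.11u and 3GPP TS 24.008 (little-endian lengths,
BCD PLMN digits); the realm and PLMN values below are constructed samples."""
import re
import struct

# IANA EAP type numbers for the page's method names used here (subset).
EAP_TYPE = {"tls": 13, "sim": 18, "ttls": 21, "peap": 25, "fast": 43, "psk": 47, "ikev2": 49}
# 802.11u Authentication Parameter IDs, keyed by the page's Authentication Type names.
AUTH_PARAM_ID = {"expanded-eap": 1, "non-eap-inner": 2, "inner-eap": 3,
                 "expanded-inner-eap": 4, "credential": 5, "tunn-eap-credential": 6, "vendor": 221}


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """One PLMN as three BCD octets, nibble-swapped; a 2-digit MNC is padded with 0xF."""
    if not (re.fullmatch(r"\d{3}", mcc) and re.fullmatch(r"\d{2,3}", mnc)):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    m, n = [int(c) for c in mcc], [int(c) for c in mnc]
    n3 = n[2] if len(n) == 3 else 0xF
    return bytes([(m[1] << 4) | m[0], (n3 << 4) | m[2], (n[1] << 4) | n[0]])


def encode_3gpp_cellular_network(plmns) -> bytes:
    """3GPP Cellular Network element: GUD, UDHL, IEI 0 (PLMN List), list length, count, PLMNs."""
    body = b"".join(encode_plmn(mcc, mnc) for mcc, mnc in plmns)
    plmn_list = bytes([0x00, len(body) + 1, len(plmns)]) + body
    return bytes([0x00, len(plmn_list)]) + plmn_list


def encode_nai_realm(realms: str, method: str, auth_params) -> bytes:
    """NAI Realm element with one Data field: the semicolon-delimited realm string from
    step 13 plus one EAP method tuple; auth_params are (Authentication Type, 1-byte value)."""
    names = [r.strip() for r in realms.split(";")]
    if any(not r or len(r) > 32 for r in names):
        raise ValueError("each realm must be 1-32 characters")
    realm = ";".join(names).encode("ascii")           # encoding 0 = RFC 4282 formatted
    params = b"".join(bytes([AUTH_PARAM_ID[t], 1, v]) for t, v in auth_params)
    eap = bytes([EAP_TYPE[method], len(auth_params)]) + params
    eap = bytes([len(eap)]) + eap                      # EAP Method tuple length prefix
    data = bytes([0x00, len(realm)]) + realm + bytes([1]) + eap  # one EAP method
    return struct.pack("<HH", 1, len(data)) + data     # realm count, data field length


if __name__ == "__main__":
    # Constructed sample: two PLMNs as entered in step 10, and a TTLS realm with MSCHAPv2
    # inner authentication (non-EAP inner type 4) and username/password credentials (type 7).
    print(encode_3gpp_cellular_network([("310", "260"), ("262", "01")]).hex())
    print(encode_nai_realm("example.com;wi-fi.example.org", "ttls",
                           [("non-eap-inner", 4), ("credential", 7)]).hex())
```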