Tag Archives: cisco

Hotspot 2.0 – Making WiFi Roaming Like Cellular

Following on from some of the talks at the recent WLPC conference in Dallas regarding Hotspot 2.0 and public WiFi in general  I wanted to sit down and take a closer look at Hotspot 2.0 and have a go at implementing it myself.   One of the key things I was taking away from people like Dave Wright speaking on the subject was that Hotspot 2.0 is not just a carrier solution and others should be looking to implement it in their network .

What is Hotspot 2.0?

The aspiration of Hotspot 2.0 is to make WiFi roaming more like that which users experience in todays cellular networks.

For example, when I travel abroad I get off the plane and turn on my cell phone which automagically finds a partner network that my home operator has a roaming agreement with and away I go.   No user intervention required.

That is what HS2.0 is aiming to do for WiFi – one operator can host many service providers users on its network, with proper authentication and as long as the device supports HS2.0 and has a valid profile installed it should automatically connect to any available service.   No user intervention required, no captive portals and only one SSID required (in theory!).

What was I aiming to get out of this lab test?

I wanted to see for myself how the configuration aspects of HS2.0 work in the context of a Cisco WLC and get to grips with some of the basics of the technology.

I will not be testing EAP-SIM / EAP-AKA as I don’t have a means to read the information out of my phone to create the required RADIUS entries, and also that is the method I would expect the carriers to be using more so than the providers mainly aiming at non-SIM enabled devices or venue operators.

My end goal was to implement HS2.0 with basic EAP-TTLS authentication (i.e. a cert identifies the authentication server but the user is still simple username / password) as that strikes me as being the method I would probably use in a couple of my environments combined with simple realm / domain announcements.

Lab setup:

I used the following gear in my lab for this testing:

  • Cisco vWLC (8.0.110.0 Code)
  • Cisco 3502 AP
  • pfSense 2.2 (Router / DNS / DHCP / NAT)
  • Freeradius2 (I used the pfSense package to save time)
  • VMware ESXi 5.5
  • Apple iPhone 6 (iOS 8.1.3)
  • Apple Configurator (v1.7.1)

The vWLC and pfSense were both running inside an ESXi 5.5 host located  in a remote datacenter, the APs were joined to the vWLC over a WAN link and operating in Flexconnect mode, however the HS2.0 network was configured for central authentication and central switching.

For the sake of brevity I will assume that people following along here are able to get the above components to a state where you have the WLC running and talking to a RADIUS server and that a user has been setup that you will be using to authenticate against.   The RADIUS package in pfSense is pretty straightforward to get up and running and there are some great guides on their forums that should get you going.

Step 1 – WLC Configuration:

Prepare a WLAN Profile with the following basic settings:

  • Profile Name = Hotspot 2.0 Test
  • SSID = HS2.0 (the SSID is actually irrelevant!)
  • Security = Layer2, WPA2-AES 802.1x, Select your RADIUS servers.

Next we need to enable 802.11u, on the WLANs tab hover over the blue arrow to the right of your WLAN profile and click 802.11u on the dropdown.

802.11u Config Menu
802.11u – Config Menu

Configure the 802.11u General Parameters as per your environment, add a domain (this is what our HS2.0 profile will be looking for to see if there is a valid service available) and add a realm (this is where we specify our EAP type).

802.11u - General Settings & Domain / Realm Config
802.11u – General Settings & Domain / Realm Config

After configuring the realm we need to specify an EAP type for it, click on the realm name and add EAP-TTLS.   Once you’ve added the EAP type we need to specify an authentication method, in our case that will be Inner EAP Auth – EAP TTLS.

802.11u - Auth Parameters
802.11u – Auth Parameters

The only thing that remains to do now is to enable Hotspot 2.0 on the WLAN profile, from the WLANs tab use the blue arrow to the right of the profile and select Hotspot 2.0.   Next simply enable HS2.0 and configure some WAN bandwidth parameters if you want to.

Step 2 – Using Apple Configurator to create a HS2.0 profile:

Apple provides a nice application that you can use to create a profile containing the authentication information required for your HS2.0 network.

There are two simple ways to get the profile onto the device once you’ve created it, either attaching it via USB to a computer or by sending the profile to the device as an email attachment, I will use the latter for this guide.

Inside the configurator select “Supervise” and then “all devices” and use the small + button to create a new profile.

Apple Configurator - Create new profile.
Apple Configurator – Create new profile.

Under the “General” settings area of the new profile fill in some of the required details and give the profile a name, after that is done we will want to import our certificate for our auth server so we can add it to the WiFi profile later on.

If you’re using the pfSense RADIUS package with the built in cert manager go to System > Cert Manager to export them.

Now configure a WiFi profile with the following settings:

  • Enable auto join.
  • Select “Passpoint” for “Network Type”.
  • Select “TTLS” for accepted EAP types.
  • Select “Trust” and tick your certificate(s).
  • Enter a Username / Password configured on your RADIUS server.
  • Apple requires the “Provider Display Name” to be set, this is what will be shown on the phone below the SSID.
  • Domain name – as per your WLC config.
Apple Configurator - WiFi Settings.
Apple Configurator – WiFi Settings.

Now click save and you will be taken out of the profile configuration area, you can now export the profile for installation onto a device, or use the prepare option to load the profile into a device connected via USB.

That should be all that is required and once the profile has been installed your device will now connect automatically to your HS2.0 network and authenticate using the credentials you have provided!

What I’ve learned and further areas of interest:

I clearly need to learn a lot more about RADIUS and .1x in general – this took me the best part of an evening to get up and running.   I’m sure that I have configured some things that are not required for my particular deployment, especially on the RADIUS side of things.

Hotspot 2.0 is a very interesting technology to me, given that for the most part my work involves building large public networks.   Today we often struggle with striking a balance between the holy trinity of “Free, Fast and Easy”,  when really in reality what I would like is to have “Free, Fast, Easy and Secure” and I can see HS2.0 giving us that.

The “Easy” part of implementing HS2.0 is going to be trickiest to work out, primarily how do we get profiles into peoples devices, and how do we arrange to authenticate other providers users.   The authentication infrastructure required to support HS2.0 is going to require a huge degree of openness and co-operation from the industry as a whole.   I would like to see a situation where as a network operator we can easily get access to other operators authentication infrastructure, ideally via some kind of regional roaming hub or RADIUS clearing house that would allow us to quickly turn up services for a number of providers.   I’m envisioning something along the lines of Eduroam’s federated RADIUS servers perhaps?

The biggest selling point of HS2.0 for me in that context is the idea of simply getting people connected automatically as soon as they walk in our doors.   There is also the added bonus of cutting down on the number of SSIDs in the air – imagine a conference centre with 10 separate events on one day all demanding an SSID for connectivity – how much better would it be if they just used a  profile and we did some VLAN override based on their profile!   We currently do something similar using .1x for devices we own and control, but what the public bring in is a totally different matter.

It seems at the moment that support in devices for HS2.0 is generally also lacking outside of the high end Samsung and Apple devices there seems to be fairly poor uptake in support for it.   It’s a shame that Google are not supporting this yet in their Nexus range of devices as perhaps if it were baked into Android stock OS other vendors would support it by default.   We also really need to see a significant growth in support for protocols such as 802.11k/r/v (fast roaming in particular if we are moving to a certificate based system) and at the moment outside of a lot of high end devices and recent hardware from Apple seems to be fairly thin on the ground.

Recommended reading:

There are some great white papers from various vendors and telcos around at the moment on HS2.0 and there are some good blogs and posts covering real world deployments in some very large networks.

Ruckus Wireless – Hotspot 2.0

Aruba Networks – Hotspot 2.0 White Paper

Cisco Blogs on Hotspot 2.0

Cisco config guide for EAP-SIM & EAP-TLS