Key Points
- Passpoint automates Wi-Fi connectivity, enabling devices to discover and securely connect to networks without manual logins.
- By leveraging 802.1X, WPA2/WPA3, and cloud RADIUS servers, Passpoint ensures seamless, certificate-based authentication and roaming.
- Upgrade your network with Passpoint and SecureW2 solutions to deliver secure, effortless Wi-Fi access for every device.
Public Wi-Fi is a known attack surface. Open networks expose users to rogue access points, man-in-the-middle interception, and credential theft. Passpoint secure Wi-Fi, also called Hotspot 2.0, was built to fix this.
Developed by the Wi-Fi Alliance, Passpoint automates the entire process of discovering, authenticating, and encrypting Wi-Fi connections so that devices connect to trusted networks without manual login or captive portals.
For IT teams at universities, airports, hotels, healthcare facilities, and enterprises, Passpoint provides a way to offer public or campus-wide Wi-Fi that is both frictionless and secure. And because Passpoint Wi-Fi relies on 802.1X authentication and EAP-TLS under the hood, the same certificate-based infrastructure that secures your internal network can power your Passpoint deployment.
What Is Passpoint (Hotspot 2.0)?
Passpoint is a Wi-Fi Alliance certification program that defines how devices automatically discover and connect to secure Wi-Fi networks. The underlying standard is IEEE 802.11u, which extends the Wi-Fi protocol to support network advertisement and selection before a device even associates with an access point.
Here is how it works, step by step:
1. Network discovery. A Passpoint-enabled device broadcasts a query using the Access Network Query Protocol (ANQP). Nearby access points respond with metadata, including the network operator’s domain name, available EAP authentication methods, roaming consortium memberships, and IP address availability.
2. Profile matching. The device compares the ANQP response against locally stored Passpoint profiles. These profiles contain the user’s credentials (a digital certificate, SIM credential, or username/password pair), the trusted network operator, and the required security settings.
3. Automatic authentication. When a match is found, the device connects and authenticates using WPA2-Enterprise or WPA3-Enterprise encryption and an EAP method such as EAP-TLS, EAP-TTLS, or EAP-SIM. There is no captive portal, and no password prompt.
4. Seamless roaming. As the user moves between Passpoint-enabled access points, the device re-authenticates automatically. This works across different network operators when roaming agreements are in place, similar to cellular roaming.
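The discovery and profile-matching steps above, as an added example that is not from the original article: a Python sketch that parses the Domain Name, Roaming Consortium and NAI Realm ANQP elements from a constructed response and ranks a device's stored profiles against it. The home-FQDN suffix rule and the home > roaming-consortium > NAI-realm ranking are simplifications assumed here, not the full Hotspot 2.0 selection policy, and the domain, OI and profile values are constructed.

```python
import struct
ROAMING_CONSORTIUM, NAI_REALM, DOMAIN_NAME = 261, 263, 268   # ANQP info IDs (IEEE 802.11u)
EAP_TLS, EAP_SIM, EAP_TTLS = 13, 18, 21   # EAP method type codes carried in the NAI Realm element
def elem(info_id, body): return struct.pack("<HH", info_id, len(body)) + body   # 2-byte LE ID, LE length, body
def lv(b): return bytes([len(b)]) + b     # 1-byte length-prefixed field

def parse_anqp(payload):
    """Parse the Domain Name, Roaming Consortium and NAI Realm elements of an ANQP response."""
    out, pos = {"domains": [], "ois": [], "realms": {}}, 0
    while pos < len(payload):
        info_id, length = struct.unpack_from("<HH", payload, pos)
        body, pos = payload[pos + 4:pos + 4 + length], pos + 4 + length
        if info_id in (DOMAIN_NAME, ROAMING_CONSORTIUM):   # both bodies are runs of (len, value)
            key, i = ("domains" if info_id == DOMAIN_NAME else "ois"), 0
            while i < len(body):
                val = body[i + 1:i + 1 + body[i]]
                out[key].append(val.decode() if key == "domains" else val.hex())
                i += 1 + body[i]
        elif info_id == NAI_REALM:   # 2-byte count, then records: 2-byte len, encoding, realm, EAP methods
            count, i = struct.unpack_from("<H", body, 0)[0], 2
            for _ in range(count):
                rec_len = struct.unpack_from("<H", body, i)[0]
                rec, i = body[i + 2:i + 2 + rec_len], i + 2 + rec_len
                realm, j = rec[2:2 + rec[1]].decode(), 2 + rec[1]
                n_eap, j, methods = rec[j], j + 1, []
                for _ in range(n_eap):   # each method: len, type code, auth-param count, params
                    methods.append(rec[j + 1]); j += 1 + rec[j]
                out["realms"][realm] = methods
    return out

def fqdn_matches(home, advertised):   # advertised name equals, or is a subdomain of, the profile's home FQDN
    h, a = home.lower().split("."), advertised.lower().split(".")
    return len(h) <= len(a) and a[-len(h):] == h
def select_profile(anqp, profiles):
    """Best match wins: home FQDN (rank 0) beats roaming-consortium OI (1) beats NAI realm + EAP (2)."""
    best = None
    for p in profiles:
        if any(fqdn_matches(p["home_fqdn"], d) for d in anqp["domains"]): rank, how = 0, "home"
        elif set(p.get("ois", [])) & set(anqp["ois"]): rank, how = 1, "roaming-consortium"
        elif p["eap"] in anqp["realms"].get(p["realm"], []): rank, how = 2, "nai-realm"
        else: continue   # nothing matches: the device does not associate with this AP
        if best is None or rank < best[0]: best = (rank, p, how)
    return (best[1], best[2]) if best else None

# Constructed ANQP response: domain example.edu, one OI 00-11-22, NAI realm example.edu offering EAP-TLS
realm_rec = b"\x00" + lv(b"example.edu") + b"\x01" + lv(bytes([EAP_TLS, 0]))
SAMPLE_ANQP = (elem(DOMAIN_NAME, lv(b"example.edu")) + elem(ROAMING_CONSORTIUM, lv(bytes.fromhex("001122")))
               + elem(NAI_REALM, struct.pack("<HH", 1, len(realm_rec)) + realm_rec))
PROFILES = [{"name": "campus", "home_fqdn": "example.edu", "realm": "example.edu", "eap": EAP_TLS},
            {"name": "partner", "home_fqdn": "other.org", "realm": "other.org", "eap": EAP_TLS, "ois": ["001122"]}]
```

A device holding only a profile whose realm is advertised but whose EAP method is not offered gets no match and stays off the network, which is the denial case a rollout test should confirm.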
The result is a Wi-Fi experience that feels like cellular connectivity: the user does nothing, and the wireless link is encrypted from the first frame.
Passpoint Releases: R1, R2, and R3
The Passpoint specification has evolved through three major releases.
Passpoint R1 introduced the core framework: 802.11u-based discovery, ANQP queries, and automatic connection using WPA2-Enterprise. R1 gave devices the ability to find and join Passpoint networks, but initial credential provisioning still had to happen out of band.
Passpoint R2 added Online Sign-Up (OSU), which lets users enroll for Passpoint credentials directly from the device. R2 also improved credential management and introduced policies for network selection priority. This was a significant step for service providers who needed a way to onboard new subscribers without manual IT intervention.
Passpoint R3 brought WPA3-Enterprise support, a single-SSID approach to OSU (reducing the number of SSIDs an operator needs to broadcast), and terms-and-conditions acceptance flows for venues that require it. R3 aligns Passpoint with the latest Wi-Fi security standards and makes deployment simpler for high-density environments.
Passpoint Secure Wi-Fi vs. Traditional Public Wi-Fi
The difference between Passpoint and traditional public Wi-Fi is stark. Understanding the gap matters for anyone evaluating network security.
Comparison: Open/Captive Portal vs. Passpoint Secure Wi-Fi
| Feature | Open/Captive Portal Wi-Fi | Passpoint Secure Wi-Fi |
|---|---|---|
| Authentication | None, or password behind a captive portal | 802.1X with EAP-TLS, EAP-TTLS, or EAP-SIM |
| Encryption | Often none (open SSID) | WPA2-Enterprise or WPA3-Enterprise |
| Rogue AP Protection | None; devices connect to any matching SSID | Devices verify the network operator via ANQP before connecting |
| User Experience | Manual network selection, portal login, re-authentication | Fully automatic discovery, connection, and roaming |
| Credential Handling | Shared passwords or social login | Per-device certificates or SIM credentials |
| Roaming | Disconnects when moving between APs or venues | Seamless handoff across APs and roaming partners |
Passpoint represents a giant step forward from traditional Wi-Fi solutions. Legacy open Wi-Fi networks broadcast unencrypted traffic, making packet sniffing a trivial task for attackers. Captive portals add a thin authentication layer, but the portal page itself is often served over HTTP, and the underlying connection may still be unencrypted.
Passpoint eliminates both problems by requiring enterprise-grade encryption from the beginning of every session.
Passpoint and 802.1X: How the Authentication Works
Passpoint does not define its own authentication mechanism. It relies on the IEEE 802.1X framework, which is the same standard used to secure enterprise Wi-Fi and wired networks.
When a device connects to a Passpoint network, the following happens:
1. The access point acts as the 802.1X authenticator and forwards the device’s EAP credentials to a RADIUS server.
2. The RADIUS server validates the credentials. For EAP-TLS, this means verifying the device’s X.509 digital certificate against the issuing Certificate Authority (CA). For EAP-SIM, it validates the SIM credential against the carrier’s authentication infrastructure.
3. If validation succeeds, the RADIUS server sends an Access-Accept message, and the access point grants network access with the appropriate VLAN and policy assignment.
Why EAP-TLS matters for Passpoint. Among the EAP methods Passpoint supports, EAP-TLS is the strongest. It uses mutual certificate authentication: the device presents its certificate to the server, and the server presents its certificate to the device.
No passwords are transmitted over the air. There is nothing to phish, nothing to intercept, and nothing for an attacker to replay.
For organizations deploying Passpoint on campus or in facilities they control, EAP-TLS with a managed PKI provides the highest assurance that only authorized devices connect.
Benefits of Passpoint Secure Wi-Fi
Passpoint Wi-Fi delivers security and ease of use. Here’s what that looks like.
Stronger Security Than Any Captive Portal
Passpoint mandates WPA2-Enterprise or WPA3-Enterprise encryption. Every frame between the device and the access point is encrypted with a unique per-session key. This eliminates the eavesdropping risk inherent in open networks and the credential-harvesting risk of shared-password networks.
Because Passpoint devices check the network operator’s identity via ANQP before associating, and then validate the RADIUS server’s certificate against the trusted root CA in their profile during the EAP exchange, rogue access points that merely spoof the SSID name cannot trick devices into connecting. ANQP advertisements themselves are not authenticated, so the server certificate check is the step that actually binds the device to the legitimate operator. Traditional Wi-Fi has no equivalent protection.
Frictionless User Experience
Users hate captive portals. They break application flows, require repeated login, and often fail on IoT devices or headless clients. Passpoint removes all of that. Once a device has a valid Passpoint profile, every connection is automatic and invisible to the user.
For higher education, this is particularly impactful. Students and staff connect once via eduroam and then roam across every participating campus worldwide. Passpoint is the mechanism that makes eduroam’s seamless roaming possible at the radio layer.
Carrier Wi-Fi Offload
Mobile carriers use Passpoint to offload cellular traffic onto Wi-Fi in high-density areas like stadiums, airports, and transit stations. Devices with SIM-based Passpoint profiles (using EAP-SIM or EAP-AKA) connect to carrier-operated Wi-Fi automatically, reducing cellular congestion without any user action.
OpenRoaming: Passpoint at Global Scale
OpenRoaming, managed by the Wireless Broadband Alliance, extends Passpoint’s roaming model to a global federation. Identity providers (carriers, enterprises, universities) and access network providers (venues, cities, ISPs) join the OpenRoaming federation, and any user with a valid credential from any participating identity provider can connect to any participating network.
OpenRoaming builds directly on the Passpoint R2/R3 framework. For organizations already running Passpoint with 802.1X, joining an OpenRoaming federation requires configuring the appropriate roaming consortium identifiers and establishing RADIUS peering with the federation hub.
How to Deploy Passpoint Secure Wi-Fi
Deploying Passpoint involves infrastructure, credential provisioning, and ongoing management. Here is a practical breakdown of the six key steps.
1. Verify Access Point Support
Passpoint requires Wi-Fi Alliance-certified access points that support 802.11u, ANQP, and Hotspot 2.0. Most enterprise-grade APs from major vendors released in the last five years include this support. Check the firmware version and enable the Hotspot 2.0 feature in your wireless controller.
2. Set Up a RADIUS Server
Passpoint authentication requires a RADIUS server that supports EAP-TLS, EAP-TTLS, or EAP-SIM. The RADIUS server handles all credential validation and policy enforcement.
For organizations that do not want to manage on-premises RADIUS infrastructure, a cloud RADIUS service provides the same functionality without the server maintenance. Cloud RADIUS is especially useful for multi-site Passpoint deployments where centralized authentication and consistent policy enforcement matter.
3. Deploy a PKI for Certificate-Based Authentication
If you are using EAP-TLS (the recommended approach for maximum security), you need a PKI to issue and manage device certificates. The PKI must:
- Issue X.509 certificates to every device that will connect
- Support automated enrollment via SCEP, ACME, or MDM-based distribution
- Manage the full certificate lifecycle: issuance, renewal, and revocation
- Provide a Certificate Revocation List (CRL) or OCSP responder so the RADIUS server can check certificate validity in real time
A cloud-hosted PKI simplifies this. It integrates with MDMs like Intune, Jamf, and Google Workspace for managed device enrollment and offers self-service onboarding portals for BYOD devices that need Passpoint profiles.
4. Create and Distribute Passpoint Profiles
Passpoint profiles contain the network’s domain name, the SSID, the EAP method, the trusted root CA certificate, and optionally the user’s credential. These profiles can be distributed via:
- MDM push for managed devices (Intune, Jamf, Kandji, Google Workspace)
- Self-service onboarding for BYOD devices, where users visit a portal, authenticate with their identity provider, and receive a Passpoint profile with a provisioned certificate
- OSU (Online Sign-Up) for guest or subscriber onboarding, using the Passpoint R2/R3 OSU framework
5. Test and Validate
Before full rollout, test the complete flow: device discovery via ANQP, profile matching, EAP-TLS authentication against the RADIUS server, VLAN assignment, and roaming between access points. Verify that devices without valid profiles are correctly denied access.
6. Monitor and Optimize
Once live, monitor authentication success rates, roaming handoff times, and certificate expiration dates. A cloud RADIUS dashboard provides visibility into every authentication event, including the user identity, device type, EAP method, and policy applied.
Why SecureW2 for Passpoint Deployments
Passpoint’s security depends entirely on the quality of the authentication backend: the PKI that issues certificates and the RADIUS server that validates them. SecureW2 provides both as fully managed cloud services.
JoinNow Cloud RADIUS handles Passpoint authentication with 99.999% uptime, RadSec support for encrypted RADIUS transport, and real-time identity lookup against your IdP (Entra ID, Okta, Google Workspace). It validates every connection against the user’s current status in your identity provider, so when someone leaves the organization, their network access is revoked immediately.
JoinNow Dynamic PKI issues and manages the X.509 certificates that EAP-TLS requires. It supports automated enrollment through SCEP, ACME Device Attestation, and MDM-based distribution. For BYOD devices, JoinNow MultiOS provides a self-service portal where users authenticate with their IdP credentials and receive a Passpoint profile with a provisioned certificate in under a minute.
For higher education institutions running eduroam, SecureW2 provides the RADIUS and PKI backend that supports both campus authentication and roaming. For venues and enterprises deploying Passpoint for guest or employee access, the same infrastructure applies.
Contact SecureW2 to learn how Cloud RADIUS and managed PKI can power your Passpoint deployment with certificate-based authentication.
Frequently Asked Questions
What is Passpoint secure Wi-Fi?
Passpoint secure Wi-Fi (also called Hotspot 2.0) is a Wi-Fi Alliance standard that automates how devices discover, authenticate to, and encrypt connections with Wi-Fi networks. It uses 802.1X authentication and WPA2/WPA3-Enterprise encryption to provide secure, automatic connectivity without captive portals or manual login.
How is Passpoint different from regular Wi-Fi?
Regular public Wi-Fi typically uses open networks or shared passwords with captive portal login pages. Passpoint uses 802.1X with EAP-TLS, EAP-TTLS, or EAP-SIM to authenticate each device individually, encrypts all traffic with WPA2-Enterprise or WPA3-Enterprise, and supports seamless roaming between access points and network operators.
Does Passpoint work on my device?
Most modern devices support Passpoint: iPhones running iOS 7 or later, Android devices running Android 6.0 or later, Windows 10 and later, and macOS. Older devices that do not support 802.11u will not be able to use Passpoint and will fall back to traditional Wi-Fi connection methods.
What is OpenRoaming and how does it relate to Passpoint?
OpenRoaming is a global Wi-Fi roaming federation built on the Passpoint framework. It connects identity providers (carriers, universities, enterprises) with network providers (venues, cities, ISPs) so that any user with a valid credential can automatically connect to any participating Passpoint network worldwide. It extends Passpoint’s local roaming capabilities to a global scale.
What authentication method should I use for Passpoint?
EAP-TLS with digital certificates provides the strongest security for Passpoint deployments. It uses mutual authentication between the device and the RADIUS server, and no passwords are transmitted over the air. For carrier deployments, EAP-SIM is standard. EAP-TTLS is an option for environments that still rely on username/password credentials but want encrypted transport.