Administration Guide


Introduction

Scope and Purpose

Thank you for purchasing the Trusted WiFi solution. The aim of this document is to cover the configuration, monitoring and troubleshooting of an end-to-end Trusted WiFi Passpoint service, with a focus on the core services delivered by Trusted WiFi.

Separate complementary documents are available, covering a selection of network hardware equipment configuration, as well as integration with the Trusted WiFi Passpoint Software Development Kit (SDK).

Documentation Conventions

The following conventions are used throughout this document:

Notes: Helpful information, suggestions or references.

Warning: Important notification that something might result in a configuration not working, loss of data, equipment damage or personal injury.

Bold and/or green: commands, command options and keywords.

Italics: variable, input requirement for a valid parameter.

Passpoint Overview

Passpoint – also known as Hotspot 2.0 – is an industry-wide next generation approach to public internet access driven by the Wi-Fi Alliance that brings the following benefits:

  • Frictionless onboarding and roaming, thanks to a one-time registration followed by automatic access to interconnected hotspots

  • More secure and private Wi-Fi connections, compared with general visitor networks

Passpoint is based on the IEEE 802.11u standard, which is a set of protocols enabling cellular-like roaming. Following the initial enrollment, frequent users such as visitors, guests or employees bypass repeated logins, forms and passwords, as their mobile devices automatically join the Wi-Fi subscriber service when they return to a venue or roam between inter-linked Passpoint-enabled hotspots and providers, while being better protected against potential cyber threats.

If a device supports 802.11u and is enrolled to a service, it automatically communicates with the Wi-Fi infrastructure via the access points to discover the network SSID and connects securely to it by presenting its access credentials. Upon successful authentication, the device is provisioned with Passpoint standards-based management objects - known as Per-Provider Subscription Management Objects (PPS-MO).

GlobalReach - an ASSA ABLOY company - has been involved with Passpoint since its inception and even contributed to the creation and initial pilot testing of the standard. As a result, it is one of the few trusted worldwide experts on this topic, with a proven platform backed by real-world operational experiences at scale.

The best user experience is to offer Passpoint through a customer/brand mobile app integration, as it further simplifies the onboarding process, while incentivizing app downloads and customer loyalty, leading to further engagement and monetization opportunities. To this effect, Trusted WiFi offers a Software Development Kit (SDK) for easy app integration.

End-to-End Service Components

Implementing an end-to-end Trusted WiFi Passpoint service requires a combination of the following software and hardware components:

  • Trusted WiFi Passpoint: the core services are offered and managed centrally via the Trusted WiFi Passpoint Module (hosted and operated by GlobalReach). Following an initial setup performed by the GlobalReach Operations team, Managed Service Providers (MSPs) can then add sites to customer realms and monitor the solution.

  • Customer Realm: the service requires connectivity to a realm including domain, security certificate and private key, as well as the database holding the users’ Personally Identifiable Information (PII). It is the responsibility of the Identity Provider – typically the customer/brand – to make this part available.

  • Mobile App: the best user experience is to offer Passpoint through a customer/brand mobile app integration. Trusted WiFi offers a Software Development Kit (SDK) for easy implementation. It is the responsibility of the app owner – typically the customer/brand – to perform the integration.

  • Local Networks: the local networks must be compliant with Passpoint (Hotspot 2.0). Most recent Wi-Fi access points and controllers from major vendors support Passpoint today; however, older models or products from more exotic manufacturers might not. The configuration of the local infrastructure is typically handled by the Managed Service Providers (MSPs).

  • User Devices: the subscribers’ mobile devices (belonging to visitors, guests, employees, etc.) must be compliant with Passpoint (Hotspot 2.0). All recent iOS and Android-based smartphones or tablets support Passpoint today; however, older models or products running less popular operating systems might not. Laptop compatibility is also more erratic. It is therefore essential to maintain a traditional onboarding service in parallel with Passpoint to handle non-compatible devices.

High-Level Topology

The diagram below illustrates the high-level topology for the end-to-end Trusted WiFi Passpoint service:

Glossary

The following is a glossary of the most common terms used regarding this solution.

Term (Abbreviation): Description

Deployment: Enabling of a Trusted WiFi product module for a property via the Trusted WiFi interface.

Module: Product or service purchased from Trusted WiFi that is managed through its own sub-section of the Trusted WiFi interface.

License: Legal agreement that grants users the right to use specific software, outlining terms and conditions for its usage, distribution, and potential modifications, while protecting the intellectual property of the software developer.

GlobalReach licenses comprise two different types:

  • one-off licenses - typically to initially enable a software module.

  • recurring licenses - typically including software updates and technical support, or more in the case of OpEx consumption commercial models based on price per month/quarter/year.

Trusted WiFi is sold as a combination of one-off licenses to activate the service and recurring licenses based on a price per Wi-Fi access point per month.

Managed Service Provider (MSP): The third-party company that remotely manages and monitors a client's IT infrastructure and end-user systems, offering services like network and infrastructure management, security, and 24/7 technical support.

Organization (Org): A company account in Trusted WiFi.

Operator: An organization-type account in Trusted WiFi that is used by MSPs to manage a property’s Wi-Fi network.

Customer: An organization-type account in Trusted WiFi typically used for customers/brands; it allows grouping so that all properties belonging to the same company can be viewed, even if they are managed by several different MSPs.

Linked Organization (Linked Org): A link creating a relationship between an operator and a customer account, allowing the customer to view a property while the operator manages it.

User: An individual accessing a product, service or system.

  • In the context of Trusted WiFi, a user is set up to access product and deployment information at Admin/Editor/Viewer level, according to their role permissions.

  • In the context of a given product or service, a user is another term for a subscriber: the person at the end of the chain interacting with that product or service, usually through a device.

Property: Trusted WiFi concept representing an individual site or location where products are deployed.

Linked Property: Site or location shared between operator and customer accounts.

Passpoint Software Development Kit (Passpoint SDK): The service that sits within the customer’s mobile app and connects to the Trusted WiFi RADIUS infrastructure, allowing Passpoint profiles to be created for a given Passpoint realm.

Passpoint Realm: The customer-specific domain used to provision Passpoint profiles that are approved for connection to any associated network.

Passpoint Profile: The security-certified profile that sits on a subscriber’s device. If installed correctly, it allows seamless authentication to the secure Passpoint SSID.

Secure Passpoint Service Set Identifier (Secure Passpoint SSID): The Wi-Fi network associated with the Passpoint realm, configured to allow subscriber devices with a valid Passpoint profile to connect seamlessly to the Passpoint network at a property.

Subscriber: An individual person using a service.

Subscriber Device: The equipment, typically a smartphone, tablet or computer, that the subscriber uses to connect to the service.

Collision-Resistant Unique Identifier (CUID): A unique identifier designed to be collision-resistant, meaning engineered to minimize the likelihood of generating duplicate IDs even in distributed systems, and more efficient in terms of space and database indexing performance due to its sequential nature.

In the context of Passpoint, a CUID is delivered to a subscriber device when it requests a Passpoint profile.

Customer Loyalty Mobile Application (Mobile App): The iOS and/or Android application used by businesses to engage and reward their customers through loyalty programs.

In the context of Passpoint, the best user experience is to offer Passpoint through a customer/brand mobile app integration using the Trusted WiFi SDK.


TRUSTED WIFI PASSPOINT CORE SERVICES

Prerequisites

Trusted WiFi Components

The following Trusted WiFi products, licenses and services must be purchased:

  • Trusted WiFi Passpoint core services module

    • A one-time Passpoint activation fee per customer realm

    • A recurring yearly Passpoint hosting fee per customer realm

    • A recurring license per month per AP

  • Trusted WiFi Passpoint Software Development Kit (SDK)

    • A one-time SDK activation fee per customer realm, available either standalone or in combination with the one-time Passpoint activation fee

Warning

A purchase order must be sent to support@globalreachtech.com including:

  • Operator details – company responsible for installing and managing the network at the site

  • Customer name

  • User contact details (name and email address)

Third-Party Components

The following third-party services must be available:

  • A customer realm including domain, security certificate and private key, as well as the database holding the users’ Personally Identifiable Information (PII). It is the responsibility of the Identity Provider – typically the customer/brand – to make this part available. This information must be emailed to support@globalreachtech.com for the GlobalReach team to provision the realm on Trusted WiFi.

  • The best user experience is to offer Passpoint through a customer/brand mobile app integration. Once they have access to the Trusted WiFi Passpoint SDK, it is the responsibility of the app owner – typically the customer/brand – to perform the integration.

  • Local networks must be Passpoint compliant. Most recent Wi-Fi access points and controllers from major vendors support Passpoint today; however, older models or products from smaller manufacturers might not. The configuration of the local infrastructure is typically handled by the Managed Service Providers (MSPs).

  • The subscribers’ mobile devices (belonging to visitors, guests, employees, etc.) must be Passpoint compliant. All recent iOS and Android-based smartphones or tablets support Passpoint today; however, older models or products running less popular operating systems might not. Laptop compatibility is also more erratic. It is therefore essential to maintain a traditional onboarding service in parallel with Passpoint to handle non-compatible devices.

Assumptions

The instructions provided in this document assume the following:

Warning

  • The Trusted WiFi Passpoint module is activated and licensed.

  • The Trusted WiFi Passpoint SDK is activated and licensed.

  • Wi-Fi networks are Passpoint compliant, installed and ready on site.

  • Subscriber devices are Passpoint compliant.

  • The Managed Service Provider (MSP) has a Trusted WiFi account with operator permissions.

  • All properties must share the same NAI realm, RADIUS IP / port settings and SSID name for the Passpoint service (CustomerPasspoint).

  • Each property requires a separate RADIUS secret and NAS identifier, both generated when a configuration is activated within the Trusted WiFi management platform.

Note

This document focuses on the core services delivered via Trusted WiFi. Separate complementary documents are available, covering a selection of network hardware equipment configuration, as well as integration with the Trusted WiFi Passpoint Software Development Kit (SDK).

Trusted WiFi Configuration

Trusted WiFi Login

  • In a web browser, navigate to: https://trustedwifi.cloud.global/ and enter your email and password.

Note

If you don’t yet have an account, click the Don’t have an account? option and follow the process.

Property Creation

Note

If the property is already configured in Trusted WiFi and linked to the Customer’s account, please proceed straight to the next step. The following instructions are only required if the property does not already exist in Trusted WiFi.

  • Select Properties from the left navigation menu and click on the + New Property button at the top of the page to display the New Property form:

  • Complete the mandatory fields as per the description below:

    Name: The hotel or site name.

    Site Code: This can be any unique alpha-numeric identifier. It is best practice to use the same ID assigned to the property by the hotel brand. If the Gateway is going into a lab, then this can be a random number.

    Country Code: Select the appropriate country from the pull-down list.

    Timezone: The time zone where the hotel is located. This is important as it affects operations scheduled to take place at a specific time.

    Default Locale: Refers to the local language. Currently only English (en) is supported.

    Temperature Unit: Whether the administrator prefers to display temperature information in Fahrenheit or Celsius.

    Distance Unit: Whether the administrator prefers to display distance measurements in Imperial or Metric.

    Currency: The currency of the property.

  • Select the Customer from the drop-down list. This will link the property to the correct account where the Passpoint realm is then shared with the property.

  • Click Create Property to save the details.

Warning

  • All properties from a given customer must share the same realm, which is pre-provisioned to their account by the GlobalReach Support team – as explained further in this document.

  • Please check with GlobalReach which customer name to use, and contact support@globalreachtech.com to link your operator account if the customer name doesn’t appear in the drop-down list.

Passpoint Module Deployment

  • Scroll down the list or use the search field at the top to find the desired property:

  • Select the property and click the + Deploy Product button. Then select the Passpoint module from the drop-down list, accept the End User License Agreement (EULA) and click the Deploy button:

  • The Passpoint deployment is now featured on the property page and the service can be configured:

Warning

Once a property has deployed products, it cannot be deleted until the individual product deployments have been deleted first; this prevents accidental deletion of live implementations.

Property Realm Details

Once a Passpoint module is linked to a property, the realm details can be accessed.

  • Scroll down the list or use the search field at the top to find the desired property:

  • Select the property and click the Passpoint tile to display the dashboard page below:

Note

Once the Passpoint service is running, the activity graphs will populate.

Warning

If the Passpoint Unlicensed message is displayed, it means this deployment is not showing valid licenses. Please contact the GlobalReach Support team urgently to resolve.

  • Select the Configuration option in the left-hand navigation menu and click on Edit:

  • Select the relevant customer NAI Realm from the drop-down list and click Apply to save the changes.

Note

  • Since the Passpoint core services realm is pre-provisioned by the GlobalReach Support team, there is minimal configuration required by the operator.

  • More information about customer realms can be found in a later chapter in this document.

  • Take note of the details for your respective installation as they will be required at a later step to configure the network hardware.

Note

Hardware configuration guides for the Gateway and WLAN Controllers are provided separately.

Warning

The NAS Identifier and the RADIUS Secret are always unique per property.

Analytics Dashboards

Trusted WiFi provides analytics dashboards containing anonymous information on usage of the Passpoint service, available both at global and individual property levels.

Warning

Some of the analytics might not be available depending on the operator account permissions.

Global Profiles View

The global profiles view is available to customer/brand accounts only, as it offers an estate-wide summary showing the number of profiles requested via the loyalty app, as well as the number of subscriber profiles used across the estate. This information includes all sites, irrespective of the different Managed Service Providers.

Operator accounts will see profile requests only across the properties they manage.

Profiles Widget:

The Profiles Widget shows all profile requests, broken down by the selected period. It can also be further filtered by device type (toggle these on/off as required):

Deployments and Profiles Widget

The deployments widget shows how many instances of Passpoint have been set up across all customer properties and associated with the customer’s Passpoint realm. The profiles widget shows the total number of Passpoint profiles requested to date, across all properties.

Global Activity View

The global activity view is available to customer/brand accounts only, as it offers an estate-wide summary showing the profile activity across the estate. This information includes all sites, irrespective of the different Managed Service Providers.

Operator accounts will see profile activity only across the properties they manage.

New vs Returning Filter

The new vs returning filter shows how many unique profiles were seen as new connections vs returning connections across all the customer’s Passpoint networks during the selected period.

  • New filter: total unique profiles seen as connecting for the first time (anywhere) during the selected period.

  • Returning filter: total unique profiles seen as returning (from anywhere) connections during the selected period.

  • All filter: total of all unique profiles seen connecting.

Property Level Activity View

This view is available to all users who have access to property information within the Trusted WiFi management platform.

New Vs Returning Filter

The new vs returning filter shows how many unique profiles were seen as new connections vs returning connections at a specific property during the selected period.

  • New filter: total unique profiles seen as connecting for the first time (first time ever using the customer’s realm) during the selected period.

  • Returning filter: total unique profiles seen as returning connections (previously seen using the customer’s realm at this property or another property using the same realm) during the selected period.

  • All filter: total of all unique profiles seen connecting to this specific property during the selected period.
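The global and property-level filter definitions above, encoded as an added example (not Trusted WiFi’s own analytics code) over constructed connection records, so the realm-wide and per-property counts can be compared on the same data:

```python
"""New vs returning profile counts for the global and property-level activity views.

Added example, not Trusted WiFi's own analytics code; it encodes the filter
definitions given in this guide. The connection records are constructed sample
input (ISO dates as strings, so they compare correctly as text).
"""

# Constructed sample: (date, property, cui) connections across one customer realm.
CONNECTIONS = [
    ("2024-04-20", "hotel-A", "cui-1"),  # before the period: first ever for cui-1
    ("2024-05-02", "hotel-A", "cui-1"),  # returning at A
    ("2024-05-03", "hotel-B", "cui-1"),  # returning at B (previously seen elsewhere)
    ("2024-05-04", "hotel-B", "cui-2"),  # first ever, at B
    ("2024-05-06", "hotel-A", "cui-2"),  # returning at A (first seen at B)
    ("2024-05-08", "hotel-A", "cui-3"),  # first ever, at A
    ("2024-05-08", "hotel-A", "cui-3"),  # repeat on the same day: unique count once
    ("2024-06-01", "hotel-B", "cui-4"),  # outside the period
]


def first_seen(connections):
    """Earliest connection anywhere in the realm for each CUI, as (date, property)."""
    first = {}
    for date, prop, cui in sorted(connections):
        first.setdefault(cui, (date, prop))
    return first


def new_vs_returning(connections, start, end, property_name=None):
    """Unique profile counts for the period [start, end].

    property_name=None gives the global view. A connection is "new" only when it
    is the profile's first ever connection to the customer's realm (at any
    property); any later connection, at this or another property, is "returning".
    "all" is the union, since a profile can be both within one period.
    Assumption: date granularity; real data would use full timestamps.
    """
    first = first_seen(connections)
    new, returning = set(), set()
    for date, prop, cui in connections:
        if not (start <= date <= end):
            continue
        if property_name is not None and prop != property_name:
            continue
        (new if (date, prop) == first[cui] else returning).add(cui)
    return {"new": len(new), "returning": len(returning), "all": len(new | returning)}


if __name__ == "__main__":
    print("global :", new_vs_returning(CONNECTIONS, "2024-05-01", "2024-05-31"))
    print("hotel-A:", new_vs_returning(CONNECTIONS, "2024-05-01", "2024-05-31", "hotel-A"))
    print("hotel-B:", new_vs_returning(CONNECTIONS, "2024-05-01", "2024-05-31", "hotel-B"))
```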

Troubleshooting

RADIUS Logs

Network Device Issues

  • RADIUS logs are accessed from the left-hand navigation menu for an individual property’s Passpoint deployment:

  • Indicate the NAS MAC to find an individual device.

  • Use the Period Filter to narrow-down the search if you know the timeframe you are looking for.

  • Use the Message Type to narrow-down by Rejects or Accepts seen on RADIUS from that device.

Note

When a network is configured with Passpoint and a subscriber device attempts to connect to it, a Wi-Fi access point sends the Passpoint RADIUS request on its behalf. The Management Portal will properly identify the calling station and validate the request if the call is approved - based on RADIUS secret and NAS ID.

Warning

If the RADIUS configuration is not setup correctly, all Passpoint RADIUS requests will be seen to be coming from unidentified subscriber devices, meaning they will get dropped silently.

The table in the RADIUS requests details section below provides a description of the error messages.

Subscriber Access Issues

  • From the same RADIUS logs page as above, indicate the CUI to find an individual device.

  • Use the Period Filter to narrow-down the search if you know the timeframe you are looking for.

  • Use the Message Type to narrow-down by Rejects or Accepts seen on RADIUS from that device.

Note

The User MAC filter option can also be used if required; however, troubleshooting for the Passpoint service will usually be done using the customer’s CUI.

The table in the RADIUS requests details section below provides a description of the error messages.

RADIUS Summary

  • The RADIUS summary is accessed from the left-hand navigation menu for an individual property’s Passpoint deployment:

  • This page presents a quick overview of the RADIUS accepts and rejects, allowing an operator to check at a glance what is happening across the property’s network devices.

Note

  • This data is shown in UTC time, broken down by hour.

  • Totals represent the total number of accepts and rejects within the selected period.

  • The latest accepts and rejects table shows the top 10 only.

RADIUS Requests Details

The following sequence is what is expected to occur when a network device (AP) gets a request from a subscriber device to use the Passpoint service.

Note

  • For ease of use in the management interface, backend requests are removed from the logs. Only Client, Accept and Reject message types are shown and searchable in the table.

  • A reject message can occur at any stage throughout the RADIUS request sequence. If a reject is seen, the description of this error will be displayed in the details column.

  • A reject means the authentication was unsuccessful and the subscriber device was unable to connect to the Passpoint service.

Warning

Logs showing these messages out of sequence could be a case of a step being skipped or having an issue when making that particular call. This is typically seen when there is a network issue or if the realm is not connected.

RADIUS Requests Sequence

Details | Description | Message Type
Network/TTLS Authentication | Pre-starting of the authentication process. The NAS IP is the public IP address at this stage. | Client
Profile Authentication | RADIUS request sent. | Accept
MSCHAPv2 [Success] | Authentication was successful and the subscriber device should have access to the Passpoint service. | Accept

RADIUS Rejects Descriptions

Details | Description | Message Type
Missing username/realm | No profile or corrupt profile. | Reject
MS-CHAP2-Response is incorrect | Corrupt profile reject. | Reject
CUI not found | No profile or corrupt profile. | Reject
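An added example, not part of the Trusted WiFi platform, showing how an exported RADIUS log can be triaged against the sequence and reject tables above, and how an access point that never appears in the log (the silent-drop symptom described earlier) can be flagged. The CSV layout, NAS MACs and CUI values are constructed for the example, since the portal’s export format is not described in this guide:

```python
"""Triage of a Passpoint RADIUS log export against the expected request sequence.

Added example, not part of the Trusted WiFi platform. The CSV layout, NAS MACs
and CUI values below are constructed for this example; the portal's export
format is not described in this guide.
"""
import csv
from collections import defaultdict
from io import StringIO

# Expected per-subscriber sequence, from the "RADIUS Requests Sequence" table.
EXPECTED_SEQUENCE = [
    ("Client", "Network/TTLS Authentication"),
    ("Accept", "Profile Authentication"),
    ("Accept", "MSCHAPv2 [Success]"),
]

# Reject details and their meaning, from the "RADIUS Rejects Descriptions" table.
REJECT_MEANINGS = {
    "Missing username/realm": "No profile or corrupt profile",
    "MS-CHAP2-Response is incorrect": "Corrupt profile",
    "CUI not found": "No profile or corrupt profile",
}

# Constructed sample export: one good attempt, one corrupt profile, one skipped step.
SAMPLE_LOG = """\
timestamp,nas_mac,cui,message_type,details
2024-05-01T09:00:01Z,AA:BB:CC:00:00:01,cuid-good-0001,Client,Network/TTLS Authentication
2024-05-01T09:00:02Z,AA:BB:CC:00:00:01,cuid-good-0001,Accept,Profile Authentication
2024-05-01T09:00:02Z,AA:BB:CC:00:00:01,cuid-good-0001,Accept,MSCHAPv2 [Success]
2024-05-01T09:05:10Z,AA:BB:CC:00:00:01,cuid-corrupt-0002,Client,Network/TTLS Authentication
2024-05-01T09:05:11Z,AA:BB:CC:00:00:01,cuid-corrupt-0002,Reject,MS-CHAP2-Response is incorrect
2024-05-01T09:07:30Z,AA:BB:CC:00:00:02,cuid-skip-0003,Client,Network/TTLS Authentication
2024-05-01T09:07:31Z,AA:BB:CC:00:00:02,cuid-skip-0003,Accept,MSCHAPv2 [Success]
"""


def parse_log(text):
    """Parse the export into dict rows, oldest first (ISO-8601 UTC timestamps sort as text)."""
    return sorted(csv.DictReader(StringIO(text)), key=lambda r: r["timestamp"])


def triage_by_cui(rows):
    """Classify each CUI's attempt as ok, reject (with the table's meaning) or out-of-sequence."""
    steps_by_cui = defaultdict(list)
    for r in rows:
        steps_by_cui[r["cui"]].append((r["message_type"], r["details"]))

    result = {}
    for cui, steps in steps_by_cui.items():
        rejects = [d for t, d in steps if t == "Reject"]
        if rejects:
            # A reject can occur at any stage; the first one explains the failure.
            result[cui] = {"status": "reject", "detail": rejects[0],
                           "meaning": REJECT_MEANINGS.get(
                               rejects[0], "Not in the guide's table; check network and realm")}
        elif steps == EXPECTED_SEQUENCE:
            result[cui] = {"status": "ok"}
        else:
            # Out of sequence: a step was skipped or failed (typically network or realm issue).
            missing = [d for t, d in EXPECTED_SEQUENCE if (t, d) not in steps]
            result[cui] = {"status": "out-of-sequence", "missing": missing}
    return result


def silent_nas(rows, configured_nas_macs):
    """Access points configured for Passpoint that never appear in the log.

    The guide notes that requests with a wrong RADIUS secret or NAS ID are dropped
    silently, so an AP with no entries at all is the first thing to check.
    """
    seen = {r["nas_mac"].upper() for r in rows}
    return sorted(m.upper() for m in configured_nas_macs if m.upper() not in seen)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for cui, verdict in triage_by_cui(rows).items():
        print(cui, verdict)
    print("APs never seen:", silent_nas(rows, ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02",
                                              "AA:BB:CC:00:00:03"]))
```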


CUSTOMER REALM

Prerequisites

Operating a Passpoint service requires connectivity to a customer realm including domain, security certificate and private key, as well as the database holding the users’ Personally Identifiable Information (PII).

Warning

  • It is the responsibility of the Identity Provider – typically the customer/brand – to make these components available.

  • This information must be emailed to support@globalreachtech.com for the GlobalReach Support team to provision the realm on Trusted WiFi.

Custom Domain

Any fully qualified domain name (FQDN) can be used as the custom domain, but it must be present within the TLS certificate, for example: passpoint.customer.com

Warning

The domain must be under administrative control such that certificate Extended Validation (EV) can be completed successfully by the certificate authority.

Custom Certificates

The Passpoint service requires that the RADIUS server has a TLS certificate installed that matches the domain for the secure SSID through which Passpoint will operate. The certificate will be used to sign Passpoint profiles installed on subscriber devices, so the domain and certificate details should reflect desired branding.

The RADIUS certificate must meet the following requirements:

  • CommonName (CN) must match the domain.

  • DNS subjectAltName must match the domain.

  • Must include Extended Validation (*EV).

For example, if the custom domain is passpoint.customer.com, the RADIUS certificate must have both the CN and subjectAltName fields set to passpoint.customer.com.

*EV SSL certificate validation: the CA will perform a rigorous verification of the site’s ownership as well as the legitimacy of the company before issuing your certificate. The vetting process is more intensive than any other validation level and thus commands higher trust with end-users. Website owners will need to provide acceptable documents for the company during the validation process. These verifying documents attest that they have rights to the specific domain and that the business itself is legitimate.

The EV process ensures a thorough investigation is performed on the organization, and this information is displayed on the certificate itself. Historically, it’s also been the only certificate that enables the organization’s name to appear on the browser to indicate your website’s identity.

Note

More information can be found here: https://sectigostore.com/page/ov-vs-ev-ssl-certificate/.

Trusted WiFi Realm Configuration

The following is required for the setup of the customer realm on the Trusted WiFi platform:

  • Chosen Realm (Domain) name

  • Security Certificates

  • Private key

Warning

  • These parameters are not self-configurable, so they must be emailed to support@globalreachtech.com to be provisioned on the Trusted WiFi platform.

  • The certificates must be kept up to date for the service to work as expected. If the certificate expires, the subscriber will get a security warning in their browser when they try to connect to the Passpoint service at a supporting property.

  • If your certificate or key is about to expire, please provide an updated version to support@globalreachtech.com so it can be updated in the Trusted WiFi platform.

Once the customer realm is set up by the GlobalReach Operations team, it will appear as the NAI Realm in the Passpoint configuration section in Trusted WiFi, as described in an earlier chapter of this document.
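An added pre-flight check (not GlobalReach’s code) to run on the realm material before it is sent for provisioning, covering the CN, DNS subjectAltName and EV requirements listed under Custom Certificates and the expiry warning above; it assumes the Python cryptography package is installed, and the self-signed certificate it generates is constructed test input only, not a substitute for a CA-issued EV certificate:

```python
"""Pre-flight checks on a Passpoint realm certificate and private key.

Added example, not GlobalReach's or Trusted WiFi's code. Requires the
`cryptography` package (assumed installed). The self-signed test material is
constructed here only so the checks run offline; a real realm certificate
must be issued by a CA after Extended Validation.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# CA/Browser Forum EV policy identifier. CAs often also use their own EV OIDs,
# so a missing CABF OID means "confirm EV with the CA", not a hard failure.
CABF_EV_POLICY_OID = x509.ObjectIdentifier("2.23.140.1.1")


def _extension(cert, oid):
    """Return the extension value for oid, or None if the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def check_realm_certificate(cert_pem, key_pem, realm_fqdn, now=None, min_days_left=30):
    """Evaluate the realm material against the guide's requirements.

    Returns a dict of check name -> bool. `now` is naive UTC (defaults to the
    current time); `min_days_left` is the renewal lead time to warn at.
    """
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)

    cn_values = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    san = _extension(cert, ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    dns_names = san.get_values_for_type(x509.DNSName) if san else []
    policies = _extension(cert, ExtensionOID.CERTIFICATE_POLICIES)
    policy_oids = {p.policy_identifier for p in policies} if policies else set()

    # Compare SubjectPublicKeyInfo so the key/cert match works for RSA and EC alike.
    def spki(pub):
        return pub.public_bytes(serialization.Encoding.DER,
                                serialization.PublicFormat.SubjectPublicKeyInfo)

    not_before, not_after = cert.not_valid_before, cert.not_valid_after  # naive UTC

    return {
        "cn_matches_realm": cn_values == [realm_fqdn],          # CN must equal the domain
        "san_contains_realm": realm_fqdn in dns_names,          # DNS SAN must list the domain
        "cabf_ev_policy_present": CABF_EV_POLICY_OID in policy_oids,
        "currently_valid": not_before <= now <= not_after,
        "renewal_not_due": not_after - now > timedelta(days=min_days_left),
        "key_matches_certificate": spki(key.public_key()) == spki(cert.public_key()),
    }


def make_test_material(fqdn, days_valid=365, with_ev_oid=True):
    """Constructed sample input: a self-signed certificate and key as PEM bytes."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=days_valid))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(fqdn)]), critical=False)
    )
    if with_ev_oid:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(CABF_EV_POLICY_OID, None)]),
            critical=False)
    cert = builder.sign(key, hashes.SHA256())
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert_pem, key_pem


if __name__ == "__main__":
    cert_pem, key_pem = make_test_material("passpoint.customer.com")
    for check, ok in check_realm_certificate(cert_pem, key_pem, "passpoint.customer.com").items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

To check real material, pass the PEM bytes read from the certificate and key files instead of the constructed pair.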


MOBILE APP INTEGRATION

Trusted WiFi Passpoint SDK

The best user experience is delivered through a loyalty app integration, offering the following benefits:

  • No additional user information to collect: the guest or visitor is already known from the app.

  • One time download of the Passpoint profile in 3 “taps”.

  • Incentive to increase the app uptake.

  • Additional services and engagement possibilities once users have the app.

  • Non-compatible devices can still use the legacy onboarding process.

Note

Trusted WiFi offers a Passpoint SDK for easy integration with loyalty apps.

Warning

Access to the GlobalReach Passpoint SDK and its documentation are subject to the purchase of the one-time activation fee per customer realm.

The Trusted WiFi Passpoint SDK offers a customer/brand the ability to insert an option for their app members to pre-download a secure Passpoint profile to their subscriber device before they travel to a property connected to the customer realm.

It also allows for actions such as removing a Passpoint profile or requesting a new one. This is helpful for support, in case subscriber profiles become corrupted or broken.

Following the purchase of the one-time activation fee per customer realm, the GlobalReach Operations team will require the name and email address of the developers in need of access to the SDK GitHub repository containing the technical information required to perform the integration.

The following screenshots illustrate Passpoint profile download via a demo app:

iOS Profile Download

Android Profile Download


WI-FI NETWORKS CONFIGURATION

Prerequisites

The local networks must be compliant with Passpoint (Hotspot 2.0). Most recent Wi-Fi access points and controllers from major vendors support Passpoint today; however, older models or products from smaller manufacturers might not. The configuration of the local infrastructure is typically handled by the Managed Service Providers (MSPs).

Warning

  • Wi-Fi networks must be within their vendor’s support lifecycle and running valid licenses.

  • Wi-Fi networks must be Passpoint compliant.

Configuration

Hardware configuration is addressed via separate guides. At the time of writing, the following documents are available:

  • Hardware Configuration Guide for Aruba Central

  • Hardware Configuration Guide for Aruba Mobility Controllers

  • Hardware Configuration Guide for Cisco Meraki

  • Hardware Configuration Guide for Nomadix WLAN Controllers

  • Hardware Configuration Guide for Ruckus SmartZone

  • Hardware Configuration Guide for Ruckus ZoneDirector

Please refer to these documents for further configuration information.


SUBSCRIBER DEVICES

Prerequisites

The subscribers’ mobile devices (belonging to visitors, guests, employees, etc.) must be compliant with Passpoint (Hotspot 2.0). All recent iOS and Android-based smartphones or tablets support Passpoint today; however, older models or products running less popular operating systems might not. Laptop compatibility is also more erratic. It is therefore essential to maintain a traditional onboarding service in parallel with Passpoint to handle non-compatible devices.

Operation

If a Passpoint profile is installed correctly, the subscriber device should connect automatically to the customer’s private Passpoint SSID on the supported property network.

Warning

  • The Passpoint service does not use a captive portal or CNA pop-up; subscriber devices automatically join the relevant Passpoint Wi-Fi SSID.

  • Do not manually connect to the SSID, as this will not work and will cause the subscriber device to prompt for a username and password.

Troubleshooting

If a subscriber device is prompted for a username/password, the following may help identify Passpoint profile related issues:

  • If both username and password are blank, this usually means there is no Passpoint profile on the subscriber device.

  • If the username is filled in but the password is blank, this usually means the Passpoint profile is corrupted and will not work.

If the Passpoint profile is not installed, use the customer app to download it to the subscriber device.