INTRODUCTION
Scope and Purpose
Thank you for purchasing the Trusted WiFi solution. This document is a hardware configuration guide describing how to set up an ExtremeCloud IQ management platform for a Trusted WiFi Passpoint service.
For more information on how to set up an end-to-end Trusted WiFi Passpoint service, please refer to the Trusted WiFi Passpoint Administration Guide.
For complete information on how to set up an ExtremeCloud IQ management platform, please refer to the vendor’s original documentation.
Documentation Conventions
The following conventions are used throughout this document:
Notes: Helpful information, suggestions or references.
Warning: Important notification that something might result in a configuration not working, loss of data, equipment damage or personal injury.
Bold and/or green: commands, command options and keywords.
Italics: variable, input requirement for a valid parameter.
Passpoint Overview
Passpoint – also known as Hotspot 2.0 – is an industry-wide next generation approach to public internet access driven by the Wi-Fi Alliance that brings the following benefits:
Frictionless onboarding and roaming, thanks to a one-time registration followed by automatic access to interconnected hotspots
More secure and private Wi-Fi connections, compared with general visitor networks
Passpoint is based on the IEEE 802.11u standard, a set of protocols enabling cellular-like roaming. Following the initial enrollment, frequent users such as visitors, guests or employees bypass repeated logins, forms and passwords: their mobile devices automatically join the Wi-Fi subscriber service when they return to a venue or roam between inter-linked Passpoint-enabled hotspots and providers, while being better protected against potential cyber threats.
If a device supports 802.11u and is enrolled to a service, it automatically communicates with the Wi-Fi infrastructure via the access points to discover the network SSID and connects securely to it by presenting its access credentials. Upon successful authentication, the device is provisioned with Passpoint standards-based management objects - known as Per-Provider Subscription Management Objects (PPS-MO).
GlobalReach - an ASSA ABLOY company - has been involved with Passpoint since its inception and even contributed to the creation and initial pilot testing of the standard. As a result, it is one of the few trusted worldwide experts on this topic, with a proven platform backed by real-world operational experiences at scale.
The best user experience is to offer Passpoint through a customer/brand mobile app integration, as it further simplifies the onboarding process, while incentivizing app downloads and customer loyalty, leading to further engagement and monetization opportunities. To this effect, Trusted WiFi offers a Software Development Kit (SDK) for easy app integration.

End-to-End Service Components
Implementing an end-to-end Trusted WiFi Passpoint service requires a combination of the following software and hardware components:
Trusted WiFi Passpoint:
The core services are offered and managed centrally via the Trusted WiFi Cloud Passpoint Module (hosted and operated by GlobalReach).
Each site requires a Nomadix Internet Gateway acting as a local edge connector. At the time of writing, the supported models include the EG 1000, EG 3000/L and EG 6000.
Following an initial setup performed by the GlobalReach Operations team, Managed Service Providers (MSPs) can then add sites to customer realms and monitor the solution.
Customer Realm: the service requires connectivity to a realm including domain, security certificate and private key, as well as the database holding the users’ Personally Identifiable Information (PII). It is the responsibility of the Identity Provider – typically the customer/brand – to make this part available.
Mobile App: the best user experience is to offer Passpoint through a customer/brand mobile app integration. Trusted WiFi offers a Software Development Kit (SDK) for easy implementation. It is the responsibility of the app owner – typically the customer/brand – to perform the integration.
Local Networks: the local networks must be compliant with Passpoint (Hotspot 2.0). Most recent Wi-Fi access points and controllers from major vendors support Passpoint today; however, older models or products from more exotic manufacturers might not. The configuration of the local infrastructure is typically handled by the Managed Service Providers (MSPs).
User Devices: the subscribers’ mobile devices (belonging to visitors, guests, employees, etc.) must be compliant with Passpoint (Hotspot 2.0). All recent iOS and Android-based smartphones or tablets support Passpoint today; however, older models or products running less popular operating systems might not. Laptop compatibility is also more erratic. It is therefore essential to maintain a traditional onboarding service in parallel with Passpoint to handle non-compatible devices.
High-Level Topology
The diagram below illustrates the high-level topology for the end-to-end Trusted WiFi Passpoint service:

Glossary
The following is a glossary of the most common terms used regarding this solution.
| Term | Abbreviation | Description |
|---|---|---|
| Deployment | - | Enabling of a Trusted WiFi product module for a property via the Trusted WiFi interface. |
| Module | - | Product or service purchased from Trusted WiFi that is managed through its own sub-section via the Trusted WiFi interface. |
| License | - | Legal agreement that grants users the right to use specific software, outlining terms and conditions for its usage, distribution, and potential modifications, while protecting the intellectual property of the software developer. GlobalReach licenses comprise two different types: Trusted WiFi is sold as a combination of one-off licenses to activate the service and recurring licenses based on a price per Wi-Fi access point per month. |
| Managed Service Provider | MSP | The third-party company that remotely manages and monitors a client's IT infrastructure and end-user systems, offering services like network and infrastructure management, security, and 24/7 technical support. |
| Organization | Org | A company account in Trusted WiFi. |
| Operator | - | An organization type account in Trusted WiFi that is used by MSPs to manage a property’s Wi-Fi network. |
| Customer | - | An organization type account in Trusted WiFi typically used for customers/brands that allows grouping to view all properties belonging to the same company even if managed by several different MSPs. |
| Linked Organization | Linked Org | A link creating a relationship between an operator and a customer account, allowing a customer to view a property while allowing an operator to manage it. |
| User | - | An individual accessing a product, service or system. |
| Property | - | Trusted WiFi concept representing an individual site or location where products are deployed. |
| Linked Property | - | Site or location shared between operator and customer accounts. |
| Passpoint Software Development Kit | Passpoint SDK | The service that sits within the customer’s mobile app and that is connected to the Trusted WiFi RADIUS infrastructure, allowing Passpoint profiles to be created for a given Passpoint realm. |
| Passpoint Realm | - | The customer-specific domain that is used to provision Passpoint profiles that are approved for connection to any associated network. |
| Passpoint Profile | - | The security-certified profile that sits on a subscriber’s device. If installed correctly it allows seamless authentication to the secure Passpoint SSID. |
| Secure Passpoint Service Set Identifier | Secure Passpoint SSID | The Wi-Fi network associated to the Passpoint realm, configured to allow subscriber devices with a valid Passpoint profile to seamlessly connect to the Passpoint network at a property. |
| Subscriber | - | An individual person using a service. |
| Subscriber Device | - | The equipment – typically a smartphone, tablet or computer – the subscriber is using to connect to the service. |
| Collision-Resistant Unique Identifier | CUID | A unique identifier designed to be collision-resistant – meaning engineered to minimize the likelihood of generating duplicate IDs even in distributed systems – and more efficient in terms of space and database indexing performance due to its sequential nature. In the context of Passpoint, a CUID is delivered to a subscriber device when it requests a Passpoint profile. |
| Customer Loyalty Mobile Application | Mobile App | The iOS and/or Android digital application used by businesses to engage and reward their customers through loyalty programs. In the context of Passpoint, the best user experience is to offer Passpoint through a customer/brand mobile app integration using the Trusted WiFi SDK. |
EXTREMECLOUD IQ CONFIGURATION
Supported Versions
This document is based on ExtremeCloud IQ firmware 25.4.3-40.
Prerequisites
It is assumed the following prerequisites are met before configuring ExtremeCloud IQ for a Trusted WiFi Passpoint service:
A supported ExtremeCloud IQ platform, activated and licensed.
A Trusted WiFi account with operator permissions.
A core Trusted WiFi Passpoint service configured and tested.
A property in Trusted WiFi with deployed Passpoint modules.
A deployed and configured Wi-Fi network.
Note
This document focuses on a specific part of the ExtremeCloud IQ configuration only.
Please refer to the Passpoint Administration Guide for instructions on how to configure the end-to-end Passpoint service.
Please refer to the original Extreme documentation for complete instructions on ExtremeCloud IQ configuration.
Warning
All properties must share the same NAI realm, RADIUS IP / port settings and SSID name for the Passpoint service (CustomerPasspoint).
Each property requires a separate RADIUS secret and NAS identifier, both generated when a configuration is activated within the Trusted WiFi management platform.
Core Passpoint Settings
Log into Trusted WiFi, then click on the Properties icon in the left menu to view the properties list.
Select or search for the property you wish to work on. This will open its deployments page:

Click on the Passpoint tile and then click on the Configuration option in the left menu to display the Passpoint settings summary as per the example below:

Take note of the details for your respective installation as they will be required at a later step.
ExtremeCloud IQ Configuration
RADIUS Profile
Log into the ExtremeCloud IQ dashboard with your credentials to display the page below:

On the left-hand side menu items, click on Configure > Network Policies. The following screen will appear:

Click the Add Network Policy button and the following page will appear:

On the Policy Details tab, fill-in the screen as follows:
Under What type of policy are you creating?, check the Wireless checkbox and uncheck the others.
Under Please name your policy, provide a Policy Name and an optional Description.
Click Save, then click Next.
The Wireless tab will appear. Under the Wireless Network, click the + as shown below:

The following page will appear:

Complete the fields, as per the description below:
| Field | Description |
|---|---|
| Wireless Network: Name (SSID) | Enter an internal SSID name. |
| Wireless Network: Broadcast Name | Enter the SSID you want your users to see. |
| SSID Usage: SSID Authentication | Select Enterprise. |
| SSID Usage: Key Management | Select WPA2-802.1X. |
| SSID Usage: Encryption Method | Select CCMP (AES). |
| SSID Usage: Enable Captive Web Portal | Leave disabled. |

Once the above is completed, scroll down to the Authentication Settings section.
Under the Authenticate via RADIUS Server, click + to add a RADIUS server group as shown below:


Enter a RADIUS Server Group Name and an optional RADIUS Server Group Description.
Select the Settings icon next to the description field box as shown below.

The Select RADIUS Settings dialog box appears:

Change the Accounting interim update interval to 300 (seconds).
Click Save RADIUS Settings on the bottom right.
Return to the Configure RADIUS Servers dialog box.
Click + under External RADIUS Server to add a RADIUS Server to the server group.
The following screen will appear:

Enter a name, e.g. Primaryradius.
Click + next to IP/Host Name.

Select IP Address. The New IP Address or Host Name dialog box appears:

Enter the Name, such as “Primary”.
Enter the <Primary RADIUS IP> from Trusted WiFi in the IP Address field.
Click SAVE IP OBJECT on the bottom right.
Return to the New External RADIUS Server section. You see the name of the object you created in the IP/Host Name field as shown below:

Enter the <RADIUS Authentication Port> from Trusted WiFi, together with the RADIUS secret generated for this property in the Trusted WiFi management platform (see the Warning under Prerequisites: the secret is unique per property).

Click Save External RADIUS on the bottom right.
Return to the Configure RADIUS Servers page where you see the server you added.
Click + under External RADIUS Server to add a RADIUS Server to the server group.
Repeat the above process for the Secondary RADIUS Server IP.
Check the box next to the server you added. This indicates you want to add it to the server group.

Return to the Authenticate via RADIUS Server section of the Wireless Networks page. You see the RADIUS server group and server you created.

Click Save on the bottom right to save your network policy configuration.
Return to the Wireless Networks page where you see the SSID you created:

The network policy configuration is complete.
Passpoint (Hotspot 2.0)
Use the supplemental CLI option to configure Hotspot 2.0. When you enable supplemental CLI, you enter the commands into the GUI. For that reason, we recommend composing the commands in a text file beforehand, so you have them ready when enabling the supplemental CLI.
Compose Your CLI
Create a text file with the commands that link your network policy to Hotspot 2.0.
Create a hotspot profile with the name “DemoPasspoint-profile”, an ANQP domain ID and a network type. The anqp-domain-id default is 0, which means that the ANQP information is unique to this access point. A network type of 1 indicates a private network.
hotspot profile DemoPasspoint-profile
hotspot profile DemoPasspoint-profile anqp-domain-id 0
hotspot profile DemoPasspoint-profile network-type 1 access-internet
Configure the operator name “OperatorPasspoint” and the language (English).
hotspot profile DemoPasspoint-profile operator-name OperatorPasspoint language-code eng
Configure the hotspot to support IPv4 with a single NAT private IPv4 address by configuring ip-type ipv4 3 ipv6 0, indicating that IPv6 is not available.
hotspot profile DemoPasspoint-profile ip-type ipv4 3 ipv6 0
Configure the domain name as set in your DemoPasspoint configuration page, for example “<customer.cloud.global>”.
hotspot profile DemoPasspoint-profile domain-name customer.cloud.global
Create the NAI realm “customer.cloud.global” by specifying these parameters:
Encoding type: 0 (the default)
EAP method: 21 for EAP-TTLS
Inner authentication: 4 for MS-CHAPv2
hotspot profile DemoPasspoint-profile nai-realm customer.cloud.global encoding-type 0
hotspot profile DemoPasspoint-profile nai-realm customer.cloud.global eap-method 21 inner-auth 4
Configure the AAA attribute NAS-Identifier with the value from your Trusted WiFi settings (2045454b in this example; each property has its own).
aaa attribute NAS-Identifier 2045454b
Configure the WAN metrics.
hotspot profile DemoPasspoint-profile wan-metrics link-up symmetric link-speed 10000
hotspot profile DemoPasspoint-profile wan-metrics link-down symmetric link-speed 10000
Apply the DemoPasspoint hotspot profile to the DemoPasspoint SSID.
ssid DemoPasspoint hotspot-profile DemoPasspoint-profile
Save the configuration.
save configuration
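The command set above, assembled by a small generator that also enforces the rules from the Warning under Prerequisites (one NAI realm and SSID across properties, a distinct NAS-Identifier per property) before anything is pasted into Supplemental CLI. This is an added example, not code from the guide, GlobalReach or Extreme: the Site class, validate, render_cli and check_fleet are assumed names, and the CLI syntax is reproduced as the guide lists it.

```python
import re
from dataclasses import dataclass
EAP_TTLS = 21             # EAP method 21 = EAP-TTLS, as in the guide
INNER_AUTH_MSCHAPV2 = 4   # inner authentication 4 = MS-CHAPv2
NETWORK_TYPE_PRIVATE = 1  # network type 1 = private network
_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")  # one CLI token, no whitespace

@dataclass
class Site:                  # assumed structure holding one property's values
    ssid: str                # internal SSID name from the network policy
    profile: str             # hotspot profile name
    operator: str            # operator name advertised via ANQP
    realm: str               # NAI realm / domain name, e.g. customer.cloud.global
    nas_id: str              # per-property NAS-Identifier from Trusted WiFi
    anqp_domain_id: int = 0  # 0 = ANQP information unique to this access point

def validate(site: Site) -> list[str]:
    """Return problems that would make the pasted CLI misapply; [] if clean."""
    problems = []
    for name in ("ssid", "profile", "operator", "realm", "nas_id"):
        if not _TOKEN.match(getattr(site, name)):
            problems.append(f"{name} is empty or would split into several CLI tokens")
    if not 0 <= site.anqp_domain_id <= 65535:
        problems.append("anqp-domain-id out of range")
    return problems

def render_cli(site: Site) -> str:
    """Build the supplemental CLI block in the order the guide lists it."""
    if problems := validate(site):
        raise ValueError("; ".join(problems))
    p = f"hotspot profile {site.profile}"
    return "\n".join([
        p,
        f"{p} anqp-domain-id {site.anqp_domain_id}",
        f"{p} network-type {NETWORK_TYPE_PRIVATE} access-internet",
        f"{p} operator-name {site.operator} language-code eng",
        f"{p} ip-type ipv4 3 ipv6 0",
        f"{p} domain-name {site.realm}",
        f"{p} nai-realm {site.realm} encoding-type 0",
        f"{p} nai-realm {site.realm} eap-method {EAP_TTLS} inner-auth {INNER_AUTH_MSCHAPV2}",
        f"aaa attribute NAS-Identifier {site.nas_id}",
        f"{p} wan-metrics link-up symmetric link-speed 10000",
        f"{p} wan-metrics link-down symmetric link-speed 10000",
        f"ssid {site.ssid} hotspot-profile {site.profile}",
        "save configuration",
    ]) + "\n"

def check_fleet(sites: list[Site]) -> list[str]:
    """Cross-property rules from the guide: same realm and SSID everywhere, distinct NAS-Identifier per property."""
    rules = [
        (len({s.realm for s in sites}) > 1, "properties use different NAI realms"),
        (len({s.ssid for s in sites}) > 1, "properties use different SSID names"),
        (len({s.nas_id for s in sites}) != len(sites), "NAS-Identifier reused across properties"),
    ]
    return [msg for failed, msg in rules if failed]
```

Write the string returned by render_cli to the text file you paste into the CLI Commands box; run check_fleet over all properties before activating them.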
Enable the supplemental CLI
Select Global Settings on the top right of the Dashboard under your user icon.

On the left side of the Dashboard, click VIQ Management under Administration.

The VIQ Management page appears.

Verify that Supplemental CLI is ON. If not, enable it.
Add the Hotspot 2.0 configuration to the network policy
On the left-hand side menu items, click on Configure > Network Policies.
The Network Policies page will appear:

Click the name of the SSID you created in the above steps.
Click Next to move to the Wireless Networks tab.
Under Policy Settings in the menu bar on the left, click Supplemental CLI.

The Supplemental CLI page appears:
Verify that Supplemental CLI is ON. If not, enable it.
Enter a Name, such as “Hotspot”.
Paste the CLI commands in your text file into the CLI Commands box.

Click Save on the bottom right. A message appears on the top left indicating that the supplemental CLI was saved.
On the left-hand side, click Wireless Networks to go back to the tab:

Click Next on the bottom right hand side. The following tab will appear:

Click Eligible to display your access points:

Select your access points by checking the box next to them in the Status column.
Click Upload on the bottom right. The Device Update dialog box appears:

Under Update Network Policy and Configuration, select Complete Configuration Update. (Delta Configuration Update is the default; you want a complete update.)
Click Perform Update on the bottom right of the dialog box to save your configuration.
The access points are rebooted (this can take a few minutes). You see a message on the upper left indicating that the devices are successfully deployed.
The configuration is now completed, and you can now proceed with the testing.