WHITE PAPERWi-Fi CERTIFIEDPasspoint High Performance Wireless Networks

Wi-Fi CERTIFIED Passpoint Background – Market DriversWi-Fi CERTIFIED PasspointTMThe proliferation of smartphones and tablets hascreated a skyrocketing demand for data-hungrymobile applications. Users expect a homecomputer-like experience from their mobiledevices as well as the ease of cellular servicesin accessing the network. Creating a homecomputer-like experience for mobile servicesrequires a high speed network with significantresources available per user. Converting cellularnetworks to LTE increases the available speedof the network and deploying small cells makesmore network resources available per user.However user demand still far outstrips networkcapabilities. Carriers must find ways to addnetwork capacity and do so at lower costs.These issues have blocked full use of Wi-Fi and have made itsuse as an adjunct to cellular less than appealing. Functionalitymust be added to allow automated network discovery,selection and authentication along with guaranteed security.In addition, it is necessary for Wi-Fi to operate seamlessly withthe licensed services and support roaming. To address all ofthese issues, the Wi-Fi Alliance (WFA) has developed their Wi-FiCERTIFIED PasspointTM program. This initiative establishes acommon protocol for all equipment so that accessing Wi-Fibecomes as easy and secure as cellular networks. The WFAmembership is made up of industry manufacturers, broadbandoperators and cellular carriers making Passpoint an acceptedstandard globally.Passpoint requires upgrades to both mobile devices and Wi-Fiinfrastructure. At present carriers employ numerous proprietarymethods to connect Wi-Fi devices to their networks. Passpointprovides a common way for all devices to securely discover,authenticate and roam among participating networks.Features available in the current Passpoint Release 1:For these reasons, most global carriers have accepted Wi-Fias the additional radio resource of choice. With three nonoverlapping 20MHz channels at 2.4GHz and twenty one (twentyfour internationally) at 5GHz, Wi-Fi more than doubles theavailable bandwidth of all licensed cellular services. And sincevirtually all smartphones and tablets support Wi-Fi, it is verymuch in the interest of every carrier to ensure a high quality andeasily accessible Wi-Fi experience for their subscribers.Although the Wi-Fi bandwidth is available, it is currently not easyor very secure to access it from most public hotspots. Users mustfirst check the list of available SSIDs shown on their device andmanually select one that is either relevant to the venue (stadium,concert hall, etc.) or represents a service they subscribe to.Having selected the network, users are required to open abrowser where they are directed to a web portal for that service.If they do not have a user ID and password for that service,they are prompted to enter a personal profile and credit cardinformation. And all of this may be for a five minute session tocheck e-mail. On top of this, many public hotspots are “open”having little or no security. This makes personal information suchas passwords, financial information, personal web pages ande-mail available for theft from threats such as evil twin attacks,session hi-jacking, side-jacking and eavesdropping.Cellular: Turn on phoneand make callHotspot: Turn on Wi-Fi and ctionManagerAssociatewithSSID?2. Automatic network access: Devices are authenticatedautomatically, using Extensible Authentication Protocols (EAP)based on a Subscriber Identity Module (SIM), a username andpassword, or certificate credentials. This eliminates the need tolog on through a browser-based portal.3. Secure authentication and connectivity: All connections aresecured with WPA2 -Enterprise, which provides a level ofsecurity comparable to that of cellular networks.Features to be implemented in 2013:1. Immediate account provisioning: Streamlined process toestablish a new user account at the point of access, drivinga common provisioning methodology across vendors.2. Operaor policy: Mechanisms to support operator-specificsubscriber policies, including network selection policy.PasspointTM ElementsEnhanced Beacon & Probe ResponseScanforSSIDsUsers take too many steps to associate to the Wi-Fi networkXIRRUS1. Wi-Fi network discovery and selection: Devices identifyPasspoint-certified networks and associate in thebackground, without any active intervention from thesubscriber.Current Wi-Fi systems announce their presence periodicallyby sending out a beacon frame. This frame includes basicinformation such as the beacon interval, network SSID,supported data rates and security protocols. Wi-Fi devices canalso send out a probe request rather than wait for the beacon.The probe request response from the network then provides thebeacon information to the device.WI-FI CERTIFIED PASSPOINT TM WHITE PAPER // 2

Passpoint adds a number of elements to the beacon and proberesponse:1. Network type: Identifying whether hotspot is for public,private or guest access2. Internet bit: Indicates if the network can be used for Internetaccess – a network may be for internal services only andblock internet access3. Advertisement protocol: Indicates whether the hotspot isPasspoint-certified4. Roaming consortium element: A list of up to 3 names ofreachable service providers5. Venue information6. Homogenous ESSID: A label identifying hotspots in acontinuous zone – this distinguishes APs in a particularnetwork that may have overlapping coverage fromother networks7. BSS load element: An indication of current load on theaccess pointGAS/ANQPOnce the mobile device has made the preliminary determinationthat it wants to connect to given Passpoint-certified hotspot, itcan then send out a request for more information before makingthe final decision. This is a new protocol Passpoint has addedcalled GAS/ANQP (Generic Advertising Service/Access NetworkQuery Protocol).The mobile device sends out a GAS query and the hotspotresponds with a GAS response. The GAS response is in theform of the Access Network Query Protocol that includes a widerange of information including but not limited to:1. Venue Name – the user may want to connect to a particularnetwork associated with a particular location such as astadium or hotel in order to receive special services2. Network Authentication Type3. Roaming Consortium List – Whereas the beacon and proberesponses include up to 3 supported roaming partners, theGAS response can provide a complete list4. IP Address Type Availability – Ipv4 or Ipv6 or NetworkAddress Translated for a private LAN5. NAI Realm list – a list of potential service providers that canauthorize by the user’s Network Address Identifier6. 3GPP Cellular Network information – subscriptionauthorized cellular service provider partners7. Domain Name list – a list of potential service providers thatcan authorize by domain name8. Hotspot Operator Friendly Name – permits a choice ofauthorized networksXIRRUS9. Operating Class – list of channels the hotspot can operateon. It can also encourage devices that discovered thenetwork at 2.4 GHz to move to 5 GHz10. Hotspot WAN Metrics – indicates whether or not thehotspot is running near capacityAuthenticationPasspoint requires WPA2TM-Enterprise security which specifiesEAP (Extensible Authorization Protocol) authentication methods.Passpoint supports four of these.1. EAP-SIM: Credentials from the SIM card on a GSM cellulardevice. Authentication is via the service provider’s AAA server.2. EAP-AKA: Same as EAP-SIM but uses the USIM card inUMTS devices.3. EAP-TLS: Uses X.509 certificates for mutual authentication.No user ID or password is required.4. EAP-TTLS: Uses an X.509 certificate on the server, butrequires client authentication using a user ID/password.Devices issued by cellular service providers would generally beexpected to use EAP-SIM and EAP-AKA although such networksmust also support the other two methods.SecurityThe Advanced Encryption Standard (AES) encryption is usedover the wireless interface between the mobile device and theaccess point. AES is one of the most advanced standards-basedencryption algorithms available in the industry. The strongencryption used between a mobile device and Passpointcertified access point makes it extremely difficult for an attackerto eavesdrop. AES, along with Passpoint’s requirement thatproxy Address Resolution Protocol (ARP) be enabled at theaccess point, prevents ARP spoofing attacks whether thehotspot is private, enterprise or public. In addition, Passpointrequires that hotspot operators deploy a firewall function toprotect each device from all others connected to the network.RoamingPasspoint enables service providers to offer seamless roamingfrom one Wi-Fi network to another. To enable roaming, serviceoperators have to first establish mutual roaming agreementsthat cover credential validation and billing and which utilize acommon protocol for network selection and user authentication.This functionality will be available in Passpoint Release 2. TheWFA is working with the WBA (Wireless Broadband Alliance) indefining and establishing these roaming agreements.WI-FI CERTIFIED PASSPOINT TM WHITE PAPER // 3

For roaming authentication, the local network’s AAA server actsas a proxy server that connects to the device’s home serviceprovider AAA through an IPsec tunnel. Once the device’scredentials are verified, an acknowledgement is sent back to thedevice and the network connection is spointCertified Wi-Fi Array7RADIUS ProxyRoamingHubsSPNetworksHRLs (Subscriber Info)The Figure indicates the steps for network discovery,authentication and connection with the Passpoint-certified XirrusWi-Fi Array.1. The Array beacon indicates Passpoint support.2. A Passpoint-certified device discovers the Array.3. The device sends a GAS query to the Array.4. The Array sends an ANQP response with a list of supportedservice providers along with the network condition.5. The connection manager in the device identifies the serviceproviders provided in the ANQP response and associateswith the appropriate SSID if the network condition is good.6. The device initiates EAP authentication.7. The user’s credentials are verified ether with the localnetwork or by proxy to the home service provider and theacknowledgement is sent.XIRRUSImpact on MobileNetwork OperatorsEstablishing roaming agreements has the great advantage ofproviding broad coverage for a service provider’s subscriberswithout the cost of additional infrastructure. With Passpointfully implemented and deployed, Wi-Fi service providers canbecome additional roaming partners. The advantage for acellular operator to own Wi-Fi infrastructure is that, as anotherradio service connected to the network core, all of the cellularservices can be offered seamlessly on both networks. This alsogives the cellular operator control over the quality of service andpermits the collection of roaming revenues.Whereas licensed services are a “spectrum grab,” owning Wi-Fiis a “land grab.” That is, the cost of owning licensed servicesis the auction for spectrum whereas, as an unlicensed service,owning Wi-Fi is the cost of securing access to real estate. Anytime a carrier has gained access to a venue for the purpose ofdeploying cellular infrastructure, adding support for seamlessWi-Fi services becomes an incremental cost that improves thesubscriber experience and adds roaming revenues. Because ofthis, every new cellular network deployment or upgrade mustinclude a Wi-Fi component whenever possible. This can takethe form of a macro site with imbedded Wi-Fi hotspots, smallcell deployments or multiservice DAS deployments. Passpointcompliance makes all of these architectures work togethersmoothly even when there is a mix of component manufacturers.With network selection and device authentication handled inthe background, the user experience is of a single, efficient andubiquitous network.The Xirrus Wi-Fi ArrayAdvantagePasspoint ensures that Wi-Fi becomes a necessary radioresource for cellular service providers. What remains is to ensurethat the Wi-Fi deployed, whether as a private network or as theWi-Fi component of a cellular system, is as robust as cellularservice. Where there is a high density of users, traditional Wi-Fisystems are overwhelmed and provide only a small fraction ofthe expected throughput. Legacy “thin AP” architectures quicklyresult in diminishing returns as capacity demands rise. The highcost of material and installation for more and more access pointseach requiring a backhaul cable, is aggravated by the availabilityof space along with the increase in co-channel interference. Theresult is higher costs and more disruption of the venue but withlittle improvement in throughput.WI-FI CERTIFIED PASSPOINT TM WHITE PAPER // 4

Wireless ArrayEthernetSwitch1 Multiple Radios (2 to 16 per Array)2 Directional AntennasIn addition, the Xirrus solution pushes the controller to theedge of the network by collocating it within the Array itself.This removes latencies resulting in a greatly reduced time toexecute all network functions including Passpoint networkdiscovery and authentication since the ANQP server function isresident on the Array. This also results in a distributed controllerfunction in a multi Array deployment which greatly increasesoverall system reliability.With unprecedented performance, low total cost of ownership,simple system upgradeability and optimized Passpoint support,the Xirrus Wi-Fi Array realizes the full potential of Wi-Fi for bothprivate networks and wireless service providers.3 Integrated Controller4 Modular Chassis-based DesignXirrus Wireless Array ArchitectureThe Xirrus Passpoint-certified Wi-Fi Array delivers the neededperformance but with a fraction of the number of devices.The patented Array architecture permits a high density ofnon-interfering radios aggregated in a single device. Cellularnetworks evolved to this architecture long ago when it wasrealized that sectoring existing base station sites added capacitywithout having to add real estate. And since the radios in theArray are modular, additional capacity and radios supportingnew technologies such as 802.11ac can be added in the fieldwithout the need to deploy any new Arrays or cables. Thisprotects the initial investment and minimizes disruption to thevenue in the future.SummaryPasspoint-certified networks and devices provide automatednetwork discovery, acquisition and authentication along withthe high level of security. This removes the barriers for cellularservice providers to greatly increase network resources thusensuring a high quality of service for their subscribers. And withthe addition of Passpoint-supported roaming, cellular serviceproviders can realize new revenue streams while providingtheir subscribers the experience of a high performance, globalcommunications system.About XirrusXirrus is the leader in high performance wireless networking. The enterprise-grade Xirrus Wi-Fi Array enables wireless connectivityfor small businesses to the Fortune 500. Headquartered in Thousand Oaks, CA, Xirrus is a privately held company that designs andmanufactures its family of wireless products.High Performance Wireless Networks1.800.947.7871 Toll Free in the US 1.805.262.1600 Sales 1.805.262.1601 Fax2101 Corporate Center DriveThousand Oaks, CA 91320, USA 2012 Xirrus, Inc. All Rights Reserved. The Xirrus logo is a registered trademark of Xirrus, Inc.All other trademarks are the property of their respective owners. Content subject to change without notice.To learn more oremail [email protected] CERTIFIED PASSPOINT TM WHITE PAPER // 5

access point. AES is one of the most advanced standards-based encryption algorithms available in the industry. The strong encryption used between a mobile device and Passpoint- certified access point makes it extremely difficult for an attacker to eavesdrop. AES,