Cisco 5508 Wireless Controller Technical References
Cisco WLAN Passpoint Configuration Guide
Overview
One of the other benefits of Passpoint is hardened security against rogue APs. During the network
discovery process, the legitimacy of the service provider's AP is established, which prevents phone client
devices from attaching to rogue APs. The information exchanged during the Passpoint-specific validation
process prevents inadvertent connection to rogue devices such as ad-hoc networks and other malicious APs
broadcasting falsely labeled SSIDs. Passpoint also introduces several other techniques and methods that
make WPA2-Enterprise security even stronger. GTK randomization is one such technique, introduced to
mitigate the WPA2 "hole 196" vulnerability and to encourage wider use of peer-to-peer (P2P) blocking at
public Wi-Fi hotspots.
The configuration described in this document lists, in sequence, the steps necessary to demonstrate and
test the functionality. In this demonstration, a single SSID and then multiple SSIDs will be configured
with the necessary Passpoint information through the WLAN configuration of the Wireless LAN
Controller (WLC). This additional Passpoint information is added to the beacon and probe response
frames so that a Passpoint-enabled phone client device can detect the AP and query it for further
information. The query process follows a standard protocol called ANQP (Access Network Query
Protocol). ANQP defines the standard 2-way or 4-way handshake through which the client obtains enough
information from the AP and the ANQP server to determine the best AP it can authenticate and associate
with. This handshake process is carried by the GAS (Generic Advertisement Service) protocol, which is
defined in the IEEE 802.11u standard.
Figure 1: Basic Passpoint behavior
Throughout the query process, the phone client device gathers information beyond the SSID alone, such
as the name of the actual venue, the name of the actual hotspot operator, and the realm name, which can be
used as the key element for identifying the device's authentication eligibility. Many other parameters and
pieces of information can be used as criteria for initiating an automatic connection from the phone client
device. In this document, we will go through the different use cases and their configuration in detail.
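The two passages above describe the GAS/ANQP query exchange and the data (venue name, operator domain, NAI realm, roaming consortium) the client uses to decide which AP it is eligible to join. The following model of that exchange is an added example written for this guide; it is not Cisco code and not part of the original document. The ANQP Info ID values and the Info ID / Length / payload element framing are those of IEEE 802.11u, but the element payloads are simplified to plain strings (real Venue Name and NAI Realm elements carry language codes, encodings and EAP method lists), and every AP, BSSID, realm and roaming consortium OI below is constructed for the demonstration.

```python
"""Added example (not Cisco code): a message-level model of the GAS/ANQP
exchange a Passpoint client runs before it decides which AP to join.
ANQP Info IDs and element framing follow IEEE 802.11u; element payloads
are simplified to plain strings, and all APs and credentials are constructed."""
import struct
from dataclasses import dataclass, field

# Real ANQP Info IDs (IEEE 802.11u).
ANQP_QUERY_LIST = 256
ANQP_VENUE_NAME = 258
ANQP_ROAMING_CONSORTIUM = 261
ANQP_NAI_REALM = 263
ANQP_DOMAIN_NAME = 268


def encode_anqp_element(info_id: int, payload: bytes) -> bytes:
    """ANQP element framing: Info ID (2 octets LE), Length (2 octets LE), payload."""
    return struct.pack("<HH", info_id, len(payload)) + payload


def decode_anqp_elements(data: bytes) -> dict:
    """Parse concatenated ANQP elements into {info_id: payload}; reject truncation."""
    elements, pos = {}, 0
    while pos + 4 <= len(data):
        info_id, length = struct.unpack_from("<HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError("truncated ANQP element %d" % info_id)
        elements[info_id] = data[pos:pos + length]
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last ANQP element")
    return elements


def gas_initial_request(info_ids) -> bytes:
    """GAS Initial Request body: an ANQP Query List naming the Info IDs wanted."""
    return encode_anqp_element(ANQP_QUERY_LIST, struct.pack("<%dH" % len(info_ids), *info_ids))


@dataclass
class PasspointAP:
    """Constructed AP: what its beacon advertises plus the ANQP data it would serve."""
    ssid: str
    bssid: str
    interworking: bool            # 802.11u Interworking element present in beacon
    venue: str = ""
    operator: str = ""
    realms: list = field(default_factory=list)   # NAI realms (simplified: strings)
    ois: list = field(default_factory=list)      # roaming consortium OIs (hex strings)

    def gas_initial_response(self, request: bytes) -> bytes:
        """Answer only the Info IDs listed in the client's query list."""
        query = decode_anqp_elements(request)[ANQP_QUERY_LIST]
        answers = {
            ANQP_VENUE_NAME: self.venue,
            ANQP_DOMAIN_NAME: self.operator,
            ANQP_NAI_REALM: ";".join(self.realms),
            ANQP_ROAMING_CONSORTIUM: ";".join(self.ois),
        }
        body = b""
        for (info_id,) in struct.iter_unpack("<H", query):
            if info_id in answers:
                body += encode_anqp_element(info_id, answers[info_id].encode())
        return body


def select_ap(aps, credential_realm: str, home_ois=()) -> dict:
    """Run discovery against every beacon; return a verdict per (ssid, bssid)."""
    verdicts = {}
    wanted = [ANQP_VENUE_NAME, ANQP_DOMAIN_NAME, ANQP_NAI_REALM, ANQP_ROAMING_CONSORTIUM]
    for ap in aps:
        key = (ap.ssid, ap.bssid)
        if not ap.interworking:
            # No Interworking element: nothing to validate, so no auto-connect.
            verdicts[key] = "skipped: no Passpoint information in beacon"
            continue
        resp = decode_anqp_elements(ap.gas_initial_response(gas_initial_request(wanted)))
        realms = resp.get(ANQP_NAI_REALM, b"").decode().split(";")
        ois = resp.get(ANQP_ROAMING_CONSORTIUM, b"").decode().split(";")
        if credential_realm in realms or any(oi in ois for oi in home_ois):
            verdicts[key] = "eligible: venue=%s operator=%s" % (
                resp[ANQP_VENUE_NAME].decode(), resp[ANQP_DOMAIN_NAME].decode())
        else:
            verdicts[key] = "not eligible: credential realm not advertised"
    return verdicts


# Constructed scan results: one legitimate Passpoint AP, one AP copying its
# SSID without any Passpoint data, and a Passpoint AP for another operator.
SCAN = [
    PasspointAP("Passpoint-Demo", "00:11:22:33:44:01", True, "Demo Venue",
                "hotspot.example.net", ["example.com"], ["004096"]),
    PasspointAP("Passpoint-Demo", "de:ad:be:ef:00:01", False),
    PasspointAP("Other-Hotspot", "00:11:22:33:44:02", True, "Other Venue",
                "other.example", ["other.example"], ["506f9a"]),
]

if __name__ == "__main__":
    for key, verdict in select_ap(SCAN, "example.com").items():
        print(key, verdict)
```

Running the block shows the client joining only the AP whose advertised NAI realm (or roaming consortium OI) matches its credential, while the AP that merely copies the SSID is never considered. Two design points worth keeping in mind when configuring the WLC: the GAS/ANQP frames are exchanged before association and are not themselves authenticated, so the realm match is a selection criterion, and the cryptographic assurance that the AP really belongs to the operator comes from the client validating the EAP server certificate in the WPA2-Enterprise authentication that follows; and the parser rejects truncated or oversized elements rather than reading past the buffer, which is the check any real ANQP implementation on the client or controller needs.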