Introduction to Hotspot 2.0
The Hotspot 2.0 feature enables IEEE 802.11 devices to interwork with external networks. The interworking service aids network discovery and selection, enabling information transfer from external networks. It provides information to the stations about the networks before association.
Interworking not only helps users within the home, enterprise, and public access domains, but also assists manufacturers and operators to provide common components and services for IEEE 802.11 customers. These services are configured on a per-WLAN basis on the Cisco Wireless Controller (controller).
Hotspot 2.0, also known as HS2 and Wi-Fi Certified Passpoint, is based on the IEEE 802.11u and Wi-Fi Alliance Hotspot 2.0 standards. It seeks to provide better bandwidth and services-on-demand to end users. The Hotspot 2.0 feature allows mobile devices to join a Wi-Fi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.
The Hotspot 2.0 feature has four distinct parts:
- Hotspot 2.0 Beacon Advertisement: Allows a mobile device to discover Hotspot 2.0-compatible and 802.11u-compatible WLANs.
- Access Network Query Protocol (ANQP) Queries: Sends queries about the networks from IEEE 802.11 devices, such as network type (private or public), connectivity type (local network, internet connection, and so on), or the network providers supported by a given network.
- Online Sign-up: Allows a mobile device to obtain credentials to authenticate itself with the Hotspot 2.0 or WLAN.
- Authentication and Session Management: Provides authentication (802.1x) and management of the STA session (session expiration, extension, and so on).
To mark a WLAN as Hotspot 2.0-compatible, the 802.11u-mandated information element and the Hotspot 2.0 information element are added to the basic service set (BSS) beacon advertised by the corresponding AP, and to WLAN probe responses.
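The check below is an added example, not Cisco code: it walks the information elements of a beacon or probe response and reports whether both markers described above are present. The element IDs and bit layouts come from IEEE 802.11u and the Wi-Fi Alliance Hotspot 2.0 specification rather than from this page, and the sample element strings are constructed.

```python
# Added example: decide from raw beacon/probe-response elements whether a BSS
# advertises Hotspot 2.0. Sample frames below are constructed, not captured.
INTERWORKING_EID = 107                       # IEEE 802.11u Interworking element
VENDOR_EID = 221                             # vendor-specific element
HS20_INDICATION = bytes.fromhex("506f9a10")  # Wi-Fi Alliance OUI + HS2.0 Indication type
ACCESS_NETWORK_TYPES = {
    0: "private", 1: "private with guest access", 2: "chargeable public",
    3: "free public", 4: "personal device", 5: "emergency services only",
    14: "test", 15: "wildcard",
}

def iter_elements(blob):
    """Yield (element_id, body); reject truncated elements instead of over-reading."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError(f"dangling byte at offset {pos}")
        eid, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"element {eid} truncated at offset {pos}")
        yield eid, body
        pos += 2 + length

def hotspot2_summary(blob):
    """Return the Interworking and HS2.0 Indication fields found in the elements."""
    out = {"interworking": None, "hs20": None}
    for eid, body in iter_elements(blob):
        if eid == INTERWORKING_EID and len(body) >= 1:
            opts = body[0]                   # Access Network Options octet
            out["interworking"] = {
                "access_network_type": ACCESS_NETWORK_TYPES.get(opts & 0x0F, "reserved"),
                "internet": bool(opts & 0x10),
            }
        elif eid == VENDOR_EID and body[:4] == HS20_INDICATION and len(body) >= 5:
            cfg = body[4]                    # Hotspot Configuration octet
            out["hs20"] = {"release": (cfg >> 4) + 1, "dgaf_disabled": bool(cfg & 0x01)}
    out["hotspot2_compatible"] = None not in (out["interworking"], out["hs20"])
    return out

# Constructed samples: an SSID element alone, and the same BSS with both markers.
SSID = bytes([0, 5]) + b"Guest"
HS2_BEACON = SSID + bytes([107, 1, 0x12]) + bytes([221, 5]) + HS20_INDICATION + bytes([0x10])
LEGACY_BEACON = SSID

if __name__ == "__main__":
    print(hotspot2_summary(HS2_BEACON))
    print(hotspot2_summary(LEGACY_BEACON))
```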
Note: The Hotspot 2.0 feature supports only local mode or FlexConnect mode (central switching and central authentication). FlexConnect local switching is only supported when the Open Roaming configuration template is set up using the wireless hotspot anqp-server server-name type open-roaming command. If the configuration diverges from this template, FlexConnect local switching will not be supported.
The following figure shows a standard deployment of the Hotspot 2.0 network architecture:
Hotspot 2.0 Enhancements
From Cisco IOS XE Amsterdam 17.3.1, the Hotspot 2.0 feature has been enhanced with the following options:
- New ANQP elements:
  - Advice of charge: Provides information on the financial charges for using the SSID of the NAI realm
  - Operator icon metadata
  - Venue URL: Defines an optional URL for each of the configured venue names
- Introduction of Terms and Conditions: This requires a user to accept certain Terms and Conditions before being allowed internet access, after connecting to a Hotspot SSID.
- Integration of OSEN security and WPA2 security on the same SSID.
From Cisco IOS XE Amsterdam 17.3.1 onwards, two encryption methods are supported on a single SSID, namely WPA2 802.1x for Hotspot 2.0 and OSEN for online sign-up. Based on the type of encryption selected during client association, the client will be put on Hotspot 2.0 VLAN or online sign-up VLAN.
In WPA2 802.1x authentication, a client should match the credentials provisioned on a device. In online sign-up, a service provider WLAN is used by a client to perform online sign-up. For Hotspot 2.0 SSIDs, the RADIUS server enforces the terms and conditions before allowing internet connectivity to clients.
This release also supports OSEN-specific VLAN in a policy profile. If an OSEN VLAN is defined in a policy profile, OSEN clients are added to the VLAN. Otherwise, clients are added to the regular policy profile VLAN or to the default VLAN. If OSEN is enabled with WPA2 on an SSID, it is mandatory to define an OSEN VLAN in the policy profile. Otherwise, clients cannot join the VLAN.
In FlexConnect mode, if an OSEN VLAN is defined in a policy profile, the same VLAN needs to be added to the flex profile. Failing to do so excludes the clients from the VLAN.
Note: When Hotspot 2.0 is enabled in a WLAN, Wi-Fi Direct clients that support the cross-connect feature should not be allowed to associate to the Hotspot 2.0 WLAN. To make sure this policy is enforced, ensure that the following configuration is in place:
Restrictions
- Clients are excluded if an OSEN VLAN is not added to a flex profile.
- In FlexConnect mode, clients are excluded if an OSEN VLAN is not added in a flex profile.
- In FlexConnect deployments, the URL filter should reference an existing URL filter (configured using the urlfilter list urlfilter-name command). Otherwise, a client is added to the excluded list, after authentication.
- Only central authentication is supported.
- Fragmented ANQP replies are not synchronized to the standby controller in high-availability mode. Therefore, clients have to re-issue a query if there is a switchover.
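The OSEN/WPA2 VLAN placement rules and the FlexConnect restrictions above can be checked before a change is pushed. The following is an added example, not Cisco code or CLI output: the dictionary keys (osen_vlan, vlans, url_filter, central_auth) are a hypothetical model of the WLAN, policy profile and flex profile, and the sample values are constructed.

```python
# Added example: pre-deployment check of the OSEN/WPA2 VLAN and FlexConnect rules.
# The dict layout is a hypothetical model, not controller configuration syntax.

def client_vlan(policy, encryption):
    """VLAN a client is placed in, based on the encryption chosen at association."""
    if encryption == "osen" and policy.get("osen_vlan") is not None:
        return policy["osen_vlan"]            # online sign-up VLAN
    return policy.get("vlan", "default")      # regular policy profile VLAN, else default

def audit(wlan, policy, flex_profile=None, url_filter_lists=()):
    """Return findings that would leave clients unable to join or excluded.

    flex_profile is None for local mode; url_filter_lists holds the names of
    URL filter lists that actually exist on the controller.
    """
    findings = []
    osen_vlan = policy.get("osen_vlan")
    if wlan.get("osen") and wlan.get("wpa2_dot1x") and osen_vlan is None:
        findings.append("OSEN and WPA2 share the SSID but the policy profile has no OSEN VLAN")
    if not policy.get("central_auth", True):
        findings.append("only central authentication is supported")
    if flex_profile is not None:
        if osen_vlan is not None and osen_vlan not in flex_profile.get("vlans", []):
            findings.append(f"OSEN VLAN {osen_vlan} is missing from the flex profile")
        url_filter = policy.get("url_filter")
        if url_filter is not None and url_filter not in url_filter_lists:
            findings.append(f"URL filter '{url_filter}' does not reference an existing list")
    return findings

# Constructed sample configuration.
WLAN = {"osen": True, "wpa2_dot1x": True}
POLICY_NO_OSEN_VLAN = {"vlan": 10}
POLICY = {"vlan": 10, "osen_vlan": 20, "url_filter": "hs2-filter"}
FLEX_INCOMPLETE = {"vlans": [10]}
FLEX_COMPLETE = {"vlans": [10, 20]}

if __name__ == "__main__":
    for finding in audit(WLAN, POLICY, FLEX_INCOMPLETE, url_filter_lists=[]):
        print("FAIL:", finding)
```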