Wi-Fi CERTIFIED Passpoint (Release 1) Deployment


Wi-Fi Alliance Hotspot 2.0 Technical Task Group

Wi-Fi CERTIFIED Passpoint (Release 1) Deployment Guidelines

Version 1.0 - October 2012

WI-FI ALLIANCE PROPRIETARY – SUBJECT TO CHANGE WITHOUT NOTICE

The following document and the information contained herein regarding Wi-Fi Alliance programs and expected dates of launch is subject to revision or removal at any time without notice. THIS DOCUMENT IS PROVIDED ON AN "AS IS", "AS AVAILABLE" AND "WITH ALL FAULTS" BASIS. THE WI-FI ALLIANCE MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTEES AS TO THE USEFULNESS, QUALITY, SUITABILITY, TRUTH, ACCURACY OR COMPLETENESS OF THIS DOCUMENT AND THE INFORMATION CONTAINED IN THIS DOCUMENT.

© 2012 Wi-Fi Alliance. All Rights Reserved.

Table of Contents

1. Introduction
1.1 Terminology
1.2 Scope
1.3 Related Documents
1.4 Acronyms/Terms and Definitions
2. Minimum Reference Architectures
2.1 Deployment with Cellular Network Credentials
2.2 Deployment with Non-cellular Network Credentials
3. Network Discovery and Selection
3.1 SP Identification and Authentication Methods: ANQP Elements and Beacon Elements
3.1.1 3GPP Cellular Network Information ANQP Element
3.1.2 NAI Realm List ANQP Element
3.1.3 Roaming Consortium List ANQP and Beacon Frame Elements
3.2 Hotspot Identification: ANQP Elements
3.2.1 Domain Name List ANQP Element
3.2.2 Venue Name Information ANQP Element
3.2.3 Venue Info Field ANQP Element
3.2.4 Operator's Friendly Name Hotspot 2.0 ANQP Element
3.3 Network Characteristics: ANQP Elements
3.3.1 IP Address Type Availability Information ANQP Element
3.3.2 WAN Metrics Hotspot 2.0 ANQP Element
3.3.3 Connection Capability Hotspot 2.0 ANQP Element
3.3.4 Operating Class Indication Hotspot 2.0 ANQP Element
3.3.5 Network Authentication Type Information ANQP Element
3.4 Capability Query: ANQP Elements
3.4.1 HS Query List Hotspot 2.0 ANQP Element
3.4.2 HS Capability List Hotspot 2.0 ANQP Element
3.4.3 NAI Home Realm Query Hotspot 2.0 ANQP Element
3.5 Other Beacon Elements
3.5.1 HESSID Information Element
3.5.2 Access Network Type Field
3.5.3 Internet Available Field
3.5.4 BSS Load Information Element
4. Mobile Device Configuration and Operation
4.1 Mobile Device Operation in a Passpoint Hotspot and in a Legacy Hotspot
4.2 Mobile Device Operation in a Home SP Hotspot and in a Visited SP Hotspot
4.3 Hotspot 2.0 Indication Element
5. Security Features and Hotspot Network Security
5.1 WPA2-Enterprise Security
5.1.1 Mutual Authentication
5.1.2 Strong Encryption
5.2 L2 Traffic Inspection and Filtering
5.3 Deactivation of Broadcast/Multicast Functionality
5.4 AAA RADIUS Parameters Supported by Passpoint Certified APs
6. Legacy Interactions
7. Appendix: Hotspot Operator's Network Security
7.1.1 Physical Security
7.1.2 AP Management
7.1.3 Network Security beyond the AP
7.1.4 Backhaul Security for Hotspot Networks
7.1.5 AP Authentication
8. About the Wi-Fi Alliance

1. Introduction

This document provides guidelines and recommended best practices for deployment of features contained in the Wi-Fi CERTIFIED Passpoint certification program. The guidelines in this document are not mandatory for equipment certification; however, their use will contribute toward realizing maximum benefit from certified equipment.

1.1 Terminology

The Passpoint certification program is based on technology defined in the Wi-Fi Alliance Hotspot 2.0 Specification. Products that have passed certification testing according to the Hotspot 2.0 test plan may use the Passpoint name.

Throughout the paper, the term “mobile device” refers to any mobile device that has been certified under the Passpoint and the Wi-Fi Protected Access 2 (WPA2) - Enterprise certification programs, except when the term “legacy mobile device” is used.

1.2 Scope

This guide covers the deployment and operation of infrastructure and mobile devices that have successfully completed testing under the Wi-Fi CERTIFIED Passpoint program. Topics include reference architectures, security recommendations, configuration and provisioning recommendations for hotspot-access network equipment (including Access Network Query Protocol [ANQP] servers and mobile devices), and guidance for interoperability of certified equipment and legacy equipment in the same hotspot deployment.

1.3 Related Documents

Each entry lists the document, its date and its location:

[1] Wi-Fi CERTIFIED Passpoint: A Program from the Wi-Fi Alliance to Enable Seamless Wi-Fi Access in Hotspots. June. wi-fi-alliance%C2%AEenable-seamless
[2] Wi-Fi Alliance Hotspot 2.0 Specification. June. d-specifications
[3] IEEE 802.11-2007, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. June. 802.11-2007.pdf
[4] IEEE 802.11u-2011, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Amendment 9: Interworking with External Networks. February. 802.11u-2011.pdf
[5] Wi-Fi CERTIFIED WPA2 with Protected Management Frames. January 2012. https://www.wifi.org/certification/programs
[6] 3GPP TS 23.003 Numbering, Addressing and Identification. March 2012. http://www.3gpp.org/ftp/Specs/html-info/23003.htm
[7] IEEE P802.11-REVmb/D12, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. March. er 6074904
[8] International Code Council, Inc., “International Building Code 2006”. November. x?id 3000X06

1.4 Acronyms/Terms and Definitions

3GPP: The 3rd Generation Partnership Project
Access: A mobile device has access after it successfully associates and authenticates securely to the Wi-Fi network. A subscription may provide authentication credentials for access, but it is not required.
AAA: Authentication, Authorization and Accounting
AES: Advanced Encryption Standard
ANQP: Access Network Query Protocol
ANQP Server: An advertisement server [5] in the hotspot operator’s network containing ANQP elements or information that can be used to derive the required ANQP elements. An ANQP server is a functional entity that supports proxy relationships with other ANQP servers.
AP: Access Point
ARP: Address Resolution Protocol
ASRA: Additional Step Required for Access
BSS: Basic Service Set
BSSID: Basic Service Set Identifier
DHCP: Dynamic Host Configuration Protocol
Discovery: A mobile device is performing discovery when it scans for networks with which to associate, and to find related information useful for network selection. During the discovery process, the mobile device is not yet associated to the Wi-Fi access networks it is scanning.
DLS: Direct Link Setup
DoS: Denial of Service

EAP: Extensible Authentication Protocol
EAP-AKA: EAP–Authentication and Key Agreement
EAP-SIM: EAP–Subscriber Identity Module
EAP-TLS: EAP–Transport Layer Security
EAP-TTLS: EAP–Tunneled Transport Layer Security
EPC: Evolved Packet Core
ESS: Extended Service Set
FQDN: Fully Qualified Domain Name
GAS: Generic Advertisement Service
GTK: Group Temporal Key
HD: High Definition
HESSID: Homogeneous Extended Service Set Identifier
HLR: Home Location Register
Hotspot: A site that offers public access to packet data services (e.g., the Internet) via a Wi-Fi access network. It may include one AP or multiple APs.
Hotspot operator: The entity that is responsible for the configuration and operation of the hotspot.
Hotspot service provider: An entity providing a packet data service as a business. A subscriber has credentials from this entity, which has authentication authority for the subscriber and provides subscribers with authentication credentials.
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPv4: Internet Protocol Version 4
IPv6: Internet Protocol Version 6
IPsec: Internet Protocol Security
LMD: Load Measurement Duration

MAC: Media Access Control
MAP: Mobile Application Part
MCC: Mobile Country Code
MIB-II: Management Information Base II
MNC: Mobile Network Code
MS-CHAPv2: Microsoft Challenge-Handshake Authentication Protocol Version 2
MSDU: MAC Service Data Unit
NAI: Network Access Identifier
NAT: Network Address Translation
OI: Organizational Identifier
P2P: Peer to Peer
PLMN: Public Land Mobile Network
PMF: Protected Management Frames
PMK: Pairwise Master Key
PTK: Pairwise Transient Key
RADIUS: Remote Authentication Dial In User Service
RF: Radio Frequency
SIM: Subscriber Identity Module
SNMP: Simple Network Management Protocol
SP: Service Provider
SSID: Service Set Identifier
TDLS: Tunneled Direct Link Setup
TKIP: Temporal Key Integrity Protocol
TLS: Transport Layer Security
TTLS: Tunneled Transport Layer Security
UDP: User Datagram Protocol

UICC: Universal Integrated Circuit Card
USIM: Universal Subscriber Identity Module
VPN: Virtual Private Network
WAN: Wireless Area Network
WEP: Wired Equivalent Privacy
WPA2: Wi-Fi Protected Access 2

2. Minimum Reference Architectures

Minimum reference architectures for deploying hotspots when using cellular network credentials and when using non-cellular network credentials follow.

2.1 Deployment with Cellular Network Credentials

Network discovery and authentication includes the following steps (Figure 1):

1. Device detects Hotspot 2.0 indication in access point (AP) beacon frame.
2. Device queries ANQP server for 3rd Generation Partnership Project (3GPP) cellular network information and roaming consortium organizational identifiers (OIs).
3. Device matches the information and OIs received against its list of credentials and preferred networks.
4. Device automatically associates with Passpoint AP.
5. Device performs Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication to the home authentication, authorization and accounting (AAA) server using Extensible Authentication Protocol–Subscriber Identity Module (EAP-SIM) or EAP-Authentication and Key Agreement (EAP-AKA).
6. Home AAA server communicates with home location register (HLR) using the Mobile Application Part (MAP).

Figure 1. Passpoint hotspot reference architecture: SIM device

2.2 Deployment with Non-cellular Network Credentials

Network discovery and authentication includes the following sequence of steps (Figure 2):

1. Device detects Hotspot 2.0 indication in AP beacon frame.
2. Device queries ANQP server for network access identifier (NAI) realm list and roaming consortium OIs.
3. Device matches the realms and OIs received against its list of credentials and preferred networks.
4. Device automatically associates with Passpoint AP.
5. Device performs IEEE 802.1X authentication to the Home AAA server using EAP-Transport Layer Security (EAP-TLS) or EAP-Tunneled TLS (EAP-TTLS) with MS-CHAPv2.

Figure 2. Passpoint hotspot reference architecture: non-SIM device

3. Network Discovery and Selection

A mobile device uses ANQP to perform network discovery. The connection manager within the mobile device compares the information obtained from the hotspot via ANQP against the configuration information stored in the device, including home service provider (HSP) policy and user preferences, to automatically select a hotspot network. The policy information is provisioned using methods that are outside the scope of the Passpoint certification.

A mobile device transmits one or more Generic Advertisement Service (GAS) query frames to determine key service provider (SP) identification and authentication information. If required, the mobile device can perform further queries to make more informed network selection decisions. In response, ANQP elements are provided to the mobile device by either Passpoint APs or a combination of the AP and the ANQP server, as described above in sections 2.1 and 2.2. The response is generated using parameters configured by the hotspot operator.

Once the mobile device has automatically associated and mutually authenticated with the network, it has network access. The device may be connected through the hotspot to the Internet or the SP's core network; or, using functionality in the device, it can establish a connection through a virtual private network (VPN) to an enterprise or 3GPP network.

3.1 SP Identification and Authentication Methods: ANQP Elements and Beacon Elements

As defined by the Hotspot 2.0 Specification [2], hotspot networks are created by hotspot operators and hotspot service providers. A hotspot operator is an operator that deploys and operates an access network of publicly accessible Passpoint APs. A service provider is an SP that provides network services and operates the AAA infrastructure required to authenticate subscribers. The hotspot operator and hotspot service provider may be the same or different entities. Service providers that can be accessed at a hotspot are referred to as the roaming partners for that hotspot. In all cases, the SP performing the authentication can provide its subscribers with AAA connectivity to its network through the hotspot.

SPs can authenticate their customers using 3GPP cellular information, an NAI realm list, or a roaming consortium list.

3.1.1 3GPP Cellular Network Information ANQP Element

The 3GPP cellular network information ANQP element contains the cellular network identity based on public land mobile network (PLMN) information. This is to assist a mobile device with subscriber identity module (SIM) or universal SIM (USIM) credentials issued by a 3GPP home provider to establish whether an AP has a roaming arrangement with 3GPP SPs.

For each 3GPP SP that the hotspot operator provides service for, the operator shall configure the 3GPP cellular network information element as follows:

- The 3GPP cellular network information shall contain the cellular operator’s PLMN ID.
- EAP-SIM or EAP-AKA may be used to authenticate the SIM or USIM, respectively, as described in Figure 1.
- The PLMN ID shall be composed of the mobile country code (MCC) and the mobile network code (MNC) elements [7].

A mobile device with SIM or USIM credentials transmits a GAS/ANQP query for 3GPP cellular network information, and compares the response to the PLMN ID stored on its SIM or USIM to determine if the home cellular SP’s network can be accessed through the Passpoint AP.

If the 3GPP cellular network information matches any PLMN ID stored in the mobile device through either cellular operator pre-provisioning or other means, the mobile device prioritizes that AP for association based on the provisioned policies.

The mobile device knows the EAP method (EAP-SIM or EAP-AKA) required to authenticate against its home SP (for example, the type of Universal Integrated Circuit Card [UICC]), and automatically uses it.

The mobile device’s preconfigured user preferences and policy determine whether to associate to a Passpoint AP or to a non-Passpoint AP if both are available.

3.1.2 NAI Realm List ANQP Element

The NAI realm list provides a list of NAI realms corresponding to the home SPs that can authenticate a mobile device with username/password or certificate credentials. The NAI realm list can also be used for devices with SIM or USIM credentials. The NAI realm list also contains the realm of the hotspot operator if the operator is also a service provider.

Each NAI realm list entry may optionally include one or more EAP method subfields, which identify the
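The PLMN match that section 2.1 (step 3) and section 3.1.1 describe, as an added Python example that is not code from the guideline: it builds the 3GPP Cellular Network Information element an operator-configured AP or ANQP server would return, parses it with length checks, and compares the advertised PLMN IDs with those provisioned on the device. It assumes the element layout of IEEE 802.11u and the 3-octet BCD PLMN packing of 3GPP TS 24.008; the function names and the sample PLMN IDs are constructed for the example.

```python
# Added example (not from the Wi-Fi Alliance guideline): build and parse the 3GPP
# Cellular Network Information ANQP element and match it against the PLMN IDs
# provisioned on a device (sections 2.1 step 3 and 3.1.1). Assumed layout (IEEE
# 802.11u / 3GPP TS 24.008): GUD=0, UDHL, IEI 0x00 "PLMN List" = count + 3 BCD
# octets per PLMN, with nibble 0xF filling MNC digit 3 for a two-digit MNC.
def encode_plmn(mcc, mnc):
    """Pack MCC/MNC digit strings into the 3-octet BCD form of 3GPP TS 24.008."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    d = [int(c) for c in mcc + mnc]
    mnc3 = d[5] if len(mnc) == 3 else 0xF
    return bytes([(d[1] << 4) | d[0], (mnc3 << 4) | d[2], (d[4] << 4) | d[3]])

def decode_plmn(o):
    """Inverse of encode_plmn; returns 'MCC,MNC' and keeps a leading MNC zero."""
    mcc = f"{o[0] & 0xF}{o[0] >> 4}{o[1] & 0xF}"
    mnc = f"{o[2] & 0xF}{o[2] >> 4}" + ("" if o[1] >> 4 == 0xF else str(o[1] >> 4))
    return f"{mcc},{mnc}"

def build_element(plmns):
    """Element payload an operator-configured AP or ANQP server would return."""
    ie = bytes([len(plmns)]) + b"".join(encode_plmn(mcc, mnc) for mcc, mnc in plmns)
    ud = bytes([0x00, len(ie)]) + ie    # IEI 0x00 (PLMN List), length, body
    return bytes([0x00, len(ud)]) + ud  # GUD version 0, UDHL

def parse_element(payload):
    """Return the advertised PLMN IDs; reject bad lengths instead of trusting them."""
    if len(payload) < 2 or payload[0] != 0x00 or len(payload) != 2 + payload[1]:
        raise ValueError("bad GUD version or UDHL")
    pos, plmns = 2, []
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated IE header")
        iei, ie_len = payload[pos], payload[pos + 1]
        ie = payload[pos + 2:pos + 2 + ie_len]
        if len(ie) != ie_len:
            raise ValueError("truncated IE body")
        if iei == 0x00:
            if not ie or len(ie) != 1 + 3 * ie[0]:
                raise ValueError("PLMN count disagrees with IE length")
            plmns += [decode_plmn(ie[1 + 3 * i:4 + 3 * i]) for i in range(ie[0])]
        pos += 2 + ie_len               # other IEIs are skipped by length
    return plmns
def matching_plmns(device_plmns, payload):
    """PLMN IDs the hotspot advertises that the device holds credentials for."""
    return [p for p in parse_element(payload) if p in set(device_plmns)]
# Constructed sample: hotspot roams with '310,026' and '244,91'; device (U)SIM is '244,91'.
SAMPLE_ELEMENT = build_element([("310", "026"), ("244", "91")])
DEVICE_PLMNS = ["244,91"]
```

A two-digit and a three-digit MNC with the same digits ('310,26' versus '310,026') decode to different strings and so do not match, which is the distinction the connection manager needs to preserve.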
