Public Wi-Fi in 2026 still largely works the way it did in 2010: connect to an open network, wait for a captive portal to load, tap through a terms page, and hope the connection is encrypted. For billions of daily connections at airports, hotels, stadiums, and transit hubs, that experience is slow, insecure, and incompatible with the devices that increasingly need connectivity - IoT sensors, digital signage, connected vehicles.
Hotspot 2.0, the technology behind the Wi-Fi Alliance Passpoint certification program, replaces that entire workflow. A device discovers the network, authenticates automatically using stored credentials or certificates, and connects with WPA2/WPA3-Enterprise encryption - all before the user notices. No portal, no password, no unencrypted frames.
This guide covers what Hotspot 2.0 is, how it compares to captive portals, which solutions are available, and how to implement it step by step. Whether you're evaluating vendors or configuring access points, the goal is to give you everything in one place.
What Is Hotspot 2.0 (Passpoint)?
Hotspot 2.0 is a set of protocols defined by the Wi-Fi Alliance that enable automatic network discovery, selection, and authentication on public Wi-Fi networks. The underlying standard is IEEE 802.11u, which adds a network advertisement layer to Wi-Fi so that devices can evaluate available networks before associating.
The terminology can be confusing, so here's how the pieces fit together:
- IEEE 802.11u is the amendment to the 802.11 standard that defines how access points advertise their network capabilities (operator name, authentication types, roaming agreements) to nearby devices.
- ANQP (Access Network Query Protocol) is the query/response mechanism defined in 802.11u. Devices send ANQP queries to access points to learn details like supported EAP methods, NAI realms, venue information, and roaming consortium memberships - all before connecting.
- Hotspot 2.0 is the Wi-Fi Alliance's specification that builds on 802.11u and ANQP, adding online sign-up (OSU), release-specific features, and interoperability requirements.
- Passpoint is the Wi-Fi Alliance's certification program. An access point or device that passes Passpoint testing is guaranteed to interoperate with other Passpoint-certified equipment.
In practice, when someone says "Hotspot 2.0," "Passpoint," or "802.11u," they're referring to the same core technology: a way for devices to automatically discover, evaluate, and securely connect to Wi-Fi networks without user interaction.
How a Hotspot 2.0 Connection Works
- Discovery: The device scans for access points broadcasting 802.11u interworking capabilities and the Hotspot 2.0 indication element.
- Query: The device sends ANQP queries asking about the network's NAI realm list, roaming consortium OIs, domain names, and authentication types.
- Selection: Based on the ANQP responses and the device's stored Passpoint profiles, the device selects the best matching network automatically.
- Authentication: The device associates and authenticates via 802.1X using an EAP method (EAP-TLS, EAP-TTLS, EAP-SIM, or EAP-AKA) against a RADIUS server.
- Encryption: WPA2-Enterprise or WPA3-Enterprise encryption is established from the first data frame. No open-network phase ever occurs.
The entire process takes less than one second. The user opens their laptop or walks into a venue with their phone, and they're connected. This is the same experience people expect from cellular networks - and that's exactly the model Hotspot 2.0 was designed to replicate for Wi-Fi.
How Does Hotspot 2.0 Compare to Captive Portals?
Captive portals have been the default for public Wi-Fi authentication for over two decades. They work, but they were never designed for the scale and security requirements of modern networks. Here's a direct comparison.
| Aspect | Captive Portal | Hotspot 2.0 (Passpoint) |
|---|---|---|
| Connection time | 30-60 seconds (portal load + interaction) | Under 1 second (automatic) |
| User interaction | Required (tap, scroll, accept, sometimes pay) | None - fully automatic |
| Encryption | Open network initially; encrypted only after portal | WPA2/WPA3-Enterprise from first frame |
| Authentication method | Web form (email, social login, room number) | 802.1X with EAP-TLS, EAP-SIM, or EAP-TTLS |
| IoT device support | No - devices without browsers can't use portals | Yes - any 802.1X-capable device |
| Roaming between APs | May trigger re-authentication or portal reload | Seamless - PMKSA caching and fast roaming |
| Cross-venue roaming | Not supported - each venue has its own portal | Supported via OpenRoaming federation |
| App compatibility | Non-browser apps fail until portal is completed | All apps work immediately after connection |
| Evil twin protection | Minimal - users trained to connect to any open network | Server certificate validation prevents rogue APs |
Captive portals aren't going away overnight - they still serve a purpose for one-time guest access where no prior credential exists. But for venues that serve repeat visitors, corporate guests, or any user with a Passpoint profile, Hotspot 2.0 is the technically superior path. For a deeper comparison, see our detailed Passpoint vs. captive portals analysis.
What Are the Top Hotspot 2.0 Solutions for Public Networks?
Deploying Hotspot 2.0 requires three components: access points that support Passpoint, a RADIUS backend for authentication, and optionally a federation membership (like OpenRoaming) for cross-network roaming. Different vendors cover different parts of that stack.
Cloud RADIUS and Backend Platforms
IronWiFi provides a cloud-hosted RADIUS service with built-in Passpoint and OpenRoaming support. It handles the authentication backend - EAP-TLS, EAP-TTLS, EAP-SIM - and integrates with identity providers like Azure AD, Google Workspace, and Okta. Because IronWiFi is a RADIUS backend, it works with Passpoint-certified access points from any hardware vendor. It also provides SCEP certificate provisioning for devices that need client certificates for EAP-TLS authentication.
Enea Aptilo is a dedicated Hotspot 2.0 service management platform used by mobile operators and large venue operators. It handles OSU (Online Sign-Up), policy management, and RADIUS proxy functions for carrier-grade deployments. Aptilo is common in large-scale operator environments where SIM-based authentication (EAP-SIM/EAP-AKA) is the primary method.
Nomadix offers gateway and service management solutions for hospitality and public Wi-Fi. Their platform supports Passpoint alongside traditional captive portal workflows, making it a transitional option for venues migrating from portal-based to Passpoint-based authentication.
Access Point Hardware Vendors
CommScope Ruckus has some of the longest-standing Passpoint support in the enterprise AP market. Ruckus SmartZone and Cloud controllers provide full Hotspot 2.0 configuration including 802.11u, ANQP, and OSU. Ruckus is widely deployed at airports, stadiums, and convention centers.
Cisco Meraki supports Passpoint through its cloud-managed dashboard. Meraki APs can be configured with Hotspot 2.0 profiles, NAI realms, and roaming consortium OIs. The cloud management model simplifies deployment across distributed sites.
HPE Aruba integrates Passpoint through Aruba Central and ClearPass Policy Manager. ClearPass handles the RADIUS and policy side while Aruba APs handle the 802.11u advertisement. Aruba's strength is in complex policy environments where Passpoint is one of several authentication pathways.
Juniper Mist supports Passpoint with its AI-driven cloud architecture. Mist access points handle 802.11u configuration through the Mist dashboard, with Mist Edge providing local RADIUS proxy capabilities for low-latency authentication.
Extreme Networks provides Passpoint support across its AP portfolio, with ExtremeCloud IQ handling policy configuration. Their fabric-based architecture can integrate Passpoint authentication into broader network segmentation strategies.
Managed Network Operators
Boingo Wireless operates as a managed Wi-Fi provider at airports, military bases, and large venues. Boingo deploys and manages the entire Passpoint infrastructure - APs, RADIUS, federation membership - as a service. Venues that don't want to operate their own Wi-Fi infrastructure contract with Boingo to provide Passpoint-enabled connectivity.
Solution Comparison
| Solution | Type | Best For | OpenRoaming |
|---|---|---|---|
| IronWiFi | Cloud RADIUS backend | Multi-vendor AP environments, any venue size | Yes |
| Enea Aptilo | Service management platform | Mobile operators, carrier-grade deployments | Yes |
| Nomadix | Gateway / service platform | Hospitality, portal-to-Passpoint migration | Partial |
| CommScope Ruckus | AP hardware + controller | Airports, stadiums, high-density venues | Yes |
| Cisco Meraki | Cloud-managed AP hardware | Distributed multi-site enterprises | Yes |
| HPE Aruba | AP hardware + ClearPass | Complex policy environments, campus networks | Yes |
| Juniper Mist | AI-driven cloud AP hardware | AI-ops-focused enterprises, campus Wi-Fi | Yes |
| Extreme Networks | AP hardware + ExtremeCloud IQ | Fabric-based enterprise networks | Yes |
| Boingo Wireless | Managed network operator | Airports, military, venues wanting turnkey Wi-Fi | Yes |
Most deployments combine a hardware vendor (for access points) with a RADIUS backend (for authentication and policy). For example, a hotel might use Ruckus APs with IronWiFi as the cloud RADIUS to handle Passpoint authentication, certificate provisioning, and OpenRoaming federation - without deploying on-premises RADIUS servers. See our compatible hardware list for supported AP vendors.
How Do You Implement Hotspot 2.0?
Implementation follows a logical sequence: verify hardware, set up authentication infrastructure, configure the radio-level protocols, provision client devices, and optionally join a roaming federation. Here's each step in detail.
Step 1: Verify Hardware Prerequisites
Before any configuration, confirm that your access points support Passpoint. The requirements are specific.
Minimum Hardware Requirements
- Passpoint certification: The AP must be Wi-Fi Alliance Passpoint certified (Release 1 minimum; Release 2 or 3 preferred for OSU and terms-and-conditions support).
- 802.11u support: The AP firmware must implement the interworking element, including domain name, venue information, and network authentication type advertisement.
- ANQP support: The AP must respond to ANQP queries for NAI realm list, 3GPP cellular network information, roaming consortium list, and domain name list.
- 802.1X support: The AP must support WPA2-Enterprise or WPA3-Enterprise authentication with RADIUS forwarding.
- X.509 certificate: A server certificate signed by a publicly trusted CA for the RADIUS server, so client devices can validate the server identity during EAP authentication.
Most enterprise-grade APs from Ruckus, Cisco, Aruba, Juniper/Mist, and Extreme shipped since 2018 meet these requirements. Consumer-grade and small-business APs generally do not. Check the Wi-Fi Alliance product finder to verify certification for specific models.
Step 2: Deploy RADIUS Authentication
Hotspot 2.0 uses 802.1X authentication, which means you need a RADIUS server that speaks the right EAP methods. The three EAP methods relevant to Hotspot 2.0 are:
- EAP-TLS: Certificate-based authentication. Both the server and client present X.509 certificates. This is the strongest method - credentials cannot be phished, shared, or replayed. Requires certificate provisioning on client devices via MDM or SCEP.
- EAP-TTLS: Creates a TLS tunnel, then authenticates the user with an inner method (usually MSCHAPv2 with username/password). Easier to deploy than EAP-TLS since only the server needs a certificate, but passwords can be compromised. Common for BYOD and guest scenarios.
- EAP-SIM / EAP-AKA: Uses the SIM card in mobile devices for authentication. Deployed by mobile operators for Wi-Fi offload - the same credentials that authenticate the device to the cellular network also authenticate it to Wi-Fi. Requires integration with an HLR/HSS.
For most organizations deploying Hotspot 2.0 on their own infrastructure, the choice is between EAP-TLS (for managed devices with provisioned certificates) and EAP-TTLS (for BYOD and guest devices). A cloud RADIUS service like IronWiFi supports both methods and handles certificate lifecycle management, eliminating the need to run on-premises RADIUS servers. For a deeper comparison of EAP methods, see our EAP methods guide.
Step 3: Configure 802.11u and ANQP on Access Points
This is the core of Hotspot 2.0 configuration. You're telling the access point what to advertise about your network so that client devices can make informed connection decisions.
802.11u Configuration Parameters
- Interworking element: Enable 802.11u interworking and set the access network type (e.g., "Free public network," "Chargeable public network," "Private network with guest access").
- Venue information: Set the venue group and type (e.g., Group 2 = Business, Type 8 = Hotel/Resort). These are standardized IEEE values that help devices categorize the network.
- HESSID: The Homogeneous ESS Identifier, typically set to the BSSID of one AP in the ESS. Identifies all APs that belong to the same Hotspot 2.0 network.
- Domain name: Your organization's domain (e.g., "ironwifi.com"). Devices match this against Passpoint profiles to identify trusted networks.
- NAI realm list: Specifies the Network Access Identifier realms your network supports and the corresponding EAP methods. Example: realm "ironwifi.com" with EAP-TLS, realm "guest.ironwifi.com" with EAP-TTLS.
- Roaming consortium OIs: Organization Identifiers that indicate which roaming federations your network participates in. For OpenRoaming, you'll add the WBA-assigned OI (5A03BA0000).
- 3GPP cellular network info: If supporting EAP-SIM/EAP-AKA, list the MCC/MNC (Mobile Country Code/Mobile Network Code) pairs of supported operators.
The exact interface for configuring these parameters varies by vendor - Ruckus SmartZone has a dedicated Hotspot 2.0 section, Meraki exposes it in the SSID wireless settings, and Aruba configures it through the Hotspot 2.0 profile in Central or Mobility Controller. Consult your vendor's documentation for the specific UI path, but the parameters above are universal across all Passpoint-certified equipment.
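The advertisement configured above and the Selection step from "How a Hotspot 2.0 Connection Works", as an added Python example (not code from this page's author or from any vendor): it encodes a domain name list and a roaming consortium list as ANQP elements, then parses and matches them the way a client would. The profile dictionaries, function names, the `idp.example` and `other.example` domains and the `AABBCC` OI are hypothetical, and the home/roaming rule is a simplification of real client policy.

```python
import struct

# ANQP Info IDs from IEEE 802.11 for the two elements used here.
ANQP_ROAMING_CONSORTIUM = 261   # list of OI fields: 1-byte length + OI
ANQP_DOMAIN_NAME = 268          # list of name fields: 1-byte length + name


def build_element(info_id, fields):
    """AP side: encode one ANQP element (Info ID, Length, payload; both LE)."""
    body = b"".join(bytes([len(f)]) + f for f in fields)
    return struct.pack("<HH", info_id, len(body)) + body


def parse_anqp(response):
    """Client side: split a concatenated ANQP response into {info_id: payload}.

    A truncated element raises ValueError instead of being read past the end.
    """
    elements, pos = {}, 0
    while pos < len(response):
        if len(response) - pos < 4:
            raise ValueError("truncated ANQP element header")
        info_id, length = struct.unpack_from("<HH", response, pos)
        pos += 4
        if pos + length > len(response):
            raise ValueError(f"ANQP element {info_id} overruns the response")
        elements[info_id] = response[pos:pos + length]
        pos += length
    return elements


def parse_length_prefixed(payload):
    """Decode a list of fields that each start with a 1-byte length."""
    items, pos = [], 0
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0 or pos + n > len(payload):
            raise ValueError("malformed length-prefixed field")
        items.append(payload[pos:pos + n])
        pos += n
    return items


def match_profile(response, profile):
    """Return 'home', 'roaming' or 'no-match' for one stored profile."""
    elements = parse_anqp(response)
    domains = {d.decode("ascii", "replace").lower() for d in
               parse_length_prefixed(elements.get(ANQP_DOMAIN_NAME, b""))}
    ois = {oi.hex() for oi in
           parse_length_prefixed(elements.get(ANQP_ROAMING_CONSORTIUM, b""))}
    if profile["home_domain"].lower() in domains:
        return "home"
    if ois & {oi.lower() for oi in profile["roaming_ois"]}:
        return "roaming"
    return "no-match"


# Constructed sample: an AP advertising this page's example domain and the
# OpenRoaming OI it quotes (5A03BA0000).
SAMPLE_RESPONSE = (
    build_element(ANQP_DOMAIN_NAME, [b"ironwifi.com"])
    + build_element(ANQP_ROAMING_CONSORTIUM, [bytes.fromhex("5A03BA0000")])
)
# Constructed, hypothetical device profiles.
HOME_PROFILE = {"home_domain": "ironwifi.com", "roaming_ois": []}
VISITOR_PROFILE = {"home_domain": "idp.example", "roaming_ois": ["5A03BA0000"]}
STRANGER_PROFILE = {"home_domain": "other.example", "roaming_ois": ["AABBCC"]}

if __name__ == "__main__":
    for name, prof in [("home", HOME_PROFILE), ("visitor", VISITOR_PROFILE),
                       ("stranger", STRANGER_PROFILE)]:
        print(name, "->", match_profile(SAMPLE_RESPONSE, prof))
```

ANQP answers arrive before association and are not authenticated, so a match only selects a candidate network. Trust comes from validating the RADIUS server certificate during the EAP exchange.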
Step 4: Create and Distribute Passpoint Profiles
For devices to automatically connect to your Hotspot 2.0 network, they need a Passpoint profile installed. This profile contains the matching criteria (domain name, roaming consortium OI, NAI realm) and the credentials (certificate or username/password) the device will use for authentication.
Distribution methods:
- MDM (Mobile Device Management): Push Passpoint profiles to managed devices via Intune, Jamf, Workspace ONE, or similar platforms. This is the most reliable method for enterprise-managed fleets.
- SCEP enrollment: Use SCEP (Simple Certificate Enrollment Protocol) to provision both the Passpoint profile and the client certificate in a single workflow. IronWiFi's SCEP service handles this for both managed and unmanaged devices.
- Online Sign-Up (OSU): Hotspot 2.0 Release 2 defines an OSU framework where devices can discover and enroll via a web-based workflow on first visit. The device connects to a restricted OSU network, completes enrollment, receives a Passpoint profile, and reconnects automatically to the production network.
- Manual installation: Distribute .mobileconfig files (Apple) or Wi-Fi configuration XML (Android/Windows) via email, web portal, or QR code. Least elegant, but works for ad-hoc scenarios.
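A pre-distribution check for the .mobileconfig route, as an added Python example (not code from this page's author or from Apple): it reads an unsigned profile and flags Wi-Fi payloads that lack Passpoint matching criteria or do not pin the RADIUS server, which is what the evil-twin protection depends on. The payload keys are those of Apple's `com.apple.wifi.managed` payload; the function names, finding codes, `radius.example` and the UUIDs are hypothetical, and a signed profile would need its CMS wrapper removed first.

```python
import plistlib

EAP_TLS, EAP_TTLS = 13, 21            # IANA EAP method type numbers
WIFI_PAYLOAD = "com.apple.wifi.managed"


def audit_wifi_payload(wifi):
    """Return finding codes for one Wi-Fi payload dictionary."""
    findings = []
    eap = wifi.get("EAPClientConfiguration", {})
    types = eap.get("AcceptEAPTypes", [])
    if not wifi.get("IsHotspot"):
        findings.append("not-passpoint")            # plain SSID profile
    if not (wifi.get("DomainName") or wifi.get("RoamingConsortiumOIs")
            or wifi.get("NAIRealmNames")):
        findings.append("no-matching-criteria")     # device can never select it
    if wifi.get("EncryptionType") not in ("WPA2", "WPA3"):
        findings.append("encryption-not-enterprise")
    if not types:
        findings.append("no-eap-method")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("server-name-not-pinned")   # any server name accepted
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no-trust-anchor")          # issuing CA not pinned
    if EAP_TLS in types and not wifi.get("PayloadCertificateUUID"):
        findings.append("no-client-certificate")    # EAP-TLS needs an identity
    if EAP_TTLS in types and "UserPassword" in eap:
        findings.append("embedded-password")        # profile file is now a secret
    return findings


def audit_mobileconfig(data):
    """Audit every Wi-Fi payload in an unsigned profile: {identifier: findings}."""
    profile = plistlib.loads(data)
    return {p.get("PayloadIdentifier", "?"): audit_wifi_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == WIFI_PAYLOAD}


def make_profile(eap, **wifi_extra):
    """Build a constructed, unsigned sample profile (all values are made up)."""
    wifi = {"PayloadType": WIFI_PAYLOAD, "PayloadVersion": 1,
            "PayloadIdentifier": "example.passpoint.wifi",
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            "IsHotspot": True, "EncryptionType": "WPA2",
            "DomainName": "ironwifi.com",
            "RoamingConsortiumOIs": ["5A03BA0000"],
            "EAPClientConfiguration": eap, **wifi_extra}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.passpoint",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [wifi]})


# Constructed sample 1: EAP-TLS with the server name and CA pinned.
GOOD_PROFILE = make_profile(
    {"AcceptEAPTypes": [EAP_TLS],
     "TLSTrustedServerNames": ["radius.example"],
     "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000003"]},
    PayloadCertificateUUID="00000000-0000-0000-0000-000000000004")

# Constructed sample 2: EAP-TTLS with a password and no server validation.
WEAK_PROFILE = make_profile(
    {"AcceptEAPTypes": [EAP_TTLS], "UserName": "guest",
     "UserPassword": "constructed-not-a-real-secret"},
    EncryptionType="Any")

if __name__ == "__main__":
    for label, blob in [("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)]:
        print(label, audit_mobileconfig(blob))
```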
Step 5: Test and Validate
Before going live, validate the entire chain end-to-end.
- Verify 802.11u advertisement: Use a Wi-Fi scanner (e.g., Wi-Fi Explorer, InSSIDer, or the "iw" command on Linux) to confirm your APs are broadcasting the interworking element and Hotspot 2.0 indication.
- Test ANQP responses: Send ANQP queries to your APs and verify they return correct NAI realm, domain name, and roaming consortium information.
- Test authentication: Connect a device with a Passpoint profile and verify it authenticates automatically via 802.1X. Check RADIUS logs for the complete EAP exchange.
- Verify encryption: Confirm the connection uses WPA2-Enterprise or WPA3-Enterprise (not open or WPA2-Personal).
- Test roaming: Walk between access points and verify the device roams without re-authentication (PMKSA caching or 802.11r fast transition).
- Test multiple device types: Validate on iOS, Android, Windows, macOS, and ChromeOS. Passpoint support varies slightly across operating systems.
Step 6: Join the OpenRoaming Ecosystem
If you want devices from other organizations and identity providers to connect to your network automatically, join OpenRoaming. This is optional but increasingly standard for public-facing venues.
OpenRoaming membership involves registering with the Wireless Broadband Alliance (WBA), configuring the OpenRoaming roaming consortium OI on your access points, and setting up RADIUS proxy or federation to route authentication requests to the appropriate identity provider. Cloud RADIUS services like IronWiFi handle the federation plumbing - you configure the OI on your APs, and IronWiFi routes authentication through the OpenRoaming RADIUS proxy chain. More on this in our OpenRoaming enterprise guide.
What Hardware Supports Hotspot 2.0?
Hotspot 2.0 support is now standard in enterprise-grade Wi-Fi equipment but remains uncommon in consumer and small-business devices. Here's what to look for across the infrastructure stack.
Access Points
Any AP with Wi-Fi Alliance Passpoint certification supports Hotspot 2.0. In practice, this includes most enterprise APs from the major vendors shipped in the last five to seven years:
- CommScope Ruckus: R750, R850, T750 (outdoor), and newer models. SmartZone and Cloud controllers provide full Hotspot 2.0 configuration.
- Cisco Meraki: MR series (MR36, MR46, MR56, MR57, and current-generation models). Configured via Meraki Dashboard.
- HPE Aruba: AP-500 series, AP-630 series, and newer. Configured via Aruba Central or Mobility Controller with ClearPass for RADIUS.
- Juniper Mist: AP43, AP45, AP63, and newer. Configured via Mist Cloud dashboard.
- Extreme Networks: AP4000 series and newer. Configured via ExtremeCloud IQ.
Some SOHO and prosumer APs also support Passpoint - TP-Link Omada and certain Ubiquiti UniFi models include basic Hotspot 2.0 configuration. However, these generally lack the full ANQP and OSU capabilities of enterprise platforms.
Client Devices
On the client side, Passpoint support is built into every major operating system:
- Apple iOS / macOS: Full Passpoint support since iOS 7 and macOS 10.9. Apple devices are the most reliable Passpoint clients.
- Android: Passpoint support since Android 6.0 (Marshmallow), with improvements in each subsequent release. Android 11+ added Passpoint R2 support with the suggestion API.
- Windows: Passpoint support since Windows 10. Profile installation via provisioning packages or MDM.
- ChromeOS: Passpoint support available through managed policies in Google Admin Console.
RADIUS Server
The RADIUS server must support the EAP methods your deployment requires. For Hotspot 2.0, this typically means EAP-TLS and EAP-TTLS at minimum. Options include cloud RADIUS services (IronWiFi, Cisco ISE cloud), on-premises solutions (FreeRADIUS, Microsoft NPS, Cisco ISE appliance), and carrier-grade AAA servers (Enea Aptilo, Oracle CGBU) for mobile operator deployments.
What Is OpenRoaming and How Does It Relate to Hotspot 2.0?
Hotspot 2.0 solves the technical problem of automatic, secure Wi-Fi authentication. OpenRoaming solves the business problem of making that authentication work across different network operators.
Without OpenRoaming, each Hotspot 2.0 network is an island. A device with a Passpoint profile for Airport A's network won't automatically connect to Hotel B's network - there's no trust relationship between them. The user needs a separate Passpoint profile for each network, which defeats the purpose.
OpenRoaming, managed by the Wireless Broadband Alliance (WBA), creates a global federation that connects identity providers (who vouch for users) with network operators (who provide Wi-Fi access). Here's how it works:
OpenRoaming Architecture
- Identity Providers (IdPs): Organizations that authenticate users - enterprises (via their corporate directory), mobile operators (via SIM), or consumer identity providers (Google, Apple, Samsung). Each IdP issues credentials that are trusted across the federation.
- Access Network Providers (ANPs): Venues that operate Wi-Fi networks - airports, hotels, stadiums, cities. They configure their APs with the OpenRoaming roaming consortium OI and connect their RADIUS to the federation.
- RADIUS Proxy Chain: When a device presents credentials from IdP X to a network operated by ANP Y, the authentication request is routed through the OpenRoaming RADIUS proxy to reach IdP X for validation. This happens transparently to the user.
- Policy Profiles: OpenRoaming defines different policy profiles (Settled, Unsettled) that determine whether financial settlement occurs between IdP and ANP. Most public Wi-Fi deployments use the Unsettled profile, where the venue provides free access to federated users.
For venue operators, joining OpenRoaming means your Hotspot 2.0 network becomes accessible to any device with an OpenRoaming-compatible identity - which includes billions of devices with Google, Apple, or Samsung accounts, plus enterprise devices with corporate certificates. The value proposition is straightforward: deploy Passpoint once, and your network automatically serves a global user base without managing individual accounts.
Which Industries Benefit Most from Hotspot 2.0?
Hotspot 2.0 delivers value wherever users expect instant, secure Wi-Fi without manual login. The following industries see the highest return on deployment.
Airports and Transportation Hubs
Airports were among the first Hotspot 2.0 adopters because the captive portal failure mode is amplified by scale. Thousands of passengers per hour, many in transit between terminals, need connectivity that works instantly and doesn't break when they move between gates. Boingo's Passpoint deployments at major U.S. airports demonstrate the model: passengers with mobile operator or OpenRoaming credentials connect automatically as they walk through the terminal.
Hotels and Hospitality
Hotel guests connect to Wi-Fi on arrival and expect it to work in their room, the lobby, the restaurant, and the pool area - without re-authenticating at each location. Hotspot 2.0 with OpenRoaming eliminates the room-number-plus-last-name captive portal login and provides WPA2/WPA3-Enterprise encryption that privacy-conscious business travelers expect. Returning guests connect automatically on subsequent visits.
Stadiums and Convention Centers
High-density venues with 40,000+ simultaneous users are where captive portals break down most visibly. When 70,000 fans enter a stadium and all try to load a captive portal simultaneously, the result is timeouts, failed logins, and frustrated users. Hotspot 2.0 removes the portal bottleneck entirely - devices authenticate via 802.1X in under a second, distributing the connection load evenly.
Public Transit
Buses, trains, and metro systems need Wi-Fi that connects automatically as passengers board and maintains connectivity across stops. Captive portals are impractical on a bus - passengers shouldn't need to open a browser and accept terms every time they ride. Hotspot 2.0 provides the automatic authentication these environments require, with OpenRoaming enabling a single credential to work across an entire transit authority's network.
Smart Cities
Municipal Wi-Fi networks in parks, public buildings, and downtown areas serve diverse populations and devices. Smart city deployments increasingly include IoT endpoints (environmental sensors, smart lighting controls, parking meters) that can't navigate captive portals. Hotspot 2.0 provides a unified authentication framework that serves both human users (via smartphone Passpoint profiles) and IoT devices (via provisioned certificates) on the same infrastructure.
Enterprise Campus
Large enterprises with campus environments, multiple buildings, and visiting employees from partner organizations benefit from Hotspot 2.0 as an alternative to guest Wi-Fi portals. Visitors from OpenRoaming-federated partner companies connect automatically using their corporate credentials, without the hosting company needing to provision guest accounts.
Deploy Passpoint with Cloud RADIUS
IronWiFi provides the RADIUS backend for Hotspot 2.0 deployments on any Passpoint-certified hardware. Built-in support for EAP-TLS, EAP-TTLS, SCEP certificate provisioning, and OpenRoaming federation - no on-premises servers required.
Trusted by 1,000+ organizations in 108 countries
Implementation Checklist
Here's the condensed deployment sequence. Use it to track progress and ensure nothing is missed.
- Hardware audit: Confirm all access points are Passpoint-certified and running firmware that supports 802.11u and ANQP. Replace or upgrade APs that don't meet requirements.
- RADIUS deployment: Set up RADIUS with EAP-TLS and/or EAP-TTLS support. Test authentication independently before integrating with APs. Ensure server certificate is from a publicly trusted CA.
- 802.11u configuration: Enable interworking, set venue information, configure domain name, populate NAI realm list, and add roaming consortium OIs on every AP.
- ANQP configuration: Verify APs respond correctly to ANQP queries for NAI realm, domain name, 3GPP info (if applicable), and roaming consortium.
- Passpoint profile creation: Build profiles for each credential type (certificate, username/password, SIM) with correct matching rules.
- Profile distribution: Push profiles via MDM, SCEP enrollment, OSU, or manual installation. Track distribution coverage.
- End-to-end testing: Validate automatic connection, encryption, roaming, and multi-platform compatibility.
- OpenRoaming (optional): Register with WBA, configure OpenRoaming OI, set up RADIUS federation or proxy. Test with external identity providers.
- Monitor and optimize: Track authentication success rates, connection times, and roaming performance. Investigate and resolve failures.
What's Next for Hotspot 2.0?
Hotspot 2.0 is no longer an emerging technology - it's production infrastructure at the world's busiest airports, largest hotel chains, and most-visited stadiums. The pieces that were missing five years ago (OpenRoaming federation, cloud RADIUS services, broad client OS support) now exist. The barrier to deployment has shifted from "does this technology work?" to "have we configured it correctly?"
For organizations still running captive portals on public Wi-Fi, the question isn't whether to deploy Hotspot 2.0 but when. The technology is standardized, the hardware is widely available, the client support is universal, and the user experience improvement is dramatic. Start with a pilot on a single SSID, validate the authentication chain, and expand from there.
The captive portal served its purpose for two decades. It's time for Wi-Fi to work like cellular: automatic, encrypted, and invisible.
