
WiFi Calling and Offload: How Enterprise Networks Enable Carrier-Grade Voice over WiFi

Enterprise networks increasingly carry voice calls that bypass cellular towers entirely. This guide explains how WiFi Calling (VoWiFi) and WiFi Offload work, the authentication and QoS infrastructure required, and how RADIUS and Passpoint enable carrier-grade connectivity.

Voice traffic is migrating from cellular towers to enterprise WiFi networks. Whether employees make calls from a basement office with no cell signal or a carrier offloads data to reduce spectrum pressure, WiFi is becoming a critical transport for voice and mobile services. Understanding the infrastructure behind this shift is essential for network architects building reliable enterprise connectivity.

This guide covers the two key technologies driving this convergence: WiFi Calling (VoWiFi), which routes phone calls over WiFi, and WiFi Offload, which redirects mobile data from cellular to WiFi networks. Both require careful network engineering, but they serve different purposes and use different authentication mechanisms.

What Is WiFi Calling (VoWiFi)?

WiFi Calling, also known as Voice over WiFi (VoWiFi), allows smartphones to place and receive standard cellular calls over a WiFi connection instead of a cellular tower. From the user's perspective, the experience is identical to a regular phone call: the same phone number, the same dialer, the same call quality expectations.

Under the hood, the device establishes an encrypted IPSec tunnel from the smartphone through the WiFi network to the carrier's evolved Packet Data Gateway (ePDG). The ePDG acts as the bridge between the WiFi-connected device and the carrier's IMS (IP Multimedia Subsystem) core, which handles call routing, voicemail, and other telephony services.

Carriers benefit from extended indoor coverage without deploying femtocells or small cells. Users benefit from making calls in areas where cellular signal is weak or unavailable, such as deep inside buildings, underground spaces, or rural locations with WiFi but poor cell coverage.

VoWiFi Adoption

Over 90% of smartphones sold today support WiFi Calling. Most major carriers worldwide have enabled VoWiFi, making it one of the most widely available yet least understood features on modern phones.

What Is WiFi Offload?

WiFi Offload is the practice of redirecting mobile data traffic from the cellular Radio Access Network (RAN) to WiFi infrastructure. Unlike WiFi Calling, which specifically targets voice, offload addresses all data traffic: web browsing, streaming, app updates, and background synchronization.

There are two distinct approaches to WiFi Offload:

Managed offload (Passpoint/Hotspot 2.0) uses standardized protocols to automatically discover and authenticate to WiFi networks. The device seamlessly transitions from cellular to WiFi without user intervention, using SIM-based credentials verified through RADIUS infrastructure.

Unmanaged offload occurs when users manually select and connect to WiFi networks. While this represents the majority of WiFi offload traffic today, it offers no Quality of Service guarantees and no carrier visibility into the connection.

From a carrier economics perspective, offloading data to WiFi reduces pressure on expensive licensed spectrum and delays the need for additional cell site deployments. Industry estimates suggest that WiFi carries over 50% of all mobile data traffic globally, though most of this is unmanaged.

Managed vs. Unmanaged Offload

Managed offload (via Passpoint) provides automated discovery, SIM-based authentication, QoS awareness, and carrier analytics. Unmanaged offload requires manual connection, offers no authentication guarantee, and gives carriers zero visibility. Enterprise deployments increasingly favor managed offload for reliability and accountability.

The Architecture Behind WiFi Calling

Understanding how a WiFi call is established reveals why network configuration matters so much. The architecture involves several components working together across the enterprise network and carrier infrastructure.

The ePDG (evolved Packet Data Gateway) is the carrier-side endpoint that terminates IPSec tunnels from WiFi-connected devices. It authenticates devices using EAP-AKA or EAP-AKA' (Authentication and Key Agreement), which derives credentials from the SIM card. The IKEv2 (Internet Key Exchange version 2) protocol negotiates the IPSec tunnel parameters.

Once the tunnel is established, the device registers with the carrier's IMS core over this secure path. Voice packets travel encrypted through the WiFi network, across the internet, through the IPSec tunnel to the ePDG, and into the carrier's core network, just as if the device were connected to a cell tower.

  1. WiFi Association: The device connects to the enterprise WiFi network through standard 802.11 authentication (open, PSK, or 802.1X).
  2. ePDG Discovery: The device resolves the carrier's ePDG address via DNS, typically using an FQDN derived from the carrier's PLMN (Public Land Mobile Network) identity.
  3. IPSec Tunnel Establishment: The device initiates IKEv2 negotiation with the ePDG, authenticating via EAP-AKA/EAP-AKA' using SIM credentials.
  4. IMS Registration: Over the established tunnel, the device registers with the carrier's IMS core for voice service, receiving a P-CSCF (Proxy Call Session Control Function) address.
  5. Call Placement: Voice traffic flows as encrypted SIP/RTP packets through the IPSec tunnel, with the ePDG bridging to the carrier's voice infrastructure.
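
To make steps 2 and 3 concrete, the following added example (not part of the original article) derives the ePDG FQDN and the EAP-AKA/EAP-AKA' root NAI from a subscriber's PLMN, using the naming scheme in 3GPP TS 23.003. The IMSIs are constructed values on test/private PLMN codes, and the function names are illustrative.

```python
import re

# Leading digit of the root NAI per EAP method (3GPP TS 23.003)
EAP_PREFIX = {"EAP-AKA": "0", "EAP-AKA'": "6"}


def split_imsi(imsi, mnc_len):
    """Return (mcc, mnc). The MNC length (2 or 3 digits) cannot be inferred
    from the IMSI digits alone, so the caller must supply it."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len]


def plmn_labels(mcc, mnc):
    """DNS labels for a PLMN; a 2-digit MNC is left-padded with '0'."""
    return "mnc{}.mcc{}".format(mnc.zfill(3), mcc)


def epdg_fqdn(imsi, mnc_len):
    """Operator-identifier ePDG FQDN the device resolves in step 2."""
    mcc, mnc = split_imsi(imsi, mnc_len)
    return "epdg.epc.{}.pub.3gppnetwork.org".format(plmn_labels(mcc, mnc))


def root_nai(imsi, mnc_len, method):
    """Permanent identity (root NAI) used with EAP-AKA/AKA' in step 3."""
    mcc, mnc = split_imsi(imsi, mnc_len)
    return "{}{}@nai.epc.{}.3gppnetwork.org".format(
        EAP_PREFIX[method], imsi, plmn_labels(mcc, mnc))


# Constructed IMSIs on test/private PLMN codes, not real subscribers
SAMPLE_2DIGIT = "001010123456789"   # MCC 001, MNC 01
SAMPLE_3DIGIT = "999070123456789"   # MCC 999, MNC 070

if __name__ == "__main__":
    print(epdg_fqdn(SAMPLE_2DIGIT, 2))
    print(epdg_fqdn(SAMPLE_3DIGIT, 3))
    print(root_nai(SAMPLE_2DIGIT, 2, "EAP-AKA'"))
```

If DNS filtering on the enterprise network blocks names of this form, step 2 fails before any IKEv2 traffic is sent, so the resolver is worth checking alongside the firewall.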

Enterprise Network Requirements for WiFi Calling

WiFi Calling works on any WiFi network in principle, but call quality depends heavily on how the network is configured. Enterprise networks must address several requirements to deliver reliable voice over WiFi.

QoS and WMM (Wi-Fi Multimedia): WiFi Calling traffic must be prioritized over bulk data. WMM defines four access categories: Voice (AC_VO), Video (AC_VI), Best Effort (AC_BE), and Background (AC_BK). Voice packets should be classified into AC_VO to receive the highest priority on the wireless medium. DSCP marking on the wired side should map to WMM appropriately.
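
The DSCP-to-WMM mapping deserves a closer look, because a common default does not put voice in AC_VO. This added example (not from the original article) compares the "three most significant bits" default with the telephony entries of the RFC 8325 recommendations, and models a wired hop that re-marks DSCP to 0; the hop model and function names are assumptions for illustration.

```python
# WMM mapping of 802.11 User Priority (UP) to access category
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Telephony entries of the RFC 8325 DSCP-to-UP recommendations only;
# other code points are left on the default mapping here.
RFC8325_VOICE_UP = {46: 6,   # EF (Expedited Forwarding)
                    44: 6}   # VOICE-ADMIT


def up_default(dscp):
    """Common default: UP = three most significant bits of the 6-bit DSCP."""
    return dscp >> 3


def up_rfc8325_voice(dscp):
    """Default mapping with the RFC 8325 telephony overrides applied."""
    return RFC8325_VOICE_UP.get(dscp, dscp >> 3)


def access_category(dscp, mapper):
    """WMM access category a downstream frame with this DSCP lands in."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    return UP_TO_AC[mapper(dscp)]


def after_wired_path(dscp, hops_preserve):
    """Walk the wired hops; an untrusted hop (False) re-marks DSCP to 0."""
    for preserve in hops_preserve:
        if not preserve:
            dscp = 0
    return dscp


def voice_queue(dscp, hops_preserve, mapper):
    """(DSCP seen by the AP, WMM access category) for a marked voice packet."""
    seen = after_wired_path(dscp, hops_preserve)
    return seen, access_category(seen, mapper)


if __name__ == "__main__":
    EF = 46
    print(voice_queue(EF, [True, True], up_default))          # EF lands in AC_VI
    print(voice_queue(EF, [True, True], up_rfc8325_voice))    # EF lands in AC_VO
    print(voice_queue(EF, [True, False], up_rfc8325_voice))   # re-marked: AC_BE
```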

Signal strength and AP density: Voice is far less tolerant of packet loss and latency than web browsing. Access points should provide signal strength of -67 dBm or better in all areas where WiFi Calling is expected. Dead spots that are merely annoying for data become call-dropping zones for voice.

Fast roaming (802.11r/k/v): When a user moves between access points during a call, the handoff must complete in under 50 milliseconds to avoid audible disruption. 802.11r (Fast BSS Transition) pre-authenticates with the target AP. 802.11k (Radio Resource Management) helps devices discover nearby APs. 802.11v (BSS Transition Management) allows the network to steer devices to better APs.

Voice VLAN separation: Placing voice traffic on a dedicated VLAN with appropriate QoS policies ensures it isn't competing with bulk data transfers, large downloads, or broadcast storms on the data VLAN.

Requirement | WiFi Calling | Standard Data WiFi
WMM QoS | Required (AC_VO priority) | Optional
Signal Strength | -67 dBm minimum | -75 dBm acceptable
Roaming Speed | <50ms (802.11r/k/v) | Seconds acceptable
VLAN Separation | Dedicated voice VLAN | Single VLAN common
Firewall Rules | ESP, UDP 500/4500 required | Standard HTTP/HTTPS
Packet Loss Tolerance | <1% | 5-10% acceptable
Latency | <150ms one-way | <300ms acceptable

How Passpoint Enables Carrier WiFi Offload

Passpoint (Hotspot 2.0) is the technology that makes managed WiFi offload possible. It eliminates the manual network selection step by enabling devices to automatically discover, evaluate, and connect to WiFi networks based on pre-configured credentials.

The process begins with ANQP (Access Network Query Protocol), which allows devices to query access points about the network capabilities before associating. The device learns what authentication methods are supported, which roaming consortiums are present, and whether the network meets its requirements, all without connecting.

For carrier offload, authentication uses SIM-based EAP methods: EAP-SIM (for 2G SIM cards), EAP-AKA (for 3G/4G USIM), and EAP-AKA' (an improved version with stronger key derivation). These methods allow the WiFi network to authenticate the subscriber through the carrier's AAA infrastructure, exactly as the cellular network would.

Compared to captive portals, Passpoint offers a dramatically different experience: no splash pages, no credential entry, no user friction. The device connects automatically when it detects a compatible Passpoint network, authenticated by the SIM card the user already has.

The OpenRoaming federation extends this further, creating a global mesh where credentials from any participating identity provider are accepted at any participating network. For carrier offload, this means a subscriber can roam onto any OpenRoaming venue's WiFi and offload data automatically, regardless of which specific carrier agreement exists with that venue.

The Role of RADIUS in WiFi Calling Quality

While WiFi Calling itself uses SIM-based authentication to the carrier's ePDG, the underlying WiFi network authentication often runs through RADIUS. The quality of the RADIUS infrastructure directly impacts WiFi Calling reliability.

802.1X authentication: Enterprise WiFi networks using WPA-Enterprise authenticate devices via RADIUS before granting network access. For WiFi Calling to work, the device must first successfully authenticate to the WiFi network. Slow or unreliable RADIUS responses delay network access and, by extension, call setup.

Dynamic VLAN assignment: RADIUS can dynamically assign devices to VLANs based on their identity or device type. Voice-capable devices can be placed on a voice VLAN with appropriate QoS policies, while data-only devices go to a standard VLAN. This segmentation is essential for maintaining voice quality under load.

Fast re-authentication: When devices roam between access points, re-authentication must be fast. RADIUS solutions that support EAP session caching (PMKSA caching) and fast re-auth reduce the time a device spends re-authenticating during roaming, preventing call drops during AP transitions.

Accounting and monitoring: RADIUS accounting data provides visibility into device session duration, data usage, and roaming patterns. For WiFi Calling deployments, this data helps identify areas with frequent re-authentication events (potential voice quality issues) and track the adoption of WiFi Calling across the enterprise.
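
One way to surface the "frequent re-authentication" signal from accounting data, as an added example that is not part of the original article. It assumes the NAS emits a new Accounting Start on each full re-authentication; the key=value record layout, MAC addresses and AP names are constructed.

```python
from collections import Counter, defaultdict

# Constructed accounting records in a made-up key=value layout (ts = seconds)
RECORDS = """\
ts=1000 Acct-Status-Type=Start Calling-Station-Id=AA-BB-CC-00-00-01 Called-Station-Id=AP-2F-STAIR-A:corp
ts=1000 Acct-Status-Type=Start Calling-Station-Id=AA-BB-CC-00-00-02 Called-Station-Id=AP-1F-LOBBY:corp
ts=1020 Acct-Status-Type=Start Calling-Station-Id=AA-BB-CC-00-00-01 Called-Station-Id=AP-2F-STAIR-B:corp
ts=1030 Acct-Status-Type=Interim-Update Calling-Station-Id=AA-BB-CC-00-00-02 Called-Station-Id=AP-1F-LOBBY:corp
ts=1045 Acct-Status-Type=Start Calling-Station-Id=AA-BB-CC-00-00-01 Called-Station-Id=AP-2F-STAIR-A:corp
ts=4600 Acct-Status-Type=Start Calling-Station-Id=AA-BB-CC-00-00-02 Called-Station-Id=AP-1F-LOBBY:corp
"""


def parse(text):
    """Turn each non-empty line into a dict of attribute -> value."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def reauth_bursts(records, window=60, threshold=3):
    """Clients with >= threshold Start records inside `window` seconds,
    mapped to a count of the APs (Called-Station-Id) seen in that burst."""
    starts = defaultdict(list)
    for rec in records:
        if rec["Acct-Status-Type"] == "Start":
            starts[rec["Calling-Station-Id"]].append(
                (int(rec["ts"]), rec["Called-Station-Id"]))
    flagged = {}
    for client, events in starts.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1                      # slide the window start forward
            if hi - lo + 1 >= threshold:
                flagged[client] = Counter(ap for _, ap in events[lo:hi + 1])
                break
    return flagged


def hot_aps(flagged):
    """Total burst involvement per AP across all flagged clients."""
    total = Counter()
    for aps in flagged.values():
        total.update(aps)
    return total.most_common()
```

On the constructed records, only the client bouncing between the two stairwell APs is flagged; the client that re-authenticates once an hour is not.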

For enterprises deploying certificate-based WiFi authentication, the RADIUS infrastructure becomes even more important. Certificate-based auth (EAP-TLS) provides the strongest security and fastest re-authentication, making it ideal for environments where WiFi Calling quality is critical.

Deployment Strategies

Organizations can approach WiFi Calling and offload deployment in several ways, depending on their relationship with carriers and the level of integration desired.

Strategy 1: Carrier-Led Deployment. The mobile carrier deploys and manages WiFi access points at the venue. The carrier controls the entire stack from AP to authentication. This approach is common in high-traffic public venues like airports and stadiums where the carrier has a direct business interest in offloading traffic.

Strategy 2: Enterprise-Enabled. The enterprise owns and operates the WiFi network, but configures it to support carrier WiFi Calling and offload. This means ensuring QoS is properly configured, firewall rules allow IPSec traffic, and the network meets signal strength requirements. The enterprise manages the WiFi; the carrier manages the voice service.

Strategy 3: Neutral Host. A third-party operator deploys WiFi infrastructure that serves multiple carriers simultaneously. Using Passpoint and OpenRoaming, the neutral host network authenticates subscribers from any participating carrier, offloading traffic for all of them. This model is increasingly popular in shared spaces like shopping centers, office buildings, and transportation hubs.

Build Your WiFi Calling Infrastructure

IronWiFi provides the RADIUS and Passpoint infrastructure needed for all three deployment models. From enterprise WiFi Calling support to multi-carrier neutral host, our cloud-based platform handles EAP-SIM, EAP-AKA, EAP-TLS, and OpenRoaming authentication.


Common Challenges and Solutions

Deploying WiFi Calling and offload in enterprise environments comes with predictable challenges. Addressing them proactively prevents poor user experience and support escalations.

Challenge: Inconsistent voice quality. Users report choppy audio, one-way audio, or dropped calls. The root cause is almost always QoS misconfiguration. Ensure WMM is enabled on all access points, DSCP markings are preserved across the wired network, and voice traffic is classified into the AC_VO queue. Monitor airtime utilization on busy APs; over 70% utilization degrades voice quality significantly.

Challenge: Call drops during roaming. Users walking between floors or across a campus experience dropped calls when their device transitions between access points. Deploy 802.11r (Fast BSS Transition) to pre-authenticate with target APs. Enable 802.11k to provide neighbor AP reports and 802.11v to steer devices to optimal APs before signal degrades to the point of disconnection.

Challenge: Authentication latency. Devices take too long to connect to the WiFi network, delaying WiFi Calling availability. Implement EAP session caching and PMKSA (Pairwise Master Key Security Association) caching to speed up re-authentication. Consider certificate-based authentication (EAP-TLS) for managed devices, which offers the fastest re-authentication times.

Challenge: Multi-carrier support. Venues need to support WiFi offload for subscribers from multiple carriers without deploying separate infrastructure for each. Deploy Passpoint with OpenRoaming to create a carrier-agnostic network. The Passpoint framework handles multi-carrier discovery and authentication through the ANQP protocol, and OpenRoaming provides the federation layer connecting carriers to venue networks.

Firewall Configuration Required

WiFi Calling requires specific firewall rules that many enterprise networks block by default. Allow the ESP protocol (IP protocol 50) and UDP ports 500 and 4500 for IKEv2 negotiation. Blocking these ports will prevent WiFi Calling from establishing the IPSec tunnel to the carrier's ePDG, even if the WiFi network itself is working perfectly.
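
A small audit of an egress policy against these requirements, added here as an example and not taken from the original article. The rule model (ordered list, first match wins, implicit deny) and the three rulesets are constructed; it also shows the ordering failure where an allow rule exists but an earlier deny shadows it.

```python
# Flows WiFi Calling needs outbound: (protocol, port, label)
REQUIRED = [
    ("udp", 500, "IKEv2 (UDP 500)"),
    ("udp", 4500, "IKEv2 / NAT traversal (UDP 4500)"),
    ("esp", None, "ESP (IP protocol 50)"),
]

# Constructed rulesets. ports=None means "any port / not applicable".
WEB_ONLY = [
    {"action": "allow", "proto": "tcp", "ports": {80, 443}},
    {"action": "allow", "proto": "udp", "ports": {53, 123}},
]
VOWIFI_ALLOW = [
    {"action": "allow", "proto": "udp", "ports": {500, 4500}},
    {"action": "allow", "proto": "esp", "ports": None},
]
DENY_OTHER_UDP = [{"action": "deny", "proto": "udp", "ports": None}]

BASELINE = WEB_ONLY                                   # typical default
SHADOWED = WEB_ONLY + DENY_OTHER_UDP + VOWIFI_ALLOW   # allow added too late
FIXED = WEB_ONLY + VOWIFI_ALLOW + DENY_OTHER_UDP      # allow before the deny


def verdict(rules, proto, port):
    """First matching rule decides; no match means implicit deny."""
    for rule in rules:
        port_ok = rule["ports"] is None or port in rule["ports"]
        if rule["proto"] == proto and port_ok:
            return rule["action"]
    return "deny"


def blocked_vowifi_flows(rules):
    """Labels of required WiFi Calling flows the ruleset does not allow."""
    return [label for proto, port, label in REQUIRED
            if verdict(rules, proto, port) != "allow"]


if __name__ == "__main__":
    for name, rules in (("baseline", BASELINE), ("shadowed", SHADOWED),
                        ("fixed", FIXED)):
        print(name, blocked_vowifi_flows(rules) or "all required flows allowed")
```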

Frequently Asked Questions

WiFi calling (VoWiFi) routes voice calls over WiFi via an IPSec tunnel to the carrier's ePDG, using your phone number. WiFi offload redirects mobile data traffic from cellular to WiFi to reduce carrier network congestion, often using Passpoint for automatic authentication.

Yes, WiFi calling works on most WiFi networks. However, quality depends on the network's QoS configuration, signal strength, and whether the firewall allows IPSec traffic (IKEv2 on UDP 500/4500 and ESP protocol).

Carrier WiFi offload uses SIM-based EAP methods (EAP-SIM, EAP-AKA, EAP-AKA') via RADIUS. The Passpoint/Hotspot 2.0 framework automates network discovery and secure connection without user interaction.

IronWiFi provides cloud-based RADIUS infrastructure supporting EAP-SIM, EAP-AKA, and EAP-TLS authentication. Combined with Passpoint and OpenRoaming support, IronWiFi enables enterprises and carriers to deploy WiFi calling with carrier-grade security.

Reliable WiFi calling requires WMM QoS enabled, AP signal strength of -67 dBm or better, 802.11r/k/v fast roaming, voice VLAN separation, and firewall rules allowing IPSec traffic to the carrier's ePDG.