
Passpoint Onboarding Experience

Configure user onboarding for Passpoint (Hotspot 2.0) networks using IronWifi's cloud platform. This guide covers OSU portal setup, MDM-based provisioning, OpenRoaming federation, and device-specific configuration for seamless automatic WiFi authentication.

Overview

Passpoint onboarding is the process by which users receive credentials and configuration profiles that enable automatic connection to Passpoint-enabled networks. Unlike traditional WiFi that requires manual network selection and password entry, Passpoint provides a seamless, secure connection experience.

Prerequisites

In IronWifi Console (complete these first):

  1. Log in to IronWifi Management Console
  2. Navigate to Networks > select your network
  3. Enable Passpoint
  4. Configure your preferred onboarding method (OSU portal, MDM, etc.)

Onboarding Methods

1. MDM-Based Provisioning

For managed devices (enterprise, education):

Supported MDM Platforms:

  • Microsoft Intune
  • Jamf Pro
  • Google Admin (Chromebook)
  • VMware Workspace ONE
  • Kandji
  • Meraki Systems Manager

How It Works:

  1. IT admin creates WiFi profile with Passpoint settings
  2. Profile pushed to managed devices
  3. Device automatically connects to Passpoint networks
  4. No user action required

Best For: Corporate devices, school devices, managed BYOD

2. OSU (Online Sign-Up) Portal

For BYOD and guest devices:

IronWifi OSU Portal: https://osu.ironwifi.com

How It Works:

  1. User visits OSU portal (via QR code, link, or captive portal redirect)
  2. User authenticates (email, social login, or identity provider)
  3. Profile automatically downloads and installs
  4. Device connects to Passpoint networks automatically

Best For: Guests, BYOD, public hotspots

3. OpenRoaming Federation

For users with existing credentials:

How It Works:

  1. User already has OpenRoaming credentials (from carrier, employer, etc.)
  2. Device automatically discovers Passpoint network
  3. Authenticates using existing credentials
  4. Seamless connection with no user action

Best For: Roaming users, carrier WiFi, federated access


OSU Portal Configuration

Setting Up OSU Portal

  1. Log in to IronWifi Console
  2. Navigate to Networks > Passpoint
  3. Enable OSU (Online Sign-Up)
  4. Configure OSU settings:

Basic Settings:

  • OSU Server URI: Your branded URL or use IronWifi default
  • OSU Friendly Name: Display name shown to users
  • OSU NAI: Network Access Identifier for OSU
  • OSU Method: SOAP-XML or OMA-DM

Authentication Options

Configure how users authenticate during onboarding:

| Method | Description | Use Case |
|---|---|---|
| Email | User enters email, receives verification | General access |
| Social Login | Google, Apple, Facebook, etc. | Consumer venues |
| Identity Provider | SAML/OAuth with enterprise IdP | Corporate BYOD |
| SMS | Phone verification | High-security venues |
| Voucher | Pre-generated access codes | Events, hotels |

Branding

Customize the OSU portal appearance:

  1. Go to OSU Settings > Branding
  2. Configure:
    • Logo: Upload your organization logo
    • Colors: Match your brand colors
    • Welcome Message: Custom text for users
    • Terms of Service: Link to your ToS
    • Privacy Policy: Link to privacy policy

User Onboarding Flow

First-Time Connection

1. User Discovers Network
└── Device scans for Passpoint networks
└── Finds network matching installed profile OR
└── Sees OSU-capable network

2. Profile Installation (if needed)
└── User directed to OSU portal
└── Authenticates (email, social, etc.)
└── Profile downloads automatically
└── User approves profile installation

3. Automatic Connection
└── Device connects using installed credentials
└── EAP authentication with RADIUS
└── Access granted

4. Ongoing Access
└── Device auto-connects when in range
└── No further user action needed
└── Works across all federated networks

Returning Users

For users with installed profiles:

  1. Device detects Passpoint network
  2. Automatically authenticates
  3. Connected in under 1 second
  4. No user interaction required

Profile Types

Certificate-Based (EAP-TLS)

Highest Security:

  • Unique certificate per device
  • No passwords to manage
  • Automatic renewal via SCEP/EST
  • Ideal for managed devices

Profile Contents:

  • Root CA certificate
  • Client certificate
  • Private key (protected)
  • Network configuration

Username/Password (EAP-TTLS)

Good Balance:

  • Username derived from identity
  • Password or token-based
  • Easier to deploy
  • Works on any device

Profile Contents:

  • Root CA certificate
  • Username/NAI configuration
  • Authentication method

SIM-Based (EAP-SIM/AKA)

For Carrier WiFi:

  • Uses mobile SIM credentials
  • Automatic, no user setup
  • Carrier-managed
  • Best for WiFi offload

Device-Specific Onboarding

iOS / macOS

Profile Installation:

  1. User clicks profile link or scans QR
  2. Profile downloads to device
  3. User goes to Settings > General > VPN & Device Management
  4. Taps profile and selects "Install"
  5. Enters device passcode
  6. Profile installed, auto-connect enabled

MDM Deployment:

  • Push configuration profile via MDM
  • No user interaction required
  • Supports supervised and unsupervised devices

Android

Profile Installation:

  1. User downloads Passpoint profile (.conf or via app)
  2. Goes to Settings > Network > WiFi > Add Network
  3. Selects "Passpoint" option
  4. Imports profile
  5. Auto-connect enabled

Android 11+:

  • Passpoint R2 support
  • Improved profile handling
  • Better auto-connection

Windows

Profile Installation:

  1. Download WiFi profile XML
  2. Import via Settings or command line
  3. Auto-connect enabled

Command Line:

netsh wlan add profile filename="passpoint-profile.xml"

Chromebook

MDM Deployment:

  • Configure via Google Admin Console
  • Push to managed Chromebooks
  • Supports certificate and password auth

QR Code Onboarding

Generate QR Codes

Create QR codes for easy onboarding:

  1. In IronWifi Console, go to Networks > Passpoint > QR Codes
  2. Generate QR code with OSU portal link
  3. Download or print QR codes
  4. Display at venue entry points

QR Code Content

The QR code typically contains:

https://osu.ironwifi.com/org/YOUR_ORG_ID?location=LOCATION
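Decoded QR payloads can be checked against this URL pattern before codes are printed and again when posted codes are audited. The following is an added example, not IronWifi code; the organization ID, location names and sample URLs are constructed, and the "exactly one location parameter" rule is an assumption drawn from the pattern above.

```python
import re
from urllib.parse import urlsplit, parse_qs

EXPECTED_HOST = "osu.ironwifi.com"  # host from the URL pattern shown above

def check_osu_qr_url(url, org_id, known_locations):
    """Return a list of problems; an empty list means the payload is as expected."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL does not parse"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo present before the host")
    if parts.hostname != EXPECTED_HOST or port not in (None, 443):
        problems.append("host or port is not the OSU portal")
    m = re.fullmatch(r"/org/([^/]+)", parts.path)
    if not m or m.group(1) != org_id:
        problems.append("path does not name the expected organization")
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != {"location"} or len(query["location"]) != 1:
        problems.append("query must carry exactly one location parameter")
    elif query["location"][0] not in known_locations:
        problems.append("location is not in the venue inventory")
    if parts.fragment:
        problems.append("unexpected fragment")
    return problems

def audit_qr_payloads(payloads, org_id, known_locations):
    """Map each failing payload to its problems; passing payloads are omitted."""
    report = {}
    for url in payloads:
        problems = check_osu_qr_url(url, org_id, known_locations)
        if problems:
            report[url] = problems
    return report

# Constructed sample payloads, as decoded from codes collected at a venue.
SAMPLES = [
    "https://osu.ironwifi.com/org/acme-01?location=lobby",
    "http://osu.ironwifi.com/org/acme-01?location=lobby",
    "https://osu.ironwifi.com@portal.example/org/acme-01?location=lobby",
    "https://osu.ironwifi.com/org/acme-01?location=rooftop",
]

if __name__ == "__main__":
    for url, problems in audit_qr_payloads(SAMPLES, "acme-01", {"lobby", "desk"}).items():
        print(url, "->", "; ".join(problems))
```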

Placement Recommendations

  • Reception/front desk
  • Elevator lobbies
  • Conference rooms
  • Guest room welcome materials
  • Digital signage
  • Website/email communications

Troubleshooting Onboarding

Profile Won't Install

iOS:

  1. Check device isn't in supervised mode blocking profiles
  2. Verify profile isn't expired
  3. Ensure device has internet for verification
  4. Check Settings > General > Profiles for stuck profiles

Android:

  1. Verify Android version supports Passpoint
  2. Check WiFi settings for Passpoint option
  3. Clear WiFi cache and retry
  4. Ensure profile format is correct

Auto-Connect Not Working

  1. Verify profile installed correctly
    • Check device WiFi settings for Passpoint entries
  2. Check network configuration
    • Ensure RCOI matches profile
    • Verify NAI realm configured
  3. Test manually
    • Try connecting manually to isolate issue

Authentication Failures

  1. Check credentials
    • Verify certificate validity
    • Check username/password
  2. Check RADIUS
    • Review IronWifi authentication logs
    • Verify realm routing
  3. Check profile
    • Ensure EAP method matches server
    • Verify CA certificate trusted
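
The profile checks listed under Auto-Connect Not Working and Authentication Failures (RCOI or NAI realm match, EAP method, trusted CA) can be run against an iOS/macOS configuration profile before it is distributed. This is an added example, not IronWifi code; it assumes Apple's Wi-Fi payload keys, and the RCOIs, realm, server name and UUID are constructed samples.

```python
import plistlib

TLS_BASED = {13: "EAP-TLS", 21: "EAP-TTLS"}  # IANA EAP method numbers

def norm_oi(oi):
    """Reduce '00-11-22' or '00:11:22' to bare upper-case hex."""
    return "".join(c for c in oi.upper() if c in "0123456789ABCDEF")

def audit_profile(data, network_rcois, realm, server_eap):
    """Return findings for each Passpoint Wi-Fi payload in a .mobileconfig."""
    payloads = [p for p in plistlib.loads(data).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.wifi.managed"
                and p.get("IsHotspot")]
    if not payloads:
        return ["no Passpoint (IsHotspot) Wi-Fi payload in profile"]
    advertised = {norm_oi(o) for o in network_rcois}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration", {})
        ois = {norm_oi(o) for o in p.get("RoamingConsortiumOIs", [])}
        realms = {r.lower() for r in p.get("NAIRealmNames", [])}
        # The device selects the network when an RCOI or the NAI realm matches.
        if not (ois & advertised) and realm.lower() not in realms:
            findings.append("no RCOI or NAI realm in the profile matches the network")
        accepted = eap.get("AcceptEAPTypes", [])
        if server_eap not in accepted:
            findings.append(f"EAP type {server_eap} not accepted by profile")
        if TLS_BASED.keys() & set(accepted):
            # Server validation needs a pinned CA and an expected server name.
            if not eap.get("PayloadCertificateAnchorUUID"):
                findings.append("no CA anchor set for server certificate")
            if not eap.get("TLSTrustedServerNames"):
                findings.append("no trusted RADIUS server name set")
    return findings

def build_sample(ois, eap_types, anchor=None, names=()):
    """Constructed sample profile (all values are made up for the demo)."""
    eap = {"AcceptEAPTypes": eap_types, "TLSTrustedServerNames": list(names)}
    if anchor:
        eap["PayloadCertificateAnchorUUID"] = [anchor]
    wifi = {"PayloadType": "com.apple.wifi.managed", "IsHotspot": True,
            "RoamingConsortiumOIs": ois, "NAIRealmNames": ["example.org"],
            "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [wifi]})

GOOD = build_sample(["00-11-22"], [13], "ANCHOR-UUID", ["radius.example.org"])
WEAK = build_sample(["AA-BB-CC"], [21])
```

An empty list from `audit_profile` means the profile passed every check; `WEAK` shows the findings produced when server validation settings are missing.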

Best Practices

For Smooth Onboarding

  1. Clear Instructions: Provide step-by-step guides for users
  2. Multiple Methods: Offer QR, link, and manual options
  3. Test All Platforms: Verify on iOS, Android, Windows
  4. Monitor Success Rate: Track onboarding completion
  5. Support Ready: Train staff on troubleshooting

For Security

  1. Use Certificates: Prefer EAP-TLS when possible
  2. Short Expiry: Rotate credentials regularly
  3. Verify Identity: Require authentication during onboarding
  4. Audit Access: Log all onboarding events

For User Experience

  1. Minimize Steps: Reduce friction in onboarding
  2. Brand Consistently: Match your organization's look
  3. Clear Messaging: Explain benefits of Passpoint
  4. Instant Access: Ensure quick connection after onboarding