Breaking News

Wi-Fi news from ENEA

OpenRoaming for IoT Onboarding

When you switch on a brand-new cellular or wired IoT device, it can be bootstrapped to connect to a provisioning server immediately. The IoT connectivity is secure and seamless from the moment the device is switched on.

This is not the case with Wi-Fi-based IoT devices. We have all tried to onboard these devices to the Wi-Fi network using an app, QR code, or Bluetooth, which may be okay for consumer devices. But what about industrial and enterprise use cases with thousands of devices? The onboarding issue is currently the largest showstopper for a mass market of Wi-Fi-based IoT devices.

At Enea, we have tried to solve this with the Zero-touch Wi-Fi IoT onboarding invention utilizing the already installed device certificates. The idea is excellent, but it requires industrywide acceptance and deployment. This was before OpenRoaming.

We now see the potential in using OpenRoaming to make Wi-Fi IoT onboarding as secure and seamless as Cellular and Wired IoT. It is a complex task with many use cases, and it may require a separate base RCOI for IoT and a different set of CAG policies. But it can be done.

Update March 2024

The FIDO Alliance is leading the way in automatically onboarding IoT and headless devices. They have a well-thought-out process with their FIDO Device Onboard (FDO), an automatic onboarding protocol for edge nodes and IoT devices. FDO enables late binding of device credentials so that one manufactured device may be onboarded to many different cloud and edge management platforms. But to perform this late binding of credentials, the device needs connectivity to reach a so-called Rendezvous Service. This works well for wired and cellular devices that get connected when powered up but not for Wi-Fi-based IoT devices.

We are happy to announce that Enea and Intel have taken the initiative to form a working group within WBA called OpenRoaming & FIDO Device Onboarding with the mission to use OpenRoaming for zero-touch connectivity for Wi-Fi-based IoT devices. The work is still in its initial stage; the goal is to make FDO as seamless for Wi-Fi as it is for fixed and cellular.

AAA & Access Management – VoWiFi

In previous articles we have talked about the critical nature of AAA / Access Manager and why the functions remain at the core of telecom services. Enabling Voice over Wi-Fi for a telecom operator is a case in point; this is also called Wi-Fi Calling, but for the rest of this article the label VoWiFi is used. At a simple level it enables telephony services over available Wi-Fi access points. In effect, Wi-Fi Calling links telephony from a telecom operator to an internet environment, so you can make, answer, and maintain calls seamlessly when moving in and out of Wi-Fi and mobile networks.

VoWiFi provides low-cost coverage expansion of voice communications for telcos, letting them create and maintain reliable voice connectivity using pre-existing Wi-Fi access/IP connectivity. It is complementary to voice over LTE (VoLTE) but different in that it uses Wi-Fi access points, not LTE. The business case for this is driven by:

  • Necessity – disabling older circuit-switched technology
  • Maintaining quality of experience for voice calls
  • Creating new service offers such as sponsored roaming

In a world of apps, it may seem old-fashioned, but making a phone call (and expecting it to connect reliably and with quality) is still what customers do. A USwitch[1] survey in the UK rated phone calls as the third most popular activity (73%), just behind messaging (78%) and email (74%). Long call or short call, it doesn’t matter: if the call quality is bad, users blame the network, and there is plenty of choice if they want to switch networks. Voice quality and coverage are also key factors in network assessments by testing leaders such as Umlaut[2], in their ‘Walk tests’ in big cities, and RootMetrics, in its Call Performance tests.[3] Further, it can be a misconception that coverage issues will be fixed by 5G, as 5G is a mix of radio technologies and pure 5G frequencies can be more affected in dense urban areas.

The voice use case matters for a third reason – a strategy to provide more capacity cost-effectively is needed to meet the increasing data demands of the network. An integrated Wi-Fi solution is a building block of that strategy in urban scenarios; data follows voice, and integrating access for mobile and IP networks provides seamless, cost-effective capacity expansion.

The core case for VoWiFi is maintaining the quality of connection. In areas where circuit-switched service is being disconnected, it is essential to link IPv4/IPv6 IMS to HSS authentication, and this is the role played by the AAA / Access Manager. Working in collaboration with a telco’s entitlement services, on-device application, and packet gateways, the Access Manager authenticates the IP telecom access for a voice call in response to the request received from the evolved packet data gateway (ePDG) over the SWa | SWm Diameter protocol. The response from the Access Manager contains the right authorization and additional attributes so that access is authorized. The additional attributes can be used to create different offers based on, for example, geolocation and sponsored data/voice roaming, enabling new monetization options.

What Enea is doing is solving this use case and more across AAA / Access Manager deployments directly and with our partners. Enea provides AAA / Access Manager as virtualized software (VNF | CNF) increasing the cost benefit of capacity expansion for VoWiFi. The Access Manager has been deployed in more than 40 Operator networks including several large Tier 1 Telecom Operators. It has demonstrable interoperability across a wide range of interfaces and solution use cases.



[1] USwitch Survey 2023

[2] Vodafone Umlaut tests

[3] RootMetrics – UK test

As discussed in a recent blog post, we have noticed a growing interest in Mobile Data Offloading solutions. Operators of 4G networks that have not yet invested in 5G need the extra capacity as the volumes of video traffic continue to grow and when shutting down legacy 3G networks. Operators of 5G networks are also interested in the same type of solutions but for a different reason. The higher frequencies of the 5G spectrum make it difficult and expensive to provide good indoor coverage.

With Enea Aptilo Service Management Platform (SMP) and equipment based on the latest Wi-Fi 6 and 6E standards, operators can roll out complementing and cost-effective solutions indoors as well as in high-density locations to meet subscribers’ expectations in terms of user experience and quality of service.

In this interview on Wi-Fi Now, Johan Terve, Senior Marketing Director, elaborates on the current drivers for Wi-Fi offload, stresses the importance of seamless and secure connectivity, and explains how Wi-Fi potentially can help operators reduce energy costs.

Wi-Fi Offload is back as it is 2013 again, says Johan Terve

Today, at World Wi-Fi Day, we remind ourselves how Wi-Fi has played a transformative role in bridging the digital divide worldwide. Wi-Fi can also help save our planet. With its localized transmission, lower signal strength requirements, and power-saving features, it is a greener alternative to cellular and beneficial for the environment we all care about.

We all know that it is the relatively small initiatives that sum up to deliver a significant positive environmental impact. One of those initiatives is our new purpose-built database, released in Enea Aptilo SMP 5.6, which we have optimized for our platform. As we celebrate World Wi-Fi Day, we have received reports from some of our customers showing the extreme efficiency gains when going from a general-purpose database to our new database, which we have purpose-built for the telecom use case.

Less than half the number of Enea Aptilo SMP servers needed to perform the same job



One of our customers has reduced the number of server nodes from 10 to 4 while still performing the same job. Furthermore, each node also has significantly less memory and CPU utilization. This correlates well with stress tests in our labs, where we have simulated 16 million accounts with heavy database activity. The CPU utilization was down by a factor of ten going from 300% to 30% (Three cores running at 100% to one running at 30%).

It is fantastic and surprising how a few skilled software engineers can fundamentally impact energy consumption. And this is just in the daily operation of the machines. Add to this the energy and overall environmental cost of manufacturing and distributing twice as many servers.

We challenge our industry and all other industries to make the same effort. Together, we can help save our environment bit by bit, day by day, leaving a better world for our children.


Is the green agenda another reason for the sudden surge in interest in Wi-Fi offload?

The Technology – All Stars Are Finally Aligned for Convergence

In our recent blog post – Wi-Fi Offload 2.0 – Why a Surge in Interest Right Now? – we attributed the reason for operators’ increasing interest in Wi-Fi to the paradigm shifts in Wi-Fi technology and the urgent need for additional capacity and indoor coverage. But maybe there is also a green agenda behind this interest. With offloading, operators are saving costs on equipment and energy consumption. This means they can better fulfill their commitments to their Environmental, social, and corporate governance (ESG) agendas.

We are committed to ensuring that Wi-Fi and Cellular coexist to bring the best user experience and save the environment any way we can.

Monetizing through Wi-Fi Advertising banners on the captive portal or through messages sent via email or SMS is an obvious alternative to offset the cost of a free Wi-Fi service. But it may not be that simple. This blog post addresses the challenges with Wi-Fi advertising, and what service providers must do to compete effectively with online media and get their fair share of advertisers’ budgets.

Wi-Fi Advertising Challenges

To a large extent, online advertising is a volume game with just a few USD cents per click. Some of Enea’s service provider customers have millions of users passing the captive portal daily. Those operators can compete with the number of eyeballs offered by major online media, but how about smaller installations with just a few thousand daily Wi-Fi users?
The need for sufficient volume is the biggest challenge for making enough money on Wi-Fi advertising.

Another challenge is that the venue owners may need to approve external advertising campaigns paid by third-party advertisers in a business-to-business (B2B) Wi-Fi context, which makes the administration more complex. Conversely, suppose the venue owner wants to display their own advert. In that case, even a low volume of advertising can be valuable for them if they can handle the administration of their adverts.

A third challenge with Wi-Fi advertising is that users may find adverts intrusive if they must see information that does not interest them before gaining access to the internet.

Finally, there is a technical challenge. When the user is at the captive portal, they have no access to the internet, as this is the primary purpose of a captive portal. Thus, the Wi-Fi service management system must ensure that the addresses of any advertising assets, such as videos, are allowed and accessible if located on the public internet.

With the right tools, service providers can address all these challenges. So let’s start with the two most important ones. First, how can we make Wi-Fi advertising worthwhile for service providers with lower audience volume? Second, how do we make advertising acceptable from a user experience point of view?

Make Wi-Fi Advertising Hyper-Targeted

As discussed, in a B2B context, it can be valuable for venue owners to handle their internal adverts, and this could be a premium service that the service provider charges for.

But, to monetize from third-party advertisers and compete with online media, Wi-Fi service providers must be able to offer hyper-targeted high-value advertising.

Targeted Wi-Fi advertising is more valuable for advertisers and users because it allows for more efficient and effective marketing strategies. By using data and analytics to understand a user’s preferences, interests, and behaviors, advertisers can create highly personalized and relevant ads that are more likely to resonate with the individual.

Targeted advertising means higher conversion rates and a better return on investment for advertisers. By targeting specific demographics or individuals, they can reduce wasted advertising spend and focus their efforts on reaching the right people at the right time. They can also increase brand loyalty and customer engagement, as users are more likely to respond positively to ads tailored to their interests.

The bottom line is this. Advertisers are more likely to pay a premium price for adverts they know will hit their target group than paying pennies for adverts spread over a vast audience, where only a fraction of them are of interest to the advertiser.

Using hyper-targeted Wi-Fi advertising is also very beneficial for the service provider. They can monetize more by charging a premium price for the advert and by being able to fit more advertisers on the same advertising space at the captive portal.

For users, targeted Wi-Fi advertising can be seen as a more positive experience because it provides them with more relevant and useful ads. Instead of being bombarded with irrelevant ads, they can receive ads tailored to their needs and interests, which can help them discover new products and services they may be interested in.

Overall, targeted advertising allows for a more personalized and effective approach to marketing, benefiting both advertisers and users. However, it is essential to note that there are concerns about data privacy and the ethical use of user data in targeted advertising. This brings us to the next subject, compliance with regulations and ethical principles.

Data Privacy and Consent Management

Most users of free Wi-Fi services understand the fundamental truth that has been cited many times; “if you’re not paying for the product, you are the product.”

We realised early on that consent and personal data management is about more than just following regulations such as the European General Data Protection Regulation (GDPR) to avoid heavy fines. It is also about protecting your brand as a service provider: gaining the user’s trust and being known as a fair player. You need to transparently show what data you have collected and let the end-user handle their consent to use that data.


We have your back covered. Learn more about the Enea Aptilo SMP award-winning consent and personal data management functionality.

Now you have advertising space, the captive portal, and privacy protection complying with users’ expectations and government regulations. So how do you collect enough detailed data to fulfill the ‘hyper’ in hyper-targeted Wi-Fi advertising?

Fulfilling the ‘hyper’ in hyper-targeted Wi-Fi Advertising

A popular method of gaining user data is to offer login to the Wi-Fi service using social media credentials. But that method will not give much more details beyond email and the person’s name.

So how do you gather data to create hyper-targeted profiles such as:
  • Men between 25-55 in age, using iPhones, flying between Madrid and Barcelona twice a month or more.
  • Women under 60 in age, living in a single-family detached home, driving BMW or Volvo.
  • Single men 20-40 in age interested in Golf.

There is only one way. Ask them! This is where using surveys as a login method to the Wi-Fi service comes in.


Next-Generation Surveys

We have designed our next-generation surveys with the mobile user experience in mind.

Survey functionality a Wi-Fi captive portal design for a mobile user experience

Instead of the traditional single captive portal page with form fields asking for information, we have designed the user onboarding experience with several pages. Each page asks for information using clickable icons. It is a much better mobile user experience. In the example above, the user can swiftly navigate through the pages, using one hand and clicking on the icons. It may even take the same number of clicks, or fewer, than it typically takes to enter the user’s first name. The user’s browser will normally auto-complete the email address, so there are no additional clicks.

It is also possible to add an optional advert screen at the end, where the user needs to view a message from the advertiser. For example, one of our service provider customers had 15% more users completing the login process when moving to the survey user experience rather than the old-school captive portal. For them, it also meant a 15% increase in revenues as they monetized through the sponsor adverts at the end.

So, using our survey functionality will improve the mobile user experience for onboarding users to the Wi-Fi service. But the primary purpose is to ask more detailed questions to build up the user profile over time. Over time is the keyword here. The administrator can arrange multiple surveys in a ‘carousel’ to be shown in order when the user returns, so don’t ask more than a few questions in each survey. The conversion rate, i.e., users completing the Wi-Fi service onboarding, will go down for every question added to the survey. A good practice is keeping the number of questions for each survey to 5 or below.

Think hard about how intrusive a question is. It is never worth discouraging a user from using the Wi-Fi service because the question challenges their integrity.

Connecting the Dots With SmartAds

Service providers can make the most out of the consent-based user profile data gained through the Wi-Fi service. They can do that through Enea’s SmartAds concept:


  1. The user logs in through the captive portal.
  2. We capture personal profile data through next-generation surveys and device information. Using only a few questions will keep the user motivated to connect. Therefore, we recommend asking additional questions on the next visits using the survey carousel.
     2b. Optionally, you may use our consent and personal data management functionality to get users’ consent for using their personal data. This is beneficial for them as well, as they will only see relevant adverts. We say optionally, as it may not be legally required in some countries, but it is always a good idea to have it enabled.
  3. We save the personal profile data.
  4. The captive portal administrator adds the SmartAd asset to the right banner advertising space. Users will see adverts tailored to their user profile (segment). If there is no matching advert, the user will see a default advert.
  5. The service provider can produce reports per advertiser to charge a premium price for the hyper-targeted ads.

It is an ever-ongoing process for marketing to define campaigns, segments, and SmartAds.

SmartAds Behind the Scenes

Different administrators with different roles are handling various aspects of the SmartAds concept. Note that the same administrator could have multiple roles.


Campaign Admin

The campaign admin creates the campaign for the advertiser and allocates duration and allowed time slots and segments for the campaign. The campaign admin also defines which Ad approval administrator should approve the advert.

Segment Admin

The segment administrator creates and maintains segments based on the user profile data.
These segments can be as complex as allowed by the depth of details available.

Ad Admin

The ad admin creates advertising assets such as banners, videos, or text messages for the campaign. They can choose time slots and segments for each advert based on what is allowed in the selected campaign. It is also possible to set ‘any’ for the time slot and segment for an ad asset, within the limitations set by the campaign, in which case any allowed time slot and segment will match the ad asset.

The ad admin can be one of the service provider’s staff. Still, we generally anticipate that the most effective process will be to let the advertiser handle this as a self-management service. Once the asset is ready, it is sent to the ad approval admin for approval. Once it is approved, it will be added to the selected campaign.

Ad Approval Admin

The ad approval admin approves the ad assets created by the ad admins. They can also reject already approved ad assets if needed.

SmartAd Admin

The SmartAd admin creates the SmartAd assets. A SmartAd will contain several campaigns that, in turn, include several ad assets tied to different segments. If multiple ad assets match the same segment, they will be picked randomly at the captive portal for an even distribution among advertisers. The SmartAd admin must also define a default advert to show if there is no match for the individual user. This default advert could, for instance, be the service provider’s advert or the venue owner’s advert.

Captive Portal (CP) Admin

The complexity and logic around which ad will be shown for which user at a particular time is entirely hidden in the SmartAd. The captive portal admin selects the right SmartAd asset from a drop-down menu and puts it in the suitable banner advertising space at the right captive portal (location).

There is currently a hype around cellular IoT, especially with the new opportunities that 5G will bring. And it is not without cause; 5G will bring new real-time critical communication opportunities in industries such as automotive and remote surgery.

But a lesser-known fact is that around 70% of all IoT devices are connected through short-range technologies such as Bluetooth, Wi-Fi, Zigbee, and Z-wave. And at least one-third of all IoT devices connect through Wi-Fi.



Connecting Billions of Wi-Fi IoT Devices

IoT Analytics growth in IoT devices until 2025

The opportunity for operators to deliver connectivity services for IoT devices has long been touted as one of the most important growth segments in telecom. And the number of wireless IoT devices in need of connectivity is indeed growing at an impressive rate. As shown in the figure, IoT Analytics forecasts growth of the installed base from 10.0 billion in 2019 to 30.9 billion in 2025.  Ericsson’s slightly more conservative estimate predicts growth from 12.6 billion units in 2020 to a whopping 26.9 billion in 2026.

But here is a perhaps lesser-known fact: By far the largest proportion of IoT devices – approximately 7.5 billion out of a total of 11.7 billion units as of 2020, to be exact, see the figure above – are short-range, non-cellular devices.  And as mentioned, according to IoT Analytics, Wi-Fi-based IoT devices represent a third of all IoT devices in 2020 and are one of the fastest-growing tech product segments.

The number of Wi-Fi-based IoT devices is expected to increase to more than 7 billion by 2025. This number, of course, includes devices for the smart home, devices operated by businesses, and even machinery and automation-type devices for industrial applications.

Connecting billions of IoT devices with secure and reliable carrier-grade Wi-Fi services is clearly a big business opportunity. But it is also a significant challenge for any service provider because the IoT device market is notoriously fragmented and dominated by proprietary solutions.

Onboarding Must Be As Seamless and Secure As Cellular IoT

The secure and automatic onboarding of masses of IoT Wi-Fi devices – many of which are ‘headless’ without a user interface – has proven less than easy.

Thankfully there are new initiatives that allow service providers to achieve effective automatic onboarding. Enea’s Zero-Touch Wi-Fi IoT Connectivity concepts use certificates (x.509) that already exist in devices to auto-connect Wi-Fi IoT devices to Wi-Fi right out of the box.  We have partnered with Amazon Web Services (AWS) IoT Core to deliver an end-to-end, massively scalable Wi-Fi IoT onboarding proof of concept.

There is only one important puzzle piece missing for a mass market. The device must, straight from the factory, try to connect to a “ZeroTouch” Hotspot 2.0 service or legacy ZeroTouch SSID.

The Zero-touch concept also lends itself well to the WBA OpenRoaming, described in a recent insights post. In this case, the OpenRoaming mechanisms could also be used for the Zero-touch concept. Different players could act as an ‘identity provider’ for IoT devices, allowing any enterprise, IoT solution provider, or operator to sign up for the service. The end result would be the onboarding and auto-connection of IoT devices not only within their own network but also within the extended coverage footprint enabled by the OpenRoaming federation.

Because we encourage the industry to participate in this initiative, we have chosen not to patent the Zero-Touch innovation. We believe that the time is now for operators to invest in massively scalable and standardized onboarding for Wi-Fi IoT.

What is clear is that the seamless and secure onboarding of IoT Wi-Fi devices must be solved, one way or another.



Unified IoT Connectivity Control

With the Enea Aptilo IoT Connectivity Control Service™ (IoT CCS), mobile operators get a hyperscale programmable layer for cellular IoT connectivity control, security, and automation. The IoT CCS service features next-generation firewalls from Fortinet so operators can offer managed security with individual settings for each IoT customer. Nothing technically stops us from adding support for other radio technologies, such as Wi-Fi, to the IoT CCS service. This would enable service providers to offer a unified IoT connectivity service with the same policy control and security level over both cellular and Wi-Fi. In this Wi-Fi Now article, our Jonas Björklund further elaborates on the vision of a unified connectivity control delivered from the Cloud.

The Telecom Infra Project

The Telecom Infra Project (TIP) is an industry initiative aiming to break open the markets for Wi-Fi hardware, software, and services to reduce costs and increase Wi-Fi network availability.



Can hardware and software for Wi-Fi infrastructure be disaggregated – meaning, can the two be made independent or even open-sourced? If you ask the Wi-Fi subgroup of the Telecom Infra Project (TIP), the answer is yes.

The TIP OpenWi-Fi project is working to remove the lock-in effects of proprietary Wi-Fi hardware, software, and general architectures, with a view to reducing network costs and increasing ubiquity.

Thus far, the collaborative project – which is widely supported by, e.g., Facebook – is mostly working to develop disaggregated residential Wi-Fi service architectures.

OpenWiFi is a community-developed, open-source software for Wi-Fi. It includes both a cloud controller SDK and an Enterprise-grade Access Point (AP) firmware.  Both are designed and validated to work seamlessly together.

TIP is also working on improved collaborative schemes to facilitate mobile and Wi-Fi convergence, including Wi-Fi offload.

The work by TIP may lend itself well to reducing the cost and complexity of deploying carrier Wi-Fi networks.

OpenRoaming is a Wi-Fi roaming initiative initially conceived and launched by Cisco but since taken over and today operated by the Wireless Broadband Alliance (WBA).

OpenRoaming is a Passpoint-based roaming scheme bringing together identity providers and network providers into a so-called open roaming federation with currently over 1 million Wi-Fi hotspots and counting.


OpenRoaming Architecture

OpenRoaming Identity Providers
Identity providers can be any organization providing accounts for users. The most common and numerous types of identity providers within the context of OpenRoaming are fixed and mobile service providers. Still, anyone providing a user account can also be an identity provider. Both Samsung and Google are identity providers, and OpenRoaming is enabled by default in all Samsung devices from Galaxy S9 and in Google Pixel phones with Android 11 and above. Apple is largely expected to follow suit.

Game Changer for Passpoint

OpenRoaming is a game changer for the live deployment of Passpoint. The industrywide Passpoint project has been in the works since 2014, but the issue has always been the provisioning of Passpoint profiles.

Now finally, Passpoint is pre-enabled in devices from the factory for OpenRoaming. With this, Passpoint can achieve mass-market success not only in theory but also in practice, at least for the settlement-free use case within OpenRoaming.

Other identity providers could potentially be Internet giants like Facebook, Amazon, or Netflix and public networks such as WiFi4EU and Eduroam. Such companies and organizations would then be able to offer their subscribers auto-connect and secure access to Wi-Fi at participating Wi-Fi networks.

OpenRoaming Network Providers

The term network provider describes the participating venues or service providers who own and operate Wi-Fi networks. A network provider can be anything from major Wi-Fi service providers to hotel chains, malls, airports, or congress centers. The Wi-Fi roaming can be free or paid – the details are up to the roaming partners to agree upon.

OpenRoaming aims to build renewed popular support – among carriers and venues – for ubiquitous Wi-Fi roaming and Passpoint. We also see a use case for it together with Aptilo’s Zero-touch Wi-Fi IoT Connectivity invention.

STOCKHOLM – October 5, 2020 – Telkom Indonesia, owner of one of the world’s largest Wi-Fi networks, Indonesia Wi-Fi, celebrates six years in partnership with Aptilo Networks. Telkom has now completed an upgrade to the latest version of the Aptilo Service Management Platform™ (SMP) with increased capacity and enhanced geographical redundancy.

Telkom’s Indonesia Wi-Fi network is one of the busiest in the world, serving more than 70 million users with 400,000+ Wi-Fi access points. To be ready for the future, this upgrade further improves capacity and strengthens geographical redundancy to ensure a consistent service.

Indonesia Wi-Fi is available with high-capacity fiber backhaul nationwide in the world’s largest archipelago country with 237 million people spread across 17,000 islands. Users are consuming 15-25 Petabyte (PB) of data per month. To put things in perspective, 25 PB is equivalent to eight million hours of full HD video.

“Managing Wi-Fi services with 400,000+ access points (including homespot) and 70 million users across 17,000 islands puts extreme demands on the Wi-Fi service management core platform,” said Irwan Indriastanto, Senior Manager Wireless Product, Telkom Indonesia. “Our customers deserve the best high-performance Wi-Fi service available. We are very pleased to expand our relationship with Aptilo to enhance the capabilities of our Wi-Fi service.”

Telkom Indonesia also offers a first class business-to-business (B2B) Wi-Fi service which addresses all customer segments including enterprise, SME, wholesale and retail. Through their WICO (Wi-Fi Corner) product, Telkom Indonesia helps governments build smart cities and provide social services.

“We are proud to have enabled one of the world’s largest public Wi-Fi services for the last six years,” said Paul Mikkelsen, CEO, Aptilo Networks. “We are also impressed at how Telkom Indonesia makes the most out of the innovations from Aptilo and Wi-Fi equipment vendors.”

About Aptilo Networks

Aptilo Networks, an Enea company, is a leading provider of carrier-class systems to manage data services with advanced functions for authentication, policy control and charging. Aptilo Service Management Platform™ (SMP) has become synonymous with Wi-Fi service management and Wi-Fi offload in large-scale deployments with 100+ operators in more than 75 countries, and is a critical component of Wi-Fi calling and IoT.

In our previous post about Secure and Seamless Carrier Wi-Fi Services with Passpoint, we explained the differences between the Wi-Fi Alliance Passpoint® versions (R1-R3) and the challenge at this point in time with sufficient device support for the latest releases, Passpoint R2 and R3. In this post, we will discuss how it is possible to overcome these challenges by taking a pragmatic approach to Passpoint, using the least common denominator Passpoint R1 and the Captive Portal API.

At Enea, we strongly believe that standards drive down costs and improve the user experience. But it is not enough for us in the telecom industry to be ready for Passpoint R2 and R3 if the devices aren’t. It takes two to tango.

The Captive Portal API

The Internet Engineering Task Force (IETF) Captive Portal API (RFC 8908 and RFC 8910), introduced in September 2020, is a game-changer.

The Captive Portal API not only improves the user experience in connection with traditional Captive Portal implementations. We believe that the Captive Portal API, in combination with Passpoint R1, has the potential to deliver much of the user experience that Passpoint R2 and R3 were designed to accomplish.

The adoption of the Captive Portal API among handset manufacturers has also been fast. Google was first to support the Captive Portal API, in Android 11, and Apple soon followed with support in iOS 14 and macOS Big Sur. With a critical mass of supporting devices, adoption across all the major operating systems appears imminent.

The Captive Portal API gives service management platforms, such as the Aptilo Service Management Platform™ (SMP), greater control of the Captive Portal flows for traditional hotspots. As a result, users will experience a more reliable service than ever before.

The overall user experience will also benefit hugely from the Captive Portal API. We have traditionally designed Access Gateways to intercept the user's web request and redirect it to a Captive Portal. With the Captive Portal API, the gateway does not need to intercept such requests. Instead, when users join the Wi-Fi network and receive an IP address via DHCP (or Router Advertisement in IPv6), the DHCP server also provides the URL to the Captive Portal API. This triggers the device to query the API to determine whether it is in captive mode, that is, the state in which the device does not have access to the Internet. If the device is in captive mode, it will open the captive portal for the user to log in or sign up. Devices that support the Captive Network Assistant (CNA) browser will open the captive portal in the CNA browser. If the API says the device is not in captive mode, the device will proceed directly to the Internet.

It takes time for new standards to be natively implemented in every device, so there might be some details in the Captive Portal API that still need to be implemented for some devices. However, the standardized interaction between the device and the captive portal, as defined in the Captive Portal API, is always there to help devices determine their state and auxiliary information, such as the remaining session time or data. This allows the device to take action before it reaches the time or data limits, so the user can extend the session in a controlled way. The result is a smoother interaction between the device and the Wi-Fi service management system. Previously, with the guesswork of device-only captive portal detection and system-only control, the device was unaware of what was happening after authentication. This could cause sessions to appear to freeze after the session time or data had run out.

Venue Info URL

Another benefit of the Captive Portal API is that it can also provide a Venue Info URL. This excellent feature allows service providers to empower their B2B customers to engage with users locally with information and offers. In current implementations, the user receives the link to the Venue Info URL via an on-screen system message appearing as a text alert available during the session. The message remains on their lock screen and in their message history. This makes it easy to go back to the Venue Info URL, as the message history is typically just a swipe away.

The Venue Info URL will appear when the user connects manually by selecting an open SSID or automatically through a secure Passpoint-enabled network. It will also offer otherwise anonymous Network Providers a way to show local information and customized advertising to users that connect through, for instance, OpenRoaming or Orion WiFi, described later in this paper.

Offering the user a portal experience like this on a secure SSID is something new, and it ensures venue owners can engage with users. This is crucial for making secure Wi-Fi the norm rather than the prevalent open SSID.
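The device-side handling described in the Captive Portal API and Venue Info URL sections above, as an added example that is not Enea's or any device vendor's code: it validates the API URL delivered via DHCP and maps an RFC 8908 response to an action. The function names, the `warn_seconds` threshold, the example.org URLs and the policy of dropping non-HTTPS URLs are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

DHCPV4_CAPTIVE_PORTAL = 114  # RFC 8910 option code (DHCPv6: 103, IPv6 RA: 37)
UNRESTRICTED = "urn:ietf:params:capport:unrestricted"  # RFC 8910: no portal
# Constructed sample API responses (application/captive+json, RFC 8908).
SAMPLE_CAPTIVE = '{"captive": true, "user-portal-url": "https://portal.example.org/login"}'
SAMPLE_OPEN = ('{"captive": false, "seconds-remaining": 120, '
               '"can-extend-session": true, '
               '"venue-info-url": "https://venue.example.org/info"}')


def api_url_from_dhcp(options):
    """Return the API URL from parsed DHCPv4 options ({code: bytes}), or None."""
    raw = options.get(DHCPV4_CAPTIVE_PORTAL)
    try:
        uri = raw.decode("ascii") if raw else None
    except UnicodeDecodeError:
        return None
    if uri is None or uri == UNRESTRICTED:
        return None
    # RFC 8908 requires the API to be reached over TLS; reject anything else.
    parts = urlsplit(uri)
    return uri if parts.scheme == "https" and parts.hostname else None


def _https_or_none(value):
    ok = isinstance(value, str) and urlsplit(value).scheme == "https"
    return value if ok else None


def decide(body, warn_seconds=300):
    """Map an API response body to the action the device should take."""
    state = json.loads(body)
    if not isinstance(state, dict) or not isinstance(state.get("captive"), bool):
        raise ValueError("'captive' must be present and boolean")
    # Policy assumption of this example: non-HTTPS URLs are dropped.
    result = {"venue_info_url": _https_or_none(state.get("venue-info-url"))}
    if state["captive"]:
        portal = _https_or_none(state.get("user-portal-url"))
        result.update(action="open_portal" if portal else "stay_captive",
                      portal_url=portal)
        return result
    remaining = state.get("seconds-remaining")
    expiring = isinstance(remaining, (int, float)) and remaining <= warn_seconds
    # Prompt for an extension only when the portal says one is possible.
    result.update(action="use_internet",
                  prompt_extend=bool(expiring and state.get("can-extend-session")))
    return result
```

Because the API URL arrives in an unauthenticated DHCP or Router Advertisement option, the HTTPS check and normal certificate validation on the API request are what keep a rogue DHCP server on the same segment from steering the device to an arbitrary portal.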


A Pragmatic Approach Building from Passpoint R1

We believe that the Captive Portal API, in combination with Passpoint R1, can deliver much of the user experience that Passpoint R2 and R3 were designed to accomplish.

It would make no sense to build special signup flows for the few devices that support an end-to-end Wi-Fi service based on Passpoint R2/R3. Why not use the R1 support as the least common denominator?

Devices that have not yet been provisioned for Passpoint R1 by other means, such as through a SIM profile (EAP-SIM/AKA) or App (EAP-TLS/TTLS), have to be provisioned ad-hoc through a sign-up portal over an open SSID or in advance via another connection.

The user will then download and install the Passpoint profile on their device. For Android phones, it is as easy as clicking a link and confirming the installation, whereas users of other devices, such as iPhones, may need device-specific instructions at the portal before download. Once the Passpoint profile is installed, we will restart the Wi-Fi connection. When the device reconnects, it will be logged in to the secure SSID (802.1X) stated in the Passpoint profile. The Captive Portal API can then be used for approval of terms and conditions for new users, or for existing users if there is a need for an update. The Venue Info URL can also optionally be used to display venue-specific information and promotions.

Add Passpoint R2-R3 Later

Figure: Later, when there is a critical mass of Passpoint R2 and R3 devices

Support for Passpoint R2/R3 can be added later when a critical mass of device support has been achieved.

Note that we have moved the approval of terms and conditions from the sign-up page to the first connection on the Passpoint-enabled network. This means that the process can also be used for already provisioned devices and devices with Passpoint R2 support, as well as the large volume of devices that only support R1. Users of Passpoint R1 who sign up at the site will see this as almost one flow, since the connection can be terminated right after a user has installed the profile. A user will then immediately return as pre-provisioned.

Online signup through the R2 online signup server (OSU) has many benefits to users once there is sufficient device support.

It remains to be seen if the benefits of Passpoint R3 terms and conditions and user engagement features will be significant or if it would be more beneficial to use the same processes as with Passpoint R1/R2 capable devices (dotted line in the figure).