
Wi-Fi news from ENEA

As discussed in a recent blog post, we have noticed a growing interest in Mobile Data Offloading solutions. Operators of 4G networks that have not yet invested in 5G need the extra capacity as the volumes of video traffic continue to grow and when shutting down legacy 3G networks. Operators of 5G networks are also interested in the same type of solutions but for a different reason. The higher frequencies of the 5G spectrum make it difficult and expensive to provide good indoor coverage.

With Enea Aptilo Service Management Platform (SMP) and equipment based on the latest Wi-Fi 6 and 6E standards, operators can roll out complementing and cost-effective solutions indoors as well as in high-density locations to meet subscribers’ expectations in terms of user experience and quality of service.

In this interview on Wi-Fi Now, Johan Terve, Senior Marketing Director, elaborates on the current drivers for Wi-Fi offload, stresses the importance of seamless and secure connectivity, and explains how Wi-Fi potentially can help operators reduce energy costs.

Wi-Fi Offload is back as it is 2013 again, says Johan Terve

Today, at World Wi-Fi Day, we remind ourselves how Wi-Fi has played a transformative role in bridging the digital divide worldwide. Wi-Fi can also help save our planet. With its localized transmission, lower signal strength requirements, and power-saving features, it is a greener alternative to cellular and beneficial for the environment we all care about.

We all know that it is the relatively small initiatives that sum up to deliver a significant positive environmental impact. One of those initiatives is our new purpose-built database, released in Enea Aptilo SMP 5.6, which we have optimized for our platform. As we celebrate World Wi-Fi Day, we have received reports from some of our customers showing the extreme efficiency gains when going from a general-purpose database to our new database, which we have purpose-built for the telecom use case.

Less than half the number of Enea Aptilo SMP servers needed to perform the same job

The efficiency of Enea Aptilo SMP


One of our customers has reduced the number of server nodes from 10 to 4 while still performing the same job. Furthermore, each node also has significantly less memory and CPU utilization. This correlates well with stress tests in our labs, where we have simulated 16 million accounts with heavy database activity. The CPU utilization was down by a factor of ten going from 300% to 30% (Three cores running at 100% to one running at 30%).

It is fantastic and surprising how a few skilled software engineers can fundamentally impact energy consumption. And this is just in the daily operation of the machines. Add to this the energy and overall environmental cost of manufacturing and distributing twice as many servers.

We challenge our industry and all other industries to make the same effort. Together, we can help save our environment bit by bit, day by day, leaving a better world for our children.


Is the green agenda another reason for the sudden surge in interest in Wi-Fi offload?

The Technology – All Stars Are Finally Aligned for Convergence

In our recent blog post – Wi-Fi Offload 2.0 – Why a Surge in Interest Right Now? – we attributed the reason for operators’ increasing interest in Wi-Fi to the paradigm shifts in Wi-Fi technology and the urgent need for additional capacity and indoor coverage. But maybe there is also a green agenda behind this interest. With offloading, operators are saving costs on equipment and energy consumption. This means they can better fulfill their commitments to their Environmental, social, and corporate governance (ESG) agendas.

We are committed to ensuring that Wi-Fi and Cellular coexist to bring the best user experience and save the environment any way we can.

Monetizing through Wi-Fi Advertising banners on the captive portal or through messages sent via email or SMS is an obvious alternative to offset the cost of a free Wi-Fi service. But it may not be that simple. This blog post addresses the challenges with Wi-Fi advertising, and what service providers must do to compete effectively with online media and get their fair share of advertisers’ budgets.

Wi-Fi Advertising Challenges

To a large extent, online advertising is a volume game with just a few USD cents per click. Some of Enea’s service provider customers have millions of users passing the captive portal daily. Those operators can compete with the number of eyeballs offered by major online media, but how about smaller installations with just a few thousand daily Wi-Fi users?
The need for sufficient volume is the biggest challenge for making enough money on Wi-Fi advertising.

Another challenge is that the venue owners may need to approve external advertising campaigns paid by third-party advertisers in a business-to-business (B2B) Wi-Fi context, which makes the administration more complex. Conversely, suppose the venue owner wants to display their own advert. In that case, even a low volume of advertising can be valuable for them if they can handle the administration of their adverts.

A third challenge with Wi-Fi advertising is that users may find adverts intrusive if they must see information that does not interest them before gaining access to the internet.

Finally, there is a technical challenge. When the user is at the captive portal, they have no access to the internet, as this is the primary purpose of a captive portal. Thus, the Wi-Fi service management system must ensure that the addresses of any advertising assets, such as videos, are allowed and accessible if located on the public internet.
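The allow-list this paragraph calls for can be derived from the advert asset URLs themselves. The following is an added example, not code from Enea or the Aptilo SMP; the function names, the HTTPS-only policy and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None                # userinfo can disguise the real host
    host = parts.hostname.lower().rstrip(".")
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def build_walled_garden(asset_urls, require_https=True):
    """Collect the origins that must be reachable before login.

    Only the origins of configured assets are opened, nothing broader.
    Cleartext assets are rejected by default (assumed policy).
    """
    allowed, rejected = set(), []
    for url in asset_urls:
        origin = origin_of(url)
        if origin is None or (require_https and origin[0] != "https"):
            rejected.append(url)
        else:
            allowed.add(origin)
    return allowed, rejected


def pre_auth_allowed(request_url, allowed):
    """Exact match on scheme, host and port; never a substring or suffix test."""
    origin = origin_of(request_url)
    return origin is not None and origin in allowed


# Constructed sample: asset URLs as an ad admin might enter them.
ASSET_URLS = [
    "https://cdn.ads.example/video/spring.mp4",
    "https://CDN.ads.example:443/banner/a.png",   # same origin as above
    "http://legacy.ads.example/banner.gif",       # cleartext, rejected
    "https://img.partner.example:8443/b.jpg",
]
ALLOWED, REJECTED = build_walled_garden(ASSET_URLS)

if __name__ == "__main__":
    print(sorted(ALLOWED))
    print(REJECTED)
```

How the access gateway enforces the resulting list is outside this sketch; the point is that the pre-login exception stays as narrow as the configured assets.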

With the right tools, service providers can address all these challenges. So let’s start with the two most important ones. First, how can we make Wi-Fi advertising worthwhile for service providers with lower audience volume? Second, how can we make advertising acceptable from a user experience point of view?

Make Wi-Fi Advertising Hyper-Targeted

As discussed, in a B2B context, it can be valuable for venue owners to handle their internal adverts, and this could be a premium service that the service provider charges for.

But, to monetize from third-party advertisers and compete with online media, Wi-Fi service providers must be able to offer hyper-targeted high-value advertising.

Targeted Wi-Fi advertising is more valuable for advertisers and users because it allows for more efficient and effective marketing strategies. By using data and analytics to understand a user’s preferences, interests, and behaviors, advertisers can create highly personalized and relevant ads that are more likely to resonate with the individual.

Targeted advertising means higher conversion rates and a better return on investment for advertisers. By targeting specific demographics or individuals, they can reduce wasted advertising spend and focus their efforts on reaching the right people at the right time. They can also increase brand loyalty and customer engagement, as users are more likely to respond positively to ads tailored to their interests.

The bottom line is this. Advertisers are more likely to pay a premium price for adverts they know will hit their target group than paying pennies for adverts spread over a vast audience, where only a fraction of them are of interest to the advertiser.

Using hyper-targeted Wi-Fi advertising is also very beneficial for the service provider. They can monetize more by charging a premium price for the advert and by being able to fit more advertisers on the same advertising space at the captive portal.

For users, targeted Wi-Fi advertising can be seen as a more positive experience because it provides them with more relevant and useful ads. Instead of being bombarded with irrelevant ads, they can receive ads tailored to their needs and interests, which can help them discover new products and services they may be interested in.

Overall, targeted advertising allows for a more personalized and effective approach to marketing, benefiting both advertisers and users. However, it is essential to note that there are concerns about data privacy and the ethical use of user data in targeted advertising. This brings us to the next subject, compliance with regulations and ethical principles.

Data Privacy and Consent Management

Most users of free Wi-Fi services understand the fundamental truth that has been cited many times: “if you’re not paying for the product, you are the product.”

We realised early on that consent and personal data management is about more than just following regulations such as the European General Data Protection Regulation (GDPR) to avoid heavy fines. It is also about protecting your brand as a service provider, gaining the user’s trust, and being known as a fair player. You need to transparently show what data you have collected and let the end-user handle their consent to use that data.

Enea Aptilo SMP award-winning consent management

We have your back covered. Learn more about the Enea Aptilo SMP award-winning consent and personal data management functionality.

Now you have advertising space, the captive portal, and privacy protection complying with users’ expectations and government regulations. So how do you collect enough detailed data to fulfill the ‘hyper’ in hyper-targeted Wi-Fi advertising?

Fulfilling the ‘hyper’ in hyper-targeted Wi-Fi Advertising

A popular method of gaining user data is to offer login to the Wi-Fi service using social media credentials. But that method will not give much more details beyond email and the person’s name.

So how do you gather data to create hyper-targeted profiles such as:
  • Men between 25-55 in age, using iPhones, flying between Madrid and Barcelona twice a month or more.
  • Women under 60 in age, living in a single-family detached home, driving BMW or Volvo.
  • Single men 20-40 in age interested in Golf.

There is only one way. Ask them! This is where using surveys as a login method to the Wi-Fi service comes in.


Next-Generation Surveys

We have designed our next-generation surveys with the mobile user experience in mind.

Survey functionality a Wi-Fi captive portal design for a mobile user experience

Instead of the traditional single captive portal page with form fields asking for information, we have designed the user onboarding experience with several pages. Each page asks for information using clickable icons. It is a much better mobile user experience. In the example above, the user can swiftly navigate through the pages, using one hand and clicking on the icons. It may even take the same number of clicks or fewer than it typically takes to enter the user’s first name. The user’s browser will normally auto-complete the email address, so there are no additional clicks.

It is also possible to add an optional advert screen at the end, where the user needs to view a message from the advertiser. For example, one of our service provider customers had 15% more users completing the login process when moving to the survey user experience rather than the old-school captive portal. For them, it also meant a 15% increase in revenues as they monetized through the sponsor adverts at the end.

So, using our survey functionality will improve the mobile user experience for onboarding users to the Wi-Fi service. But the primary purpose is to ask more detailed questions to build up the user profile over time. Over time is the keyword here. The administrator can arrange multiple surveys in a ‘carousel’ to be shown in order when the user returns, so don’t ask more than a few questions in each survey. The conversion rate, i.e., users completing the Wi-Fi service onboarding, will go down for every question added to the survey. A good practice is keeping the number of questions for each survey to 5 or below.

Think hard about how intrusive a question is. It is never worth discouraging a user from using the Wi-Fi service because the question challenges their integrity.

Connecting the Dots With SmartAds

Service providers can make the most out of the consent-based user profile data gained through the Wi-Fi service. They can do that through Enea’s SmartAds concept:

Enea Aptilo SMP SmartAd concept

  1. The user logs in through the captive portal.
  2. We capture personal profile data through next-generation surveys and device information. Using only a few questions will keep the user motivated to connect. Therefore, we recommend asking additional questions on the next visits using the survey carousel.
     2b. Optionally, you may use our consent and personal data management functionality to get users’ consent for using their personal data. This is beneficial for them as well, as they will only see relevant adverts. We say optionally, as it may not be legally required in some countries, but it is always a good idea to have it enabled.
  3. We save the personal profile data.
  4. The captive portal administrator adds the SmartAd asset to the right banner advertising space. Users will see adverts tailored to their user profile (segment). If there are no matching adverts, the user will see a default advert.
  5. The service provider can produce reports per advertiser to charge a premium price for the hyper-targeted ads.

It is an ever-ongoing process for marketing to define campaigns, segments, and SmartAds.

SmartAds Behind the Scenes

Different administrators with different roles are handling various aspects of the SmartAds concept. Note that the same administrator could have multiple roles.

Enea Aptilo SMP SmartAds Behind-the-scene.

Campaign Admin

The campaign admin creates the campaign for the advertiser and allocates duration and allowed time slots and segments for the campaign. The campaign admin also defines which Ad approval administrator should approve the advert.

Segment Admin

The segment administrator creates and maintains segments based on the user profile data.
These segments can be as complex as allowed by the depth of details available.

Ad Admin

The ad admin creates advertising assets such as banners, videos, or text messages for the campaign. They can choose time slots and segments for each advert based on what is allowed in the selected campaign. It is also possible to set ‘any’ for the time slot and segment for an ad asset, within the limitations set by the campaign, in which case any allowed time slot and segment will match the ad asset.

The ad admin can be one of the service provider’s staff. Still, we generally anticipate that the most effective process will be to let the advertiser handle this as a self-management service. Once the asset is ready, it is sent to the ad approval admin for approval. Once it is approved, it will be added to the selected campaign.

Ad Approval Admin

The ad approval admin approves the ad assets created by the ad admins. They can also reject already approved ad assets if needed.

SmartAd Admin

The SmartAd admin creates the SmartAd assets. A SmartAd will contain several campaigns that, in turn, include several ad assets tied to different segments. If multiple ad assets match the same segment, they will be picked randomly at the captive portal for an even distribution among advertisers. The SmartAd admin must also define a default advert to show if there is no match for the individual user. This default advert could, for instance, be the service provider’s advert or the venue owner’s advert.

Captive Portal (CP) Admin

The complexity and logic around which ad will be shown for which user at a particular time is entirely hidden in the SmartAd. The captive portal admin selects the right SmartAd asset from a drop-down menu and puts it in the suitable banner advertising space at the right captive portal (location).
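The rules described in the role sections above (campaign limits, the ‘any’ setting, approval, random choice among matches and the default advert) can be modelled as follows. This is an added example and not the Enea Aptilo SMP implementation; the class names, segment labels and asset names are assumptions.

```python
import random
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Campaign:
    name: str
    segments: frozenset      # segments the campaign admin allows
    time_slots: frozenset    # time slots the campaign admin allows


@dataclass(frozen=True)
class AdAsset:
    name: str
    campaign: Campaign
    segments: object = ANY   # frozenset of segments, or ANY
    time_slots: object = ANY
    approved: bool = False   # set by the ad approval admin


def effective(asset_value, campaign_value):
    """'any' expands to what the campaign allows; otherwise intersect,
    so an asset can never reach beyond its campaign's limits."""
    if asset_value == ANY:
        return campaign_value
    return frozenset(asset_value) & campaign_value


def eligible(asset, user_segments, time_slot):
    """Unapproved (or later rejected) assets are never served."""
    if not asset.approved:
        return False
    if time_slot not in effective(asset.time_slots, asset.campaign.time_slots):
        return False
    return bool(effective(asset.segments, asset.campaign.segments) & set(user_segments))


def select_advert(assets, default_advert, user_segments, time_slot, rng=random):
    """Pick randomly among matching assets, else fall back to the default."""
    matches = [a for a in assets if eligible(a, user_segments, time_slot)]
    return rng.choice(matches).name if matches else default_advert


# Constructed sample data.
AIRLINE = Campaign("airline", frozenset({"frequent-flyer", "iphone"}),
                   frozenset({"morning", "evening"}))
GOLF = Campaign("golf", frozenset({"golf"}), frozenset({"evening"}))
ASSETS = [
    AdAsset("airline-lounge", AIRLINE, ANY, frozenset({"morning"}), approved=True),
    AdAsset("airline-draft", AIRLINE, ANY, ANY, approved=False),
    AdAsset("golf-clubs", GOLF, frozenset({"golf"}),
            frozenset({"morning", "evening"}), approved=True),
    AdAsset("airline-upgrade", AIRLINE, frozenset({"frequent-flyer"}), ANY, approved=True),
]
DEFAULT_ADVERT = "venue-default-banner"

if __name__ == "__main__":
    print(select_advert(ASSETS, DEFAULT_ADVERT, {"golf"}, "evening"))
```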

There is currently a hype around cellular IoT, especially with the new opportunities that 5G will bring. And it is not without cause; 5G will bring new real-time critical communication opportunities in industries such as automotive and remote surgery.

But a lesser-known fact is that around 70% of all IoT devices are connected through short-range technologies such as Bluetooth, Wi-Fi, Zigbee, and Z-wave. And at least one-third of all IoT devices connect through Wi-Fi.



Connecting Billions of Wi-Fi IoT Devices

IoT Analytics growth in IoT devices until 2025

The opportunity for operators to deliver connectivity services for IoT devices has long been touted as one of the most important growth segments in telecom. And the number of wireless IoT devices in need of connectivity is indeed growing at an impressive rate. As shown in the figure, IoT Analytics forecasts growth of the installed base from 10.0 billion in 2019 to 30.9 billion in 2025.  Ericsson’s slightly more conservative estimate predicts growth from 12.6 billion units in 2020 to a whopping 26.9 billion in 2026.

But here is a perhaps lesser-known fact: By far the largest proportion of IoT devices – approximately 7.5 billion out of a total of 11.7 billion units as of 2020, to be exact, see the figure above – are short-range, non-cellular devices.  And as mentioned, according to IoT Analytics, Wi-Fi-based IoT devices represent a third of all IoT devices in 2020 and are one of the fastest-growing tech product segments.

The number of Wi-Fi-based IoT devices is expected to increase to more than 7 billion by 2025. This number, of course, includes devices for the smart home, devices operated by businesses, and even machinery and automation-type devices for industrial applications.

Connecting billions of IoT devices with secure and reliable carrier-grade Wi-Fi services is clearly a big business opportunity. But it is also a significant challenge for any service provider because the IoT device market is notoriously fragmented and dominated by proprietary solutions.

Onboarding Must Be As Seamless and Secure As Cellular IoT

The secure and automatic onboarding of masses of IoT Wi-Fi devices – many of which are ‘headless’ without a user interface – has proven less than easy.

Thankfully, there are new initiatives that allow service providers to achieve effective automatic onboarding. Enea’s Zero-Touch Wi-Fi IoT Connectivity concepts use certificates (X.509) that already exist in devices to auto-connect Wi-Fi IoT devices to Wi-Fi right out of the box. We have partnered with Amazon Web Services (AWS) IoT Core to deliver an end-to-end, massively scalable Wi-Fi IoT onboarding proof of concept.

There is only one important puzzle piece missing for a mass market. The device must, straight from the factory, try to connect to a “ZeroTouch” Hotspot 2.0 service or legacy ZeroTouch SSID.

The Zero-touch concept also lends itself well to the WBA OpenRoaming, described in a recent insights post. In this case, the OpenRoaming mechanisms could also be used for the Zero-touch concept. Different players could act as an ‘identity provider’ for IoT devices, allowing any enterprise, IoT solution provider, or operator to sign up for the service. The end result would be the onboarding and auto-connection of IoT devices not only within their own network but also within the extended coverage footprint enabled by the OpenRoaming federation.

Because we encourage the industry to participate in this initiative, we have chosen not to patent the Zero-Touch innovation. We believe that the time is now for operators to invest in massively scalable and standardized onboarding for Wi-Fi IoT.

What is clear is that the seamless and secure onboarding of IoT Wi-Fi devices must be solved, one way or another.



Unified IoT Connectivity Control

With the Enea Aptilo IoT Connectivity Control Service™ (IoT CCS), mobile operators get a hyperscale programmable layer for cellular IoT connectivity control, security, and automation. The IoT CCS service features next-generation firewalls from Fortinet so operators can offer managed security with individual settings for each IoT customer. Nothing technically stops us from adding support for other radio technologies, such as Wi-Fi, to the IoT CCS service. This would enable service providers to offer a unified IoT connectivity service with the same policy control and security level over both cellular and Wi-Fi. In this Wi-Fi Now article, our Jonas Björklund further elaborates on the vision of a unified connectivity control delivered from the Cloud.

The Telecom Infra Project

The Telecom Infra Project (TIP) is an industry initiative aiming to break open the markets for Wi-Fi hardware, software, and services to reduce costs and increase Wi-Fi network availability.



Can hardware and software for Wi-Fi infrastructure be disaggregated – meaning, can the two be made independent or even open-sourced? If you ask the Wi-Fi subgroup of the Telecom Infra Project (TIP), the answer is yes.

The TIP OpenWi-Fi project is working to remove the lock-in effects of proprietary Wi-Fi hardware, software, and general architectures, with a view to reducing network costs and increasing ubiquity.

Thus far, the collaborative project – which is widely supported by, e.g., Facebook – is mostly working to develop disaggregated residential Wi-Fi service architectures.

OpenWiFi is a community-developed, open-source software for Wi-Fi. It includes both a cloud controller SDK and an Enterprise-grade Access Point (AP) firmware.  Both are designed and validated to work seamlessly together.

TIP is also working on improved collaborative schemes to facilitate mobile and Wi-Fi convergence, including Wi-Fi offload.

The work by TIP may lend itself well to reducing the cost and complexity of deploying carrier Wi-Fi networks.

OpenRoaming is a Wi-Fi roaming initiative initially conceived and launched by Cisco but since taken over and today operated by the Wireless Broadband Alliance (WBA).

OpenRoaming is a Passpoint-based roaming scheme bringing together identity providers and network providers into a so-called open roaming federation with currently over 1 million Wi-Fi hotspots and counting.


OpenRoaming Architecture

OpenRoaming Identity Providers
Identity providers can be any organization providing accounts for users. The most common and numerous types of identity providers within the context of OpenRoaming are fixed and mobile service providers. Still, anyone providing a user account can also be an identity provider. Both Samsung and Google are identity providers, and OpenRoaming is enabled by default in all Samsung devices from Galaxy S9 and in Google Pixel phones with Android 11 and above. Apple is largely expected to follow suit.

Game Changer for Passpoint

OpenRoaming is a game changer for the live deployment of Passpoint. The industrywide Passpoint project has been in the works since 2014, but the issue has always been the provisioning of Passpoint profiles.

Now finally, Passpoint is pre-enabled in devices from the factory for OpenRoaming. With this, Passpoint can achieve mass-market success not only in theory but also in practice, at least for the settlement-free use case within OpenRoaming.

Other identity providers could potentially be Internet giants like Facebook, Amazon, or Netflix and public networks such as WiFi4EU and Eduroam. Such companies and organizations would then be able to offer their subscribers auto-connect and secure access to Wi-Fi at participating Wi-Fi networks.

OpenRoaming Network Providers

The term network provider describes the participating venues or service providers who own and operate Wi-Fi networks. A network provider can be anything from major Wi-Fi service providers to hotel chains, malls, airports, or congress centers. The Wi-Fi roaming can be free or paid – the details are up to the roaming partners to agree upon.

OpenRoaming aims to build renewed popular support – among carriers and venues – for ubiquitous Wi-Fi roaming and Passpoint. We also see a use case for it together with Aptilo’s Zero-touch Wi-Fi IoT Connectivity invention.

STOCKHOLM – October 5, 2020 – Telkom Indonesia, owner of one of the world’s largest Wi-Fi networks, Indonesia Wi-Fi, celebrates six years in partnership with Aptilo Networks. Telkom has now completed an upgrade to the latest version of the Aptilo Service Management Platform™ (SMP) with increased capacity and enhanced geographical redundancy.

Telkom’s Indonesia Wi-Fi network is one of the busiest in the world, serving more than 70 million users with 400,000+ Wi-Fi access points. To be ready for the future, this upgrade further improves capacity and strengthens geographical redundancy to ensure a consistent service.

Indonesia Wi-Fi is available with high-capacity fiber backhaul nationwide in the world’s largest archipelago country with 237 million people spread across 17,000 islands. Users are consuming 15-25 Petabyte (PB) of data per month. To put things in perspective, 25 PB is equivalent to eight million hours of full HD video.

“Managing Wi-Fi services with 400,000+ access points (including homespot) and 70 million users across 17,000 islands puts extreme demands on the Wi-Fi service management core platform,” said Irwan Indriastanto, Senior Manager Wireless Product, Telkom Indonesia. “Our customers deserve the best high-performance Wi-Fi service available. We are very pleased to expand our relationship with Aptilo to enhance the capabilities of our Wi-Fi service.”

Telkom Indonesia also offers a first class business-to-business (B2B) Wi-Fi service which addresses all customer segments including enterprise, SME, wholesale and retail. Through their WICO (Wi-Fi Corner) product, Telkom Indonesia helps governments build smart cities and provide social services.

“We are proud to have enabled one of the world’s largest public Wi-Fi services for the last six years,” said Paul Mikkelsen, CEO, Aptilo Networks. “We are also impressed at how Telkom Indonesia makes the most out of the innovations from Aptilo and Wi-Fi equipment vendors.”

About Aptilo Networks

Aptilo Networks, an Enea company, is a leading provider of carrier-class systems to manage data services with advanced functions for authentication, policy control and charging. Aptilo Service Management Platform™ (SMP) has become synonymous with Wi-Fi service management and Wi-Fi offload in large-scale deployments with 100+ operators in more than 75 countries, and is a critical component of Wi-Fi calling and IoT.

In our previous post about Secure and Seamless Carrier Wi-Fi Services with Passpoint, we explained the differences between the Wi-Fi Alliance Passpoint® versions (R1-R3) and the challenge at this point in time with sufficient device support for the latest releases, Passpoint R2 and R3. In this post, we will discuss how it is possible to overcome these challenges by taking a pragmatic approach to Passpoint, using the least common denominator Passpoint R1 and the Captive Portal API.

At Enea, we strongly believe that standards drive down costs and improve the user experience. But, it is not enough if we in the telecom industry are ready for Passpoint R2 and R3, if the devices aren’t. It takes two to tango.

The Captive Portal API

The Internet Engineering Task Force (IETF) Captive Portal API (RFC 8908 and RFC 8910), introduced in September 2020, is a game-changer.

The Captive Portal API does not only improve the user experience in connection with traditional Captive Portal implementations. We believe that the Captive Portal API – in combination with Passpoint R1 – has the potential to deliver much of the user experience that Passpoint R2 and R3 were designed to accomplish.

The adoption of Captive Portal API among handset manufacturers has also been fast. Google was first to support the Captive Portal API for Android 11, and Apple soon followed with support in iOS14 and macOS Big Sur. With a critical mass of supporting devices, adoption across all the major operating systems appears imminent.

The Captive Portal API gives service management platforms, such as the Aptilo Service Management Platform™ (SMP), greater control of the Captive Portal flows for traditional hotspots. As a result, users will experience a more reliable service than ever before.

The overall user experience will also benefit hugely from the Captive Portal API. We have traditionally designed Access Gateways to intercept the user web request and redirect it to a Captive Portal. With the Captive Portal API, the gateway does not need to intercept such requests. Instead, when users join the Wi-Fi network and receive an IP address via DHCP (or Router Advertisement in IPv6), the DHCP server also provides the URL to the Captive Portal API. This will trigger the device to query the API to determine whether it is in captive mode, that is, the state in which the device does not have access to the internet. If the device is in captive mode, it will open the captive portal for the user to perform login or sign-up. Devices that support the Captive Network Assistant (CNA) browser will open the captive portal in the CNA browser. If the API says the device is not in captive mode, the device will proceed directly to the Internet.

It takes time for new standards to be natively implemented in every device, so there might be some details in the Captive Portal API that still need to be implemented for some devices. However, the standardized interaction between the device and the captive portal, as defined in the Captive Portal API, is always there to help devices determine their state and auxiliary information, such as the remaining session time or data. This allows the device to take action before it reaches the time or data limits, allowing the user to extend the session in a controlled way. This provides a smoother interaction between the device and the Wi-Fi service management system. Previously, with the guesswork of device-only captive portal detection and system-only control, the device was unaware of what was happening after authentication. This could cause sessions that appear to freeze after the session time or data has run out.
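The device-side handling of the API response described above can be sketched as follows, using the JSON keys and media type defined in RFC 8908 and the "unrestricted" URN from RFC 8910. This is an added example, not code from Enea or from any operating system; the `decide` function, the action names, the thresholds and the policy of dropping a non-HTTPS venue URL are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CAPPORT_MEDIA_TYPE = "application/captive+json"             # RFC 8908
UNRESTRICTED_URN = "urn:ietf:params:capport:unrestricted"   # RFC 8910


@dataclass
class Decision:
    action: str    # "open-portal", "internet", "extend-session" or "fallback"
    reason: str = ""
    portal_url: Optional[str] = None
    venue_info_url: Optional[str] = None


def _is_https(url):
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def _running_low(value, limit):
    # JSON true/false are bools in Python and must not count as numbers.
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and value <= limit)


def decide(api_uri, content_type, body, warn_seconds=300, warn_bytes=10_000_000):
    """Map one Captive Portal API response to a client action.

    "fallback" means: do not trust this response, use legacy detection.
    """
    if api_uri == UNRESTRICTED_URN:
        return Decision("internet", "network signals that there is no portal")
    if not _is_https(api_uri):
        return Decision("fallback", "API URI learned from DHCP/RA is not https")
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != CAPPORT_MEDIA_TYPE:
        return Decision("fallback", "unexpected media type")
    try:
        state = json.loads(body)
    except (ValueError, TypeError):
        return Decision("fallback", "body is not valid JSON")
    if not isinstance(state, dict) or not isinstance(state.get("captive"), bool):
        return Decision("fallback", "required boolean 'captive' is missing")

    portal = state.get("user-portal-url")
    venue = state.get("venue-info-url")
    venue = venue if _is_https(venue) else None   # assumed policy: https only

    if state["captive"]:
        if not _is_https(portal):
            return Decision("fallback", "captive without an https user-portal-url")
        return Decision("open-portal", "device is captive", portal, venue)

    low = (_running_low(state.get("seconds-remaining"), warn_seconds)
           or _running_low(state.get("bytes-remaining"), warn_bytes))
    if low and state.get("can-extend-session") is True and _is_https(portal):
        return Decision("extend-session", "session is about to run out", portal, venue)
    return Decision("internet", "device is not captive", None, venue)


# Constructed sample response, as a portal API might return it before login.
SAMPLE_CAPTIVE = ('{"captive": true, "user-portal-url": "https://portal.example/login",'
                  ' "venue-info-url": "https://venue.example/info"}')

if __name__ == "__main__":
    print(decide("https://api.portal.example/capport", CAPPORT_MEDIA_TYPE, SAMPLE_CAPTIVE))
```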

Venue Info URL

Another benefit of the Captive Portal API is that it can also provide a Venue Info URL. This excellent feature allows service providers to empower their B2B customers to engage with users locally with information and offers. In current implementations, the user receives the link to the Venue Info URL via an on-screen system message appearing as a text alert available during the session. The message remains on their lock screen and in their message history. This makes it easy to go back to the Venue Info URL, as the message history is typically just a swipe away.

The Venue Info URL will appear when the user connects manually by selecting an open SSID or automatically through a secure Passpoint-enabled network. It will also offer otherwise anonymous Network Providers a way to show local information and customized advertising to users that connect through, for instance, OpenRoaming or Orion WiFi, described later in this paper.

To offer the user a portal experience like this on a secure SSID is something new to ensure venue owners can engage with users. This is crucial for making secure Wi-Fi the norm rather than the prevalent open SSID.


A Pragmatic Approach Building from Passpoint R1

We believe that the Captive Portal API, in combination with Passpoint R1, can deliver much of the user experience that Passpoint R2 and R3 were designed to accomplish.

It would make no sense to build special signup flows for the few devices that support an end-to-end Wi-Fi service based on Passpoint R2/R3. Why not use the R1 support as the least common denominator?

Devices that have not yet been provisioned for Passpoint R1 by other means, such as through a SIM profile (EAP-SIM/AKA) or App (EAP-TLS/TTLS), have to be provisioned ad-hoc through a sign-up portal over an open SSID or in advance via another connection.

The user will then download and install the Passpoint profile on their device. For Android phones, it is as easy as clicking a link and confirming the installation, whereas users of other devices, such as iPhones, may need support from device-specific instructions at the portal before download. Once the Passpoint profile is installed, we will restart the Wi-Fi connection. When the device re-connects, it will be logged in to the secure SSID (802.1x) stated in the Passpoint profile. The Captive Portal API can then be used for approval of terms and conditions for new users or existing users if there is a need for an update. The Venue Info URL can also optionally be used to display venue-specific information and promotions.

Add Passpoint R2-R3 Later

[Figure: adding Passpoint R2 and R3 later, when there is a critical mass of devices]

Support for Passpoint R2/R3 can be added later when a critical mass of device support has been achieved.

Note that we have moved the approval of terms and conditions from the sign-up page to the first connection on the Passpoint-enabled network. This means that the process can also be used for already provisioned devices and devices with Passpoint R2 support, as well as the large volume of devices that only support R1. Users of Passpoint R1 who sign up at the site will see this as almost one flow since the connection can be terminated right after a user has installed the profile. A user will then immediately return as pre-provisioned.

Online signup through the R2 online signup server (OSU) has many benefits to users once there is sufficient device support.

It remains to be seen if the benefits of Passpoint R3 terms and conditions and user engagement features will be significant or if it would be more beneficial to use the same processes as with Passpoint R1/R2 capable devices (dotted line in the figure).

This is an excerpt from ENEA’s white paper Wi-Fi in the 5G Era – Strategy Guide for Operators. The full white paper is available here if you like what you read. Don’t hesitate to contact ENEA if you have any questions.

In this post, we will talk about the different Passpoint releases (R1-R3) and the status of device support. Don’t miss our upcoming blog post, A Pragmatic Approach to Passpoint on how to overcome challenges with the lack of widespread device support for R2 and R3.

One of the essential tools in the Wi-Fi toolbox is Passpoint® with SIM authentication. It enables seamless and secure carrier-grade quality and highly monetizable Wi-Fi services. The Wi-Fi 6 and Wi-Fi 6E radio technology, capable of delivering high-quality wireless connectivity, is an excellent starting point. But for service providers, such capabilities must be transformed into user-friendly, secure, well-defined, and preferably carrier-class high-speed wireless data services.

To that end, the Wi-Fi industry has developed the Hotspot 2.0 standard, nowadays more commonly referred to by its equipment certification name of Passpoint. Once provisioned on the phone or other Wi-Fi device, Passpoint technology allows users to connect securely, instantly, and automatically to the public (or enterprise) Passpoint-capable Wi-Fi networks, for example, at public venues such as airports, stadiums, transport hubs, on aircraft, and so on.

The Passpoint technology also facilitates roaming onto Wi-Fi networks belonging to other service providers or third parties, given that a roaming agreement with the subscriber’s home service provider exists. The WBA OpenRoaming initiative has the potential to make Wi-Fi roaming just as seamless for the user as roaming with cellular phones.


A Passpoint-capable network is defined by supporting the following functions:

  • The network (Wi-Fi access point) should broadcast its capabilities and available services using 802.11u and a protocol called ANQP.
  • The network must use 802.1x-based authentication and WPA2 or WPA3 for over-the-air encryption.
  • Support for EAP-SIM/AKA (SIM identity-based) or EAP-TLS/TTLS (certificate-based methods usually for non-SIM devices) authentication.
  • Optional Wi-Fi roaming with home operator billing.
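The first three functions in the list above can be checked mechanically against an access point configuration. The following is an added example, not part of the original post: it assumes a hostapd-style `key=value` configuration file (hostapd is not mentioned in the article), and the SSIDs, realm and function names are constructed for illustration.

```python
SIM_AKA = {"18", "23", "50"}   # EAP-SIM, EAP-AKA, EAP-AKA' (IANA EAP method numbers)
CERT_BASED = {"13", "21"}      # EAP-TLS, EAP-TTLS

def parse_conf(text):
    """Parse key=value lines; repeated keys (e.g. nai_realm) collect into lists."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def realm_eap_methods(conf):
    """EAP method numbers from nai_realm entries: encoding,realm,method[auth],..."""
    methods = set()
    for entry in conf.get("nai_realm", []):
        for field in entry.split(",")[2:]:
            methods.add(field.split("[", 1)[0])
    return methods

def audit_passpoint(text):
    """Return one finding per Passpoint function the configuration lacks."""
    conf = parse_conf(text)
    first = lambda key: conf.get(key, [""])[0]
    findings = []
    if first("interworking") != "1" or first("hs20") != "1":
        findings.append("802.11u/ANQP (Hotspot 2.0) advertisement not enabled")
    if first("ieee8021x") != "1":
        findings.append("802.1X authentication not enabled")
    key_mgmt = set(first("wpa_key_mgmt").split())
    if first("wpa") != "2" or not key_mgmt & {"WPA-EAP", "WPA-EAP-SHA256"}:
        findings.append("no WPA2/WPA3-Enterprise key management")
    sim_info = bool(conf.get("anqp_3gpp_cell_net"))  # 3GPP info signals SIM credentials
    if not sim_info and not realm_eap_methods(conf) & (SIM_AKA | CERT_BASED):
        findings.append("no EAP-SIM/AKA or EAP-TLS/TTLS credentials advertised")
    return findings

# Constructed configurations; SSIDs and realm are placeholders.
OPEN_SSID = "ssid=Venue-Guest\nwpa=0\n"
PASSPOINT = """ssid=Venue-Secure
interworking=1
hs20=1
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
nai_realm=0,example.org,13[5:6],21[2:4][5:7]
"""
```

Run over the two constructed configurations, the open SSID fails all four checks and the Passpoint one returns no findings; roaming is optional in the list above and is therefore not checked.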

A critical component is the capability of Passpoint services to deliver ‘Wi-Fi offload’-type services based on credentials stored in the subscriber’s SIM. This means mobile operators can integrate carrier Wi-Fi services into their total service offering. Read more about this in our Wi-Fi and Cellular Convergence – Opportunities Today post.

Passpoint is designed to create a carrier-grade Wi-Fi service with a familiar and seamless user experience like that of cellular networks. However, mobile operators can comfortably apply EAP-SIM/AKA authentication and mobile core integration outside the complete Hotspot 2.0/Passpoint specification. Aptilo Networks was already providing such solutions long before the release of the first Passpoint-capable devices. This also means that EAP-based authentication (SIM/AKA and TLS/TTLS) is not equivalent to Passpoint as such, which is a common misunderstanding.

In the USA, Passpoint-capable Wi-Fi services and roaming are fairly readily available, for example, on the Boingo Wi-Fi network deployed at many airport locations and on some public Wi-Fi networks provided by US cablecos, for instance, on the former Time Warner Cable public Wi-Fi network today owned and operated by Charter Communications. Today, both Android and iOS operating systems natively support Passpoint, and many phones provided by US carriers are pre-provisioned to support Passpoint services.

In Europe and elsewhere, Passpoint-capable Wi-Fi services are less common but available from some major carriers in the form of EAP-SIM/AKA enabled ‘Wi-Fi offload’ convergent mobile services. Most enterprise-grade Wi-Fi access points are certified according to the Passpoint specifications.

Release 1 (R1)
The first release was introduced in 2012, and all the protocols and standards mentioned above, including 802.11u and ANQP, were included with the ability for the device to discover Passpoint-enabled networks and automatically connect to the optimal one.

Challenges still remain in the onboarding of new devices. Users need to provision Passpoint R1 credentials manually by downloading a particular file that contains profile and credential information. Many service providers use an app to make this process seamless for the user. More or less all mobile phones and laptops support Passpoint R1. This includes Apple iPhones, although Apple has never formally certified them.

Release 2 (R2)
This version, released in 2014, included the important Online Sign-Up (OSU) server allowing new users to create an account and, in a user-friendly way, provision Passpoint credentials at the point of access. This enables easy ad-hoc sign-up of new users, where they can select the service provider of choice if several options exist. The client validates the OSU server certificate to ensure that the server is trusted. SOAP-XML or OMA-DM messages over HTTPS are then used for secure communications between the client and the provisioning servers.

Passpoint R2 requires a separate SSID for Online Sign-Up, either an open SSID or a so-called OSEN (OSU Server-only Authenticated L2 Encryption Network). This version also includes enhanced policy control for service providers. Device support is still limited.

Release 3 (R3)
R3 was released in 2019, but has not yet been certified by any major handset manufacturer (as of September 2022). This version includes several new ANQP protocol elements and improvements in the interaction between operators and end-users. While previous versions have focused entirely on automatic connection and onboarding of the users, Passpoint R3 aims to enhance captive portal functions by leveraging ANQP messaging.

For the first time, Passpoint allows operators to offer B2B customers a tool to engage with visitors. They can do this through a Venue URL, which displays information about the Wi-Fi service and, at the same time, provides offers and local promotions. The R3 version also includes features for end-users to approve terms and conditions and charges for the Wi-Fi service.

We think Passpoint R3 may have attempted to push the user engagement features too far. Deploying these features through ANQP locally in the access points will make it harder to maintain central control, especially in a multi-vendor deployment scenario. Because of the challenges in management and lack of device support, there is a risk that R3 will never be implemented in carrier Wi-Fi networks.

Passpoint R3 also makes roaming much quicker and easier as the client can indicate its membership of a roaming consortium to a Wi-Fi access point.

Security is further improved in R3 with support up to WPA3-Enterprise, whereas R2 and R1 only support up to WPA2-Enterprise. It is also possible to use the same SSID for both the actual Wi-Fi service (WPA2/WPA3) and the online sign-up (OSEN) functionality.


The Passpoint certification is a moving target, and things may have changed by the time you read this. But, as of September 2022, only niche handset brands have been certified for the latest Passpoint release (R3). Some Android-based phones are R2 certified, but many are old and not in the market anymore. In addition, smartphone vendors usually customize the Android platform to match their product requirements. So, just because it works with one vendor doesn’t mean it works with another.

The Passpoint certification from Wi-Fi Alliance only certifies the radio protocols. In practice, new releases from R2 and above, which include more complex service-related features, cannot be guaranteed to work end-to-end in a Wi-Fi service. We have experienced this through the testing conducted by the Wireless Broadband Alliance (WBA).

Conversely, it is probably true that devices with R2 support that have not been Passpoint certified also exist, just as R1 is supported in iPhones without official certification.

But as a service provider, you cannot rely on so many unknown parameters.

On a more positive note, it is generally true that most smartphones, tablets, and laptops now support at least Passpoint R1. Therefore, operators should create and deploy Wi-Fi services based on R1, possibly with an extension for selective use of R2.

One thing is certain: Operators who wait for new standards to be fully deployed and for mobile device manufacturers to adopt them risk waiting for a very long time. It is not only the complexity of the technology that decides whether a handset manufacturer develops support for standards like Passpoint R2/R3 or not. Thus, the wait could go on forever. Fortunately, there is no reason to delay the introduction of carrier-grade Wi-Fi services.

In our upcoming blog post, A Pragmatic Approach to Passpoint, we will discuss how Passpoint R1, together with the new Captive Portal API, may well be the interim solution that, in the end, becomes the permanent pragmatic solution for Passpoint-enabled networks.

STOCKHOLM – July 1, 2020 – Swedavia, the state-owned Swedish Airport developer and operator, has further enhanced their Wi-Fi service and moved to the cloud with Aptilo Networks.

The ten largest airports in Sweden, with 42 million passengers yearly, are owned and operated by Swedavia. Since 2005, Swedavia has put their trust in Aptilo’s experts managing the Wi-Fi service from servers in Swedavia’s data center.

Now Swedavia has renewed the contract for another three years and is moving from in-house operations to the Aptilo private cloud offering on Amazon Web Services (AWS).

Swedavia can now use the latest Aptilo features for Wi-Fi marketing, analytics, and Internet of Things (IoT). This includes the new Wi-Fi access method using an icon-based survey. It provides enhanced insights about the user with the smallest user effort. The login page (Wi-Fi Captive Portal) is split into several screens. The user provides data by clicking on icons, rushing on to the next page. One of Aptilo’s other airport customers gained 15% more Wi-Fi users overnight by using this approach instead of a traditional login.

“We are proud to have earned Swedavia’s trust for another three years,” said Paul Mikkelsen, CEO, Aptilo Networks. “We will continue to help them deliver state-of-the-art connectivity services at their airports. It is also wonderful that Swedavia has joined our cloud-first strategy. Our new IoT offerings, Aptilo Wi-Fi Zero-touch and Aptilo IoT CCS, are both by default delivered as services on AWS.”

About Aptilo Networks

Aptilo Networks is a leading provider of carrier-class systems to manage data services with advanced functions for authentication, policy control and charging. Aptilo Service Management Platform™ (SMP) has become synonymous with Wi-Fi service management and Wi-Fi offload in large-scale deployments with 100+ operators in more than 75 countries, and is a critical component of Wi-Fi calling and IoT.

# # #