
Introduction

Recently, as part of my new carrier Wi-Fi project work, when I started reading about
802.11 WLAN technology, I encountered many features, but the one which
surprised me and forced me to write an article on it is HOTSPOT 2.0.
Of course, one reason to write is not getting a complete article from Google :-).

Even though 80% of the world's data traffic goes via Wi-Fi and it is widely used, research
and new feature addition are quite slow compared to 3GPP-based technologies.

Let's start a discussion on this popular topic called HOTSPOT 2.0 in Wi-Fi. It is one of
the features which has made it possible for Wi-Fi to converge with the most popular
2G/3G/4G technologies, which are typically used by wireless operators in the world.

HISTORY BEHIND HOTSPOT:

Normally when we think about HOTSPOT, it is always about our smartphone HS and
sharing our mobile data connection with our friends and family. But here we are
discussing the Mobile Carrier HOTSPOT, which is quite different. It was first started by
T-Mobile, primarily as a public access WLAN technology, and T-Mobile coined the term
HOTSPOT as part of their commercial branding to make it more popular in the North
American market.

Limitation of HOTSPOT:

Once a device connects to an SSID, it stays with the same SSID until we disconnect it
manually or it goes out of range. There is no automatic network selection or roaming
facility between visited-network HOTSPOTs or between two neighbouring HS-enabled
APs or other devices. With a mobile network connection, wherever you go your device
latches on to the home or roaming network automatically without you doing anything
manually, provided automatic network selection is enabled. One more limitation
is authentication.

These two primary reasons forced Wi-Fi researchers to think of a way similar to
mobile network selection and roaming agreements: when a device is switched on, it
connects to any network in the world without manual intervention. HOTSPOT 2.0 is
moving in that direction, to give the same taste and feel as mobile network
connection features like network selection, roaming, service differentiation based
on operator policy, pre-paid billing mediation and security (e.g. EPS-AKA), with
hopefully many more features yet to come in future releases.

HOTSPOT 2.0:

It is a blessing in disguise for Wi-Fi to survive in the 21st century and finally converge
with mobile network technology. To make this possible, carrier Wi-Fi solutions with
HOTSPOT 2.0 are provided by many well-known vendors like Cisco, Aruba, Ruckus,
Aerohive and Cambium Networks, and recently Nokia also jumped into this race
to provide low-cost solutions to mobile operators and enterprise customers. Due
to the vast number of features in HOTSPOT 2.0, the Wi-Fi Alliance, a specification and
certification body, divided HS 2.0 into 2 releases.

Here I would like to clear one more doubt, about Passpoint: it is nothing but a
certification given by the Wi-Fi Alliance to all HOTSPOT 2.0 enabled devices, based on
certain conditions laid down by it, similar to AP certification by the Wi-Fi Alliance and
mobile certifications like GCF/PTCRB, to avoid interoperability issues between
different network and OEM vendors. HOTSPOT 2.0 is a feature specification guide,
and 802.11u is the IEEE specification for the radio physical and MAC layers.

courtesy Nokia.com

HS 2.0 is divided into 2 releases,

HS Release-1 covers Network Selection/Discovery and Security/Authentication.


HS Release-2 covers Operator policy and Online Signup

Network Selection/Discovery:

This is one of the vital features for interworking with mobile technologies and for providing
enhanced network selection and roaming service to HS 2.0 enabled clients/UEs.
In LTE networks, UEs get network resources via the RACH procedure and
network information via system information blocks or during RRC
procedures. Wi-Fi is more straightforward: clients/STAs get network
information (or HS capabilities) by passive scanning, i.e. listening for Beacons, or they can
send a probe request, and the AP responds to the STA with a probe response carrying the
HS capabilities.

HS 2.0 capabilities:

Before discussing network selection/discovery, we will look at the new IEs
that enable HS 2.0 capabilities in APs and STAs. These are
included in Beacon and Probe Response frames as per the Wi-Fi Alliance technical
specifications for HS 2.0.

AP side supported IEs:

Hotspot 2.0 Indication element:

When an AP supports Hotspot 2.0 capability and the hotspot security is WPA2-
Enterprise, the hotspot's AP shall include a Hotspot 2.0 Indication element in
beacon and probe response frames. The hotspot's AP shall not include the Hotspot
2.0 Indication element if the security is not WPA2-Enterprise.

The HS configuration element will have DGAF.

DGAF (Downstream Group-Addressed Forwarding)

This bit is always disabled if no multicast/broadcast service is in use. This will cause
the Hole 196 security attack, due to a common GTK being used by all the STAs for
encryption. I will discuss this in detail in a separate article.

Hotspot 2.0 ANQP Elements

ANQP- Access Network Query Protocol

It is a query protocol to find information about the network and its capabilities which
are not broadcast or advertised by Beacons. It is an advertisement protocol based
on 802.11u and used by the client to get the capabilities supported by the network.

Prior to 802.11u, there was no option to query the network for its
capabilities. All network discovery and selection was based on the basic info in beacon
and probe response frames. When the interworking with external networks clause was
introduced in 802.11u, ANQP started using GAS frames to query the network for the additional
supported capabilities which are not advertised by beacon or probe
response.

GAS frame or Generic Access Service

802.11 has a specific frame to access the network and invoke a specific action when a
device is unauthenticated or unassociated. This frame is known as the Public Access Frame,
and GAS frames are a subtype of the public access frame. They enable STAs to query the
network; the query goes beyond the APs into the wired network and fetches the advanced
network discovery capabilities from the Wi-Fi/3GPP core network, which helps in
providing roaming-specific and many other services to STAs/UEs.

The Hotspot (HS) 2.0 ANQP elements provide additional functionality to 802.11u
ANQP elements supporting HS 2.0 features. These elements are formatted as
defined by the ANQP vendor-specific list element, with the following fields:

The Info ID field is a 2-octet field whose value is the value for the ANQP vendor-
specific list, i.e. 56797.
The Length field is a 2-octet field whose value is set to 6 plus the length of the
Payload field.
The OI is a 3-octet field. The OI field is set to the value used by the WFA. Each OI
identifies a roaming consortium (group of SSPs with inter-SSP roaming agreement)
or a single SSP.
The Type field is a 1-octet field allocated from the WFA TIA number space to indicate
a HS 2.0 ANQP element type (value 0x11).
The Subtype field is a 1-octet field whose value identifies the HS 2.0 ANQP element.
Values for the Subtype field are defined in the table below.
The Reserved field is a 1-octet field to ensure that the header of the ANQP element
is word aligned.
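
The header layout above can be checked with a small bounds-checked parser. This is an added example, not code from the original article or from any Wi-Fi Alliance implementation; because ANQP responses arrive before association, every Length field is treated as untrusted. Assumptions: little-endian 2-octet fields, the WFA OI value 50-6F-9A, and the subtype numbering in `SUBTYPES` (the article's subtype table is missing); the function names are illustrative.

```python
import struct

ANQP_VENDOR_SPECIFIC = 56797        # Info ID given on the page (0xDDDD)
WFA_OI = bytes.fromhex("506f9a")    # Wi-Fi Alliance OI; value not printed on the page
HS20_ANQP_TYPE = 0x11               # Type value given on the page
HEADER_LEN = 6                      # OI(3) + Type(1) + Subtype(1) + Reserved(1)
# Assumption: subtype numbering per HS 2.0 Release 1 (the page's table is missing).
SUBTYPES = {1: "HS Query List", 2: "HS Capability List",
            3: "Operator Friendly Name", 4: "WAN Metrics",
            5: "Connection Capability", 6: "NAI Home Realm Query",
            7: "Operating Class Indication"}

class ANQPError(ValueError):
    """Raised when an element's declared length does not fit the buffer."""

def build_hs20_element(subtype, payload):
    """Encode one HS 2.0 ANQP element (used here to construct sample input)."""
    body = WFA_OI + bytes([HS20_ANQP_TYPE, subtype, 0]) + payload
    return struct.pack("<HH", ANQP_VENDOR_SPECIFIC, len(body)) + body

def parse_hs20_elements(buf):
    """Walk concatenated ANQP elements; return [(subtype_name, payload)]."""
    found, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ANQPError("truncated Info ID / Length header")
        info_id, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ANQPError("Length field runs past end of response")
        body, off = buf[off:off + length], off + length
        if (info_id != ANQP_VENDOR_SPECIFIC or body[:3] != WFA_OI
                or body[3:4] != bytes([HS20_ANQP_TYPE])):
            continue                      # not an HS 2.0 element, skip it
        if length < HEADER_LEN:
            raise ANQPError("HS 2.0 element shorter than its 6-octet header")
        name = SUBTYPES.get(body[4], "unknown subtype %d" % body[4])
        found.append((name, body[HEADER_LEN:]))
    return found

# Constructed sample: one non-vendor ANQP element followed by two HS 2.0 elements.
SAMPLE = (struct.pack("<HH", 258, 2) + b"\x00\x00"
          + build_hs20_element(2, bytes([1, 2, 3, 4]))
          + build_hs20_element(4, bytes(13)))

if __name__ == "__main__":
    for name, payload in parse_hs20_elements(SAMPLE):
        print(name, payload.hex())
```
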

Sub-Type Field IEs:

HS Query List:

The HS Query list provides a list of identifiers of HS 2.0 ANQP elements for which the
requesting mobile device is querying in a HS ANQP Query. The HS Query list element
is included in a GAS Query Request. The HS Query List must be used in a GAS Query
Request to request HS2.0 Wi-Fi ANQP elements. Both the ANQP Query List and the
HS2.0 Query List can be included in a single GAS Query Request.

HS Capability list

The HS Capability list provides a list of information/capabilities that has been
configured on an AP. Support for this HS ANQP element is mandatory, but its use is
optional.

Operator Friendly Name element

The Operator Friendly Name element provides zero or more operator names
operating in the IEEE 802.11 AN.

WAN Metrics element

The WAN Metrics element provides information about the WAN link connecting an
IEEE 802.11 AN and the Internet. Transmission characteristics such as the speed of
the WAN connection to the Internet are included.

Connection Capability element

The Connection Capability element provides information on the connection status
within the hotspot of the most commonly used communications protocols and
ports. For example, a firewall upstream to the access network may allow
communication on certain IP protocols and ports, while blocking communication on
others.

NAI Home Realm Query

The NAI Home Realm Query is used by a requesting mobile device to determine if
the network access identifier (NAI) realms for which it has security credentials are
realms corresponding to SPs or other entities whose networks or services are
accessible via this BSS. The requesting mobile device includes in an NAI Home Realm
Query only the NAI Home Realm Name(s) for which it has credentials.
In response to the NAI Home Realm Query, a responding AP returns a NAI Realm List. The
NAI Realm List includes only realms exactly matching realms contained in the NAI
Home Realm Query.

Operating Class Indication element

The Operating Class Indication element provides information on the groups of
channels in the frequency band(s) the Wi-Fi access network is using. This element
reports the operating classes of APs in the same ESS as the AP transmitting this
element. A mobile device supporting more than one frequency band (e.g. 2.4GHz
and 5GHz) may use this element for BSS selection purposes.

Required Capabilities for Access Point to Support HS 2.0

WPA2-Enterprise; when an AP indicates support for Hotspot 2.0, TKIP and WEP shall
not be used.
All the EAP methods like TLS, SIM, AKA and TTLS with MSCHAPv2.
The Interworking information element including Venue Info and HESSID, support for
this element mandates support for GAS.
The Roaming Consortium information element.
Setting the Interworking bit in the Extended Capabilities information element.
The BSS Load element.
Note: this element contains information on the current mobile device population and
channel utilization in the BSS.
The following ANQP elements supported.
o Venue Name information
o Network Authentication Type information
o Roaming Consortium list
o IP Address Type Availability Information
o NAI Realm list
o 3GPP Cellular Network information
o Domain Name list
o HS Query list
o HS Capability list
o Operator Friendly Name
o WAN Metrics
o Connection Capability
o NAI Home Realm Query
o Operating Class Indication

Required Capabilities for Mobile Devices to support HS 2.0

WPA2-Enterprise; when an AP indicates support for Hotspot 2.0, TKIP and WEP shall
not be used.
All the EAP methods like TLS, SIM, AKA and TTLS with MSCHAPv2.
The Interworking information element including Venue Info and HESSID.
The Roaming Consortium information element.
Setting the Interworking bit in the Extended Capabilities information element.
The BSS Load element.
Note: this element contains information on the current mobile device population and
channel utilization in the BSS.
The following ANQP elements supported.
o Network Authentication Type information
o Roaming Consortium list
o NAI Realm list
o 3GPP Cellular Network information (only required for mobile devices having SIM
credentials)
o Domain Name list
o HS Query list
o HS Capability list
o Operator Friendly Name
o WAN Metrics
o Connection Capability
o Venue Name information
o IP Address Type Availability Information
o NAI Home Realm Query
o Operating Class Indication

Log Snippet:

Security aspect in HS 2.0 Rel 1:

This is one of the main reasons why Wi-Fi is not very popular in carrier
network deployments. After wide consultation with different stakeholders like
mobile operators, ISPs and device manufacturers, the Wi-Fi Alliance in HS Rel-1 has come up
with an enhanced security procedure which is almost similar to 3GPP AKA and AES; it
is a combination of security and authentication procedures based on WLAN and
3GPP.
Below we can see a basic list of requirements to enable HS support for APs and STAs.

Authentication:

Hotspot Rel-2 supports only WPA2-Enterprise grade security with a mutual
authentication technique which is based on 802.1X and which requires a RADIUS
server to accomplish the authentication. In 802.1X mutual authentication, the following
EAP (Extensible Authentication Protocol framework) methods are supported as
per the below table.

Please remember it is a similar type of mutual authentication to the one followed in LTE
and known as EPS AKA, where both UE and MME/HSS authenticate each other by
using EPS-AKA. Here a four-way handshake mechanism is followed between the STA and
the AAA server to accomplish the authentication procedure.

Question:
How does a client select among all the SSIDs like BYOD, NOSI, GUEST?
It is based on 802.1X association and depends on the user credentials; the RADIUS server
sends an Access Accept packet as part of authentication. This is called User Based Policy
Assignment.

E.g.: Common use cases would be to push guest users to a Guest VLAN and
employees to an Employee VLAN-BYOD.

Strong Encryption:
The Advanced Encryption Standard (AES) encryption is used over the wireless
interface between a mobile device and the Passpoint APs. AES is one of the most
advanced standards-based encryption algorithms available in the industry. The AES
encryption keys (the Pairwise Transient Key [PTK] and the Group Temporal Key
[GTK]) are derived from the unique Pairwise Master Keys (PMKs) generated as part
of the IEEE 802.1X authentication process. We will discuss in detail about encryption
key generation in a separate article.

The strong encryption used between a mobile device and the Passpoint AP makes it
extremely difficult for an attacker to compute the keys needed to eavesdrop on the
traffic exchanged between the devices. The integrity protection afforded by the AES
encryption mechanism makes it computationally impractical for an attacker to
perform a man-in-the-middle attack.

Passpoint APs and mobile devices that are certified for WPA2 with Protected
Management Frames (PMF) mitigate eavesdropping and DoS vulnerabilities. PMF
does not protect pre-association ANQP frames.

Hot Spot 2.0 deployment:

With the convergence of different wireless and wired technologies, multiple deployment
models are now adopted to implement Hot Spot in cellular and SP networks. For
simplicity, I have explained only the home network deployment models below;
roaming can be implemented in a similar way.

Hot Spot Deployment in cellular Network

Here cellular operator means mobile operators who provide SIM cards to access
the mobile or Wi-Fi networks, like Airtel, Vodafone etc.

Network discovery and authentication includes the following steps.


1. Device detects Hotspot 2.0 indication in access point (AP) beacon frame
(Extended Capabilities-Interworking Supported).
2. Device will send GAS queries to ANQP server for 3GPP cellular network
information and roaming consortium organizational identifiers (OIs).
3. Device matches the information and OIs received against its list of credentials and
preferred networks.
4. Device automatically associates with Passpoint AP.
5. Device performs IEEE 802.1X authentication to the home AAA server using EAP-
SIM or EAP-AKA.
6. Home AAA server communicates with home location register (HLR) using the
Mobile Application Part (MAP) protocol.
MAP- It is an intelligent network protocol used as part of the SS7 network.

Hot Spot Deployment in Service Provider Network

Here service provider means an internet service provider who doesn't provide any SIM
card to access the Wi-Fi network, like Comcast, Boingo Wireless, ACT etc.

Network discovery and authentication includes the following sequence of steps.


1. Device detects Hotspot 2.0 indication in AP beacon frame.
2. Device queries ANQP server for network access identifier (NAI) realm list and
roaming consortium OIs.
3. Device matches the realms and OIs received against its list of credentials and
preferred networks.
4. Device automatically associates with Passpoint AP.
5. Device performs IEEE 802.1X authentication to the Home AAA server using EAP-
TLS or EAP-Tunneled TLS (EAP-TTLS) with MS-CHAPv2.
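
Step 3 of both sequences (matching ANQP answers against stored credentials), combined with the Release 1 security requirements listed earlier, can be sketched as follows. This is an added example, not code from the original article or from any supplicant; the `Credential` and `APInfo` records, their field names and all sample values (BSSIDs, realm, PLMN) are constructed for illustration, and the match order is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:                      # hypothetical device-side credential record
    name: str
    eap_methods: frozenset             # e.g. {"EAP-AKA"} or {"EAP-TTLS"}
    realm: str = ""                    # NAI realm (service provider credential)
    plmn: str = ""                     # MCC+MNC of the SIM (cellular credential)
    ois: frozenset = frozenset()       # roaming consortium OIs the device accepts

@dataclass
class APInfo:                          # what the beacon and ANQP responses reported
    bssid: str
    hs20_indication: bool
    akm: str                           # "WPA2-Enterprise", "WPA2-PSK", "Open"
    ciphers: set
    nai_realms: dict = field(default_factory=dict)  # realm -> set of EAP methods
    plmns: frozenset = frozenset()     # 3GPP Cellular Network information
    ois: frozenset = frozenset()       # Roaming Consortium list

def eligible(ap):  # security gate: HS 2.0 indication, WPA2-Enterprise, no TKIP/WEP
    return (ap.hs20_indication and ap.akm == "WPA2-Enterprise"
            and not ap.ciphers & {"TKIP", "WEP"})

def match(ap, cred):  # step 3: compare ANQP answers with one credential
    if cred.plmn and cred.plmn in ap.plmns:
        return "3gpp-plmn"
    if cred.realm and cred.eap_methods & ap.nai_realms.get(cred.realm, frozenset()):
        return "nai-realm"             # exact realm match and a shared EAP method
    if cred.ois & ap.ois:
        return "roaming-consortium"
    return None

def select(aps, creds):
    for ap in aps:
        if not eligible(ap):
            continue                   # never auto-associate to a downgraded AP
        for cred in creds:
            if (kind := match(ap, cred)):
                return ap.bssid, cred.name, kind
    return None

# Constructed scan results: the first two APs advertise the realm but fail the gate.
REALMS = {"isp.example": {"EAP-TLS", "EAP-TTLS"}}
AP_SCAN = [
    APInfo("02:00:00:00:00:01", True, "WPA2-PSK", {"CCMP"}, REALMS),
    APInfo("02:00:00:00:00:02", True, "WPA2-Enterprise", {"CCMP", "TKIP"}, REALMS),
    APInfo("02:00:00:00:00:03", True, "WPA2-Enterprise", {"CCMP"}, REALMS,
           frozenset({"00101"})),
]
```

The gate runs before any credential matching, so an AP that advertises a matching realm without WPA2-Enterprise, or with TKIP enabled, is never a candidate for automatic association.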
