Hotspot 2.0 Settings

Hotspot 2.0, also known as Wi-Fi Certified Passpoint, is a standard for public-access Wi-Fi that enables seamless roaming among Wi-Fi networks and between Wi-Fi and cellular networks. It is based on the IEEE 802.11u standard for interworking with external networks. With the advent of smart phones and tablets, the data consumption and strain on cellular networks has increased significantly. Hotspot 2.0 enables cellular network-like roaming that requires little or no manual intervention allowing users to automatically switch to a Wi-Fi network, whenever it is available, and free up the cellular network.

Passpoint-certified mobile devices can seamlessly connect to an AP if the Wi-Fi profile applied on the AP has  Hotspot 2.0 enabled and the corresponding settings configured. When a  Wi-Fi profile with Hotspot 2.0 settings is applied on the AP that is deployed at the operator location, the AP can advertise available network services enabling Passpoint-certified mobile devices to automatically discover and select a Wi-Fi network.

A mobile device can request a Hotspot 2.0 AP for information related to the capabilities and services provided by the AP without associating with the AP. Based on the information received from the AP, it can decide whether it wants to connect to the AP or not. This communication between the AP and the mobile devices takes place using the Access Network Query Protocol (ANQP).

Hotspot 2.0 works only with WPA2 802.1x enterprise security. If you want to configure Hotspot 2.0 functionality, you must first set the value in the security mode field (in Security Settings in the Wi-Fi profile as WPA2 and make sure that the 802.1x option is selected.

Network Discovery and Selection

One of the major functions addressed in the IEEE 802.11u standard is the automatic network discovery and selection. This feature uses generic advertisement service (GAS) as a platform to allow communication between non-AP devices and an external network without associating with an AP.

To advertise support for Hotspot 2.0, the Interworking bit in the Extended Capabilities information element needs to be set in the Beacon and Probe Response frames. The non-AP devices include the Interworking element in Probe Request frames.

Providing information to non-AP devices in the pre-association stage has these advantages:

  • Non-AP devices can make informed decisions about joining a BSS based on the services advertised.
  • Multiple wireless networks can be queried in parallel that reduces the time required to associate to a network that fits the requirements of non-AP devices

Fields Added in Beacon & Probe Response

To provide information regarding the service provided, these additional fields have been added in the beacon frame:

  • Interworking
  • Advertisement Protocol
  • Roaming Consortium
  • Emergency Alert Identifier

In addition to these fields, a non-AP device can request for additional information by using ANQP that uses Public action frames to share information at Layer-2 without requiring the non-AP device to associate to the BSS. After the non-AP device has gathered all the information, it will connect to a hotspot where it can successfully authenticate based on the profile that is configured on the device.

ANQP Elements

The ANQP elements defined to provide additional information are listed in this table.

ANQP Element


Venue Name Information

The details of the venue where the AP is deployed. This specifies the group and type of venue, such as hospital, factory, or university, and the name of the venue where the AP is deployed.

Emergency Call Number Information

List of emergency phone numbers to an emergency responder, as directed by a public safety answering point (PSAP), which is used in a specific geographical area.

Network Authentication Type Information

List of authentication types and corresponding additional information.

Roaming Consortium List

List of organization identifiers, which are unique hexadecimal strings, identifying the service providers supported by the network and the roaming consortia that the network is a member of.

IP Address Type Availability Information

Information about the availability of IP address version and type that could be allocated to the device after successful association.

NAI Realm List

List of NAI realms corresponding to service providers or other entities whose networks or services are accessible through the AP. Optionally, for each NAI realm, a list of one or more EAP Method sub fields that the NAI realm uses for authentication might be included.

3GPP Cellular Network Information

Cellular information, such as network advertisement information (for example, network codes and country codes), to assist a 3GPP non-AP device in selecting an AP to access 3GPP networks.

AP Geospatial Location

Provides the location of the AP in LCI format.

AP Civic Location

Provides the location of the AP in Civic format.

AP Location Public Information URI

Provides an indirect reference to where the location information for the AP can be retrieved.

Domain Name List

The list of Hotspot 2.0 operator domain names.

Emergency Alert Identifier URI

URI for EAS message retrieval.

Emergency NAI

An emergency string that can be used by a device as its identity to indicate an emergency access request.


Hotspot 2.0 can be used only with WPA2-Enterprise security setting and it supports these EAP methods:

Credentials EAP Method
Certificate EAP-TLS

Username / Password
(with server-side certificate)


This diagram shows the frame exchanges between a device, the AP, and an authentication server.

Diagram of Frame Exchange steps in Hotspot 2.0

Hotspot 2.0 Configuration

Configure the Hotspot 2.0 on an AP by defining an SSID profile (Wi-Fi profile) with the Hotspot 2.0 settings and then add this SSID profile on the radio for a supported device in the device template. The device template must then be applied on your APs.

To add and configure an SSID:

  1. Log in to WatchGuard Wi-Fi Cloud.
  2. Open Manage.
  3. Select Configuration > Device Configuration > SSID Profiles.
  4. Select an existing SSID profile or create a new SSID profile.
  5. Type the Profile Name and SSID.
  6. Expand the Security section, and select WPA2 as the Security Mode.
  7. Select 802.1X and configure the corresponding settings.
  8. Configure the Network, Captive Portal, Firewall, and Traffic Shaping & QoS settings for the SSID Profile as required.

Screenshot of SSID Profile page with Hotspot 2.0 settings

To configure Hotspot 2.0:

  1. In the Wi-Fi Profile, click the Hotspot 2.0 tab.
  2. Select Hotspot 2.0 Release 1 or Release 2.
  3. Configure the settings as detailed in the following sections, then click Save.

Hotspot 2.0 configuration in an SSID profile

General Settings

The General Settings refer to the network configuration. These settings include the network access type, network authentication type  element, and IP address type.

Screenshot of Hotspot 2.0 General settings

  • The Network Type is a predefined list and can have one of these values.
  • Private network — Unauthorized users are not permitted on this network. Examples of this access network type are home networks and enterprise networks that may employ user accounts.
  • Private network with guest access —  The network is a private network offering guest access. An example of this access network type is an enterprise network with guest access.
  • Chargeable public network —  A public network that is available to everyone for a charge. An example of this access network type is a hotel offering  in-room Internet access service for a fee.
  • Free public network — A public network that is available to everyone for free. An example of this access network type is an airport hotspot.
  • Personal device network —  A network of personal devices such as a camera connecting to a printer thereby forming a network to print pictures.
  • Emergency services only network — The network is dedicated and limited to accessing emergency services only.
  • Test or experimental — The network is a test or experimental network only.
  • Wildcard —  Wildcard access network type. Select this option if you want the AP to reply to the client (mobile device) regardless of the access network type requested in the client query.
  • Select the Internet Access check box if  the network provides Internet access to the client through the AP
  • The Homogenous ESSID (HESSID) is an optional MAC address field that is the same for all APs belonging to the same network. APs with the same HESSID have the same Hotspot 2.0 configuration.
  • The GAS Fragmentation Limit is the maximum allowed size, in bytes, for the GAS response frame above which frame fragmentation needs to be performed. The default value is 1400 bytes.
  • The GAS Comeback Delay is the delay, in milliseconds, between the initial GAS response and the first comeback request. A non-zero value implies a 4 frame GAS exchange. The default value is 0.

Network Authentication Type

The network authentication element refers to the list of authentication types. This element is related to captive portal-based authentication systems. A redirect URL can be specified in the General Settings to redirect the mobile user to the appropriate URL on connecting to the AP.

The network authentication element is a predefined list and can have one of these values:

  • Acceptance of terms and conditions — Select this option if the network requires the user to accept a set of terms and conditions. You can provide a URL that points to the terms and conditions page in the Redirect URL field.
  • Online enrollment — Select this option if online enrollment is supported by the network (Hotspot 2.0 release 2).
  • HTTP/HTTPS redirection — Select this option if the network infrastructure performs HTTP/HTTPS redirection. You can optionally provide a redirect URL for HTTP/HTTPS redirection.
  • DNS redirection — Select this option if the network supports DNS redirection.
  • Not configured — Select this option if you do not want to provide specific information when the client queries about network authorization type.

Hotspot 2.0 Release 2

When you select online enrollment as the network authentication type for Hotspot 2.0 Release 2, you must also specify the Online Sign Up (OSU) SSID and OSU Provider details. The OSU provider details can have URLs for various online sign-up provider servers, and each online sign-up provider can have one or more service descriptions in different languages. Additionally, the online sign-up provider can have one or more operator-friendly names and icons in different languages. You can define QoS Map settings in the QoS Mapping section.

Screenshot of Hotspot 2.0 Network Authentication settings

  • Network Auth Type — Select On-line enrollment as the network authentication type from the list of available options.
  • Redirect URL — Type the URL to which the mobile client must be redirected on connecting to the APs.
  • OSU SSID — The SSID configured for online sign up.
  • Deauth Request Time — The timeout, in seconds, for client deauthentication after sending the WNM notification frame with the deauth imminent sub-element.

To configure OSU provider details:

  1. Type the OSU provider URL, then select the appropriate method from the available list, type an optional NAI, then click Add.
  2. Select the configured URL and type one or more service descriptions with their language codes.
  3. Click Add to add the entry for service description. The method OMA-DM, SOAP-XML SPP indicates the priority-OMA-DM has a higher priority than SOAP-XML SPP. The same logic is applicable to the option SOAP-XML, OMA-DM.
  4. Select the configured URL and type one or more operator-friendly names along with their language codes.
  5. Click Add to add the entry for operator-friendly name.
  6. Select the configured URL and upload the icons one by one after specifying the icon name and language code for each icon. If there is no language related matter in the icon, enter zxx as the language code.

Do not modify the QoS settings in the Hotspot 2.0 Settings tab unless you are proficient in setting up networks. Erroneous configuration of the QoS settings can lead to degradation of wireless network performance. The QoS settings configured in the Hotspot 2.0 settings override the traffic shaping and QoS settings configured in the WLAN tab in a Wi-Fi profile.

Roaming Consortiums Element

The network could be a member of a roaming consortium or could support service providers. The element consists of one or more organization identifiers that are unique hexadecimal strings. If this element contains multiple organization identifiers, it means the network supports multiple service providers.

The first three roaming consortium from the list are advertised in the beacon. Up to 32 roaming consortiums can be added here. The length of the roaming consortium string must be 3 or 5 bytes which is 6 or 10 hex characters.

Screenshot of Hotspot 2.0 Roaming Consortium settings

Venue Settings

The Venue Settings specify the configuration of the venue details where the AP is to be deployed. The venue settings consist of venue groups and venue types. The venue group is selected from a predefined list of values.

Screenshot of Hotspot 2.0 Venue Settings

  • Venue Group — Select the appropriate venue group from the available options.
  • Venue Type — Select the type of venue at which the AP is installed. Different options are presented based on the venue group selected. For example, when you select the Educational venue group, the options available for venue type are: Unspecified Educational School, Primary, School, Secondary, and University or College.
  • Venue Name — Name of the venue. Maximum length is 252 bytes. You can add up to 32 venue names.
  • Language Code — The language code in which the service is to be provided. See the ISO 639.2 standard for the language codes.

The available venue groups are:

  • Assembly — An arena or an amusement park where a group of people assemble together.
  • Business — A business premises such as a bank or an office.
  • Educational —Educational institution such as a school or a university.
  • Factory and Industrial — Factory or industrial location.
  • Institutional — Hospital or a rehabilitation center.
  • Mercantile — Mercantile venue such as a gas station or a shopping mall.
  • Residential —Hotel or a private residence.
  • Storage —Storage facility.
  • Utility and Miscellaneous — Utility or miscellaneous location.
  • Vehicular —Vehicle such as a train or a boat.
  • Outdoor —Outdoor location such as a kiosk or a bus stop.

Domain Name List

The Domain Name List provides a list of the Hotspot 2.0 operator domain names. You can enter a maximum of 32 domains. The size of the domain name must not exceed 255 bytes.

Screenshot of Hotspot 2.0 Domain Name List settings

3GPP Cellular Network Info List

The list of mobile networks supported by the AP can be configured in the 3GPP Cellular Network Info List. Type the three-digit mobile country code, the two- or three-digit mobile network code, and click Add to add it to the list. You can add up to 32 entries.

Screenshot of Hotspot 2.0 3GPP Cellular settings

NAI Realm List

The network access identifier (NAI) Realm List corresponds to the NAI realm element. The NAI realm element provides a list of NAI realms corresponding to service providers or other entities whose networks or services are accessible through the AP. A list of one or more EAP Methods is optionally included for each NAI realm.

Type the NAI Realm and click Add. You can add up to 32 such realms, each with a length up to 255 bytes.

Select the EAP method for that realm and click Add.

You can add up to four EAP methods for one realm. You can view the EAP methods specified for a particular realm when you click the EAP Settings link for that realm in the Realm box. The EAP methods must be added in the order of preference. The preferred EAP method must be added first, followed by the next preferred method.

Screenshot of Hotspot 2.0 NAI Realm settings

WAN Metrics

You can specify details of the WAN connection available through the wireless network. You can specify the link status and the uplink and downlink speeds.

  • Link Status — Select the appropriate option.
  • Link up — Select this option if the link is up.
  • Link down — Select this option if the link is down.
  • Link in test — Select this option if the link is under test.
  • Not Configured — Select this option when the link status is not configured.
  • Symmetric Link Status — Select the Same option if the uplink and downlink speeds are the same. Select the Different option if the uplink and the downlink speeds are different.
  • Downlink Speed — Downlink speed, in Kbps or Mbps. Select the unit of measurement after you type the value for the downlink speed.
  • Uplink Speed — Uplink speed, in Kbps or Mbps. Select the unit of measurement after you type the value for the uplink speed.

Operator Friendly Name List

In the operator-friendly name list, you can type a list of operator-friendly names along with the language code. You can have up to 32 entries in the list.

Screenshot of Hotspot 2.0 Operator Friendly Name settings

  • Name — The operator friendly name of the Hotspot 2.0 operator in different languages. The maximum length must not be more than 252 bytes.
  • Language Code — The language code in which the operator friendly name has been specified. Refer to the ISO 639.2 standard for the language codes.

Connection Capability

In the connection capability section, you can specify the protocols supported by the network connection and the corresponding port numbers and whether the port is open or closed. These settings signify the capabilities of the wired network that the AP is connected to. They provide information on the connection status of the most commonly used communication protocols and ports within the hotspot.

Based on the port configuration, make sure that you have configured an appropriate firewall rule in the firewall settings of the Wi-Fi profile. In the connection capability, the port is closed for ICMP requests. The complementary firewall rule prevents ICMP requests that might result in a denial-of-service attack. The protocol number 1 in the firewall rule refers to ICMP.

Screenshot of Hotspot 2.0 Connection Capability settings

QoS Mapping

Configure the QoS mapping, if required. The DSCP exception indicates that the priority to be assigned when the specified DSCP value is detected in data packets. The value 255 indicates that the row is ignored.

Enable Layer 2 inspection and Filtering

L2 inspection and filtering prevents frames exchanged between two mobile devices from being delivered by the Wi-Fi access network without first being inspected and filtered in either the hotspot operator network or the Service Provider core network. Such processing provides some protection for mobile devices against attack.

 If you want to inspect the packets exchanged between two clients in a Wi-Fi network on a wired side host:

  1. Select the Hotspot 2.0 Settings tab for a Wi-Fi profile,
  2. Select the Enable Layer 2 Traffic Inspection and Filtering (L2TIF) check box.
  3. Click Save.

You can use a packet capture tool to view the packets on the wired side.

Inspection of layer 2 packets by an AP is not supported.

Enable P2P Cross Connection

When a client  is connected to a Wi-Fi direct network and to an AP in an infrastructure network, you can bridge these two networks. When you enable the P2P cross connection, the Wi-Fi Direct network and the infrastructure network can be bridged by the client. Otherwise, the AP instructs the client not to cross-connect the infrastructure network to the Wi-Fi Direct network enhancing the security of the wireless network. The P2P cross connection is disabled by default.

To enable P2P cross connection:

  1. Select the Hotspot 2.0 Settings tab for a Wi-Fi profile,
  2. Select the Enable P2P Cross Connection check box.
  3. Click Save.

Enable BSS Load

The BSS Load element is included in the beacons and probe responses. The BSS Load element contains information on the number of currently associated stations and traffic levels in the BSS. The traffic level information is conveyed in the Channel Utilization and the Available Admission Capacity fields.

Roaming stations can select an AP that is likely to accept future admission requests when the BSS Load is enabled.

When more than one channel is in use for the BSS (40/80/160 MHz bandwidths), the Channel Utilization field value is calculated only for the primary channel.

To enable BSS Load:

  1. Select the Enable BSS Load check box.
  2. Click Save.