FortiWLC – Hotspot 2.0

Hotspot 2.0

Hotspot 2.0 is a specification by the Wi-Fi Alliance that specifies a framework for seamless roaming between WiFi networks and Cellular networks. The specification is based on the IEEE802.11u standard; a Generic Advertisement Service (GAS) that provides over-the-air

Hotspot 2.0

transportation for frames of higher layer advertisements between stations APs and external information servers. This feature will allow users to configure hotspot profiles that can (optionally) be connected to existing ESS Profiles as desired. An ESS-profile connected to a hotspot profile will advertise 802.11u capabilities in its beacons.

FAP-U42x and FAP-U32x are Passpoint R2 certified.

Adding a Hotspot 2.0 Profile

The Hotspot Profiles can be created from the Configuration > Wireles > Hotspot 2.0 page. By default, the page shows the following details about a Hotspot profile.

  • Hotspot Profile Name – Displays the name of the Hotspot Profile.
  • Description – Displays the Description provided for the Hotspot profile.
  • Venue Type – Displays the Venue Type.
  • Access Network Type – Select the Access Network Type from the list. The default selection is displayed as Private Network. The types are as follows:
  • Private Network
  • Private Network with Guest Access
  • Chargeable Public Network
  • Free Public Network
  • Personal Device Network
  • Emergency Services Only Network
  • Test or Experimental Network
  • Wildcard Network
  • IPv6 Availability – Select the IPv6 Availability from the list. The default selection is displayed as Address type not available. The types are as follows:
  • Address type available
  • Address type not available
  • Availability of the Address type not known
  • IPv4 Availability – Select the IPv4 Availability from the list. The default selection is displayed as Address type not available. The types are as follows:
  • Address type available
  • Address type not available
  • Availability of the Address type not known
  • Port-restricted IPv4 address available
  • Single NATed private IPv4 address available
  • Double NATed private IPv4 address available

Hotspot 2.0

 

Port-restricted IPv4 address and single NATed IPv4 address available

  • Port-restricted IPv4 address and double NATed IPv4 address available
  • Roaming Consortium – Enter the roaming ORG ID for the Hotspot profile. The valid range is 0-10 characters.
  • Operators – Enter multiple network operators. Select a language and enter a name. The valid range is 0 – 256 characters.
  • Venue – Enter multiple hotspot venues. Select a language and enter a name. The valid range is 0 – 512 characters.
  • 3GPP Cell Network – Provide the following details:
  • Country code of the operator.
  • Provide the 3GPP Cell Network MCC. The default value is displayed is 0. The Valid range is [0-999]. Provide the 3GPP Cell Network MNC. The default value is displayed is 0. The Valid range is [0-999].
  • Domain Name – Provide the Domain Name. The valid range is [0-128] chars.
  • NAI Realm from 1-10 – Provide the NAI Realm [1-10] from the list. The valid range is [0-50] chars.
  • NAI Realm Auth Method from 1-10 – Select the NAI Realm Auth Method [1-10] from the list. The valid range is [0-50] chars. The types are as follows:
  • EAP TLS Certificate
  • EAP TTLS MSCHAPv2 Username/Password
  • EAP SIM
  • EAP AKA
  • EAP AKA`
  • Advanced Settings – Provide the following configuration details for advanced settings: HESSID – A globally unique identifier, used to give a single identifier for a group of APs connected to the same SP or other destination network(s).
  • GTK Per Station – Enables the Group Temporal Key (GTK) to be assigned per station.
  • Gas Come Back Flag – Enables the Generic Advertisement Service (GAS) comeback request/response option.
  • Gas Come back Delay (millisecs) – At the end of the GAS comeback delay interval, the client can attempt to retrieve the query response using the comeback request action frame.
  • ASRA Flag – Enable the Additional Step Required for Access (ASRA) to indicate that the network requires one more step for access. Authentication type – Configure the network authentication type required as per ASRA. Supported values are, Acceptance of terms and conditions, On line enrolment supported, http/https redirection, and DNS redirection.

Hotspot 2.0

Redirect URL – Specify the Redirect URL in case of http/https redirection and DNS Redirection.

  • WAN Metrics – Provide the following configuration details for WAN metrics:
  • Link Status State – Select the status of the WAN link.
  • Symmetric Link – Enable symmetric bandwidth. At Capacity – Select whether the WAN link is at capacity and no additional mobile devices will be allowed to associate with the AP.
  • Down Link speed/Up Link speed – The WAN Backhaul link for current downlink/uplink speed in KBPS.
  • Down Link load/Up Link load – The current percentage load of the downlink/uplink connection, measured over an interval the duration of which is reported by the Load Measurement Duration.
  • Load Measurement Duration – The duration over which the downlink/uplink load is measured in KBPS.
  • Connection CapabilityThe Connection Capability enables filtering of protocols, allowing or restricting traffic on some protocols and ports. A set of system defined protocols as listed. Additionally, you can also create rules for custom protocols.
  • QoS Map – Create a Quality of Service (QoS) policy by configuring the following DSCP ranges and DSCP exceptions.
  • DSCP Ranges – For a given DSCP range, specify the User Priority (valid range: 0 -7), DSCP High Priority (valid range: 0 – 255), and DSCP Low Priority (valid range: 0-255). DSCP Exceptions – For a given DSCP exception, specify the User Priority (valid range: 0 -7) and the DSCP Value (valid range: 0 – 255).
  • OSU Settings – The Online Sign Up (OSU) Service settings configures one or more Hotspot providers offering OSU service.
  • Online Sign Up Support – Select to enable OSU.
  • OSEN Enable – Enable OSU Server-only authenticated layer-2 Encryption Network (OSEN) to indicate that the hotspot uses a OSEN network type. This network provisions clients using the OSU functionality.
  • OSU/OSEN ESSID – Specify the OSU ESSID.

OSU Server URL – Specify the URL of the OSU server.

  • OSU NAI – Specify the OSU NAI for authentication.

Click Settings to configure the OSU provider settings.

  • OSU Provider Friendly Names
  • OSU Provoder Icons
  • OSU Provider Method – Select one of the OSU provider provisioning methods, OMADM or SOAP-XML.

Hotspot 2.0

OSU Provider Description – The description of the OSU Provider.

Select OK. The Hotspot Profile is added and displayed on the Hotspot Profile screen.

The following operations can be performed on the Hotspot 2.0 profile.

  • Delete – Select a Hotspot Profile and click Delete. The selected Hotspot Profile gets deleted from the Hotspot Profile screen.
  • Edit – Select a Hotspot Profile and click Edit.
  • View – Allows to view the details of the Hotspot Profile. Select a Hotspot Profile and click View.
This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.