Hotspot 2.0


Hotspot 2.0 is a network interworking feature that

  • enables IEEE 802.11 devices to interwork with external networks

  • provides network discovery and selection services, and

  • allows mobile devices to join Wi-Fi networks automatically, including during roaming.

Hotspot 2.0 components

The Hotspot 2.0 feature has four distinct parts:

  • Hotspot 2.0 Beacon Advertisement: Allows a mobile device to discover Hotspot 2.0-compatible and 802.11u-compatible WLANs.

  • Access Network Query Protocol (ANQP) Queries: Sends queries about the networks from IEEE 802.11 devices, such as network type (private or public), connectivity type (local network, internet connection, and so on), or the network providers supported by a given network.

  • Online Sign-up: Allows a mobile device to obtain credentials to authenticate itself with the Hotspot 2.0 or WLAN.

  • Authentication and Session Management: Provides authentication (802.1x) and management of the STA session (session expiration, extension, and so on).

Hotspot 2.0, also known as HS2 and Wi-Fi Certified Passpoint, is based on the IEEE 802.11u and Wi-Fi Alliance Hotspot 2.0 standards. It seeks to provide better bandwidth and services-on-demand to end users.

The interworking service aids network discovery and selection, enabling information transfer from external networks. It provides information to the stations about the networks before association.

Interworking not only helps users within the home, enterprise, and public access domains, but also assists manufacturers and operators to provide common components and services for IEEE 802.11 customers. These services are configured on a per-WLAN basis on the Cisco Wireless Controller (controller).

To mark a WLAN as Hotspot 2.0-compatible, the 802.11u-mandated information element and the Hotspot 2.0 information element are added to the basic service set (BSS) beacon advertised by the corresponding AP, and to WLAN probe responses.


Note


The Hotspot 2.0 feature supports only local mode or FlexConnect mode (central switching and central authentication).

FlexConnect local switching is only supported when the Open Roaming configuration template is set up using the wireless hotspot ANQP-server server-name type open-roaming command. If the configuration diverges from this template, FlexConnect local switching will not be supported.


This figure shows a standard deployment of the Hotspot 2.0 network architecture:

Figure 1. Hotspot 2.0 Deployment Topology

Configure Hotspot 2.0

Configure an access network query protocol server (CLI)

Set up an Access Network Query Protocol (ANQP) server to define and advertise services offered by an AP at Wi-Fi Hotspot 2.0 locations.

The Access Network Query Protocol (ANQP) is a query and response protocol that defines the services offered by an AP, usually at a Wi-Fi Hotspot 2.0 location.


Note


When configuring roaming-OI in the ANQP server, ensure that you set the beacon keyword for at least one roaming-OI, as mandated by the 802.11u standard.


Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure a Hotspot 2.0 ANQP server.

Example:
Device(config)# wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server

Step 3

Add a description for the ANQP server.

Example:
Device(config-wireless-anqp-server)# description description
Example:
Device(config-wireless-anqp-server)# description "My Hotspot 2.0"

Step 4

Configure an 802.11u Third Generation Partnership Project (3GPP) cellular network.

Example:
Device(config-wireless-anqp-server)# 3gpp-info mobile-country-code mobile-network-code
Example:
Device(config-wireless-anqp-server)# 3gpp-info 001 01

The mobile-country-code should be a 3-digit decimal number. The mobile-network-code should be a 2-digit or 3-digit decimal number. The values 001 and 01 in the example are constructed test values.

Step 5

Configure the ANQP reply fragmentation threshold, in bytes.

Example:
Device(config-wireless-anqp-server)# anqp fragmentation-threshold threshold-value
Example:
Device(config-wireless-anqp-server)# anqp fragmentation-threshold 100

The ANQP protocol can be customized by setting the fragmentation threshold, after which the ANQP reply is split into multiple messages.

Note

 

We recommend that you use the default values for the deployment.

Step 6

Configure the Hotspot 2.0 ANQP domain identifier.

Example:
Device(config-wireless-anqp-server)# anqp-domain-id domain-id
Example:
Device(config-wireless-anqp-server)# anqp-domain-id 100

Step 7

Configure the 802.11u network authentication type.

Example:
Device(config-wireless-anqp-server)# authentication-type {dns-redirect | http-https-redirect | online-enrollment | terms-and-conditions}
Example:
Device(config-wireless-anqp-server)# authentication-type online-enrollment

Depending on the authentication type, a URL is needed for HTTP and HTTPS.

Step 8

Configure the Hotspot 2.0 protocol and port capabilities.

Example:
Device(config-wireless-anqp-server)# connection-capability ip-protocol port-number {closed|open|unknown}
Example:
Device(config-wireless-anqp-server)# connection-capability 12 40 open

Note

 

Hotspot 2.0 specifications require that you predefine some open ports and protocols. Ensure that you meet these requirements in order to comply with the Hotspot 2.0 specifications. See the connection-capability command in the Cisco Catalyst 9800 Series Wireless Controller Command Reference document for a list of open ports and protocols.

Step 9

Configure an 802.11u domain name.

Example:
Device(config-wireless-anqp-server)# domain domain-name
Example:
Device(config-wireless-anqp-server)# domain my-domain

You can configure up to 32 domain names. The domain-name should not exceed 220 characters.

Step 10

Configure an 802.11u IPv4 address type in the Hotspot 2.0 network.

Example:
Device(config-wireless-anqp-server)# ipv4-address-type ipv4-address-type
Example:
Device(config-wireless-anqp-server)# ipv4-address-type public

Step 11

Configure an 802.11u IPv6 address type in the Hotspot 2.0 network.

Example:
Device(config-wireless-anqp-server)# ipv6-address-type ipv6-address-type
Example:
Device(config-wireless-anqp-server)# ipv6-address-type available

Step 12

Configure an 802.11u NAI realm profile that identifies the realm that is accessible using the AP.

Example:
Device(config-wireless-anqp-server)# nai-realm realm-name
Example:
Device(config-wireless-anqp-server)# nai-realm cisco.com

Step 13

Configure a Hotspot 2.0 operating class identifier.

Example:
Device(config-wireless-anqp-server)# operating-class class-id
Example:
Device(config-wireless-anqp-server)# operating-class 25

Step 14

Configure a Hotspot 2.0 operator-friendly name in a given language.

Example:
Device(config-wireless-anqp-server)# operator operator-name language-code
Example:
Device(config-wireless-anqp-server)# operator XYZ-operator eng

Use only the first three letters of the language, in lower case, for the language code. For example, use eng for English.

To see the full list of language codes, go to: http://www.loc.gov/standards/iso639-2/php/code_list.php.

Note

 

You can configure only one operator per language.

Step 15

Configure the SSID that wireless clients will use for OSU.

Example:
Device(config-wireless-anqp-server)# osu-ssid SSID
Example:
Device(config-wireless-anqp-server)# osu-ssid test

The SSID length can be up to 32 characters.

Step 16

Configure the 802.11u roaming organization identifier.

Example:
Device(config-wireless-anqp-server)# roaming-oi OI-value [beacon]
Example:
Device(config-wireless-anqp-server)# roaming-oi 24 beacon

If the beacon keyword is specified, the roaming OUI is advertised in the AP WLAN beacon or probe response. Otherwise, it will only be returned while performing the roaming OUI ANQP query.

Note

 

The hex string of a roaming OUI should contain only lowercase letters.

Step 17

Configure the 802.11u venue information.

Example:
Device(config-wireless-anqp-server)# venue venue-name language-code
Example:
Device(config-wireless-anqp-server)# venue bank eng

The venue-name should not exceed 220 characters, and the language-code should be 2 or 3 lowercase letters (a-z).


The ANQP server is configured and will advertise the specified network services and capabilities to wireless clients performing 802.11u queries at the Hotspot 2.0 location.

Configure WAN metrics

Set up Wide Area Network (WAN) parameters such as uplink and downlink speed, link status, load, and so on for the Hotspot 2.0 ANQP server configuration.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure a Hotspot 2.0 ANQP server.

Example:
Device(config)# wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server

Step 3

Configure the WAN downlink load.

Example:
Device(config-wireless-anqp-server)# wan-metrics downlink-load load-value
Example:
Device(config-wireless-anqp-server)# wan-metrics downlink-load 100

Step 4

Configure the WAN downlink speed, in kbps.

Example:
Device(config-wireless-anqp-server)# wan-metrics downlink-speed speed
Example:
Device(config-wireless-anqp-server)# wan-metrics downlink-speed 1000

Step 5

Configure the WAN link to operate at its maximum capacity.

Example:
Device(config-wireless-anqp-server)# wan-metrics full-capacity-link

Step 6

Set the WAN link status.

Example:
Device(config-wireless-anqp-server)# wan-metrics link-status {down|not-configured|test-state|up}
Example:
Device(config-wireless-anqp-server)# wan-metrics link-status down

Step 7

Configure the uplink or downlink load measurement duration.

Example:
Device(config-wireless-anqp-server)# wan-metrics load-measurement-duration duration
Example:
Device(config-wireless-anqp-server)# wan-metrics load-measurement-duration 100

Step 8

Configure the WAN uplink load.

Example:
Device(config-wireless-anqp-server)# wan-metrics uplink-load load-value
Example:
Device(config-wireless-anqp-server)# wan-metrics uplink-load 100

Step 9

Configure the WAN uplink speed, in kbps.

Example:
Device(config-wireless-anqp-server)# wan-metrics uplink-speed speed
Example:
Device(config-wireless-anqp-server)# wan-metrics uplink-speed 1000

The WAN metrics are now configured for the Hotspot 2.0 ANQP server with the specified parameters for network performance monitoring and reporting.

Configure OSU provider (CLI)

Configure an OSU (Online Sign-Up) provider to enable wireless clients to connect and provision network access through the Hotspot/OpenRoaming service.

Use this procedure to set up an OSU provider with the necessary configuration parameters including provider name, NAI realm, authentication methods, server URI, icon configuration, and friendly names for different languages.

Before you begin

Follow these steps to configure an OSU provider using the CLI:

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure an icon for Hotspot 2.0 and its parameters, such as media type, language code, icon width, and icon height.

Example:
Device(config)# wireless hotspot icon bootflash:system-file-name media-type language-code icon-width icon-height
Device(config)# wireless hotspot icon bootflash:logo1 image eng 100 200

Step 3

Configure a Hotspot 2.0 ANQP server.

Example:
Device(config)# wireless hotspot anqp-server server-name
Device(config)# wireless hotspot anqp-server my_server

Step 4

Configure a Hotspot 2.0 OSU provider name.

Example:
Device(config-wireless-anqp-server)# osu-provider osu-provider-name
Device(config-wireless-anqp-server)# osu-provider my-osu

Step 5

Configure the name of the OSU operator in a given language.

Example:
Device(config-anqp-osu-provider)# name osu-operator-name lang-code description
Device(config-anqp-osu-provider)# name xyz-oper eng xyz-operator

The OSU operator name and description should not exceed 220 characters. The language code should be 2 or 3 lower-case letters (a-z).

Step 6

Configure the server Uniform Resource Identifier (URI) of the OSU operator.

Example:
Device(config-anqp-osu-provider)# server-uri server-uri
Device(config-anqp-osu-provider)# server-uri cisco.com

Step 7

Configure the primary supported OSU method of the OSU operator.

Example:
Device(config-anqp-osu-provider)# method {oma-dm | soap-xml-spp}
Device(config-anqp-osu-provider)# method oma-dm

Step 8

Configure the Network Access Identifier (NAI) realm of the OSU operator.

Example:
Device(config-anqp-osu-provider)# nai-realm nai-realm
Device(config-anqp-osu-provider)# nai-realm cisco.com

The nai-realm should not exceed 220 characters.

Step 9

Configure the icon for the OSU provider.

Example:
Device(config-anqp-osu-provider)# icon file-name
Device(config-anqp-osu-provider)# icon xyz.jpeg

The file-name should not exceed 100 characters.


The OSU provider is configured and applied to the device, enabling wireless clients to use the Online Sign-Up service for network provisioning.

Configure Hotspot 2.0 WLAN

Set up a Hotspot 2.0 enabled WLAN to provide standardized Wi-Fi access for mobile devices.

Hotspot 2.0 WLANs enable automatic network discovery and connection for compatible devices, providing a seamless wireless experience in public and enterprise environments.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure a WLAN and enter WLAN configuration mode.

Example:
Device(config)# wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan hs2 1 hs2

Step 3

Configure random GTK for hole 196 mitigation.

Example:
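Device(config-wlan)# security wpa wpa2 gtk-randomize

Hole 196 is the name of a WPA2 vulnerability in which an authenticated client misuses the shared group temporal key (GTK) to send forged group-addressed frames to other clients on the same BSS.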

Step 4

Enable the WLAN.

Example:
Device(config-wlan)# no shutdown

The Hotspot 2.0 WLAN is configured and enabled, allowing compatible devices to automatically discover and connect to the network.

Configure an online subscription with encryption WLAN (CLI)

Enable secure onboarding for Hotspot 2.0 networks by configuring an OSEN WLAN to obtain necessary credentials.

An Online Subscription with Encryption (OSEN) WLAN is used to onboard to a Hotspot 2.0 network (to get the necessary credentials) in a secure manner.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure a WLAN and enter WLAN configuration mode.

Example:
Device(config)# wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan hs2 1 hs2

Step 3

Enable WPA OSEN security support.

Example:
Device(config-wlan)# security wpa osen

Note

 

OSEN and robust security network (RSN) are mutually exclusive. If RSN is enabled on a WLAN, OSEN cannot be enabled on the same WLAN.

Step 4

Enable the WLAN.

Example:
Device(config-wlan)# no shutdown

The OSEN WLAN is configured and enabled, allowing secure onboarding for Hotspot 2.0 network credentials. Note that you cannot apply a policy profile to the OSEN WLAN if a Hotspot 2.0 server is enabled on the WLAN.

Attach an ANQP server to a policy profile (CLI)

Enable Hotspot 2.0 functionality by attaching an ANQP server to a wireless policy profile.

ANQP (Access Network Query Protocol) servers provide network information to Hotspot 2.0 clients during the discovery and authentication process. This configuration is required for implementing Hotspot 2.0 services.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure a policy profile.

Example:
Device(config)# wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-hotspot

Step 3

Disable the policy profile.

Example:
Device(config-wireless-policy)# shutdown

Step 4

Attach the Hotspot 2.0 ANQP server to the policy profile.

Example:
Device(config-wireless-policy)# hotspot anqp-server server-name
Example:
Device(config-wireless-policy)# hotspot anqp-server my_server

Step 5

Enable the policy profile.

Example:
Device(config-wireless-policy)# no shutdown

The ANQP server is successfully attached to the policy profile. You must then attach the policy profile to the WLAN to make the WLAN Hotspot 2.0 enabled.

What to do next

Attach the policy profile to the WLAN to make the WLAN Hotspot 2.0 enabled.
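
The limits stated in the ANQP server procedure, and the server name referenced from the policy profile, can be checked offline before a configuration template is pushed to a controller. The following Python audit is an added example, not Cisco code; it assumes the template lists each command as typed in the procedures, indented under its parent command, and the sample template with its deliberate mistakes is constructed.

```python
import re
# Constructed sample template (not from a real device), assumed to list each
# command as typed in the procedure. It contains deliberate mistakes.
SAMPLE_CONFIG = """\
wireless hotspot anqp-server my_server
 3gpp-info us mcc
 domain my-domain
 operator XYZ-operator eng
 operator Other-operator eng
 roaming-oi 24AB
 venue bank English
wireless profile policy policy-hotspot
 hotspot anqp-server my-server
"""
ANQP, POLICY = ["wireless", "hotspot", "anqp-server"], ["wireless", "profile", "policy"]

def sections(text):
    """Group indented sub-commands (token lists) under each top-level command."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            out.append((line.split(), []))
        elif out:
            out[-1][1].append(line.split())
    return out

def audit_anqp(name, cmds):
    """Check one ANQP server block against the limits stated in the procedure."""
    args = lambda kw: [c[1:] for c in cmds if c[0] == kw and len(c) > 1]
    ok = lambda pattern, value: re.fullmatch(pattern, value) is not None
    domains, ois = args("domain"), args("roaming-oi")
    langs = [a[-1] for a in args("operator")]
    checks = [
        (any(len(a) != 2 or not ok(r"\d{3}", a[0]) or not ok(r"\d{2,3}", a[1])
             for a in args("3gpp-info")),
         "3gpp-info needs a 3-digit MCC and a 2- or 3-digit MNC"),
        (len(domains) > 32 or any(len(" ".join(d)) > 220 for d in domains),
         "at most 32 domain names, each up to 220 characters"),
        (any(not ok(r"[a-z]{3}", lang) for lang in langs),
         "operator language code must be three lowercase letters"),
        (len(langs) != len(set(langs)), "more than one operator for one language"),
        (any(not ok(r"[0-9a-f]+", a[0]) for a in ois),
         "roaming-oi hex string must use lowercase letters only"),
        (bool(ois) and not any(a[-1] == "beacon" for a in ois),
         "no roaming-oi carries the beacon keyword"),
        (any(len(" ".join(a[:-1])) > 220 or not ok(r"[a-z]{2,3}", a[-1])
             for a in args("venue")),
         "venue needs a name up to 220 characters and a 2-3 letter language code"),
    ]
    return [f"{name}: {msg}" for failed, msg in checks if failed]

def audit(text):
    """Audit each ANQP server and each policy profile that references one."""
    secs, found = sections(text), []
    servers = {h[3] for h, _ in secs if h[:3] == ANQP and len(h) > 3}
    for head, cmds in secs:
        if head[:3] == ANQP and len(head) > 3:
            found += audit_anqp(head[3], cmds)
        elif head[:3] == POLICY and len(head) > 3:
            found += [f"{head[3]}: hotspot anqp-server {c[2]} is not defined"
                      for c in cmds if c[:2] == ["hotspot", "anqp-server"]
                      and len(c) > 2 and c[2] not in servers]
    return found

if __name__ == "__main__": print("\n".join(audit(SAMPLE_CONFIG)))
```

A policy profile that names a server which was never defined (my-server instead of my_server in the sample) is reported alongside the per-command findings.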

Configure interworking for Hotspot 2.0

Enable Hotspot 2.0 interworking capabilities to provide seamless wireless network access for mobile devices.

Hotspot 2.0 interworking allows mobile devices to automatically discover and connect to Wi-Fi networks that provide internet access. This configuration sets up the ANQP (Access Network Query Protocol) server and defines network characteristics for Hotspot 2.0 compliance.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure a Hotspot 2.0 ANQP server.

Example:
Device(config)# wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server

Step 3

Configure an 802.11u network type.

Example:
Device(config-wireless-anqp-server)# network-type network-type internet-access access-level
Example:
Device(config-wireless-anqp-server)# network-type guest-private internet-access allowed

The access-level can be allowed or forbidden.

Step 4

(Optional) Configure a homogeneous extended service set.

Example:
Device(config-wireless-anqp-server)# hessid HESSID-value
Example:
Device(config-wireless-anqp-server)# hessid 12.13.14

Step 5

Select a group type and venue type from the list of available options.

Example:
Device(config-wireless-anqp-server)# group venue-group venue-type
Example:
Device(config-wireless-anqp-server)# group business bank

Hotspot 2.0 interworking is now configured with the specified ANQP server, network type, and venue information, enabling automatic network discovery and connection for compatible mobile devices.

Configure the Generic Advertisement Service rate limit (CLI)

Control the rate of Generic Advertisement Services (GAS) request action frames to prevent network congestion and optimize performance.

GAS rate limiting helps manage the volume of hotspot service requests processed by the controller and APs, ensuring stable network performance in high-density environments.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure an AP profile and enter AP profile configuration mode.

Example:
Device(config)# ap profile profile-name
Example:
Device(config)# ap profile hs2-profile

Step 3

Configure the number of Generic Advertisement Services (GAS) request action frames sent to the controller by an AP in a given interval.

Example:
Device(config-ap-profile)# gas-ap-rate-limit request-number interval
Example:
Device(config-ap-profile)# gas-ap-rate-limit 20 120

Step 4

Return to global configuration mode.

Example:
Device(config-ap-profile)# exit

Step 5

Configure the number of GAS request action frames to be processed by the controller.

Example:
Device(config)# wireless hotspot gas-rate-limit gas-requests-to-process
Example:
Device(config)# wireless hotspot gas-rate-limit 100

The GAS rate limiting is configured to control the processing of hotspot service requests at both the AP and controller levels.

Verify Hotspot 2.0 configuration

Use these show commands to verify the quality of service (QoS) and AP GAS rate limit.

To view whether a QoS map ID is user configured or the default one, use this command:

Device# show ap profile <profile name> detailed

QoS Map                       : user-configured

To view the QoS map values used and their source, use this command:

Device# show ap profile <profile name> qos-map  

QoS Map                       : default
DSCP ranges to User Priorities
 User Priority   DSCP low   DSCP high   Upstream UP to DSCP
-----------------------------------------------------------
             0          0           7                     0
             2         16          23                    10
             3         24          31                    18
             4         32          39                    26
             5         40          47                    34
             6         48          55                    46
             7         56          63                    48

DSCP to UP mapping exceptions
 DSCP   User Priority
---------------------
    0               0
    2               1
    4               1
    6               1
   10               2
   12               2
   14               2
   18               3
   20               3
   22               3

To view the AP rate limiter configuration, use this command:

Device# show ap name AP0462.73e8.f2c0 config general | i GAS

GAS rate limit Admin status                     : Enabled
Number of GAS request per interval              : 30
GAS rate limit interval (msec)                  : 100