Public Guest WiFi
For decades, businesses have relied on Captive Portals to onboard and connect guests to public WiFi networks. These portals have been crucial in justifying investments in WiFi services by engaging customers, collecting first-party data, and promoting marketing programs.
However, Captive Portals have significant drawbacks, including low security and poor user experience. With the advent of MAC randomization, recognizing returning users and devices is inconsistent, leading to repetitive onboarding processes. This issue is only expected to worsen over time (see iOS 18 anticipations on this).
Moreover, as mobile networks offer better connectivity and more data allowances, fewer people are manually connecting to Captive Portal SSIDs, limiting the value of portal-based engagement to justify the WiFi service investment.
Over the years, business priorities have shifted toward delivering a great user experience, with many rolling back their guest WiFi to basic open networks to reduce customer friction in accessing WiFi. Many, however, are not ready to forgo the benefits of portals, and are still seeking solutions that offer a combination of security, seamless experience, and user engagement.
Mobile Offload and OpenRoaming challenges
Mobile offload has been a staple for decades, allowing service providers to automatically connect subscribers to federated access networks using Passpoint and SIM-based identities. Carriers use this service to offload traffic to local enterprise or carrier-managed WiFi networks.
OpenRoaming further generalizes this technology by decoupling Identity Providers (IdPs) from Access Network Providers and creating a trusted framework for seamless connectivity to third-party networks.
Passpoint-based connectivity via mobile offload or OpenRoaming provides a smooth experience for users connecting to such networks. However, enabling this service means businesses lose visibility and engagement opportunities with their customer base. While more devices connect to the network, improving traffic analytics, businesses cannot collect first-party data, drive marketing initiatives, or convey promotional content. This lack of engagement opportunity is one of the main reasons many businesses hesitate to join OpenRoaming as an Access Network Provider or enable mobile offload.
Standard Engagement Frameworks
The need for engagement and business outcomes supporting WiFi services is well-documented. The WBA's white paper, "Venue Requirements for User Engagement," outlines scenarios where businesses need specific requirements to sustain WiFi investments and the challenges of driving such business outcomes when relying on Passpoint-based connectivity.
Over the past decade, several attempts have been made to standardize solutions for maintaining engagement benefits with Passpoint-based connectivity. Passpoint R3, for example, introduced the Venue URL element, intended to convey a URL to users connected via Passpoint. However, ecosystem support is fragmented, and the way operating systems present the URL on the end-user device is not standardized.
CAPPORT (RFC 8952), a new standard architecture for improving captive portal technology, offers a more standardized way to deliver portals to clients and includes a concept similar to the Venue URL (venue-info-url). Despite significant advancements in device and OS support, in some operating systems the link to the URL is not easily accessible to the end user, which reduces its viability. Implementing CAPPORT may also require additional functional nodes on the network, posing operational challenges.
E.g. Display Venue-Info-URL in iOS on the WiFi settings screen
The following table summarizes the support of Passpoint R3 Venue URL and CAPPORT across the major operating systems:
Feature | Android | iOS | Chrome OS | MacOS | Windows |
Passpoint Release Support | R1, R2, R3 | R1 | R1 | R1 | R1, R2 |
Passpoint Venue URL | 12+ | N/A | N/A | N/A | Windows 11, version 23H2 |
CAPPORT (RFC 8952) | 11+ | N/A | 15+ | 13+ | N/A |
Until the ecosystem matures sufficiently for widespread adoption of the standard engagement solution, a viable alternative is necessary.
A Viable Solution
To address the lack of standard solutions that accommodate business requirements while elevating user experience, Cloud4Wi offers a viable solution that tackles both challenges and contributes to the ecosystem’s transition to Passpoint adoption.
Cloud4Wi has partnered and established agreements with large communication service providers and carriers (IdPs) to enable their subscriber base—hundreds of millions of individuals—to connect seamlessly to third-party enterprise Wi-Fi networks enabled by Cloud4Wi, leveraging Passpoint.
Businesses that want to participate in the program simply need to deploy a dedicated Passpoint SSID linked to Cloud4Wi AAA, alongside their existing SSIDs. Cloud4Wi’s platform identifies first-time visitors, intercepting them on a portal that businesses can freely customize for first-party data collection, consent gathering, marketing subscriptions, or content promotion.
Returning visitors connect automatically, securely, and without any portal interruption, providing a smooth experience while allowing businesses to track real-time onsite interactions of those individuals who provided proper consent. This enables businesses to drive personalized experiences and gather behavioral insights.
By joining the Cloud4Wi program, businesses manage their own first-party data and consent collection channels, becoming data controllers for their own customers’ data. Additionally, they do not have to enter into agreements individually with each third-party IdP, as Cloud4Wi acts as a broker and guarantor, enforcing the agreed service scenarios (for example, ensuring users are intercepted only according to predefined rules) and ensuring personal data protection and privacy.
How It Works
Businesses need to activate a new Passpoint SSID linked to Cloud4Wi RadSec servers. Devices with valid Passpoint identities will automatically discover, associate, and authenticate on the WiFi network upon arrival. Cloud4Wi proxies authentication requests to the appropriate IdP, and relies on a permanent anonymous ID (CUI) to distinguish first-time visitors from returning ones.
First-time visitors are intercepted on a portal for optional data collection and consent. If they provide data and consent, they are registered as Profiles in Cloud4Wi with a correlated CUI and granular consent for their data processing.
Once authorized, Cloud4Wi updates the network policy dynamically, granting internet access.
First-time visitors workflow - an Engagement Rules engine determines that the visitor (CUI) should be prompted to the Portal. The visitor engages with the Portal and optionally provides personal data and consent, resulting in a Profile. The visitor is then authorized on the network
Returning visitors connect seamlessly without interception, ensuring smooth, automatic connectivity. Based on specific agreements between IdP and ANPs, visitors may be prompted to the Portal more than once.
Visitors who provided data and proper legal consent to the ANP are matched against the Profile database, and the Cloud4Wi location engine classifies and processes their on-site events in real time. Events can be streamed out to the ANP systems, logged for batch processing, and analyzed in dedicated reports.
Returning visitors workflow - visitors are recognized by CUI, matched against the internal Profile DB (if consent has been provided) and their interactions are classified and processed
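The first-time and returning workflows above, sketched as a small decision engine. This is an added example, not Cloud4Wi code: the class, its method names, the "location" consent label, the default of one portal prompt per visitor, and the handling of a missing CUI are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class EngagementEngine:
    # realm -> portal prompts allowed per visitor (assumed IdP/ANP agreement)
    max_prompts: dict = field(default_factory=dict)
    prompts_shown: dict = field(default_factory=dict)  # (realm, cui) -> count
    profiles: dict = field(default_factory=dict)       # (realm, cui) -> consents

    def on_authenticated(self, realm, cui):
        """Decide the initial policy once the IdP has accepted the device."""
        if not cui:
            # Assumption: without a CUI the visitor cannot be recognized later,
            # so grant access and keep no state rather than prompt every visit.
            return "allow"
        key = (realm, cui)  # a CUI is only meaningful within its issuing IdP
        shown = self.prompts_shown.get(key, 0)
        if shown < self.max_prompts.get(realm, 1):
            self.prompts_shown[key] = shown + 1
            return "portal"
        return "allow"

    def on_portal_done(self, realm, cui, consents):
        """Portal step is optional: store a Profile only if consent was given."""
        if consents:
            self.profiles[(realm, cui)] = frozenset(consents)
        return "allow"  # policy is updated to grant internet access either way

    def on_site_event(self, realm, cui, kind):
        """Process an event only for Profiles that consented to tracking."""
        consents = self.profiles.get((realm, cui), frozenset())
        if "location" not in consents:
            return None  # no Profile or no consent: event is dropped
        return {"profile": (realm, cui), "event": kind}
```

The state is keyed on the realm and CUI pair rather than on the device MAC address, so recognition does not depend on MAC randomization, and a visitor who skips the portal is still connected but generates no stored events.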
Below is a demonstration of delivering a Portal after an automatic Passpoint-based association and authentication leveraging a third-party IdP (Samsung in this example)
Outputs
Businesses collect customer profiles with fully customizable portals designed to collect customer profile data, opt-ins and consents. Profiles are stored securely in Cloud4Wi and can be integrated in real-time with external systems (CRMs, CDPs, Marketing Automation, etc.).
Cloud4Wi dashboard - Profiles
For those visitors who provide specific consent, Cloud4Wi classifies their on-site interactions in real time (e.g. arrival, dwelling, leave). These can be:
- streamed in real-time toward external systems via webhooks
- classified into Visits (place, start, stop) that can be exported via APIs
- analyzed in dashboard reports to measure performance and distributions
Cloud4Wi dashboard - Events report
Outcomes
By adopting the program, businesses maximize benefits by:
- Reaching more customers. Traditionally, users need to manually connect to WiFi on their first visit to a hotspot. However, with this new framework, a significant portion of visitors are automatically connected to the WiFi and directed to the portal. This increases the number of engaged visitors, resulting in a higher volume of collected profiles and subscriptions, as well as more impressions on promotions and other content.
- Boosting real-time data intelligence. The increased number of collected visitor profiles, combined with their deterministic automatic connectivity enabled by Passpoint, enhances the accuracy and the volume of real-time on-site events collected. This results in the ability to deliver more impactful context-aware experiences and gather valuable behavioral insights.
- Enhancing user experience. Returning visitors reconnect automatically and deterministically without any portal interception, bypassing MAC-randomization challenges and offering users seamless, automatic connectivity.
- Securing access. Passpoint-based connectivity provides secure access, addressing the security gaps of open hotspot networks and reducing the risk of security incidents that could harm brand reputation.