The Beacon

Wi-Fi CERTIFIED Vantage™ - Foundational Wi-Fi Alliance® technologies and future enhancements

Thomas Derham

Wi-Fi CERTIFIED Vantage™ is the new certification designation from Wi-Fi Alliance® for mobile devices and Access Points (APs) that support features needed to ensure an excellent user experience in managed Wi-Fi® networks. Last week, we explored the advantages of Wi-Fi Vantage™ in service provider networks, as well as its role in enabling Neutral Host Wi-Fi. In Part II, we’ll explore the foundational Wi-Fi Alliance technologies that are currently required for Wi-Fi Vantage certification, and future enhancements expected over the next several months.

Wi-Fi CERTIFIED Passpoint®

The Wi-Fi Vantage designation includes support for Wi-Fi CERTIFIED Passpoint (both Release 1 and Release 2). Passpoint™ is vital to the “Neutral Host” concept since it enables an end-user to discover each of the service providers by its “friendly name”, even though they are all in fact “hiding” behind the single SSID of the physical Wi-Fi deployment.

Provisioning of network access credentials

Passpoint allows each service provider a range of options as to how they provision a customer’s device (i.e. provide it the credentials that allow it to connect to the network), as follows:

  • Passpoint supports Online Signup (OSU) which allows the user’s device to be provisioned over-the-air from the Wi-Fi network itself, without requiring any other network connectivity such as cellular. The user selects the desired network, and the device securely auto-connects over Wi-Fi to a special server, providing a user interface for signup which is defined by the service provider. For example, a new user of a paid network may need to register and complete payment steps, while a new user of a free network may simply need to agree Terms & Conditions, while a subscriber to a paid video streaming service may be able to obtain free access to a paid network by logging in to their existing account. Once the signup procedure is complete, the device is provisioned with credentials in the form of a unique cryptographic certificate.
  • In other cases, provisioning of Passpoint credentials may be performed out-of-band. For example, an enterprise IT department may pre-provision devices with a profile (containing the necessary credentials) using a mobile device management tool, while an end-user may manually provision their own device with a unique username/password obtained from the service provider’s website.
  • In the case of cellular service providers, provisioning takes place when the SIM card is installed into the device (usually when the user first subscribes to the cellular service). The SIM card contains the necessary credentials, so the device is ready to use the Wi-Fi network without any further setup.

Provisioning can also include policy information which the device uses to decide which service provider to connect to (e.g. if the user has credentials to use more than one), and which Wi-Fi network to connect to if several are available. It can also specify whether or not the device should auto-connect to a service provider – if so, it enables a seamless roaming service as the user becomes automatically connected wherever their service provider offers coverage.


Once the user’s device has been provisioned (usually a one-time only procedure), it uses the credentials it possesses to connect to the Wi-Fi network and authenticate itself (i.e. prove it possesses the credentials).

The Passpoint network architecture allows the Neutral Host Wi-Fi network operator to support multiple service providers that use different provisioning and authentication methods. The operator’s network directs authentication requests to the corresponding service provider’s own AAA (Authentication, Authorization and Accounting) server, which is linked to its user database. For service providers that provide Online Signup capability, the operator also provides access to their OSU Servers. There are several excellent online resources which explain the Passpoint technical architecture in more detail.

Network security

Passpoint provides carrier-grade network security to ensure users are fully protected when using Wi-Fi Vantage networks. There are several aspects to this security as follows:

  • If the device performs online signup and connects to an OSU server, it verifies that the OSU server possesses a certificate signed by a well-known Certificate Authority (somewhat similar to a secure HTTPS website). This ensures that self-registration, which may involve payment, is always performed with their genuine service provider.
  • The Passpoint authentication process includes cryptographic verification of the network by the mobile device. The provisioned credentials provide a means for the device to check the network is genuine before it connects to it, to ensure the user never unwittingly connects to an imposter or “evil twin” network.
  • Once connected to the network, WPA2™-Enterprise link encryption is used to ensure eavesdropping cannot occur as data is sent over the air

The Passpoint network architecture ensures that, even when multiple service providers are sharing the same physical Neutral Host infrastructure, the network fully isolates all users from one another – so that it is impossible for one user to “hack” another user’s device over-the-air.

Passpoint provides the mechanisms to ensure that a given user can only access its own service provider’s services. The Neutral Host Wi-Fi operator can configure its firewall and routing functions to restrict certain services, such as exclusive digital contents and online portals, to just the customers of the corresponding service provider, which may be based on the user profile obtained from the AAA server during authentication.

The same mechanisms can also be used as the basis for seamless integration between Wi-Fi and other networks. For example, Passpoint can be used to securely authenticate users for 3GPP LTE/Wi-Fi aggregation (e.g. 3GPP LWIP and LWA), and then protect the cellular network infrastructure by only allowing customers of that cellular operator to access it.


The Wi-Fi Vantage designation also includes support for Wi-Fi CERTIFIED ac – based on the IEEE 802.11ac technology. This enables Neutral Host Wi-Fi networks to provide high capacity to simultaneously handle many different services, with peak data rates up to 866 Mbps for typical mobile devices1.

The Wi-Fi Vantage designation adds mandatory support for two additional features which enhance signal quality and maximize the coverage area of these networks. Low Density Parity Check (LDPC) forward error correction is an advanced feature that makes the Wi-Fi links stronger and more robust, while Transmit Beamforming (TxBF) enables the Access Point’s multiple antennas to shape and direct the Wi-Fi signals in space to increase the signal strength at the mobile device.  TxBF technology also employs a “sounding procedure” whereby the mobile device reports measurements of the wireless channel back to the AP, which it uses to adapt and optimize the TxBF patterns.

Future enhancements to Wi-Fi Vantage

Wi-Fi Alliance is busy at work on the technologies that will be added in the next release of Wi-Fi Vantage. Broadcom sees some candidate programs for inclusion being Multiband Operations and Optimized Connectivity Experience and both are explained further here. Wi-Fi advancements that have potential to further optimize Neutral Host Wi-Fi networks include:

  • Optimized cellular-grade handover – ensuring that users quickly and seamlessly move from one Access Point to another to maintain the best connection in mobility
  • Fast network authentication and network switching - enabling tighter and more dynamic integration with other networks such as cellular
  • Load balancing – ensuring each user has the fastest connection by enabling the network to do load balancing between all the channels and bands available
  • Support for additional bands - including Wi-Fi CERTIFIED WiGig™ in 60 GHz, providing higher capacity to support more users and demanding services, super-fast multi-Gigabit links, and longer range operation to provide continuity of service over large coverage areas
  • High density network optimizations – making Wi-Fi more robust in scenarios where the density of users and devices is high

The next-generation IEEE 802.11ax technology is also expected to bring large improvements to the performance of Neutral Host Wi-Fi networks, especially in terms of network capacity, performance and Quality of Service in dense networks, as well as improved coverage.

Wi-Fi Vantage will also be ideally suited to support 5G use cases such as augmented reality, UHD video and instant downloads, many of which require very high capacity and/or very low latency. In addition, we expect Wi-Fi Vantage will be further optimized for these use cases in the future, including higher mobility, extended coverage at high speeds, extended millimeter wave band support, enhanced interference management and Quality of Service, seamless small cell coverage, and optimizations for managed Internet of Things  applications.

Wi-Fi Vantage meets connectivity needs in managed networks now, and in the future

The launch of the Wi-Fi Vantage provides assurance to service providers and consumers of the best performance, interoperability, and a great user experience in managed networks. Wi-Fi Vantage will enable further proliferation of Neutral Host Wi-Fi deployments that provide great flexibility and efficiencies to service providers of all kinds. Wi-Fi Vantage will continue to evolve with many exciting enhancements around the corner which will ensure Wi-Fi is ready to meet all wireless connectivity needs in the future.

1Assuming 802.11ac mobile device supporting 80 MHz channel bandwidth and 2x2 MIMO (Multiple-Input Multiple-Output)


The statements and opinions by each Wi-Fi Alliance member and those providing comments are theirs alone, and do not reflect the opinions or views of Wi-Fi Alliance or any other member. Wi-Fi Alliance is not responsible for the accuracy of any of the information provided by any member in posting to or commenting on this blog. Concerns should be directed to

Add new comment

Thomas Derham

Thomas is a Senior Principal Scientist in the Wi-Fi standards team at Broadcom. He has been working in the Wi-Fi industry for 10 years and holds several patents. He is an active contributor to several Wi-Fi Alliance specifications and programs including Wi-Fi 6 and 6E, WPA3 and EasyMesh, and holds multiple task group leadership positions including Chair of Optimized Connectivity marketing, Optimized Connectivity Technical Editor, Vice Chair of Passpoint marketing, Vice Chair of Multiband Operations technical, 6 GHz AFC Technical Editor, and Americas lead of Regulatory. He is also an active participant in IEEE 802.11, contributing in particular to the 802.11ax and 802.11be amendments.