| technical:pp-openwrt [2025/07/04 06:30] – system | technical:pp-openwrt [2025/07/06 19:58] (current) – [Technical detail] system | ||
|---|---|---|---|
| Line 7: | Line 7: | ||
| ====== WAN through Hotspot 2.0/ | ====== WAN through Hotspot 2.0/ | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * Not all WiFi devices support WPA2 Enterprise security, which uses a username and password or certificates. | + |  | 
| - | * To address this potential issue, we developed a solution. | + |  | 
| + | * WPA2 Enterprise security typically involves | ||
| + | * Most printers, gaming consoles or IoT equipment only support WPA Personal. | ||
| + | * Should the need arise for them to also join an enterprise network | ||
| * This page provides a more detailed explanation of our solution. | * This page provides a more detailed explanation of our solution. | ||
| {{ : | {{ : | ||
| ===== The Eduroam Travel Router ===== | ===== The Eduroam Travel Router ===== | ||
| - | Consider the following practical example. | + | {{: | 
| + | **<color #00a2e8>Consider the following practical example.</ | ||
| * Meet Tim. | * Meet Tim. | ||
| * Tim is the network administrator of a big university somewhere in Europe. | * Tim is the network administrator of a big university somewhere in Europe. | ||
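Review bot: the new bullet "Most printers, gaming consoles or IoT equipment only support WPA Personal" overstates the case; a fair number of printers and similar devices do ship with 802.1X/EAP support, so "many" reads more accurately than "most" and keeps the motivation honest. The bullet this revision removes spelled out what WPA2 Enterprise uses (a username and password or certificates); make sure the replacement bullet "WPA2 Enterprise security typically involves ..." still says so, because the rest of the page (EAP-TTLS with identity and password, a CA certificate) assumes the reader knows it.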
| Line 24: | Line 28: | ||
| {{ : | {{ : | ||
| + | |||
| + | <WRAP center round tip 100%> | ||
| + | * Many travel routers allow you to have a WPA2 Enterprise uplink. | ||
| + | * We don't know of any centrally managed travel routers that <color # | ||
| + | </ | ||
| + | |||
| ===== Acknowledgement ===== | ===== Acknowledgement ===== | ||
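Review bot: the tip's first bullet ("Many travel routers allow you to have a WPA2 Enterprise uplink") concedes the plain WPA2 Enterprise case, so the sentence that follows ("We don't know of any centrally managed travel routers that ...") has to carry the whole differentiator; state it explicitly as the combination of a Passpoint / Hotspot 2.0 uplink and central management from RADIUSdesk/MESHdesk, which is exactly what the rest of this revision adds, otherwise the tip reads as if the project is just one more travel router.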
| Line 29: | Line 39: | ||
| * https:// | * https:// | ||
| * https:// | * https:// | ||
| + | |||
| + | ------------ | ||
| + | |||
| + | ===== WPA-ENTERPRISE/ | ||
| + | * RADIUSdesk now have a WPA-ENTERPRISE/ | ||
| + | ==== WPA-Enterprise Uplink ==== | ||
| + | {{: | ||
| + | |||
| + | ------ | ||
| + | |||
| + | ==== Passpoint / Hotspot 2.0 Uplink ==== | ||
| + | {{: | ||
| + | |||
| + | ------ | ||
| + | |||
| + | ==== Assigning the Uplink ==== | ||
| + | {{: | ||
| + | |||
| + | ----- | ||
| + | |||
| + | ==== Connected ==== | ||
| + | {{: | ||
| + | |||
| + | ----- | ||
| + | ===== Technical detail ===== | ||
| + | * When you select a specific uplink, the detail for that uplink will be assigned to the AP or mesh node when it fetched its settings. | ||
| + | * The MESHdesk firmware contains a modified **/ | ||
| + | * One very important item to remember if you are security conscious it the **Domain Suffix Match**. This protects you against **Evil Twin** attacks. | ||
| + | * Lets look at some sample configs and feedback from the logread command. | ||
| + | |||
| + | -------- | ||
| + | |||
| + | ==== Building the firmware ==== | ||
| + | * You can follow the firmware building instructions as stipulated for the normal MESHdesk firmware on OpenWrt. | ||
| + | * There are just two deviations: | ||
| + | * Use the **wpad-ssl (full)** package instead of **wpad (full)** package under **Network -> WirelessAPD**. | ||
| + | * Under the openwrt/ | ||
| + | * Copy the / | ||
| + | ==== Passpoint / Hotspot 2.0 ==== | ||
| + | * The / | ||
| + | <code bash> | ||
| + | config wifi-iface ' | ||
| + | option ifname ' | ||
| + | option disabled ' | ||
| + | option encryption ' | ||
| + | option identity ' | ||
| + | option mode ' | ||
| + | option ca_cert_usesystem ' | ||
| + | option ieee80211w ' | ||
| + | option ssid ' | ||
| + | option iw_rcois ' | ||
| + | option device ' | ||
| + | option anonymous_identity ' | ||
| + | option password ' | ||
| + | option eap_type ' | ||
| + | option iw_enabled ' | ||
| + | option network ' | ||
| + | option auth ' | ||
| + | </ | ||
| + | * hostapd.sh then generates **/ | ||
| + | <code bash> | ||
| + | |||
| + | country=ZA | ||
| + | interworking=1 | ||
| + | hs20=1 | ||
| + | auto_interworking=1 | ||
| + | |||
| + | cred={ | ||
| + | roaming_consortiums=" | ||
| + | ca_cert="/ | ||
| + | username=" | ||
| + | password=" | ||
| + | phase2=" | ||
| + | eap=TTLS | ||
| + | } | ||
| + | |||
| + | network={ | ||
| + | scan_ssid=1 | ||
| + | ssid=" | ||
| + | key_mgmt=WPA-EAP WPA-EAP-SHA256 | ||
| + | ca_cert="/ | ||
| + | identity=" | ||
| + | anonymous_identity=" | ||
| + | password=" | ||
| + | phase2=" | ||
| + | eap=TTLS | ||
| + | proto=RSN | ||
| + | ieee80211w=1 | ||
| + | beacon_int=100 | ||
| + | } | ||
| + | </ | ||
| + | * And here is the output of **logread** | ||
| + | <code bash> | ||
| + | Fri Jul  4 06:56:22 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.702035] wbw: authenticate with 80: | ||
| + | Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.710213] wbw: send auth to 80: | ||
| + | Fri Jul 4 06:56:23 2025 kern.info kernel: [ 211.721862] wbw: authenticated | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.749689] wbw: associate with 80: | ||
| + | Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.779748] wbw: RX AssocResp from 80: | ||
| + | Fri Jul 4 06:56:23 2025 kern.info kernel: [ 211.787772] wbw: associated | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice netifd: Network device ' | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice netifd: Interface ' | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice netifd: Interface ' | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | </ | ||
| + | * As you can see the AP does a GAS query to locate the SSID it needs to connect to. | ||
| + | |||
| + | ------ | ||
| + | |||
| + | ==== WPA2 Enterprise ==== | ||
| + | * The / | ||
| + | |||
| + | <code bash> | ||
| + | |||
| + | config wifi-iface ' | ||
| + | option ifname ' | ||
| + | option disabled ' | ||
| + | option encryption ' | ||
| + | option identity ' | ||
| + | option mode ' | ||
| + | option ca_cert_usesystem ' | ||
| + | option ssid ' | ||
| + | option device ' | ||
| + | option anonymous_identity ' | ||
| + | option password ' | ||
| + | option eap_type ' | ||
| + | option network ' | ||
| + | option auth ' | ||
| + | </ | ||
| + | |||
| + | * hostapd.sh then generates **/ | ||
| + | |||
| + | <code bash> | ||
| + | |||
| + | country=ZA | ||
| + | network={ | ||
| + | scan_ssid=1 | ||
| + | ssid=" | ||
| + | key_mgmt=WPA-EAP | ||
| + | ca_cert="/ | ||
| + | identity=" | ||
| + | anonymous_identity=" | ||
| + | password=" | ||
| + | phase2=" | ||
| + | eap=TTLS | ||
| + | proto=RSN | ||
| + | beacon_int=100 | ||
| + | } | ||
| + | |||
| + | </ | ||
| + | * And here is the output of **logread** | ||
| + | <code bash> | ||
| + | Fri Jul  4 07:05:56 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.891059] wbw: authenticate with 80: | ||
| + | Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.899143] wbw: send auth to 80: | ||
| + | Fri Jul 4 07:05:57 2025 kern.info kernel: [ 216.909477] wbw: authenticated | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.940594] wbw: associate with 80: | ||
| + | Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.952689] wbw: RX AssocResp from 80: | ||
| + | Fri Jul 4 07:05:57 2025 kern.info kernel: [ 216.960814] wbw: associated | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice netifd: Network device ' | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice netifd: Interface ' | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice netifd: Interface ' | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: | ||
| + | </ | ||
| + | |||
| + | ------- | ||
| + | |||
| + | |||
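Review bot: the "Technical detail" bullet names Domain Suffix Match as the one setting that protects against Evil Twin attacks, but neither generated wpa_supplicant profile shows it. The Passpoint `cred={ ... }` and `network={ ... }` blocks and the WPA2 Enterprise `network={ ... }` block carry `ca_cert=`, `identity=`, `anonymous_identity=`, `password=`, `phase2=` and `eap=TTLS` and nothing that pins the server name, so as published the samples only trust whatever `ca_cert=` points at (the UCI stanzas have `option ca_cert_usesystem`, which, if set to 1, makes OpenWrt's hostapd.sh select the system CA bundle), and any server certificate chaining to that trust anchor would be accepted. Add a `domain_suffix_match="..."` line (and, for the Passpoint cred block, the home `domain="..."`) to both samples so the text and the configs agree, and show the corresponding UCI option in the /etc/config/wireless stanzas so readers know where it comes from. Second point: the WPA2 Enterprise profile has `key_mgmt=WPA-EAP` and no `ieee80211w` line, while the Passpoint profile sets `key_mgmt=WPA-EAP WPA-EAP-SHA256` and `ieee80211w=1`; either add `option ieee80211w` to the WPA2 Enterprise UCI stanza so hostapd.sh emits it, or say why management frame protection is deliberately off on that uplink. Minor: "it the Domain Suffix Match" should read "is the Domain Suffix Match", and since both UCI stanzas and both generated profiles print `password=` in the clear, confirm the published values are placeholders before this goes live.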