Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
technical:pp-openwrt [2025/07/04 13:58] systemtechnical:pp-openwrt [2025/07/06 19:58] (current) – [Technical detail] system
Line 7: Line 7:
 ====== WAN through Hotspot 2.0/Passpoint ====== ====== WAN through Hotspot 2.0/Passpoint ======
 ===== Introduction ===== ===== Introduction =====
 +  * Hotspot 2.0/Passpoint uses WPA2/3 Enterprise security to authenticate users.
   * Not all WiFi devices support WPA2 Enterprise security.   * Not all WiFi devices support WPA2 Enterprise security.
-  * WPA2 Enterprise security involves a username and password or certificates.+  * WPA2 Enterprise security typically involves a username and password or certificates.
   * Most printers, gaming consoles or IoT equipment only support WPA Personal.   * Most printers, gaming consoles or IoT equipment only support WPA Personal.
   * Should the need arise for them to also join an enterprise network we developed a central managed solution that can act as a bridge.   * Should the need arise for them to also join an enterprise network we developed a central managed solution that can act as a bridge.
Line 15: Line 16:
  
 ===== The Eduroam Travel Router ===== ===== The Eduroam Travel Router =====
-Consider the following practical example.+{{:technical:pp_profiles:tr-1200.png|}} 
 +**<color #00a2e8>Consider the following practical example.</color>**
   * Meet Tim.   * Meet Tim.
   * Tim is the network administrator of a big university somewhere in Europe.   * Tim is the network administrator of a big university somewhere in Europe.
Line 26: Line 28:
  
 {{ :technical:pp_profiles:eduroam_travel_router_-_visual_selection.svg |}} {{ :technical:pp_profiles:eduroam_travel_router_-_visual_selection.svg |}}
 +
 +<WRAP center round tip 100%>
 +  * Many travel routers allow you to have a WPA2 Enterprise uplink.
 +  * We don't know of any centrally managed travel routers that <color #ff7f27>supports Hotspot 2.0 uplinks</color> besides the ones managed by APdesk and MESHdesk.
 +</WRAP>
 +
  
 ===== Acknowledgement ===== ===== Acknowledgement =====
Line 31: Line 39:
   * https://github.com/hgot07/openwrt-passpoint   * https://github.com/hgot07/openwrt-passpoint
   * https://simeononsecurity.com/guides/unlock-seamless-connectivity-hotspot-2.0-openwrt/   * https://simeononsecurity.com/guides/unlock-seamless-connectivity-hotspot-2.0-openwrt/
 +
 +------------
 +
 +===== WPA-ENTERPRISE/HS2.0 UPLINKS =====
 +  * RADIUSdesk now have a WPA-ENTERPRISE/HS2.0 UPLINKS applet that makes the management of WPA-Enterprise and Hotspot 2.0 uplinks a breeze.
 +==== WPA-Enterprise Uplink ====
 +{{:technical:pp_profiles:wpa-enterprise-uplink.png|}}
 +
 +------
 +
 +==== Passpoint / Hotspot 2.0 Uplink ====
 +{{:technical:pp_profiles:passpoint-uplink.png|}}
 +
 +------
 +
 +==== Assigning the Uplink ====
 +{{:technical:pp_profiles:assing-uplink.png|}}
 +
 +-----
 +
 +==== Connected ====
 +{{:technical:pp_profiles:tr-passpoint.png|}}
 +
 +-----
 +===== Technical detail =====
 +  * When you select a specific uplink, the detail for that uplink will be assigned to the AP or mesh node when it fetched its settings.
 +  * The MESHdesk firmware contains a modified **/lib/netifd/hostapd.sh** file that allows the AP to be able to connect to Hotspot 2.0 networks.
 +  * One very important item to remember if you are security conscious it the **Domain Suffix Match**. This protects you against **Evil Twin** attacks.
 +  * Lets look at some sample configs and feedback from the logread command.
 +
 +--------
 +
 +==== Building the firmware ====
 +  * You can follow the firmware building instructions as stipulated for the normal MESHdesk firmware on OpenWrt.
 +  * There are just two deviations:
 +    * Use the **wpad-ssl (full)** package instead of **wpad (full)** package under **Network -> WirelessAPD**.
 +    * Under the openwrt/files folder, create the **/lib/netifd/** directory.
 +    * Copy the /openwrt-meshdesk/passpoint_client/24.10/hostapd.sh file in there as a drop in replacement. This is so that the access point can run a Hotspot 2.0 / Passpoint uplink. 
 +==== Passpoint / Hotspot 2.0 ====
 +  * The /etc/config/wireless part
 +<code bash>
 +config wifi-iface 'web_by_w'
 + option ifname 'wbw'
 + option disabled '0'
 + option encryption 'wpa2'
 + option identity 'koos@hotspottwo'
 + option mode 'sta'
 + option ca_cert_usesystem '1'
 + option ieee80211w '1'
 + option ssid '_Passpoint'
 + option iw_rcois 'ABCD1234'
 + option device 'radio0'
 + option anonymous_identity 'anonymous@uam.mesh-manager.com'
 + option password 'testing123'
 + option eap_type 'ttls'
 + option iw_enabled '1'
 + option network 'web_by_w'
 + option auth 'PAP'
 +</code>
 +  * hostapd.sh then generates **/tmp/run/wpa_supplicant-wbw.conf**
 +<code bash>
 +
 +country=ZA
 +interworking=1
 +hs20=1
 +auto_interworking=1
 +
 +cred={
 +    roaming_consortiums="ABCD1234"
 + ca_cert="/etc/ssl/certs/ca-certificates.crt"
 + username="koos@hotspottwo"
 + password="testing123"
 + phase2="auth=PAP"
 + eap=TTLS
 +}
 +
 +network={
 + scan_ssid=1
 + ssid="_Passpoint"
 + key_mgmt=WPA-EAP WPA-EAP-SHA256
 + ca_cert="/etc/ssl/certs/ca-certificates.crt"
 + identity="koos@hotspottwo"
 + anonymous_identity="anonymous@uam.mesh-manager.com"
 + password="testing123"
 + phase2="auth=PAP"
 + eap=TTLS
 + proto=RSN
 + ieee80211w=1
 + beacon_int=100
 +}
 +</code>
 +  * And here is the output of **logread**
 +<code bash>
 +Fri Jul  4 06:56:22 2025 daemon.notice wpa_supplicant[2163]: wbw: Starting ANQP fetch for 80:af:ca:18:22:48 (HESSID 00:00:00:01:02:03)
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: GAS-QUERY-START addr=80:af:ca:18:22:48 dialog_token=100 freq=2462
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: GAS-QUERY-DONE addr=80:af:ca:18:22:48 dialog_token=100 freq=2462 status_code=0 result=SUCCESS
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: RX-ANQP 80:af:ca:18:22:48 ANQP Capability list
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: RX-HS20-ANQP 80:af:ca:18:22:48 HS Capability List
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: ANQP-QUERY-DONE addr=80:af:ca:18:22:48 result=SUCCESS
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: ANQP fetch completed
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: INTERWORKING-AP 80:af:ca:18:22:48 type=unknown id=1 priority=0 sp_priority=0
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: INTERWORKING-SELECTED 80:af:ca:18:22:48
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: SME: Trying to authenticate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.702035] wbw: authenticate with 80:af:ca:18:22:48 (local address=82:af:ca:6d:64:d0)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.710213] wbw: send auth to 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.721862] wbw: authenticated
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: Trying to associate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.749689] wbw: associate with 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.779748] wbw: RX AssocResp from 80:af:ca:18:22:48 (capab=0x1431 status=0 aid=1)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.787772] wbw: associated
 +Fri Jul  4 06:56:23 2025 daemon.notice netifd: Network device 'wbw' link is up
 +Fri Jul  4 06:56:23 2025 daemon.notice netifd: Interface 'web_by_w' has link connectivity
 +Fri Jul  4 06:56:23 2025 daemon.notice netifd: Interface 'web_by_w' is setting up now
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: Associated with 80:af:ca:18:22:48
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-STARTED EAP authentication started
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
 +</code>
 +  * As you can see the AP does a GAS query to locate the SSID it needs to connect to.
 +
 +------
 +
 +==== WPA2 Enterprise ====
 +  * The /etc/config/wireless part
 +
 +<code bash>
 +
 +config wifi-iface 'web_by_w'
 + option ifname 'wbw'
 + option disabled '0'
 + option encryption 'wpa2'
 + option identity 'frikkie@hotspottwo'
 + option mode 'sta'
 + option ca_cert_usesystem '1'
 + option ssid 'Passpoint'
 + option device 'radio0'
 + option anonymous_identity 'anonymous@uam.mesh-manager.com'
 + option password 'testing123'
 + option eap_type 'ttls'
 + option network 'web_by_w'
 + option auth 'PAP'
 +</code>
 +
 +    * hostapd.sh then generates **/tmp/run/wpa_supplicant-wbw.conf**
 +
 +<code bash>
 +
 +country=ZA
 +network={
 + scan_ssid=1
 + ssid="Passpoint"
 + key_mgmt=WPA-EAP
 + ca_cert="/etc/ssl/certs/ca-certificates.crt"
 + identity="frikkie@hotspottwo"
 + anonymous_identity="anonymous@uam.mesh-manager.com"
 + password="testing123"
 + phase2="auth=PAP"
 + eap=TTLS
 + proto=RSN
 + beacon_int=100
 +}
 +
 +</code>
 +  * And here is the output of **logread**
 +<code bash>
 +Fri Jul  4 07:05:56 2025 daemon.notice wpa_supplicant[2163]: wbw: SME: Trying to authenticate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.891059] wbw: authenticate with 80:af:ca:18:22:48 (local address=82:af:ca:6d:64:d0)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.899143] wbw: send auth to 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.909477] wbw: authenticated
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: Trying to associate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.940594] wbw: associate with 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.952689] wbw: RX AssocResp from 80:af:ca:18:22:48 (capab=0x1431 status=0 aid=1)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.960814] wbw: associated
 +Fri Jul  4 07:05:57 2025 daemon.notice netifd: Network device 'wbw' link is up
 +Fri Jul  4 07:05:57 2025 daemon.notice netifd: Interface 'web_by_w' has link connectivity
 +Fri Jul  4 07:05:57 2025 daemon.notice netifd: Interface 'web_by_w' is setting up now
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: Associated with 80:af:ca:18:22:48
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-STARTED EAP authentication started
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
 +</code>
 +
 +-------
 +
 +
  
    
  
  
  • technical/pp-openwrt.1751630314.txt.gz
  • Last modified: 2025/07/04 13:58
  • by system