Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
technical:pp-openwrt [2025/07/04 15:09] systemtechnical:pp-openwrt [2025/07/06 19:58] (current) – [Technical detail] system
Line 7: Line 7:
 ====== WAN through Hotspot 2.0/Passpoint ====== ====== WAN through Hotspot 2.0/Passpoint ======
 ===== Introduction ===== ===== Introduction =====
 +  * Hotspot 2.0/Passpoint uses WPA2/3 Enterprise security to authenticate users.
   * Not all WiFi devices support WPA2 Enterprise security.   * Not all WiFi devices support WPA2 Enterprise security.
-  * WPA2 Enterprise security involves a username and password or certificates.+  * WPA2 Enterprise security typically involves a username and password or certificates.
   * Most printers, gaming consoles or IoT equipment only support WPA Personal.   * Most printers, gaming consoles or IoT equipment only support WPA Personal.
   * Should the need arise for them to also join an enterprise network we developed a central managed solution that can act as a bridge.   * Should the need arise for them to also join an enterprise network we developed a central managed solution that can act as a bridge.
Line 66: Line 67:
   * The MESHdesk firmware contains a modified **/lib/netifd/hostapd.sh** file that allows the AP to be able to connect to Hotspot 2.0 networks.   * The MESHdesk firmware contains a modified **/lib/netifd/hostapd.sh** file that allows the AP to be able to connect to Hotspot 2.0 networks.
   * One very important item to remember if you are security conscious it the **Domain Suffix Match**. This protects you against **Evil Twin** attacks.   * One very important item to remember if you are security conscious it the **Domain Suffix Match**. This protects you against **Evil Twin** attacks.
-  * Lets look at some sample configs ant feedback form the logread command.+  * Lets look at some sample configs and feedback from the logread command.
  
 -------- --------
 +
 +==== Building the firmware ====
 +  * You can follow the firmware building instructions as stipulated for the normal MESHdesk firmware on OpenWrt.
 +  * There are just two deviations:
 +    * Use the **wpad-ssl (full)** package instead of **wpad (full)** package under **Network -> WirelessAPD**.
 +    * Under the openwrt/files folder, create the **/lib/netifd/** directory.
 +    * Copy the /openwrt-meshdesk/passpoint_client/24.10/hostapd.sh file in there as a drop in replacement. This is so that the access point can run a Hotspot 2.0 / Passpoint uplink. 
 ==== Passpoint / Hotspot 2.0 ==== ==== Passpoint / Hotspot 2.0 ====
 +  * The /etc/config/wireless part
 +<code bash>
 +config wifi-iface 'web_by_w'
 + option ifname 'wbw'
 + option disabled '0'
 + option encryption 'wpa2'
 + option identity 'koos@hotspottwo'
 + option mode 'sta'
 + option ca_cert_usesystem '1'
 + option ieee80211w '1'
 + option ssid '_Passpoint'
 + option iw_rcois 'ABCD1234'
 + option device 'radio0'
 + option anonymous_identity 'anonymous@uam.mesh-manager.com'
 + option password 'testing123'
 + option eap_type 'ttls'
 + option iw_enabled '1'
 + option network 'web_by_w'
 + option auth 'PAP'
 +</code>
 +  * hostapd.sh then generates **/tmp/run/wpa_supplicant-wbw.conf**
 +<code bash>
  
 +country=ZA
 +interworking=1
 +hs20=1
 +auto_interworking=1
 +
 +cred={
 +    roaming_consortiums="ABCD1234"
 + ca_cert="/etc/ssl/certs/ca-certificates.crt"
 + username="koos@hotspottwo"
 + password="testing123"
 + phase2="auth=PAP"
 + eap=TTLS
 +}
 +
 +network={
 + scan_ssid=1
 + ssid="_Passpoint"
 + key_mgmt=WPA-EAP WPA-EAP-SHA256
 + ca_cert="/etc/ssl/certs/ca-certificates.crt"
 + identity="koos@hotspottwo"
 + anonymous_identity="anonymous@uam.mesh-manager.com"
 + password="testing123"
 + phase2="auth=PAP"
 + eap=TTLS
 + proto=RSN
 + ieee80211w=1
 + beacon_int=100
 +}
 +</code>
 +  * And here is the output of **logread**
 +<code bash>
 +Fri Jul  4 06:56:22 2025 daemon.notice wpa_supplicant[2163]: wbw: Starting ANQP fetch for 80:af:ca:18:22:48 (HESSID 00:00:00:01:02:03)
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: GAS-QUERY-START addr=80:af:ca:18:22:48 dialog_token=100 freq=2462
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: GAS-QUERY-DONE addr=80:af:ca:18:22:48 dialog_token=100 freq=2462 status_code=0 result=SUCCESS
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: RX-ANQP 80:af:ca:18:22:48 ANQP Capability list
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: RX-HS20-ANQP 80:af:ca:18:22:48 HS Capability List
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: ANQP-QUERY-DONE addr=80:af:ca:18:22:48 result=SUCCESS
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: ANQP fetch completed
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: INTERWORKING-AP 80:af:ca:18:22:48 type=unknown id=1 priority=0 sp_priority=0
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: INTERWORKING-SELECTED 80:af:ca:18:22:48
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: SME: Trying to authenticate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.702035] wbw: authenticate with 80:af:ca:18:22:48 (local address=82:af:ca:6d:64:d0)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.710213] wbw: send auth to 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.721862] wbw: authenticated
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: Trying to associate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.749689] wbw: associate with 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.779748] wbw: RX AssocResp from 80:af:ca:18:22:48 (capab=0x1431 status=0 aid=1)
 +Fri Jul  4 06:56:23 2025 kern.info kernel: [  211.787772] wbw: associated
 +Fri Jul  4 06:56:23 2025 daemon.notice netifd: Network device 'wbw' link is up
 +Fri Jul  4 06:56:23 2025 daemon.notice netifd: Interface 'web_by_w' has link connectivity
 +Fri Jul  4 06:56:23 2025 daemon.notice netifd: Interface 'web_by_w' is setting up now
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: Associated with 80:af:ca:18:22:48
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-STARTED EAP authentication started
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
 +Fri Jul  4 06:56:23 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
 +</code>
 +  * As you can see the AP does a GAS query to locate the SSID it needs to connect to.
  
 ------ ------
  
 ==== WPA2 Enterprise ==== ==== WPA2 Enterprise ====
 +  * The /etc/config/wireless part
 +
 +<code bash>
 +
 +config wifi-iface 'web_by_w'
 + option ifname 'wbw'
 + option disabled '0'
 + option encryption 'wpa2'
 + option identity 'frikkie@hotspottwo'
 + option mode 'sta'
 + option ca_cert_usesystem '1'
 + option ssid 'Passpoint'
 + option device 'radio0'
 + option anonymous_identity 'anonymous@uam.mesh-manager.com'
 + option password 'testing123'
 + option eap_type 'ttls'
 + option network 'web_by_w'
 + option auth 'PAP'
 +</code>
 +
 +    * hostapd.sh then generates **/tmp/run/wpa_supplicant-wbw.conf**
 +
 +<code bash>
 +
 +country=ZA
 +network={
 + scan_ssid=1
 + ssid="Passpoint"
 + key_mgmt=WPA-EAP
 + ca_cert="/etc/ssl/certs/ca-certificates.crt"
 + identity="frikkie@hotspottwo"
 + anonymous_identity="anonymous@uam.mesh-manager.com"
 + password="testing123"
 + phase2="auth=PAP"
 + eap=TTLS
 + proto=RSN
 + beacon_int=100
 +}
 +
 +</code>
 +  * And here is the output of **logread**
 +<code bash>
 +Fri Jul  4 07:05:56 2025 daemon.notice wpa_supplicant[2163]: wbw: SME: Trying to authenticate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.891059] wbw: authenticate with 80:af:ca:18:22:48 (local address=82:af:ca:6d:64:d0)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.899143] wbw: send auth to 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.909477] wbw: authenticated
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: Trying to associate with 80:af:ca:18:22:48 (SSID='Passpoint' freq=2462 MHz)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.940594] wbw: associate with 80:af:ca:18:22:48 (try 1/3)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.952689] wbw: RX AssocResp from 80:af:ca:18:22:48 (capab=0x1431 status=0 aid=1)
 +Fri Jul  4 07:05:57 2025 kern.info kernel: [  216.960814] wbw: associated
 +Fri Jul  4 07:05:57 2025 daemon.notice netifd: Network device 'wbw' link is up
 +Fri Jul  4 07:05:57 2025 daemon.notice netifd: Interface 'web_by_w' has link connectivity
 +Fri Jul  4 07:05:57 2025 daemon.notice netifd: Interface 'web_by_w' is setting up now
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: Associated with 80:af:ca:18:22:48
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-STARTED EAP authentication started
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
 +Fri Jul  4 07:05:57 2025 daemon.notice wpa_supplicant[2163]: wbw: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
 +</code>
  
 ------- -------
  • technical/pp-openwrt.1751634549.txt.gz
  • Last modified: 2025/07/04 15:09
  • by system