Differences

This shows you the differences between two versions of the page.

technical:pp-android [2025/07/06 06:34] – [MgmtTree XML] systemtechnical:pp-android [2025/07/07 20:17] (current) – [HomeSP] system
Line 9: Line 9:
 ===== Introduction ===== ===== Introduction =====
   * This page will discuss the provisioning of Passpoint credentials to Android devices.   * This page will discuss the provisioning of Passpoint credentials to Android devices.
-  * The information on this page https://source.android.com/docs/core/connect/wifi-passpoint was used as a reference.+  * Information from the following URL was used as a reference: https://source.android.com/docs/core/connect/wifi-passpoint 
   * Our approach, however will be a bit more hands on by looking at a PHP script that is used to provision a Passpoint profile.    * Our approach, however will be a bit more hands on by looking at a PHP script that is used to provision a Passpoint profile. 
  
Line 95: Line 95:
         <Node>         <Node>
           <NodeName>FriendlyName</NodeName>           <NodeName>FriendlyName</NodeName>
-          <Value>WiFi-K9.5Jun24</Value>+          <Value>RADIUSdesk-HS2.0 07-Jul-25</Value>
         </Node>         </Node>
         <Node>         <Node>
Line 183: Line 183:
  
 </code> </code>
-  * It will be also base64 encrypted before it is combined with the other elements+  * It will be also base64 encoded before it is combined with the other elements
 <code php> <code php>
 $ca_64 = base64_encode($this->ca); $ca_64 = base64_encode($this->ca);
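Review bot: the encrypted-to-encoded correction is right (base64 is a reversible encoding, not encryption), but the word order in the same bullet is still off: "It will be also base64 encoded" should read "It will also be base64 encoded". The identical sentence in the Line 201 hunk needs the same fix.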
Line 201: Line 201:
 EOD;   EOD;  
 </code> </code>
-  * It will be also base64 encrypted before it is combined with the other elements+  * It will be also base64 encoded before it is combined with the other elements
 <code php> <code php>
 $home_sp_64 = base64_encode($home_sp);  $home_sp_64 = base64_encode($home_sp); 
Line 207: Line 207:
  
 === Combining and sending === === Combining and sending ===
-  * These two base64 encrypted strings is then in turn combined and base64 encrypted one last time before it is served by the web server.+  * These two base64 encoded strings is then in turn combined and base64 eencoded one last time before it is served by the web server.
   * Here we combine it:   * Here we combine it:
 <code php> <code php>
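Review bot: the replacement line introduces a typo, "base64 eencoded" should be "base64 encoded", and the subject/verb agreement is still wrong ("These two ... strings is then in turn combined"). Suggested wording: "These two base64 encoded strings are then combined and base64 encoded one last time before being served by the web server."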
Line 250: Line 250:
   * The one part is the **HomeSP**.   * The one part is the **HomeSP**.
   * The other part is the **Credential**.   * The other part is the **Credential**.
 +  * There is also an optional third part called **Extension** which we also cover later.
   * The **HomeSP** part is used by the Android to discover Hotspot 2.0 / Passpoint WiFi Access Points to connect to.   * The **HomeSP** part is used by the Android to discover Hotspot 2.0 / Passpoint WiFi Access Points to connect to.
   * When such an Access Point is found, the **Credential** part is used to try and authenticate the user.   * When such an Access Point is found, the **Credential** part is used to try and authenticate the user.
   * The **HomeSP** for all practical intend replaces the step where you would typically select or specify an SSID to connect to.   * The **HomeSP** for all practical intend replaces the step where you would typically select or specify an SSID to connect to.
 +  * There is one item however that "bleeds" from the **HomeSP** section to the **Credential** section and it can cause the authentication to fail. We will also cover this in detail on this page and what to do to fix things.
 +
 +------------
  
 ==== HomeSP ==== ==== HomeSP ====
 +  * HomeSP **have to contain** the following nodes:
 +    * **FriendlyName** Displayed by the Android installer and also when connected to the Hotspot 2.0 / Passpoint Access Point.
 +    * **FQDN** This translates to the value of Domain and or NAI Realm in Hostapd / OpenWrt. <color #ff7f27>(This is the part that you have to be careful with)</color>
 +  * HomeSP **can contain** the following node:
 +    * **RoamingConsortiumOI** This is the RCOI and one can specify multiple values separated by commas.
  
-==== Credential ====+------------- 
 + 
 +=== Credential === 
 +  * The credential section are mostly straight forward. 
 +  * There are however some items to highlight. 
 +=== Realm === 
 + 
 +  * This Realm is used in EAP authentication and is RADIUS related. 
 +  * This realm has nothing to do with the NAI Realm (or Domain) in Hotspot 2.0. (HomeSP Section) 
 +  * It might be the same value of the NAI Realm but it is not a requirement. 
 +  * When the authentication request to RADIUS starts, an anonymous identity is used. 
 +  * This is also referred to as the **Outer Identity**. 
 +  * The convention Android uses is to formulate a username anonymouns@<value of realm>
 +  * In this case it will be anonymous@mesh-manager.com. 
 +  * The EAP protocol uses this recommended convention in order to determine the destination of RADIUS proxy requests. 
 + 
 +=== Password === 
 + 
 +  * The value of the password is also base64 encoded. 
 +  * <color #00a2e8>Remember that encoded does not equal to encrypted.</color> 
 +  * It is thus very easy to get the cleartext value of the password: 
 +<code bash> 
 + echo "dGVzdGluZzEyMw==" | base64 -d 
 +</code> 
 +  * The get the base64 value of the password in turn you can use echo **with the -n switch**. 
 +<code bash> 
 +echo -n "testing123" | base64 
 +</code> 
 + 
 +=== EAPType === 
 +  * EAPType will in most cases be 21. 
 +  * This is the number that is assigned for EAP/TTLS and part of the **UsernamePassword** detail. 
 +  * With this you also have to specify the **InnerMethod** to use when you are authenticating and can be one of the following. 
 +     * PAP 
 +     * CHAP 
 +     * MS-CHAP 
 +     * or MS-CHAP-V2 
 +   * The popular ones are MS-CHAP-V2 and PAP. 
 +   * When the RADIUS server uses Active Directory, it is the best to choose MS-CHAP-V2 in order to avoid compatibility issues. 
 + 
 +=== Other Credential Options === 
 +  * There are other credential options which is good to take note of although they beyond the scope of this discussion. 
 +  * **SIM Authentication**. This will typically require collaboration with a mobile company to validate the incoming RADIUS request against their database for authentication. 
 +  * **DigitalCertificate Authentication**. This require PKI infrastructure and the management of the client certificates. 
 + 
 +------------- 
 + 
 + 
 +===== Extension - Certificate FQDN Check (Domain Suffix Match) ===== 
 +  * In WPA Supplicant we have the following option: domain_suffix_match 
 +  * If this is specified then wpa_supplicant will make sure that when the client authenticates to RADIUS that the domain name of the certificate used with EAP matches one of the specified values. 
 +  * If not it will reject the authentication. 
 +  * This is to protect against an Evil Twin scenario. 
 +  * With the Android Hotspot 2.0 setup it will take the value of FQDN under the HomeSP section as the value value for domain_suffix_match. 
 +  * This is not always the case in real life. Sometimes the certificate RADIUS used has another domain/FQDN. 
 +  * If you want to specify a different domain there is an **Extension** section. 
 + 
 +<code xml> 
 +<Node> 
 +    <NodeName>Extension</NodeName> 
 +    <Node> 
 +        <NodeName>Android</NodeName> 
 +        <Node> 
 +            <NodeName>AAAServerTrustedNames</NodeName> 
 +            <Node> 
 +                <NodeName>FQDN</NodeName> 
 +                <Value>radiusdesk.com;openwrt.org</Value> 
 +            </Node> 
 +        </Node> 
 +    </Node> 
 +</Node> 
 +</code> 
 +  * This section has to be on the same level as **HomeSP** and **Credential**.
  
  
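Review bot: the heading levels in this hunk are inconsistent with the page's own convention. "==== Credential ====" is demoted to "=== Credential ===", so Realm, Password, EAPType and Other Credential Options (all "===") now sit as siblings of Credential instead of under it, while the new "===== Extension - Certificate FQDN Check (Domain Suffix Match) =====" is raised to the same level as "===== Introduction =====" even though the text above describes Extension as the third part alongside HomeSP and Credential. Keep "==== Credential ====" and use "==== Extension ... ====" so the three parts are peers. Two statements also need reconciling: under HomeSP, FQDN "translates to the value of Domain and or NAI Realm in Hostapd / OpenWrt", but the Realm section then says the credential Realm "has nothing to do with the NAI Realm (or Domain)"; say which Hotspot 2.0 element HomeSP.FQDN is matched against and which one Credential.Realm is, rather than "and or". In the Realm bullets, it is the RADIUS server or proxy that routes on the realm of the outer identity, not "The EAP protocol"; and "anonymouns@<value of realm>" should be "anonymous@<value of realm>". Since the Password bullets show the cleartext password is trivially recoverable from the served profile, it is worth stating here that the served blob must be treated as a secret (served only over HTTPS to the intended device). Minor grammar in the added lines: "HomeSP have to contain" (has to contain), "The credential section are mostly straight forward" (is mostly straightforward), "as the value value for domain_suffix_match" (duplicated word), "Sometimes the certificate RADIUS used has another domain" (the certificate RADIUS uses), "although they beyond the scope" (they are beyond), "This require PKI infrastructure" (requires).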
  • technical/pp-android.1751776468.txt.gz
  • Last modified: 2025/07/06 06:34
  • by system