Differences

This shows you the differences between two versions of the page.

technical:pp-android [2025/07/07 18:55] – [MgmtTree XML] system
technical:pp-android [2025/07/07 20:17] (current) – [HomeSP] system
Line 9: Line 9:
 ===== Introduction ===== ===== Introduction =====
   * This page will discuss the provisioning of Passpoint credentials to Android devices.   * This page will discuss the provisioning of Passpoint credentials to Android devices.
-  * The information on this page https://source.android.com/docs/core/connect/wifi-passpoint was used as a reference.+  * Information from the following URL was used as a reference: https://source.android.com/docs/core/connect/wifi-passpoint 
   * Our approach, however will be a bit more hands on by looking at a PHP script that is used to provision a Passpoint profile.    * Our approach, however will be a bit more hands on by looking at a PHP script that is used to provision a Passpoint profile. 
  
Line 95: Line 95:
         <Node>         <Node>
           <NodeName>FriendlyName</NodeName>           <NodeName>FriendlyName</NodeName>
-          <Value>WiFi-K9.5Jun24</Value>+          <Value>RADIUSdesk-HS2.0 07-Jul-25</Value>
         </Node>         </Node>
         <Node>         <Node>
Line 250: Line 250:
   * The one part is the **HomeSP**.   * The one part is the **HomeSP**.
   * The other part is the **Credential**.   * The other part is the **Credential**.
 +  * There is also an optional third part called **Extension** which we also cover later.
   * The **HomeSP** part is used by the Android to discover Hotspot 2.0 / Passpoint WiFi Access Points to connect to.   * The **HomeSP** part is used by the Android to discover Hotspot 2.0 / Passpoint WiFi Access Points to connect to.
   * When such an Access Point is found, the **Credential** part is used to try and authenticate the user.   * When such an Access Point is found, the **Credential** part is used to try and authenticate the user.
   * The **HomeSP** for all practical intend replaces the step where you would typically select or specify an SSID to connect to.   * The **HomeSP** for all practical intend replaces the step where you would typically select or specify an SSID to connect to.
-  * There is one item however that "bleeds" from the **HomeSP** section to the **Credential** section and it can cause the authentication to fail. We will also cover this in detail on this page.+  * There is one item however that "bleeds" from the **HomeSP** section to the **Credential** section and it can cause the authentication to fail. We will also cover this in detail on this page and what to do to fix things.
  
 ------------ ------------
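Review bot: the new **Extension** bullet does not tell the reader that this third part is Android-specific (the XML later on the page nests it under an `Android` node), whereas HomeSP and Credential are the standard parts of the subscription; suggest "There is also an optional, Android-specific third part called **Extension** which we also cover later." The extended "bleeds" bullet still does not name the item that bleeds; since the fix is now promised, naming it here (the HomeSP FQDN, which Android reuses when checking the RADIUS server certificate) saves the reader a search. Drive-by in the unchanged context: "for all practical intend" should be "for all practical intents".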
Line 260: Line 261:
   * HomeSP **have to contain** the following nodes:   * HomeSP **have to contain** the following nodes:
     * **FriendlyName** Displayed by the Android installer and also when connected to the Hotspot 2.0 / Passpoint Access Point.     * **FriendlyName** Displayed by the Android installer and also when connected to the Hotspot 2.0 / Passpoint Access Point.
-    * **FQDN** This translates to the value of Domain and or NAI Realm in Hostapd / OpenWrt.+    * **FQDN** This translates to the value of Domain and or NAI Realm in Hostapd / OpenWrt. <color #ff7f27>(This is the part that you have to be careful with)</color>
   * HomeSP **can contain** the following node:   * HomeSP **can contain** the following node:
     * **RoamingConsortiumOI** This is the RCOI and one can specify multiple values separated by commas.     * **RoamingConsortiumOI** This is the RCOI and one can specify multiple values separated by commas.
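Review bot: the orange "be careful" aside on the FQDN line does not say what to be careful about; state it in place: Android also uses this FQDN as the domain_suffix_match value when it validates the RADIUS/EAP server certificate, so a certificate issued under a different name fails authentication unless the Extension section overrides it. Also "Domain and or NAI Realm" should read "Domain and/or NAI Realm", and the unchanged "HomeSP **have to contain**" should be "has to contain".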
Line 266: Line 267:
 ------------- -------------
  
-==== Credential ====+=== Credential ===
   * The credential section are mostly straight forward.   * The credential section are mostly straight forward.
   * There are however some items to highlight.   * There are however some items to highlight.
 === Realm === === Realm ===
  
-  * The realm has nothing to do with the NAI Realm (or Domain) in Hotspot 2.0.+  * This Realm is used in EAP authentication and is RADIUS related. 
 +  * This realm has nothing to do with the NAI Realm (or Domain) in Hotspot 2.0. (HomeSP Section)
   * It might be the same value of the NAI Realm but it is not a requirement.   * It might be the same value of the NAI Realm but it is not a requirement.
-  * This has to do with Authentication securityprotecting you from an Evil Twin setup+  * When the authentication request to RADIUS starts, an anonymous identity is used
-  * The value for realm **has to match the domain** of the CA on the RADIUS/EAP setup+  * This is also referred to as the **Outer Identity**. 
-  * If this does not match, the user will not be able to connect successfully.+  * The convention Android uses is to formulate a username anonymouns@<value of realm>
 +  * In this case it will be anonymous@mesh-manager.com. 
 +  * The EAP protocol uses this recommended convention in order to determine the destination of RADIUS proxy requests.
  
 === Password === === Password ===
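Review bot: demoting the heading from `==== Credential ====` to `=== Credential ===` puts it on the same level as its own subsections `=== Realm ===` and `=== Password ===`, so they no longer read as children of Credential; keep `====` unless HomeSP was demoted the same way. In the new bullets, "anonymouns@<value of realm>" should be "anonymous@<value of realm>", and the last bullet attributes realm-based routing to "the EAP protocol", whereas it is the RADIUS proxy chain that forwards on the realm part of the outer identity (EAP is carried opaquely inside RADIUS); suggest "RADIUS proxies use the realm of this outer identity to decide where to forward the request". Drive-by in context: "The credential section are mostly straight forward" should be "is mostly straightforward".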
Line 305: Line 309:
   * **SIM Authentication**. This will typically require collaboration with a mobile company to validate the incoming RADIUS request against their database for authentication.   * **SIM Authentication**. This will typically require collaboration with a mobile company to validate the incoming RADIUS request against their database for authentication.
   * **DigitalCertificate Authentication**. This require PKI infrastructure and the management of the client certificates.   * **DigitalCertificate Authentication**. This require PKI infrastructure and the management of the client certificates.
- 
  
 ------------- -------------
 +
 +
 +===== Extension - Certificate FQDN Check (Domain Suffix Match) =====
 +  * In WPA Supplicant we have the following option: domain_suffix_match
 +  * If this is specified then wpa_supplicant will make sure that when the client authenticates to RADIUS that the domain name of the certificate used with EAP matches one of the specified values.
 +  * If not it will reject the authentication.
 +  * This is to protect against an Evil Twin scenario.
 +  * With the Android Hotspot 2.0 setup it will take the value of FQDN under the HomeSP section as the value value for domain_suffix_match.
 +  * This is not always the case in real life. Sometimes the certificate RADIUS used has another domain/FQDN.
 +  * If you want to specify a different domain there is an **Extension** section.
 +
 +<code xml>
 +<Node>
 +    <NodeName>Extension</NodeName>
 +    <Node>
 +        <NodeName>Android</NodeName>
 +        <Node>
 +            <NodeName>AAAServerTrustedNames</NodeName>
 +            <Node>
 +                <NodeName>FQDN</NodeName>
 +                <Value>radiusdesk.com;openwrt.org</Value>
 +            </Node>
 +        </Node>
 +    </Node>
 +</Node>
 +</code>
 +  * This section has to be on the same level as **HomeSP** and **Credential**.
  
  
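Review bot: "as the value value for domain_suffix_match" has a doubled word. The FQDN list in the XML is semicolon separated (`radiusdesk.com;openwrt.org`) while the earlier RoamingConsortiumOI bullet says comma separated; say explicitly that this node uses semicolons so readers do not copy the comma convention. "matches one of the specified values" understates what the check does: domain_suffix_match is a suffix match on the server certificate's SubjectAltName dNSName entries (falling back to the CN), compared label by label from the top-level domain, so a certificate for radius.radiusdesk.com satisfies `radiusdesk.com` while one for radiusdesk.com.example does not; one sentence on this fits well since the heading already says "Domain Suffix Match". Finally, it would help to state that when the Extension is present its FQDN list replaces the HomeSP FQDN for this check rather than being added to it, if that is the behaviour observed on the devices tested.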
  • technical/pp-android.1751907333.txt.gz
  • Last modified: 2025/07/07 18:55
  • by system