Differences

technical:pp-android [2025/07/07 19:21] – [HomeSP] systemtechnical:pp-android [2025/07/07 20:17] (current) – [HomeSP] system
Line 250: Line 250:
   * The one part is the **HomeSP**.   * The one part is the **HomeSP**.
   * The other part is the **Credential**.   * The other part is the **Credential**.
 +  * There is also an optional third part called **Extension** which we also cover later.
   * The **HomeSP** part is used by the Android to discover Hotspot 2.0 / Passpoint WiFi Access Points to connect to.   * The **HomeSP** part is used by the Android to discover Hotspot 2.0 / Passpoint WiFi Access Points to connect to.
   * When such an Access Point is found, the **Credential** part is used to try and authenticate the user.   * When such an Access Point is found, the **Credential** part is used to try and authenticate the user.
   * The **HomeSP** for all practical intend replaces the step where you would typically select or specify an SSID to connect to.   * The **HomeSP** for all practical intend replaces the step where you would typically select or specify an SSID to connect to.
-  * There is one item however that "bleeds" from the **HomeSP** section to the **Credential** section and it can cause the authentication to fail. We will also cover this in detail on this page.+  * There is one item however that "bleeds" from the **HomeSP** section to the **Credential** section and it can cause the authentication to fail. We will also cover this in detail on this page and what to do to fix things.
  
 ------------ ------------
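Review bot: the new bullet about the optional Extension part is inserted between "The one part ... The other part" and the bullets that explain those two, so the list now enumerates three parts while the opening wording still implies two; consider rewording the first bullets along the lines of "There are two mandatory parts, HomeSP and Credential, and one optional part, Extension." The rewritten "bleeds" bullet would also be clearer if it named the item: the FQDN under HomeSP, which the Extension section added later in this revision says is reused as the certificate domain_suffix_match value. In the unchanged context, "for all practical intend" should read "for all practical intents and purposes".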
Line 266: Line 267:
 ------------- -------------
  
-==== Credential ====+=== Credential ===
   * The credential section are mostly straight forward.   * The credential section are mostly straight forward.
   * There are however some items to highlight.   * There are however some items to highlight.
 === Realm === === Realm ===
  
-  * The realm has nothing to do with the NAI Realm (or Domain) in Hotspot 2.0.+  * This Realm is used in EAP authentication and is RADIUS related. 
 +  * This realm has nothing to do with the NAI Realm (or Domain) in Hotspot 2.0. (HomeSP Section)
   * It might be the same value of the NAI Realm but it is not a requirement.   * It might be the same value of the NAI Realm but it is not a requirement.
-  * This has to do with Authentication securityprotecting you from an Evil Twin setup+  * When the authentication request to RADIUS starts, an anonymous identity is used
-  * The value for realm **has to match the domain** of the CA on the RADIUS/EAP setup+  * This is also referred to as the **Outer Identity**. 
-  * If this does not match, the user will not be able to connect successfully.+  * The convention Android uses is to formulate a username anonymouns@<value of realm>
 +  * In this case it will be anonymous@mesh-manager.com. 
 +  * The EAP protocol uses this recommended convention in order to determine the destination of RADIUS proxy requests.
  
 === Password === === Password ===
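Review bot: demoting "==== Credential ====" to "=== Credential ===" places it on the same heading level as its own subsections "=== Realm ===" and "=== Password ===", so the section hierarchy is lost; keep the level the page had, or demote Realm and Password together with it. In the new Realm bullets, "anonymouns@<value of realm>" is misspelled (anonymous), and the last bullet attributes realm-based routing to "the EAP protocol" although the bullet itself speaks of RADIUS proxy requests: it is the RADIUS proxies that route on the realm part of the outer identity, so say so. Since the old "if this does not match, the user will not be able to connect" bullet was dropped, state the failure mode of the new content as well, i.e. a realm the proxies do not recognise means the request never reaches the right RADIUS server, which is what a practitioner will be debugging.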
Line 305: Line 309:
   * **SIM Authentication**. This will typically require collaboration with a mobile company to validate the incoming RADIUS request against their database for authentication.   * **SIM Authentication**. This will typically require collaboration with a mobile company to validate the incoming RADIUS request against their database for authentication.
   * **DigitalCertificate Authentication**. This require PKI infrastructure and the management of the client certificates.   * **DigitalCertificate Authentication**. This require PKI infrastructure and the management of the client certificates.
- 
  
 ------------- -------------
 +
 +
 +===== Extension - Certificate FQDN Check (Domain Suffix Match) =====
 +  * In WPA Supplicant we have the following option: domain_suffix_match
 +  * If this is specified then wpa_supplicant will make sure that when the client authenticates to RADIUS that the domain name of the certificate used with EAP matches one of the specified values.
 +  * If not it will reject the authentication.
 +  * This is to protect against an Evil Twin scenario.
 +  * With the Android Hotspot 2.0 setup it will take the value of FQDN under the HomeSP section as the value value for domain_suffix_match.
 +  * This is not always the case in real life. Sometimes the certificate RADIUS used has another domain/FQDN.
 +  * If you want to specify a different domain there is an **Extension** section.
 +
 +<code xml>
 +<Node>
 +    <NodeName>Extension</NodeName>
 +    <Node>
 +        <NodeName>Android</NodeName>
 +        <Node>
 +            <NodeName>AAAServerTrustedNames</NodeName>
 +            <Node>
 +                <NodeName>FQDN</NodeName>
 +                <Value>radiusdesk.com;openwrt.org</Value>
 +            </Node>
 +        </Node>
 +    </Node>
 +</Node>
 +</code>
 +  * This section has to be on the same level as **HomeSP** and **Credential**.
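Review bot: "as the value value for domain_suffix_match" has a duplicated word. The sample value "radiusdesk.com;openwrt.org" lists two names separated by ";" but no bullet says multiple names are allowed or what the separator is; add that after the code block. "the domain name of the certificate used with EAP" should say explicitly that this is the certificate presented by the RADIUS/EAP server, checked in addition to the CA trust, and since the heading calls it a suffix match, document whether a value such as openwrt.org also accepts a host name under that domain, otherwise readers cannot tell which value to enter. Finally, because the last bullet says the node must sit at the same level as HomeSP and Credential, showing that sibling placement in the snippet rather than the Extension subtree alone would prevent it being nested one level too deep.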
  
  
  • technical/pp-android.1751908899.txt.gz
  • Last modified: 2025/07/07 19:21
  • by system