]>
Commit | Line | Data |
---|---|---|
a8a3868d JM |
1 | wpa_supplicant and Hotspot 2.0 |
2 | ============================== | |
3 | ||
4 | This document describe how the IEEE 802.11u Interworking and Wi-Fi | |
5 | Hotspot 2.0 (Release 1) implementation in wpa_supplicant can be | |
6 | configured and how an external component on the client e.g., management | |
7 | GUI or Wi-Fi framework) is used to manage this functionality. | |
8 | ||
9 | ||
10 | Introduction to Wi-Fi Hotspot 2.0 | |
11 | --------------------------------- | |
12 | ||
13 | Hotspot 2.0 is the name of the Wi-Fi Alliance specification that is used | |
14 | in the Wi-Fi CERTIFIED Passpoint<TM> program. More information about | |
15 | this is available in this white paper: | |
16 | ||
17 | http://www.wi-fi.org/knowledge-center/white-papers/wi-fi-certified-passpoint%E2%84%A2-new-program-wi-fi-alliance%C2%AE-enable-seamless | |
18 | ||
19 | The Hotspot 2.0 specification is also available from WFA: | |
20 | https://www.wi-fi.org/knowledge-center/published-specifications | |
21 | ||
22 | The core Interworking functionality (network selection, GAS/ANQP) were | |
23 | standardized in IEEE Std 802.11u-2011 which is now part of the IEEE Std | |
24 | 802.11-2012. | |
25 | ||
26 | ||
4d5bda5f JM |
27 | wpa_supplicant network selection |
28 | -------------------------------- | |
29 | ||
30 | Interworking support added option for configuring credentials that can | |
31 | work with multiple networks as an alternative to configuration of | |
32 | network blocks (e.g., per-SSID parameters). When requested to perform | |
33 | network selection, wpa_supplicant picks the highest priority enabled | |
34 | network block or credential. If a credential is picked (based on ANQP | |
35 | information from APs), a temporary network block is created | |
36 | automatically for the matching network. This temporary network block is | |
37 | used similarly to the network blocks that can be configured by the user, | |
38 | but it is not stored into the configuration file and is meant to be used | |
39 | only for temporary period of time since a new one can be created | |
40 | whenever needed based on ANQP information and the credential. | |
41 | ||
42 | By default, wpa_supplicant is not using automatic network selection | |
43 | unless requested explicitly with the interworking_select command. This | |
44 | can be changed with the auto_interworking=1 parameter to perform network | |
45 | selection automatically whenever trying to find a network for connection | |
46 | and none of the enabled network blocks match with the scan results. This | |
47 | case works similarly to "interworking_select auto", i.e., wpa_supplicant | |
48 | will internally determine which network or credential is going to be | |
49 | used based on configured priorities, scan results, and ANQP information. | |
50 | ||
51 | ||
a8a3868d JM |
52 | wpa_supplicant configuration |
53 | ---------------------------- | |
54 | ||
55 | Interworking and Hotspot 2.0 functionality are optional components that | |
56 | need to be enabled in the wpa_supplicant build configuration | |
57 | (.config). This is done by adding following parameters into that file: | |
58 | ||
59 | CONFIG_INTERWORKING=y | |
60 | CONFIG_HS20=y | |
61 | ||
62 | It should be noted that this functionality requires a driver that | |
63 | supports GAS/ANQP operations. This uses the same design as P2P, i.e., | |
64 | Action frame processing and building in user space within | |
65 | wpa_supplicant. The Linux nl80211 driver interface provides the needed | |
66 | functionality for this. | |
67 | ||
68 | ||
69 | There are number of run-time configuration parameters (e.g., in | |
70 | wpa_supplicant.conf when using the configuration file) that can be used | |
71 | to control Hotspot 2.0 operations. | |
72 | ||
73 | # Enable Interworking | |
74 | interworking=1 | |
75 | ||
76 | # Enable Hotspot 2.0 | |
77 | hs20=1 | |
78 | ||
79 | # Parameters for controlling scanning | |
80 | ||
81 | # Homogenous ESS identifier | |
82 | # If this is set, scans will be used to request response only from BSSes | |
83 | # belonging to the specified Homogeneous ESS. This is used only if interworking | |
84 | # is enabled. | |
85 | #hessid=00:11:22:33:44:55 | |
86 | ||
87 | # Access Network Type | |
88 | # When Interworking is enabled, scans can be limited to APs that advertise the | |
89 | # specified Access Network Type (0..15; with 15 indicating wildcard match). | |
90 | # This value controls the Access Network Type value in Probe Request frames. | |
91 | #access_network_type=15 | |
92 | ||
4d5bda5f JM |
93 | # Automatic network selection behavior |
94 | # 0 = do not automatically go through Interworking network selection | |
95 | # (i.e., require explicit interworking_select command for this; default) | |
96 | # 1 = perform Interworking network selection if one or more | |
97 | # credentials have been configured and scan did not find a | |
98 | # matching network block | |
99 | #auto_interworking=0 | |
100 | ||
a8a3868d JM |
101 | |
102 | Credentials can be pre-configured for automatic network selection: | |
103 | ||
104 | # credential block | |
105 | # | |
106 | # Each credential used for automatic network selection is configured as a set | |
107 | # of parameters that are compared to the information advertised by the APs when | |
108 | # interworking_select and interworking_connect commands are used. | |
109 | # | |
110 | # credential fields: | |
111 | # | |
03ed3324 JM |
112 | # temporary: Whether this credential is temporary and not to be saved |
113 | # | |
a8a3868d JM |
114 | # priority: Priority group |
115 | # By default, all networks and credentials get the same priority group | |
116 | # (0). This field can be used to give higher priority for credentials | |
117 | # (and similarly in struct wpa_ssid for network blocks) to change the | |
118 | # Interworking automatic networking selection behavior. The matching | |
119 | # network (based on either an enabled network block or a credential) | |
120 | # with the highest priority value will be selected. | |
121 | # | |
122 | # pcsc: Use PC/SC and SIM/USIM card | |
123 | # | |
124 | # realm: Home Realm for Interworking | |
125 | # | |
126 | # username: Username for Interworking network selection | |
127 | # | |
128 | # password: Password for Interworking network selection | |
129 | # | |
130 | # ca_cert: CA certificate for Interworking network selection | |
131 | # | |
132 | # client_cert: File path to client certificate file (PEM/DER) | |
133 | # This field is used with Interworking networking selection for a case | |
134 | # where client certificate/private key is used for authentication | |
135 | # (EAP-TLS). Full path to the file should be used since working | |
136 | # directory may change when wpa_supplicant is run in the background. | |
137 | # | |
138 | # Alternatively, a named configuration blob can be used by setting | |
139 | # this to blob://blob_name. | |
140 | # | |
141 | # private_key: File path to client private key file (PEM/DER/PFX) | |
142 | # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be | |
143 | # commented out. Both the private key and certificate will be read | |
144 | # from the PKCS#12 file in this case. Full path to the file should be | |
145 | # used since working directory may change when wpa_supplicant is run | |
146 | # in the background. | |
147 | # | |
148 | # Windows certificate store can be used by leaving client_cert out and | |
149 | # configuring private_key in one of the following formats: | |
150 | # | |
151 | # cert://substring_to_match | |
152 | # | |
153 | # hash://certificate_thumbprint_in_hex | |
154 | # | |
155 | # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" | |
156 | # | |
157 | # Note that when running wpa_supplicant as an application, the user | |
158 | # certificate store (My user account) is used, whereas computer store | |
159 | # (Computer account) is used when running wpasvc as a service. | |
160 | # | |
161 | # Alternatively, a named configuration blob can be used by setting | |
162 | # this to blob://blob_name. | |
163 | # | |
164 | # private_key_passwd: Password for private key file | |
165 | # | |
166 | # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format | |
167 | # | |
168 | # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> | |
169 | # format | |
170 | # | |
ac1bc549 JM |
171 | # domain_suffix_match: Constraint for server domain name |
172 | # If set, this FQDN is used as a suffix match requirement for the AAA | |
173 | # server certificate in SubjectAltName dNSName element(s). If a | |
174 | # matching dNSName is found, this constraint is met. If no dNSName | |
e24aef10 | 175 | # values are present, this constraint is matched against SubjectName CN |
ac1bc549 JM |
176 | # using same suffix match comparison. Suffix match here means that the |
177 | # host/domain name is compared one label at a time starting from the | |
178 | # top-level domain and all the labels in @domain_suffix_match shall be | |
179 | # included in the certificate. The certificate may include additional | |
180 | # sub-level labels in addition to the required labels. | |
181 | # | |
182 | # For example, domain_suffix_match=example.com would match | |
183 | # test.example.com but would not match test-example.com. | |
184 | # | |
463c8ffb | 185 | # domain: Home service provider FQDN(s) |
a8a3868d | 186 | # This is used to compare against the Domain Name List to figure out |
463c8ffb JM |
187 | # whether the AP is operated by the Home SP. Multiple domain entries can |
188 | # be used to configure alternative FQDNs that will be considered home | |
189 | # networks. | |
a8a3868d JM |
190 | # |
191 | # roaming_consortium: Roaming Consortium OI | |
192 | # If roaming_consortium_len is non-zero, this field contains the | |
193 | # Roaming Consortium OI that can be used to determine which access | |
194 | # points support authentication with this credential. This is an | |
195 | # alternative to the use of the realm parameter. When using Roaming | |
196 | # Consortium to match the network, the EAP parameters need to be | |
197 | # pre-configured with the credential since the NAI Realm information | |
198 | # may not be available or fetched. | |
199 | # | |
9b6f93e4 JM |
200 | # required_roaming_consortium: Required Roaming Consortium OI |
201 | # If required_roaming_consortium_len is non-zero, this field contains the | |
202 | # Roaming Consortium OI that is required to be advertised by the AP for | |
203 | # the credential to be considered matching. | |
204 | # | |
909a948b JM |
205 | # roaming_consortiums: Roaming Consortium OI(s) memberships |
206 | # This string field contains one or more comma delimited OIs (hexdump) | |
207 | # identifying the roaming consortiums of which the provider is a member. | |
208 | # The list is sorted from the most preferred one to the least preferred | |
209 | # one. A match between the Roaming Consortium OIs advertised by an AP and | |
210 | # the OIs in this list indicates that successful authentication is | |
211 | # possible. | |
212 | # (Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI) | |
213 | # | |
a8a3868d JM |
214 | # eap: Pre-configured EAP method |
215 | # This optional field can be used to specify which EAP method will be | |
216 | # used with this credential. If not set, the EAP method is selected | |
217 | # automatically based on ANQP information (e.g., NAI Realm). | |
218 | # | |
219 | # phase1: Pre-configure Phase 1 (outer authentication) parameters | |
220 | # This optional field is used with like the 'eap' parameter. | |
221 | # | |
222 | # phase2: Pre-configure Phase 2 (inner authentication) parameters | |
223 | # This optional field is used with like the 'eap' parameter. | |
224 | # | |
dbea8ac7 JM |
225 | # excluded_ssid: Excluded SSID |
226 | # This optional field can be used to excluded specific SSID(s) from | |
227 | # matching with the network. Multiple entries can be used to specify more | |
228 | # than one SSID. | |
229 | # | |
bc00053c JM |
230 | # roaming_partner: Roaming partner information |
231 | # This optional field can be used to configure preferences between roaming | |
232 | # partners. The field is a string in following format: | |
233 | # <FQDN>,<0/1 exact match>,<priority>,<* or country code> | |
234 | # (non-exact match means any subdomain matches the entry; priority is in | |
235 | # 0..255 range with 0 being the highest priority) | |
236 | # | |
f9cd147d JM |
237 | # update_identifier: PPS MO ID |
238 | # (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) | |
239 | # | |
aa26ba68 JM |
240 | # provisioning_sp: FQDN of the SP that provisioned the credential |
241 | # This optional field can be used to keep track of the SP that provisioned | |
242 | # the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>). | |
243 | # | |
74794891 JM |
244 | # sp_priority: Credential priority within a provisioning SP |
245 | # This is the priority of the credential among all credentials | |
5d7b1a3c | 246 | # provisioned by the same SP (i.e., for entries that have identical |
74794891 JM |
247 | # provisioning_sp value). The range of this priority is 0-255 with 0 |
248 | # being the highest and 255 the lower priority. | |
249 | # | |
4cad9df1 JM |
250 | # Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*) |
251 | # These fields can be used to specify minimum download/upload backhaul | |
252 | # bandwidth that is preferred for the credential. This constraint is | |
253 | # ignored if the AP does not advertise WAN Metrics information or if the | |
254 | # limit would prevent any connection. Values are in kilobits per second. | |
255 | # min_dl_bandwidth_home | |
256 | # min_ul_bandwidth_home | |
257 | # min_dl_bandwidth_roaming | |
258 | # min_ul_bandwidth_roaming | |
259 | # | |
a45b2dc5 JM |
260 | # max_bss_load: Maximum BSS Load Channel Utilization (1..255) |
261 | # (PPS/<X+>/Policy/MaximumBSSLoadValue) | |
262 | # This value is used as the maximum channel utilization for network | |
263 | # selection purposes for home networks. If the AP does not advertise | |
264 | # BSS Load or if the limit would prevent any connection, this constraint | |
265 | # will be ignored. | |
266 | # | |
33fb8c52 JM |
267 | # req_conn_capab: Required connection capability |
268 | # (PPS/<X+>/Policy/RequiredProtoPortTuple) | |
269 | # This value is used to configure set of required protocol/port pairs that | |
270 | # a roaming network shall support (include explicitly in Connection | |
271 | # Capability ANQP element). This constraint is ignored if the AP does not | |
272 | # advertise Connection Capability or if this constraint would prevent any | |
273 | # network connection. This policy is not used in home networks. | |
274 | # Format: <protocol>[:<comma-separated list of ports] | |
275 | # Multiple entries can be used to list multiple requirements. | |
276 | # For example, number of common TCP protocols: | |
f54e9243 | 277 | # req_conn_capab=6:22,80,443 |
33fb8c52 JM |
278 | # For example, IPSec/IKE: |
279 | # req_conn_capab=17:500 | |
280 | # req_conn_capab=50 | |
281 | # | |
cf6d08a6 JM |
282 | # ocsp: Whether to use/require OCSP to check server certificate |
283 | # 0 = do not use OCSP stapling (TLS certificate status extension) | |
284 | # 1 = try to use OCSP stapling, but not require response | |
285 | # 2 = require valid OCSP stapling response | |
286 | # | |
13f6a07e NJ |
287 | # sim_num: Identifier for which SIM to use in multi-SIM devices |
288 | # | |
a8a3868d JM |
289 | # for example: |
290 | # | |
291 | #cred={ | |
292 | # realm="example.com" | |
293 | # username="user@example.com" | |
294 | # password="password" | |
295 | # ca_cert="/etc/wpa_supplicant/ca.pem" | |
296 | # domain="example.com" | |
ac1bc549 | 297 | # domain_suffix_match="example.com" |
a8a3868d JM |
298 | #} |
299 | # | |
300 | #cred={ | |
301 | # imsi="310026-000000000" | |
302 | # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" | |
303 | #} | |
304 | # | |
305 | #cred={ | |
306 | # realm="example.com" | |
307 | # username="user" | |
308 | # password="password" | |
309 | # ca_cert="/etc/wpa_supplicant/ca.pem" | |
310 | # domain="example.com" | |
311 | # roaming_consortium=223344 | |
909a948b | 312 | # roaming_consortiums="112233,4455667788,aabbcc" |
a8a3868d JM |
313 | # eap=TTLS |
314 | # phase2="auth=MSCHAPV2" | |
315 | #} | |
316 | ||
317 | ||
318 | Control interface | |
319 | ----------------- | |
320 | ||
321 | wpa_supplicant provides a control interface that can be used from | |
322 | external programs to manage various operations. The included command | |
323 | line tool, wpa_cli, can be used for manual testing with this interface. | |
324 | ||
325 | Following wpa_cli interactive mode commands show some examples of manual | |
326 | operations related to Hotspot 2.0: | |
327 | ||
328 | Remove configured networks and credentials: | |
329 | ||
330 | > remove_network all | |
331 | OK | |
332 | > remove_cred all | |
333 | OK | |
334 | ||
335 | ||
336 | Add a username/password credential: | |
337 | ||
338 | > add_cred | |
339 | 0 | |
340 | > set_cred 0 realm "mail.example.com" | |
341 | OK | |
342 | > set_cred 0 username "username" | |
343 | OK | |
344 | > set_cred 0 password "password" | |
345 | OK | |
346 | > set_cred 0 priority 1 | |
347 | OK | |
03ed3324 JM |
348 | > set_cred 0 temporary 1 |
349 | OK | |
a8a3868d JM |
350 | |
351 | Add a SIM credential using a simulated SIM/USIM card for testing: | |
352 | ||
353 | > add_cred | |
354 | 1 | |
355 | > set_cred 1 imsi "23456-0000000000" | |
356 | OK | |
357 | > set_cred 1 milenage "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123" | |
358 | OK | |
359 | > set_cred 1 priority 1 | |
360 | OK | |
361 | ||
362 | Note: the return value of add_cred is used as the first argument to | |
363 | the following set_cred commands. | |
364 | ||
a5d44ac0 JM |
365 | Add a SIM credential using a external SIM/USIM processing: |
366 | ||
367 | > set external_sim 1 | |
368 | OK | |
369 | > add_cred | |
370 | 1 | |
371 | > set_cred 1 imsi "23456-0000000000" | |
372 | OK | |
373 | > set_cred 1 eap SIM | |
374 | OK | |
375 | ||
a8a3868d JM |
376 | |
377 | Add a WPA2-Enterprise network: | |
378 | ||
379 | > add_network | |
380 | 0 | |
381 | > set_network 0 key_mgmt WPA-EAP | |
382 | OK | |
383 | > set_network 0 ssid "enterprise" | |
384 | OK | |
385 | > set_network 0 eap TTLS | |
386 | OK | |
387 | > set_network 0 anonymous_identity "anonymous" | |
388 | OK | |
389 | > set_network 0 identity "user" | |
390 | OK | |
391 | > set_network 0 password "password" | |
392 | OK | |
393 | > set_network 0 priority 0 | |
394 | OK | |
395 | > enable_network 0 no-connect | |
396 | OK | |
397 | ||
398 | ||
399 | Add an open network: | |
400 | ||
401 | > add_network | |
402 | 3 | |
403 | > set_network 3 key_mgmt NONE | |
404 | OK | |
405 | > set_network 3 ssid "coffee-shop" | |
406 | OK | |
407 | > select_network 3 | |
408 | OK | |
409 | ||
410 | Note: the return value of add_network is used as the first argument to | |
411 | the following set_network commands. | |
412 | ||
413 | The preferred credentials/networks can be indicated with the priority | |
414 | parameter (1 is higher priority than 0). | |
415 | ||
416 | ||
417 | Interworking network selection can be started with interworking_select | |
418 | command. This instructs wpa_supplicant to run a network scan and iterate | |
419 | through the discovered APs to request ANQP information from the APs that | |
420 | advertise support for Interworking/Hotspot 2.0: | |
421 | ||
422 | > interworking_select | |
423 | OK | |
424 | <3>Starting ANQP fetch for 02:00:00:00:01:00 | |
425 | <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list | |
426 | <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list | |
427 | <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List | |
428 | <3>ANQP fetch completed | |
429 | <3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown | |
430 | ||
431 | ||
432 | INTERWORKING-AP event messages indicate the APs that support network | |
433 | selection and for which there is a matching | |
434 | credential. interworking_connect command can be used to select a network | |
435 | to connect with: | |
436 | ||
437 | ||
438 | > interworking_connect 02:00:00:00:01:00 | |
439 | OK | |
440 | <3>CTRL-EVENT-SCAN-RESULTS | |
441 | <3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) | |
442 | <3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) | |
443 | <3>Associated with 02:00:00:00:01:00 | |
444 | <3>CTRL-EVENT-EAP-STARTED EAP authentication started | |
445 | <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 | |
446 | <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected | |
447 | <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully | |
448 | <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP] | |
449 | <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (auth) [id=0 id_str=] | |
450 | ||
451 | ||
452 | wpa_supplicant creates a temporary network block for the selected | |
453 | network based on the configured credential and ANQP information from the | |
454 | AP: | |
455 | ||
456 | > list_networks | |
457 | network id / ssid / bssid / flags | |
458 | 0 Example Network any [CURRENT] | |
459 | > get_network 0 key_mgmt | |
460 | WPA-EAP | |
461 | > get_network 0 eap | |
462 | TTLS | |
463 | ||
464 | ||
465 | Alternatively to using an external program to select the network, | |
466 | "interworking_select auto" command can be used to request wpa_supplicant | |
467 | to select which network to use based on configured priorities: | |
468 | ||
469 | ||
470 | > remove_network all | |
471 | OK | |
472 | <3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=1 locally_generated=1 | |
473 | > interworking_select auto | |
474 | OK | |
475 | <3>Starting ANQP fetch for 02:00:00:00:01:00 | |
476 | <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list | |
477 | <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list | |
478 | <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List | |
479 | <3>ANQP fetch completed | |
480 | <3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown | |
481 | <3>CTRL-EVENT-SCAN-RESULTS | |
482 | <3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) | |
483 | <3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) | |
484 | <3>Associated with 02:00:00:00:01:00 | |
485 | <3>CTRL-EVENT-EAP-STARTED EAP authentication started | |
486 | <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 | |
487 | <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected | |
488 | <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully | |
489 | <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP] | |
490 | <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (reauth) [id=0 id_str=] | |
491 | ||
492 | ||
493 | The connection status can be shown with the status command: | |
494 | ||
495 | > status | |
496 | bssid=02:00:00:00:01:00 | |
497 | ssid=Example Network | |
498 | id=0 | |
499 | mode=station | |
500 | pairwise_cipher=CCMP <--- link layer security indication | |
501 | group_cipher=CCMP | |
502 | key_mgmt=WPA2/IEEE 802.1X/EAP | |
503 | wpa_state=COMPLETED | |
504 | p2p_device_address=02:00:00:00:00:00 | |
505 | address=02:00:00:00:00:00 | |
506 | hs20=1 <--- HS 2.0 indication | |
507 | Supplicant PAE state=AUTHENTICATED | |
508 | suppPortStatus=Authorized | |
509 | EAP state=SUCCESS | |
510 | selectedMethod=21 (EAP-TTLS) | |
511 | EAP TLS cipher=AES-128-SHA | |
512 | EAP-TTLSv0 Phase2 method=PAP | |
513 | ||
514 | ||
515 | > status | |
516 | bssid=02:00:00:00:02:00 | |
517 | ssid=coffee-shop | |
518 | id=3 | |
519 | mode=station | |
520 | pairwise_cipher=NONE | |
521 | group_cipher=NONE | |
522 | key_mgmt=NONE | |
523 | wpa_state=COMPLETED | |
524 | p2p_device_address=02:00:00:00:00:00 | |
525 | address=02:00:00:00:00:00 | |
526 | ||
527 | ||
528 | Note: The Hotspot 2.0 indication is shown as "hs20=1" in the status | |
529 | command output. Link layer security is indicated with the | |
530 | pairwise_cipher (CCMP = secure, NONE = no encryption used). | |
531 | ||
532 | ||
533 | Also the scan results include the Hotspot 2.0 indication: | |
534 | ||
535 | > scan_results | |
536 | bssid / frequency / signal level / flags / ssid | |
537 | 02:00:00:00:01:00 2412 -30 [WPA2-EAP-CCMP][ESS][HS20] Example Network | |
538 | ||
539 | ||
540 | ANQP information for the BSS can be fetched using the BSS command: | |
541 | ||
542 | > bss 02:00:00:00:01:00 | |
543 | id=1 | |
544 | bssid=02:00:00:00:01:00 | |
545 | freq=2412 | |
546 | beacon_int=100 | |
547 | capabilities=0x0411 | |
548 | qual=0 | |
549 | noise=-92 | |
550 | level=-30 | |
551 | tsf=1345573286517276 | |
552 | age=105 | |
553 | ie=000f4578616d706c65204e6574776f726b010882848b960c1218240301012a010432043048606c30140100000fac040100000fac040100000fac0100007f04000000806b091e07010203040506076c027f006f1001531122331020304050010203040506dd05506f9a1000 | |
554 | flags=[WPA2-EAP-CCMP][ESS][HS20] | |
555 | ssid=Example Network | |
556 | anqp_roaming_consortium=031122330510203040500601020304050603fedcba | |
557 | ||
558 | ||
559 | ANQP queries can also be requested with the anqp_get and hs20_anqp_get | |
560 | commands: | |
561 | ||
562 | > anqp_get 02:00:00:00:01:00 261 | |
563 | OK | |
564 | <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list | |
565 | > hs20_anqp_get 02:00:00:00:01:00 2 | |
566 | OK | |
567 | <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List | |
568 | ||
569 | In addition, fetch_anqp command can be used to request similar set of | |
570 | ANQP queries to be done as is run as part of interworking_select: | |
571 | ||
572 | > scan | |
573 | OK | |
574 | <3>CTRL-EVENT-SCAN-RESULTS | |
575 | > fetch_anqp | |
576 | OK | |
577 | <3>Starting ANQP fetch for 02:00:00:00:01:00 | |
578 | <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list | |
579 | <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list | |
580 | <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List | |
581 | <3>ANQP fetch completed | |
aeb408ff JM |
582 | |
583 | ||
584 | Hotspot 2.0 Rel 2 online signup and OSEN | |
585 | ---------------------------------------- | |
586 | ||
587 | Following parameters can be used to create a network profile for | |
588 | link-layer protected Hotspot 2.0 online signup connection with | |
589 | OSEN. Note that ssid and identify (NAI) values need to be set based on | |
590 | the information for the selected provider in the OSU Providers list | |
591 | ANQP-element. | |
592 | ||
593 | network={ | |
594 | ssid="HS 2.0 OSU" | |
595 | proto=OSEN | |
596 | key_mgmt=OSEN | |
597 | pairwise=CCMP | |
598 | group=GTK_NOT_USED | |
599 | eap=WFA-UNAUTH-TLS | |
600 | identity="anonymous@example.com" | |
601 | ca_cert="osu-ca.pem" | |
602 | ocsp=2 | |
603 | } | |
604 | ||
605 | ||
606 | Hotspot 2.0 connection with external network selection | |
607 | ------------------------------------------------------ | |
608 | ||
6311547e | 609 | When a component controlling wpa_supplicant takes care of Interworking |
aeb408ff JM |
610 | network selection, following configuration and network profile |
611 | parameters can be used to configure a temporary network profile for a | |
612 | Hotspot 2.0 connection (e.g., with SET, ADD_NETWORK, SET_NETWORK, and | |
613 | SELECT_NETWORK control interface commands): | |
614 | ||
615 | interworking=1 | |
616 | hs20=1 | |
617 | auto_interworking=0 | |
618 | ||
619 | network={ | |
620 | ssid="test-hs20" | |
621 | proto=RSN | |
622 | key_mgmt=WPA-EAP | |
623 | pairwise=CCMP | |
624 | anonymous_identity="anonymous@example.com" | |
625 | identity="hs20-test@example.com" | |
626 | password="password" | |
627 | ca_cert="ca.pem" | |
628 | eap=TTLS | |
629 | phase2="auth=MSCHAPV2" | |
630 | update_identifier=54321 | |
6311547e | 631 | roaming_consortium_selection=112233 |
aeb408ff JM |
632 | #ocsp=2 |
633 | } | |
634 | ||
635 | ||
636 | These parameters are set based on the PPS MO credential and/or NAI Realm | |
637 | list ANQP-element: | |
638 | ||
639 | anonymous_identity: Credential/UsernamePassword/Username with username part | |
640 | replaced with "anonymous" | |
641 | identity: Credential/UsernamePassword/Username | |
642 | password: Credential/UsernamePassword/Password | |
643 | update_identifier: PPS/UpdateIdentifier | |
644 | ca_cert: from the downloaded trust root based on PPS information | |
645 | eap: Credential/UsernamePassword/EAPMethod or NAI Realm list | |
646 | phase2: Credential/UsernamePassword/EAPMethod or NAI Realm list | |
6311547e | 647 | roaming_consortium_selection: Matching OI from HomeSP/RoamingConsortiumOI |
aeb408ff | 648 | ocsp: Credential/CheckAAAServerCertStatus |