This document briefly explains how to configure Hotspot 2.0 (officially, Passpoint) on OpenWrt so that an access point provides Passpoint services. It was tested on several GL.iNet devices, including Mango, Slate, and Beryl (both internal and external PHYs).
If you are interested in OpenRoaming, please see also:
If nothing shows up, that wpad isn't capable of Hotspot 2.0.
The default package installed is normally wpad-basic (-wolfssl), which doesn't have Hotspot 2.0 support. You have to remove wpad-basic and install a full version of wpad, such as wpad-openssl.
In addition, the iw package also needs to be replaced with the iw-full package. Be careful that the wireless drivers are not removed along with it. If they are deleted, you have to re-install them. [2024/3/22] Deleted. Warning: GL-MT3000 users should not try changing the iw package. Removing it would break the Wi-Fi driver. If you cannot see the chip name in LuCI's wireless menu, the system is broken and you need to flash the firmware again.
Unlike the hostapd configuration on a Linux box, hostapd.conf cannot be edited manually. UCI (Unified Configuration Interface) is used to auto-generate the hostapd.conf on OpenWrt.
More specifically, a shell script "/lib/netifd/hostapd.sh" will generate "/var/run/hostapd-phyX.conf" based on the wireless configuration file "/etc/config/wireless" in the UCI.
Hotspot 2.0 configuration
We assume that an SSID has already been configured with WPA2/3 Enterprise (802.1X). Please refer to other documents for this configuration.
Hotspot 2.0 can be enabled by adding some option and list lines to the "config wifi-iface 'wifinetX'" section. An example is shown below. Some lines need to be fixed according to your own service.
As you can easily guess, "option" is used to specify only one option, while "list" is used to list multiple options. In the example above, two NAI realms, example.com and example.org, are configured with EAP methods "EAP-TLS with certificate" and "EAP-TTLS/MSCHAPv2 with username/password."
The parameter names and their contents can be found in the template of the hostapd configuration file. Please look into the "/lib/netifd/hostapd.sh" script to see which options are actually available.
You should then see a "Hotspot 2.0" message, or a description embedded in the Passpoint profile, on a client device.
The following command shows you whether Passpoint is supported by the Wi-Fi device on Windows 10/11. If "ANQP Service Information Discovery" is "Supported," Passpoint is supposed to work.
> netsh wlan show wirelesscapabilities
Troubleshooting
If wpad won't come up and the SSID disappears after setting "option iw_enabled '1'", there may be some wrong or missing parameters in the configuration.
Support for Hotspot 2.0 still seems to be in flux as of writing. A known problem is that UCI leaves iw_venue_name and iw_venue_url blank, and wpad then fails to start. Please check "/var/run/hostapd-phyX.conf" and see whether the parameters are passed correctly.
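One way to run the check described above, as an added example that is not from the original page: a POSIX shell function that flags every key written with an empty value in the generated hostapd config and confirms that interworking=1 and hs20=1 are present. venue_name, venue_url, interworking and hs20 are hostapd.conf key names; the function names and the sample config are constructed for illustration, and treating both flags as required is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit a generated hostapd
# config for the Hotspot 2.0 startup problems described above.
# Exit status: 0 = no findings, 1 = findings printed, 2 = file unreadable.
check_hs20_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    awk '
        /^[ \t]*(#|$)/      { next }   # skip comments and blank lines
        index($0, "=") == 0 { next }   # skip anything that is not key=value
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[key] = val
            # A key emitted with no value is the failure the page reports
            # for venue_name / venue_url; flag every such line.
            if (val == "") { printf "EMPTY %s (line %d)\n", key, NR; bad = 1 }
        }
        END {
            # Assumption: a Passpoint BSS needs both of these set to 1.
            if (seen["interworking"] != "1") { print "MISSING interworking=1"; bad = 1 }
            if (seen["hs20"] != "1")         { print "MISSING hs20=1"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample of a generated config with the blank venue values.
write_sample_conf() {
    cat > "$1" <<'EOF'
interface=phy0-ap0
ssid=ExamplePasspoint
interworking=1
venue_name=
venue_url=
domain_name=example.com
hs20=1
EOF
}

# Stand-alone use: sh check_hs20.sh /var/run/hostapd-phyX.conf
if [ "$#" -gt 0 ]; then
    check_hs20_conf "$1"
fi
```

Any EMPTY line points at a UCI option that reached the generated file without a value; set it in "/etc/config/wireless" and reload the wireless configuration before checking again.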
My 2.5-year-old UniFi Cloud Key Gen2 Plus was found dead in the server rack.
No power at all from the PoE.
At a glance, the power seemed okay from the USB-C jack. But the box was showing "BAD USB-C POWER". (Please also read the bottom for a lucky solution.)
Be careful not to break the display when removing it.
Prepare for a burst. Go to a safe place or use a metal bucket when sliding the enclosure or removing the battery.
My Li-ion battery wasn't swollen, luckily. Graceful shutdown doesn't work now.
The components are all small. There was nothing I could do.
USB-C powering
Cloud Key Gen2 Plus requires a USB-C power source capable of Quick Charge 2.0 or higher. After buying a QC 3.0-capable adapter, my box has come back to normal operation.