hgot07 Hotspot Blog

A blog that mainly covers technologies such as wireless LAN and federated authentication. The cat just watches.

Configuring Hotspot 2.0 (Passpoint) on OpenWrt

This document briefly explains how to configure Hotspot 2.0 (officially, Passpoint) on OpenWrt so that an access point provides Passpoint services. Tests were done on several GL.iNet devices, including Mango, Slate, and Beryl (both int./ext. PHYs).

If you are interested in OpenRoaming, please see also:

hgot07.hatenablog.com

 

GL.iNet Beryl + NETGEAR A6210 under Hotspot 2.0 testing


 

Requirements

  • OpenWrt compatible device with Passpoint-capable wireless device (PHY).
  • OpenWrt 21.02, or newer, including wpad (hostapd) built with hs20 option.
  • Full version of iw package in OpenWrt.
  • 802.1x infrastructure (RADIUS server).

 

Overview

wpad, a hostapd variant, needs to be built with the hs20 option. To check whether the installed binary supports Hotspot 2.0, run:

  # strings /usr/sbin/wpad | grep hs20

If nothing shows up, that wpad does not support Hotspot 2.0.

The package installed by default is normally wpad-basic (-wolfssl), which does not have Hotspot 2.0 support. You have to remove wpad-basic and install a full version of wpad, such as wpad-openssl.

In addition, the iw package needs to be replaced with the iw-full package. Be careful that the wireless drivers are not removed along with these packages. If they are removed, you have to re-install them.

Unlike the hostapd configuration on a Linux box, hostapd.conf cannot be edited manually. UCI (Unified Configuration Interface) is used to auto-generate the hostapd.conf on OpenWrt.

More specifically, a shell script "/lib/netifd/hostapd.sh" will generate "/var/run/hostapd-phyX.conf" based on the wireless configuration file "/etc/config/wireless" in the UCI.

 

Hotspot 2.0 configuration

We assume that an SSID has already been configured with WPA2/3 Enterprise (802.1x). Please refer to other documents for this configuration.

Hotspot 2.0 can be enabled by adding some option and list lines to the "config wifi-iface 'wifinetX'" section. An example is shown below. Some lines need to be adjusted to match your own service.

Example:

        option iw_enabled '1'
        option iw_interworking '1'
        option iw_access_network_type '3'
        option iw_internet '1'
        option iw_disable_dgaf '1'
        option iw_asra '0'
        option iw_esr '0'
        option iw_uesa '0'
        option iw_venue_group '2'
        option iw_venue_type '8'
        option iw_hessid '00:00:00:01:02:03'
        list iw_roaming_consortium 'xxyyzz0000'
        list iw_nai_realm '0,example.com,13[5:6],21[2:4][5:7]'
        list iw_nai_realm '0,example.org,13[5:6],21[2:4][5:7]'
        list iw_venue_name 'eng:somePublicSpace'
        list iw_venue_url '1:https://www.example.com/info-eng'
        option iw_network_auth_type '00'
        option iw_ipaddr_type_availability '0c'
        list iw_domain_name 'example.com'
        option hs20 '1'
        option hs20_oper_friendly_name 'eng:YourFriendPasspoint'
        option hs20_operating_class '517C'

 

As you can easily guess, "option" sets a single value, while "list" can be repeated to give multiple values. In the example above, two NAI realms, example.com and example.org, are configured, each with the EAP methods "EAP-TLS with certificate" (13[5:6]) and "EAP-TTLS/MSCHAPv2 with username/password" (21[2:4][5:7]).

The parameter names and their contents can be found in the template of the hostapd configuration file. Please look into the "/lib/netifd/hostapd.sh" script to see which options are actually available.

 

Testing the Hotspot 2.0 functionality

To apply the configuration, run:

  # wifi

To check whether the SSID has become available, run:

  # iwinfo

On a client device, you should then see a "Hotspot 2.0" message or a description embedded in the Passpoint profile.

The following command shows you whether Passpoint is supported by the Wi-Fi device on Windows 10/11. If "ANQP Service Information Discovery" is "Supported," Passpoint is supposed to work.

  > netsh wlan show wirelesscapabilities

 

Troubleshooting

If wpad won't come up and the SSID disappears after setting "option iw_enabled '1'", there may be some wrong or missing parameters in the configuration.

Support for Hotspot 2.0 still seems to be in flux as of writing. A known problem is that UCI leaves iw_venue_name and iw_venue_url blank, and wpad then fails to start. Please check "/var/run/hostapd-phyX.conf" and see whether the parameters are passed correctly.
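One way to run the check suggested above on the generated file, as an added example that is not from the original post or from OpenWrt itself. It assumes the iw_* UCI options appear in the generated file as hostapd keys without the "iw_" prefix; the key list, the function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the iw_* UCI options
# reach the generated file as hostapd keys without the "iw_" prefix.
KEYS="venue_name venue_url roaming_consortium nai_realm domain_name hessid hs20_oper_friendly_name"
# check_hs20_conf [FILE]: reads FILE (or stdin), prints one line per problem,
# returns 0 when nothing was found and 1 otherwise.
check_hs20_conf() {
    awk -v keys="$KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) watch[k[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            if (key == "interworking" || key == "hs20") on[key] = val
            # Empty value on a Passpoint key: the failure mode described above.
            if ((key in watch) && val ~ /^[ \t]*$/) {
                printf "EMPTY %s (line %d)\n", key, NR; bad++
            }
        }
        END {
            if (on["interworking"] != "1") { print "MISSING interworking=1"; bad++ }
            if (on["hs20"] != "1")         { print "MISSING hs20=1"; bad++ }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed sample of a generated config with the blank venue fields.
sample_conf() {
    cat <<'EOF'
# constructed sample, not captured from a real device
interworking=1
venue_group=2
venue_type=8
venue_name=
venue_url=
nai_realm=0,example.com,13[5:6],21[2:4][5:7]
domain_name=example.com
hs20=1
hs20_oper_friendly_name=eng:YourFriendPasspoint
EOF
}

# With a path argument, check that file; otherwise run on the sample.
if [ $# -gt 0 ]; then
    check_hs20_conf "$1"
else
    sample_conf | check_hs20_conf || true
fi
```

Saved as a script on the router, it takes the path of the generated hostapd config as its only argument and exits non-zero when it finds a problem.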