To do: Simply configure an 802.1X wireless network with a dummy SSID, and insert some lines like the following just before the network section of the wpa_supplicant.conf file.
The device will then automatically join the Passpoint network.
interworking=1
hs20=1
auto_interworking=1
cred={
username="userID@example.com"
password="userpass"
ca_cert="/etc/ssl/certs/ca-certificates.crt"
domain_suffix_match="idp.example.com"
roaming_consortiums="5A03BA0000"
eap=TTLS
phase2="auth=MSCHAPV2"
}
Prerequisites
OpenWrt 21.x or newer is required.
A full-featured wpa-supplicant package, e.g. wpa-supplicant-openssl, is needed. If the basic one is installed, it needs to be replaced with the full version. If you cannot find a wpa-supplicant package, the wpad package probably contains the wpa_supplicant system.
If the installed wpa_supplicant supports Passpoint (aka Hotspot 2.0), the following command will print some symbols:
# strings /usr/sbin/wpa_supplicant | grep hs20
An 802.1X wireless network with a dummy SSID is configured and enabled. The SSID can be anything, as long as it is not a common one.
Where is the wpa_supplicant.conf, anyway?
On OpenWrt, the UCI (Unified Configuration Interface) system reads the /etc/config/wireless file and auto-generates /var/run/wpa_supplicant-wlan0.conf.
You cannot modify this temporary file manually, as UCI overwrites it.
A shell script /lib/netifd/hostapd.sh is in charge of the wireless system configuration. However, the script doesn't support Passpoint as of this writing.
Near the end of the file, you can see lines like:
if [ "$key_mgmt" = "WPS" ]; then
echo "wps_cred_processing=1" >> "$_config"
else
cat >> "$_config" <<EOF
###
network={
$scan_ssid
ssid="$ssid"
key_mgmt=$key_mgmt
$network_data
}
EOF
fi
return 0
}
The point just before the network section (marked with ###) is where the Passpoint configuration lines above go.
[Added 2024/1/20] Here's alternative code to add to hostapd.sh.
[Added 2024/1/27] "option domain_suffix_match ..." is required in /etc/config/wireless.
[Added 2024/1/30] You can now grab a better configuration script here.
interworking=1
hs20=1
auto_interworking=1
cred={
username="$identity"
password="$password"
ca_cert="/etc/ssl/certs/ca-certificates.crt"
domain_suffix_match="$domain_suffix_match"
roaming_consortiums="5A03BA0000"
eap=$(echo $eap_type | tr 'a-z' 'A-Z')
phase2="auth=$auth"
}
Parameters
The credential (cred) section has some parameters.
roaming_consortiums is a comma-separated list of RCOIs (Roaming Consortium Organization Identifiers). The box uses the RCOI to choose the right network to join.
ca_cert points to the CA certificate store used for server authentication. The system default store is appropriate when the AAA server uses a server certificate from a public CA.
domain_suffix_match is an FQDN used as a suffix match requirement for the AAA server certificate, checked against its SubjectAltName dNSName element(s). Note that the "domain" parameter is for home network identification and NOT for server authentication.
Server authentication is essential for protecting the password from evil-twin (malicious) access points; the domain name match must not be omitted.
Please see the README-HS20 file for more parameters and details.
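To tie the hostapd.sh hook, the /etc/config/wireless requirement and the domain_suffix_match point together, here is an added example that is not code from this page or from OpenWrt. It wraps the same cred block as the heredoc above in shell functions that hostapd.sh could call, refuses to write the block when server authentication would be incomplete, and includes the "grep hs20" support check from the Prerequisites section. The function names (passpoint_supported, passpoint_cred, passpoint_append) and the --demo switch are my own; the RCOI and CA store path are the page's values, and the sample identity and password are constructed.

```shell
#!/bin/sh
# Added example, not code from the page or from OpenWrt's hostapd.sh.
# Assumptions: the caller passes the same values hostapd.sh takes from
# /etc/config/wireless ($identity, $password, $domain_suffix_match,
# $eap_type, $auth). The RCOI and CA store path are the page's own values.

PASSPOINT_RCOI="5A03BA0000"
PASSPOINT_CA_CERT="/etc/ssl/certs/ca-certificates.crt"

# passpoint_supported [PATH]: succeed when the wpa_supplicant binary carries
# Hotspot 2.0 symbols. Same check as the page's "strings ... | grep hs20",
# done with grep -a so it also works where binutils is not installed.
passpoint_supported() {
    grep -a -q 'hs20' "${1:-/usr/sbin/wpa_supplicant}"
}

# passpoint_cred IDENTITY PASSWORD DOMAIN_SUFFIX_MATCH EAP_TYPE AUTH [CA_CERT]
# Print the interworking/hs20/cred lines on stdout. Fails (prints nothing) when:
#  - domain_suffix_match is empty: without it any AAA server with a certificate
#    from the CA store is accepted, so an evil-twin AP fronting such a server
#    would receive the MSCHAPv2 response;
#  - the CA store is not readable: the TLS handshake could not verify anything;
#  - a value contains a double quote, which would break the quoted
#    wpa_supplicant string (conservative assumption, not from the page).
passpoint_cred() {
    pc_identity="$1"; pc_password="$2"; pc_domain="$3"
    pc_eap="$4"; pc_auth="$5"; pc_ca="${6:-$PASSPOINT_CA_CERT}"

    if [ -z "$pc_domain" ]; then
        echo "passpoint: domain_suffix_match is empty; refusing to write cred block" >&2
        return 1
    fi
    if [ ! -r "$pc_ca" ]; then
        echo "passpoint: CA store $pc_ca is not readable" >&2
        return 1
    fi
    case "$pc_identity$pc_password$pc_domain" in
        *\"*) echo "passpoint: double quotes are not allowed in cred values" >&2; return 1 ;;
    esac
    # wpa_supplicant expects the EAP method name in upper case (TTLS, PEAP, ...)
    pc_eap=$(printf '%s' "$pc_eap" | tr 'a-z' 'A-Z')

    cat <<EOF
interworking=1
hs20=1
auto_interworking=1
cred={
username="$pc_identity"
password="$pc_password"
ca_cert="$pc_ca"
domain_suffix_match="$pc_domain"
roaming_consortiums="$PASSPOINT_RCOI"
eap=$pc_eap
phase2="auth=$pc_auth"
}
EOF
}

# passpoint_append CONFIG IDENTITY PASSWORD DOMAIN_SUFFIX_MATCH EAP_TYPE AUTH [CA_CERT]
# Append the block to the generated wpa_supplicant config (hostapd.sh's
# "$_config"), leaving the file untouched when passpoint_cred refuses.
passpoint_append() {
    pa_config="$1"; shift
    pa_block=$(passpoint_cred "$@") || return 1
    printf '%s\n' "$pa_block" >> "$pa_config"
}

# Stand-alone demonstration with constructed values. In hostapd.sh the call
# would be, just before the "###" network section:
#   passpoint_append "$_config" "$identity" "$password" "$domain_suffix_match" "$eap_type" "$auth"
if [ "${1:-}" = "--demo" ]; then
    passpoint_cred "userID@example.com" "userpass" "idp.example.com" "ttls" "MSCHAPV2"
fi
```

Because passpoint_append returns non-zero and writes nothing when domain_suffix_match is missing, a wireless section that forgot the "option domain_suffix_match" line ends up with no Passpoint credential at all rather than one that trusts any server in the CA store.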
Enabling and disabling the Wi-Fi connection
After modifying the hostapd.sh script, the command
# wifi
will restart the Wi-Fi feature of the box.
If you disable the SSID in the LuCI interface, the Passpoint feature stops working as well.
Fin.