1 wpa_supplicant and Hotspot 2.0 2 ============================== 3 4 This document describe how the IEEE 802.11u Interworking and Wi-Fi 5 Hotspot 2.0 (Release 1) implementation in wpa_supplicant can be 6 configured and how an external component on the client e.g., management 7 GUI or Wi-Fi framework) is used to manage this functionality. 8 9 10 Introduction to Wi-Fi Hotspot 2.0 11 --------------------------------- 12 13 Hotspot 2.0 is the name of the Wi-Fi Alliance specification that is used 14 in the Wi-Fi CERTIFIED Passpoint<TM> program. More information about 15 this is available in this white paper: 16 17 http://www.wi-fi.org/knowledge-center/white-papers/wi-fi-certified-passpoint%E2%84%A2-new-program-wi-fi-alliance%C2%AE-enable-seamless 18 19 The Hotspot 2.0 specification is also available from WFA: 20 https://www.wi-fi.org/knowledge-center/published-specifications 21 22 The core Interworking functionality (network selection, GAS/ANQP) were 23 standardized in IEEE Std 802.11u-2011 which is now part of the IEEE Std 24 802.11-2012. 25 26 27 wpa_supplicant network selection 28 -------------------------------- 29 30 Interworking support added option for configuring credentials that can 31 work with multiple networks as an alternative to configuration of 32 network blocks (e.g., per-SSID parameters). When requested to perform 33 network selection, wpa_supplicant picks the highest priority enabled 34 network block or credential. If a credential is picked (based on ANQP 35 information from APs), a temporary network block is created 36 automatically for the matching network. This temporary network block is 37 used similarly to the network blocks that can be configured by the user, 38 but it is not stored into the configuration file and is meant to be used 39 only for temporary period of time since a new one can be created 40 whenever needed based on ANQP information and the credential. 41 42 By default, wpa_supplicant is not using automatic network selection 43 unless requested explicitly with the interworking_select command. This 44 can be changed with the auto_interworking=1 parameter to perform network 45 selection automatically whenever trying to find a network for connection 46 and none of the enabled network blocks match with the scan results. This 47 case works similarly to "interworking_select auto", i.e., wpa_supplicant 48 will internally determine which network or credential is going to be 49 used based on configured priorities, scan results, and ANQP information. 50 51 52 wpa_supplicant configuration 53 ---------------------------- 54 55 Interworking and Hotspot 2.0 functionality are optional components that 56 need to be enabled in the wpa_supplicant build configuration 57 (.config). This is done by adding following parameters into that file: 58 59 CONFIG_INTERWORKING=y 60 CONFIG_HS20=y 61 62 It should be noted that this functionality requires a driver that 63 supports GAS/ANQP operations. This uses the same design as P2P, i.e., 64 Action frame processing and building in user space within 65 wpa_supplicant. The Linux nl80211 driver interface provides the needed 66 functionality for this. 67 68 69 There are number of run-time configuration parameters (e.g., in 70 wpa_supplicant.conf when using the configuration file) that can be used 71 to control Hotspot 2.0 operations. 72 73 # Enable Interworking 74 interworking=1 75 76 # Enable Hotspot 2.0 77 hs20=1 78 79 # Parameters for controlling scanning 80 81 # Homogeneous ESS identifier 82 # If this is set, scans will be used to request response only from BSSes 83 # belonging to the specified Homogeneous ESS. This is used only if interworking 84 # is enabled. 85 #hessid=00:11:22:33:44:55 86 87 # Access Network Type 88 # When Interworking is enabled, scans can be limited to APs that advertise the 89 # specified Access Network Type (0..15; with 15 indicating wildcard match). 90 # This value controls the Access Network Type value in Probe Request frames. 91 #access_network_type=15 92 93 # Automatic network selection behavior 94 # 0 = do not automatically go through Interworking network selection 95 # (i.e., require explicit interworking_select command for this; default) 96 # 1 = perform Interworking network selection if one or more 97 # credentials have been configured and scan did not find a 98 # matching network block 99 #auto_interworking=0 100 101 102 Credentials can be pre-configured for automatic network selection: 103 104 # credential block 105 # 106 # Each credential used for automatic network selection is configured as a set 107 # of parameters that are compared to the information advertised by the APs when 108 # interworking_select and interworking_connect commands are used. 109 # 110 # credential fields: 111 # 112 # temporary: Whether this credential is temporary and not to be saved 113 # 114 # priority: Priority group 115 # By default, all networks and credentials get the same priority group 116 # (0). This field can be used to give higher priority for credentials 117 # (and similarly in struct wpa_ssid for network blocks) to change the 118 # Interworking automatic networking selection behavior. The matching 119 # network (based on either an enabled network block or a credential) 120 # with the highest priority value will be selected. 121 # 122 # pcsc: Use PC/SC and SIM/USIM card 123 # 124 # realm: Home Realm for Interworking 125 # 126 # username: Username for Interworking network selection 127 # 128 # password: Password for Interworking network selection 129 # 130 # ca_cert: CA certificate for Interworking network selection 131 # 132 # client_cert: File path to client certificate file (PEM/DER) 133 # This field is used with Interworking networking selection for a case 134 # where client certificate/private key is used for authentication 135 # (EAP-TLS). Full path to the file should be used since working 136 # directory may change when wpa_supplicant is run in the background. 137 # 138 # Alternatively, a named configuration blob can be used by setting 139 # this to blob://blob_name. 140 # 141 # private_key: File path to client private key file (PEM/DER/PFX) 142 # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 143 # commented out. Both the private key and certificate will be read 144 # from the PKCS#12 file in this case. Full path to the file should be 145 # used since working directory may change when wpa_supplicant is run 146 # in the background. 147 # 148 # Windows certificate store can be used by leaving client_cert out and 149 # configuring private_key in one of the following formats: 150 # 151 # cert://substring_to_match 152 # 153 # hash://certificate_thumbprint_in_hex 154 # 155 # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 156 # 157 # Note that when running wpa_supplicant as an application, the user 158 # certificate store (My user account) is used, whereas computer store 159 # (Computer account) is used when running wpasvc as a service. 160 # 161 # Alternatively, a named configuration blob can be used by setting 162 # this to blob://blob_name. 163 # 164 # private_key_passwd: Password for private key file 165 # 166 # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 167 # 168 # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 169 # format 170 # 171 # imsi_privacy_cert: IMSI privacy certificate (PEM encoded X.509v3 certificate) 172 # This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent 173 # identity (IMSI) to improve privacy. The X.509v3 certificate needs to 174 # include a 2048-bit RSA public key and this is from the operator who 175 # authenticates the SIM/USIM. 176 # imsi_privacy_attr: IMSI privacy attribute 177 # This field is used to help the EAP-SIM/AKA/AKA' server to identify 178 # the used certificate (and as such, the matching private key). This 179 # is set to an attribute in name=value format if the operator needs 180 # this information. 181 # 182 # domain_suffix_match: Constraint for server domain name 183 # If set, this FQDN is used as a suffix match requirement for the AAA 184 # server certificate in SubjectAltName dNSName element(s). If a 185 # matching dNSName is found, this constraint is met. If no dNSName 186 # values are present, this constraint is matched against SubjectName CN 187 # using same suffix match comparison. Suffix match here means that the 188 # host/domain name is compared one label at a time starting from the 189 # top-level domain and all the labels in @domain_suffix_match shall be 190 # included in the certificate. The certificate may include additional 191 # sub-level labels in addition to the required labels. 192 # 193 # For example, domain_suffix_match=example.com would match 194 # test.example.com but would not match test-example.com. 195 # 196 # domain: Home service provider FQDN(s) 197 # This is used to compare against the Domain Name List to figure out 198 # whether the AP is operated by the Home SP. Multiple domain entries can 199 # be used to configure alternative FQDNs that will be considered home 200 # networks. 201 # 202 # home_ois: Home OI(s) 203 # This string field contains one or more comma delimited OIs (hexdump) 204 # identifying the access the access points that support authentication 205 # with this credential. There are an alternative to the use of the realm 206 # parameter. When using Home OIs to match the network, the EAP parameters 207 # need to be pre-configured with the credentials since the NAI Realm 208 # information may not be available or fetched. 209 # A successful authentication with the access point is possible as soon 210 # as at least one Home OI from the list matches an OI in the Roaming 211 # Consortium advertised by the access point. 212 # (Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOI) 213 # 214 # required_home_ois: Required Home OI(s) 215 # This string field contains the set of Home OI(s) (hexdump) that are 216 # required to be advertised by the AP for the credential to be considered 217 # matching. 218 # (Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOIRequired) 219 # 220 # roaming_consortium: Roaming Consortium OI 221 # Deprecated: use home_ois instead. 222 # If roaming_consortium_len is non-zero, this field contains the 223 # Roaming Consortium OI that can be used to determine which access 224 # points support authentication with this credential. This is an 225 # alternative to the use of the realm parameter. When using Roaming 226 # Consortium to match the network, the EAP parameters need to be 227 # pre-configured with the credential since the NAI Realm information 228 # may not be available or fetched. 229 # 230 # required_roaming_consortium: Required Roaming Consortium OI 231 # Deprecated: use required_home_ois instead. 232 # If required_roaming_consortium_len is non-zero, this field contains the 233 # Roaming Consortium OI that is required to be advertised by the AP for 234 # the credential to be considered matching. 235 # 236 # roaming_consortiums: Roaming Consortium OI(s) memberships 237 # This string field contains one or more comma delimited OIs (hexdump) 238 # identifying the roaming consortiums of which the provider is a member. 239 # The list is sorted from the most preferred one to the least preferred 240 # one. A match between the Roaming Consortium OIs advertised by an AP and 241 # the OIs in this list indicates that successful authentication is 242 # possible. 243 # (Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI) 244 # 245 # eap: Pre-configured EAP method 246 # This optional field can be used to specify which EAP method will be 247 # used with this credential. If not set, the EAP method is selected 248 # automatically based on ANQP information (e.g., NAI Realm). 249 # 250 # phase1: Pre-configure Phase 1 (outer authentication) parameters 251 # This optional field is used with like the 'eap' parameter. 252 # 253 # phase2: Pre-configure Phase 2 (inner authentication) parameters 254 # This optional field is used with like the 'eap' parameter. 255 # 256 # excluded_ssid: Excluded SSID 257 # This optional field can be used to excluded specific SSID(s) from 258 # matching with the network. Multiple entries can be used to specify more 259 # than one SSID. 260 # 261 # roaming_partner: Roaming partner information 262 # This optional field can be used to configure preferences between roaming 263 # partners. The field is a string in following format: 264 # <FQDN>,<0/1 exact match>,<priority>,<* or country code> 265 # (non-exact match means any subdomain matches the entry; priority is in 266 # 0..255 range with 0 being the highest priority) 267 # 268 # update_identifier: PPS MO ID 269 # (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 270 # 271 # provisioning_sp: FQDN of the SP that provisioned the credential 272 # This optional field can be used to keep track of the SP that provisioned 273 # the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>). 274 # 275 # sp_priority: Credential priority within a provisioning SP 276 # This is the priority of the credential among all credentials 277 # provisioned by the same SP (i.e., for entries that have identical 278 # provisioning_sp value). The range of this priority is 0-255 with 0 279 # being the highest and 255 the lower priority. 280 # 281 # Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*) 282 # These fields can be used to specify minimum download/upload backhaul 283 # bandwidth that is preferred for the credential. This constraint is 284 # ignored if the AP does not advertise WAN Metrics information or if the 285 # limit would prevent any connection. Values are in kilobits per second. 286 # min_dl_bandwidth_home 287 # min_ul_bandwidth_home 288 # min_dl_bandwidth_roaming 289 # min_ul_bandwidth_roaming 290 # 291 # max_bss_load: Maximum BSS Load Channel Utilization (1..255) 292 # (PPS/<X+>/Policy/MaximumBSSLoadValue) 293 # This value is used as the maximum channel utilization for network 294 # selection purposes for home networks. If the AP does not advertise 295 # BSS Load or if the limit would prevent any connection, this constraint 296 # will be ignored. 297 # 298 # req_conn_capab: Required connection capability 299 # (PPS/<X+>/Policy/RequiredProtoPortTuple) 300 # This value is used to configure set of required protocol/port pairs that 301 # a roaming network shall support (include explicitly in Connection 302 # Capability ANQP element). This constraint is ignored if the AP does not 303 # advertise Connection Capability or if this constraint would prevent any 304 # network connection. This policy is not used in home networks. 305 # Format: <protocol>[:<comma-separated list of ports] 306 # Multiple entries can be used to list multiple requirements. 307 # For example, number of common TCP protocols: 308 # req_conn_capab=6:22,80,443 309 # For example, IPSec/IKE: 310 # req_conn_capab=17:500 311 # req_conn_capab=50 312 # 313 # ocsp: Whether to use/require OCSP to check server certificate 314 # 0 = do not use OCSP stapling (TLS certificate status extension) 315 # 1 = try to use OCSP stapling, but not require response 316 # 2 = require valid OCSP stapling response 317 # 318 # sim_num: Identifier for which SIM to use in multi-SIM devices 319 # 320 # engine: Whether to use an engine for private key operations (0/1) 321 # engine_id: String identifying the engine to use 322 # ca_cert_id: The CA certificate identifier when using an engine 323 # cert_id: The certificate identifier when using an engine 324 # key_id: The private key identifier when using an engine 325 # 326 # for example: 327 # 328 #cred={ 329 # realm="example.com" 330 # username="user (a] example.com" 331 # password="password" 332 # ca_cert="/etc/wpa_supplicant/ca.pem" 333 # domain="example.com" 334 # domain_suffix_match="example.com" 335 #} 336 # 337 #cred={ 338 # imsi="310026-000000000" 339 # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 340 #} 341 # 342 #cred={ 343 # realm="example.com" 344 # username="user" 345 # password="password" 346 # ca_cert="/etc/wpa_supplicant/ca.pem" 347 # domain="example.com" 348 # home_ois="223344" 349 # roaming_consortiums="112233,4455667788,aabbcc" 350 # eap=TTLS 351 # phase2="auth=MSCHAPV2" 352 #} 353 354 355 Control interface 356 ----------------- 357 358 wpa_supplicant provides a control interface that can be used from 359 external programs to manage various operations. The included command 360 line tool, wpa_cli, can be used for manual testing with this interface. 361 362 Following wpa_cli interactive mode commands show some examples of manual 363 operations related to Hotspot 2.0: 364 365 Remove configured networks and credentials: 366 367 > remove_network all 368 OK 369 > remove_cred all 370 OK 371 372 373 Add a username/password credential: 374 375 > add_cred 376 0 377 > set_cred 0 realm "mail.example.com" 378 OK 379 > set_cred 0 username "username" 380 OK 381 > set_cred 0 password "password" 382 OK 383 > set_cred 0 priority 1 384 OK 385 > set_cred 0 temporary 1 386 OK 387 388 Add a SIM credential using a simulated SIM/USIM card for testing: 389 390 > add_cred 391 1 392 > set_cred 1 imsi "23456-0000000000" 393 OK 394 > set_cred 1 milenage "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123" 395 OK 396 > set_cred 1 priority 1 397 OK 398 399 Note: the return value of add_cred is used as the first argument to 400 the following set_cred commands. 401 402 Add a SIM credential using a external SIM/USIM processing: 403 404 > set external_sim 1 405 OK 406 > add_cred 407 1 408 > set_cred 1 imsi "23456-0000000000" 409 OK 410 > set_cred 1 eap SIM 411 OK 412 413 414 Add a WPA2-Enterprise network: 415 416 > add_network 417 0 418 > set_network 0 key_mgmt WPA-EAP 419 OK 420 > set_network 0 ssid "enterprise" 421 OK 422 > set_network 0 eap TTLS 423 OK 424 > set_network 0 anonymous_identity "anonymous" 425 OK 426 > set_network 0 identity "user" 427 OK 428 > set_network 0 password "password" 429 OK 430 > set_network 0 priority 0 431 OK 432 > enable_network 0 no-connect 433 OK 434 435 436 Add an open network: 437 438 > add_network 439 3 440 > set_network 3 key_mgmt NONE 441 OK 442 > set_network 3 ssid "coffee-shop" 443 OK 444 > select_network 3 445 OK 446 447 Note: the return value of add_network is used as the first argument to 448 the following set_network commands. 449 450 The preferred credentials/networks can be indicated with the priority 451 parameter (1 is higher priority than 0). 452 453 454 Interworking network selection can be started with interworking_select 455 command. This instructs wpa_supplicant to run a network scan and iterate 456 through the discovered APs to request ANQP information from the APs that 457 advertise support for Interworking/Hotspot 2.0: 458 459 > interworking_select 460 OK 461 <3>Starting ANQP fetch for 02:00:00:00:01:00 462 <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list 463 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list 464 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List 465 <3>ANQP fetch completed 466 <3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown 467 468 469 INTERWORKING-AP event messages indicate the APs that support network 470 selection and for which there is a matching 471 credential. interworking_connect command can be used to select a network 472 to connect with: 473 474 475 > interworking_connect 02:00:00:00:01:00 476 OK 477 <3>CTRL-EVENT-SCAN-RESULTS 478 <3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) 479 <3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) 480 <3>Associated with 02:00:00:00:01:00 481 <3>CTRL-EVENT-EAP-STARTED EAP authentication started 482 <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 483 <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected 484 <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully 485 <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP] 486 <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (auth) [id=0 id_str=] 487 488 489 wpa_supplicant creates a temporary network block for the selected 490 network based on the configured credential and ANQP information from the 491 AP: 492 493 > list_networks 494 network id / ssid / bssid / flags 495 0 Example Network any [CURRENT] 496 > get_network 0 key_mgmt 497 WPA-EAP 498 > get_network 0 eap 499 TTLS 500 501 502 Alternatively to using an external program to select the network, 503 "interworking_select auto" command can be used to request wpa_supplicant 504 to select which network to use based on configured priorities: 505 506 507 > remove_network all 508 OK 509 <3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=1 locally_generated=1 510 > interworking_select auto 511 OK 512 <3>Starting ANQP fetch for 02:00:00:00:01:00 513 <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list 514 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list 515 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List 516 <3>ANQP fetch completed 517 <3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown 518 <3>CTRL-EVENT-SCAN-RESULTS 519 <3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) 520 <3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz) 521 <3>Associated with 02:00:00:00:01:00 522 <3>CTRL-EVENT-EAP-STARTED EAP authentication started 523 <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 524 <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected 525 <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully 526 <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP] 527 <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (reauth) [id=0 id_str=] 528 529 530 The connection status can be shown with the status command: 531 532 > status 533 bssid=02:00:00:00:01:00 534 ssid=Example Network 535 id=0 536 mode=station 537 pairwise_cipher=CCMP <--- link layer security indication 538 group_cipher=CCMP 539 key_mgmt=WPA2/IEEE 802.1X/EAP 540 wpa_state=COMPLETED 541 p2p_device_address=02:00:00:00:00:00 542 address=02:00:00:00:00:00 543 hs20=1 <--- HS 2.0 indication 544 Supplicant PAE state=AUTHENTICATED 545 suppPortStatus=Authorized 546 EAP state=SUCCESS 547 selectedMethod=21 (EAP-TTLS) 548 EAP TLS cipher=AES-128-SHA 549 EAP-TTLSv0 Phase2 method=PAP 550 551 552 > status 553 bssid=02:00:00:00:02:00 554 ssid=coffee-shop 555 id=3 556 mode=station 557 pairwise_cipher=NONE 558 group_cipher=NONE 559 key_mgmt=NONE 560 wpa_state=COMPLETED 561 p2p_device_address=02:00:00:00:00:00 562 address=02:00:00:00:00:00 563 564 565 Note: The Hotspot 2.0 indication is shown as "hs20=1" in the status 566 command output. Link layer security is indicated with the 567 pairwise_cipher (CCMP = secure, NONE = no encryption used). 568 569 570 Also the scan results include the Hotspot 2.0 indication: 571 572 > scan_results 573 bssid / frequency / signal level / flags / ssid 574 02:00:00:00:01:00 2412 -30 [WPA2-EAP-CCMP][ESS][HS20] Example Network 575 576 577 ANQP information for the BSS can be fetched using the BSS command: 578 579 > bss 02:00:00:00:01:00 580 id=1 581 bssid=02:00:00:00:01:00 582 freq=2412 583 beacon_int=100 584 capabilities=0x0411 585 qual=0 586 noise=-92 587 level=-30 588 tsf=1345573286517276 589 age=105 590 ie=000f4578616d706c65204e6574776f726b010882848b960c1218240301012a010432043048606c30140100000fac040100000fac040100000fac0100007f04000000806b091e07010203040506076c027f006f1001531122331020304050010203040506dd05506f9a1000 591 flags=[WPA2-EAP-CCMP][ESS][HS20] 592 ssid=Example Network 593 anqp_roaming_consortium=031122330510203040500601020304050603fedcba 594 595 596 ANQP queries can also be requested with the anqp_get and hs20_anqp_get 597 commands: 598 599 > anqp_get 02:00:00:00:01:00 261 600 OK 601 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list 602 > hs20_anqp_get 02:00:00:00:01:00 2 603 OK 604 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List 605 606 In addition, fetch_anqp command can be used to request similar set of 607 ANQP queries to be done as is run as part of interworking_select: 608 609 > scan 610 OK 611 <3>CTRL-EVENT-SCAN-RESULTS 612 > fetch_anqp 613 OK 614 <3>Starting ANQP fetch for 02:00:00:00:01:00 615 <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list 616 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list 617 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List 618 <3>ANQP fetch completed 619 620 621 Hotspot 2.0 Rel 2 online signup and OSEN 622 ---------------------------------------- 623 624 Following parameters can be used to create a network profile for 625 link-layer protected Hotspot 2.0 online signup connection with 626 OSEN. Note that ssid and identify (NAI) values need to be set based on 627 the information for the selected provider in the OSU Providers list 628 ANQP-element. 629 630 network={ 631 ssid="HS 2.0 OSU" 632 proto=OSEN 633 key_mgmt=OSEN 634 pairwise=CCMP 635 group=GTK_NOT_USED 636 eap=WFA-UNAUTH-TLS 637 identity="anonymous (a] example.com" 638 ca_cert="osu-ca.pem" 639 ocsp=2 640 } 641 642 643 Hotspot 2.0 connection with external network selection 644 ------------------------------------------------------ 645 646 When a component controlling wpa_supplicant takes care of Interworking 647 network selection, following configuration and network profile 648 parameters can be used to configure a temporary network profile for a 649 Hotspot 2.0 connection (e.g., with SET, ADD_NETWORK, SET_NETWORK, and 650 SELECT_NETWORK control interface commands): 651 652 interworking=1 653 hs20=1 654 auto_interworking=0 655 656 network={ 657 ssid="test-hs20" 658 proto=RSN 659 key_mgmt=WPA-EAP 660 pairwise=CCMP 661 anonymous_identity="anonymous (a] example.com" 662 identity="hs20-test (a] example.com" 663 password="password" 664 ca_cert="ca.pem" 665 eap=TTLS 666 phase2="auth=MSCHAPV2" 667 update_identifier=54321 668 roaming_consortium_selection=112233 669 #ocsp=2 670 } 671 672 673 These parameters are set based on the PPS MO credential and/or NAI Realm 674 list ANQP-element: 675 676 anonymous_identity: Credential/UsernamePassword/Username with username part 677 replaced with "anonymous" 678 identity: Credential/UsernamePassword/Username 679 password: Credential/UsernamePassword/Password 680 update_identifier: PPS/UpdateIdentifier 681 ca_cert: from the downloaded trust root based on PPS information 682 eap: Credential/UsernamePassword/EAPMethod or NAI Realm list 683 phase2: Credential/UsernamePassword/EAPMethod or NAI Realm list 684 roaming_consortium_selection: Matching OI from HomeSP/RoamingConsortiumOI 685 ocsp: Credential/CheckAAAServerCertStatus 686
Indexes created Sun Apr 19 00:22:55 UTC 2026