 
http://www.candelatech.com
sales@candelatech.com
+1 360 380 1618 [PST, GMT -8]
Network Testing and Emulation Solutions

LANforge WiFi testing HotSpot 2.0 Release 2

Goal: Set up a HotSpot 2.0 Release 2 example

Requires LANforge 5.3.2 or later on Fedora 20 or later.
  • Run the LANforge install script to begin setup of the HotSpot 2.0 R2 related servers and certificates.
  • Configure the OSU Server-only authenticated layer-2 Encryption Network (OSEN) AP and Passpoint AP.
  • Initiate Online Sign-Up (OSU) procedure, select a provider and obtain an IP address from the Passpoint AP.
  • Send traffic through the Service Provider Network.


For more information see:
WiFi Alliance Passpoint Release 2 Deployment Guidelines
https://www.wi-fi.org/file/passpoint-release-2-deployment-guidelines
 
  1. Run LANforge installation script to begin hostapd RADIUS, certificates and HotSpot 2.0 setup:

    cd /home/lanforge
    ./lf_kinstall.pl --lfver 5.3.2 --do_radius --do_hs20

  2. Make two copies of the ca.pem certificate to different directories:

    cp /home/lanforge/hs20/ca/ca.pem /home/lanforge/ota-ca.pem
    cp /home/lanforge/hs20/ca/ca.pem /home/lanforge/wifi/osu_wlan2/osu-ca.pem

    ota-ca.pem is used by the client for Over-The-Air authentication to the OSEN AP.
    osu-ca.pem is used by the client to authenticate the Online Sign-Up server before connecting to the Passpoint AP.

    This is an all-in-one example on a single LANforge system; if the authentication servers were set up on different systems, the proper certificates from those systems would need to be copied instead.

  3. Create devinfo.xml and devdetail.xml files in /home/lanforge/wifi/osu_wlan2

    1. /home/lanforge/wifi/osu_wlan2/devinfo.xml

      <DevInfo xmlns="urn:oma:mo:oma-dm-devinfo:1.0">
              <DevId>urn:Example:HS20-station:123456</DevId>
              <Man>Manufacturer</Man>
              <Mod>HS20-station</Mod>
              <DmV>1.2</DmV>
              <Lang>en</Lang>
      </DevInfo>

    2. /home/lanforge/wifi/osu_wlan2/devdetail.xml

      <DevDetail xmlns="urn:oma:mo:oma-dm-devdetail:1.0">
              <Ext>
                      <org.wi-fi>
                              <Wi-Fi>
                                      <EAPMethodList>
                                              <EAPMethod1>
                                                      <EAPType>13</EAPType>
                                              </EAPMethod1>
                                              <EAPMethod2>
                                                      <EAPType>21</EAPType>
                                                      <InnerMethod>MS-CHAP-V2</InnerMethod>
                                              </EAPMethod2>
                                              <EAPMethod3>
                                                      <EAPType>18</EAPType>
                                              </EAPMethod3>
                                              <EAPMethod4>
                                                      <EAPType>23</EAPType>
                                              </EAPMethod4>
                                              <EAPMethod5>
                                                      <EAPType>50</EAPType>
                                              </EAPMethod5>
                                      </EAPMethodList>
                                      <ManufacturingCertificate>false</ManufacturingCertificate>
                                      <Wi-FiMACAddress>020102030405</Wi-FiMACAddress>
                                      <IMSI>310026000000000</IMSI>
                                      <IMEI_MEID>imei:490123456789012</IMEI_MEID>
                                      <ClientTriggerRedirectURI>http://localhost:12345/</ClientTriggerRedirectURI>
                                      <Ops>
                                              <launchBrowserToURI></launchBrowserToURI>
                                              <negotiateClientCertTLS></negotiateClientCertTLS>
                                              <getCertificate></getCertificate>
                                      </Ops>
                              </Wi-Fi>
                      </org.wi-fi>
              </Ext>
              <URI>
                      <MaxDepth>0</MaxDepth>
                      <MaxTotLen>0</MaxTotLen>
                      <MaxSegLen>0</MaxSegLen>
              </URI>
              <DevType>MobilePhone</DevType>
              <OEM>Manufacturer</OEM>
              <FwV>1.0</FwV>
              <SwV>1.0</SwV>
              <HwV>1.0</HwV>
              <LrgObj>false</LrgObj>
      </DevDetail>
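
As an added example (not part of this cookbook or of the hs20-osu-client), the following Python script parses the devdetail.xml above and reports what the client will advertise to the OSU server: the EAP method list decoded to the IANA method names, the Wi-Fi MAC and IMSI, and a sanity check that ClientTriggerRedirectURI points at a loopback host, since the OSU client itself listens on that URI. The embedded XML is a trimmed copy of the file above; the helper names and the loopback check are this example's own.

```python
"""Added example (not from the LANforge cookbook): parse the client's
devdetail.xml and report what it advertises to the OSU server."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DEVDETAIL_NS = "urn:oma:mo:oma-dm-devdetail:1.0"

# IANA-registered EAP method type numbers used by the cookbook's file.
EAP_TYPE_NAMES = {13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS",
                  23: "EAP-AKA", 50: "EAP-AKA'"}

# Constructed copy of the cookbook's devdetail.xml, trimmed to the fields
# this example reads.
DEVDETAIL_XML = """<DevDetail xmlns="urn:oma:mo:oma-dm-devdetail:1.0">
  <Ext><org.wi-fi><Wi-Fi>
    <EAPMethodList>
      <EAPMethod1><EAPType>13</EAPType></EAPMethod1>
      <EAPMethod2><EAPType>21</EAPType><InnerMethod>MS-CHAP-V2</InnerMethod></EAPMethod2>
      <EAPMethod3><EAPType>18</EAPType></EAPMethod3>
      <EAPMethod4><EAPType>23</EAPType></EAPMethod4>
      <EAPMethod5><EAPType>50</EAPType></EAPMethod5>
    </EAPMethodList>
    <ManufacturingCertificate>false</ManufacturingCertificate>
    <Wi-FiMACAddress>020102030405</Wi-FiMACAddress>
    <IMSI>310026000000000</IMSI>
    <IMEI_MEID>imei:490123456789012</IMEI_MEID>
    <ClientTriggerRedirectURI>http://localhost:12345/</ClientTriggerRedirectURI>
  </Wi-Fi></org.wi-fi></Ext>
  <DevType>MobilePhone</DevType>
</DevDetail>"""


def q(name):
    """Namespace-qualify a DevDetail element name for ElementTree."""
    return "{%s}%s" % (DEVDETAIL_NS, name)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def parse_devdetail(xml_text):
    """Return a dict describing the EAP methods and identifiers advertised."""
    root = ET.fromstring(xml_text)
    if root.tag != q("DevDetail"):
        raise ValueError("not an OMA-DM DevDetail document")
    methods = []
    # EAPMethod1, EAPMethod2, ... each carry an EAPType and an optional
    # InnerMethod (only meaningful for tunnelled methods such as EAP-TTLS).
    for el in root.iter():
        name = local_name(el.tag)
        if name.startswith("EAPMethod") and name != "EAPMethodList":
            eap_type = int(el.findtext(q("EAPType")))
            methods.append({
                "type": eap_type,
                "name": EAP_TYPE_NAMES.get(eap_type, "unassigned/unknown"),
                "inner": el.findtext(q("InnerMethod")),
            })
    wifi = root.find(".//" + q("Wi-Fi"))
    mac = wifi.findtext(q("Wi-FiMACAddress")) or ""
    redirect = wifi.findtext(q("ClientTriggerRedirectURI")) or ""
    host = urlparse(redirect).hostname
    return {
        "methods": methods,
        "mac": mac,
        "mac_ok": len(mac) == 12 and all(c in "0123456789abcdefABCDEF" for c in mac),
        # The OSU client listens on this URI itself, so anything other than
        # a loopback host is almost certainly a misconfiguration (assumption
        # of this example, not a rule stated by the cookbook).
        "redirect_is_loopback": host in ("localhost", "127.0.0.1", "::1"),
        "imsi": wifi.findtext(q("IMSI")),
    }


if __name__ == "__main__":
    info = parse_devdetail(DEVDETAIL_XML)
    for m in info["methods"]:
        print("EAP type %d (%s) inner=%s" % (m["type"], m["name"], m["inner"]))
    print("MAC %s valid=%s, IMSI %s, redirect loopback=%s"
          % (info["mac"], info["mac_ok"], info["imsi"], info["redirect_is_loopback"]))
```

Point the script at the real file with `parse_devdetail(open("/home/lanforge/wifi/osu_wlan2/devdetail.xml").read())` to check a hand-edited copy before running the sign-up.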
      

  4. Create two MAC-VLANs for two hostapd RADIUS server instances.

    1. Go to the Port Manager tab, select eth1, select Create, select MAC-VLAN, quantity 2 then Apply.

    2. Double-click each new MAC-VLAN interface in the Port-Mgr tab to modify it. Select the RADIUS checkbox, which starts a hostapd-based RADIUS server on the interface using the config files:
      /home/lanforge/wifi/hostapd_eth1#0.conf and /home/lanforge/wifi/hostapd_eth1#1.conf

      Because this is an all-in-one example, the hostapd RADIUS servers are referenced as localhost and the MAC-VLAN interfaces do not need IP addresses assigned. If the hostapd RADIUS servers were on different systems or networks, the appropriate IP address would be assigned here.

    3. Create config file:
      /home/lanforge/wifi/hostapd_eth1#0.conf for the hostapd RADIUS server on eth1#0.
      NOTE: The eap_user_file, eap_sim_db and radius_server_auth_port are unique for each RADIUS server.

      interface=eth1#0
      driver=wired
      logger_syslog=-1
      logger_syslog_level=2
      logger_stdout=-1
      logger_stdout_level=2
      dump_file=/home/lanforge/wifi/hostapd_eth1#0.dump
      ctrl_interface=/var/run/hostapd
      ctrl_interface_group=0
      ieee8021x=1
      eapol_key_index_workaround=0
      eap_server=1
      eap_user_file=/home/lanforge/hs20/AS/hostapd-osen.eap_user
      server_id=ct523-3n-f20
      eap_sim_db=unix:/tmp/hlr_auc_gw.sock
      radius_server_auth_port=1820
      radius_server_clients=/home/lanforge/hs20/AS/hostap.radius_clients
      
      ca_cert=/home/lanforge/hs20/ca/ca.pem
      server_cert=/home/lanforge/hs20/ca/server.pem
      private_key=/home/lanforge/hs20/ca/server.key
      private_key_passwd=lanforge
      
      ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
      

    4. Create config file:
      /home/lanforge/wifi/hostapd_eth1#1.conf for the hostapd RADIUS server on eth1#1.
      NOTE: The eap_user_file, eap_sim_db and radius_server_auth_port are unique for each RADIUS server.

      interface=eth1#1
      driver=wired
      logger_syslog=-1
      logger_syslog_level=2
      logger_stdout=-1
      logger_stdout_level=2
      dump_file=/home/lanforge/wifi/hostapd_eth1#1.dump
      ctrl_interface=/var/run/hostapd
      ctrl_interface_group=0
      ieee8021x=1
      eapol_key_index_workaround=0
      eap_server=1
      eap_user_file=sqlite:/home/lanforge/hs20/AS/DB/eap_user.db
      server_id=ct523-3n-f20
      eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/home/lanforge/hs20/AS/DB/eap_sim.db
      radius_server_auth_port=1821
      radius_server_clients=/home/lanforge/hs20/AS/hostap.radius_clients
      
      ca_cert=/home/lanforge/hs20/ca/ca.pem
      server_cert=/home/lanforge/hs20/ca/server.pem
      private_key=/home/lanforge/hs20/ca/server.key
      private_key_passwd=lanforge
      
      ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
      

    5. Start the hlr_auc_gw tool:

      cd /home/lanforge
      . lanforge.profile
      hlr_auc_gw -m /etc/hlr_auc_gw.milenage_db > /tmp/hlr_auc_gw.log &
      NOTE: If the hlr_auc_gw does not start, you may have to remove the file /tmp/hlr_auc_gw.sock first.

    6. Reset the MAC-VLAN interfaces on the Port Mgr tab so that the new hostapd RADIUS servers are started. Check that they are running with the command:

      ps auxwww | grep hostapd_eth

      If they are not running, check the log files for problems:
      cat /home/lanforge/wifi/hostapd_log_eth1#0.txt
      cat /home/lanforge/wifi/hostapd_log_eth1#1.txt

  5. Create two VAPs for the HotSpot 2.0 Release 2 Network.

    1. Go to the Port Mgr tab and create one VAP on wiphy0 and one VAP on wiphy1.

    2. Modify the first VAP on wiphy0 to be the OSEN AP. Configure IP Address and SSID.

    3. Select the Advanced Configuration tab in the Port-Modify window to configure 802.1x and RADIUS server information.

    4. Select the Custom WiFi tab to add the following lines for HotSpot 2.0 Release 2.

      ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der

    5. Modify the second VAP on wiphy1 to be the Passpoint AP. Configure IP Address and SSID.

    6. Select the Advanced Configuration tab in the Port-Modify window to configure 802.1x, 802.1u, HotSpot 2.0, RADIUS server and other information.

    7. Select the Custom WiFi tab to add the following lines for HotSpot 2.0 Release 2.

      hs20_icon=64:64:eng:image/png:logo-64x64.png:/home/lanforge/hs20/www/logo-64x64.png
      osu_ssid="ABCD-1234"
      osu_server_uri=https://osu-server.ct523-3n-f20.lanforge.local/hs20/spp.php/signup?realm=ct523-3n-f20.lanforge.local
      osu_friendly_name=eng:LANforge HS20 Operator
      osu_nai=osen@lanforge.com
      osu_method_list=1 0
      osu_icon=logo-64x64.png
      osu_service_desc=eng:LANforge Example services
      

    8. Modify wiphy0 and wiphy1 to be on the same channel and select OK.

    9. In Netsmith, set up each VAP with DHCP Service on different IP networks.


    10. Check that the VAP hostapd processes are running with the command:

      ps auxwww | grep hostapd_vap

      If they are not running, check the log files for problems:
      tail -f /home/lanforge/wifi/hostapd_log_vap1.txt
      tail -f /home/lanforge/wifi/hostapd_log_vap2.txt

    For more information see WiFi Testing: Configuring a Virtual AP with Limited Stations
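
The two RADIUS configurations in step 4 and the Passpoint AP "Custom WiFi" lines in step 5 are plain hostapd key=value text, so the NOTE above (eap_user_file, eap_sim_db and radius_server_auth_port unique per RADIUS server) can be checked mechanically before the interfaces are reset. The following Python script is an added example, not LANforge's or hostapd's own code: it parses that syntax, compares the two RADIUS configs, and sanity-checks the osu_* lines (https OSU server URI, hs20_icon field layout and its name matching osu_icon, osu_method_list values). The embedded configs are trimmed copies of the ones above; the function names are this example's own.

```python
"""Added example (not from the LANforge cookbook or hostapd): parse
hostapd-style configuration text and check the invariants the cookbook
states for the two RADIUS servers and the Passpoint AP custom lines."""
from urllib.parse import urlparse


def parse_hostapd_conf(text):
    """Parse hostapd.conf syntax: 'key=value' per line, '#' comment lines,
    blank lines ignored. Values keep everything after the first '=' so
    names containing '#' (eth1#0) survive. Repeated keys (hs20_icon may
    appear several times) are collected in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed hostapd line: %r" % line)
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def first(conf, key):
    """Return the first value for key, or None if it is not set."""
    return conf.get(key, [None])[0]


# Keys the cookbook says must differ between the two RADIUS instances.
PER_SERVER_UNIQUE = ("eap_user_file", "eap_sim_db", "radius_server_auth_port")
# Keys both instances share in this all-in-one setup (same CA, cert, OCSP cache).
SHARED = ("ca_cert", "server_cert", "private_key", "ocsp_stapling_response")


def check_radius_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for key in PER_SERVER_UNIQUE:
        if first(a, key) is None or first(a, key) == first(b, key):
            problems.append("%s must be set and unique per server" % key)
    for key in SHARED:
        if first(a, key) != first(b, key):
            problems.append("%s differs between the two servers" % key)
    for conf in (a, b):
        name = first(conf, "interface")
        if first(conf, "eap_server") != "1" or first(conf, "ieee8021x") != "1":
            problems.append("%s: EAP/RADIUS server not enabled" % name)
        if first(conf, "ocsp_stapling_response") is None:
            problems.append("%s: no stapled OCSP response; clients with OCSP=Required will fail" % name)
    return problems


def check_passpoint_lines(conf):
    """Sanity checks for the Passpoint AP 'Custom WiFi' lines."""
    problems = []
    if urlparse(first(conf, "osu_server_uri") or "").scheme != "https":
        problems.append("osu_server_uri must be an https URL")
    # hs20_icon layout: width:height:lang:mime-type:name:path
    fields = (first(conf, "hs20_icon") or "").split(":", 5)
    if len(fields) != 6 or not (fields[0].isdigit() and fields[1].isdigit()):
        problems.append("hs20_icon is not width:height:lang:type:name:path")
    elif first(conf, "osu_icon") != fields[4]:
        problems.append("osu_icon does not name the advertised hs20_icon")
    # osu_method_list values: 0 = OMA-DM, 1 = SOAP-XML SPP
    if not set((first(conf, "osu_method_list") or "").split()) <= {"0", "1"}:
        problems.append("osu_method_list may only contain 0 and 1")
    return problems


# Constructed copies of the cookbook's configuration, trimmed to the keys
# the checks look at.
RADIUS_0 = """
interface=eth1#0
ieee8021x=1
eap_server=1
eap_user_file=/home/lanforge/hs20/AS/hostapd-osen.eap_user
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
radius_server_auth_port=1820
ca_cert=/home/lanforge/hs20/ca/ca.pem
server_cert=/home/lanforge/hs20/ca/server.pem
private_key=/home/lanforge/hs20/ca/server.key
ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
"""
RADIUS_1 = """
interface=eth1#1
ieee8021x=1
eap_server=1
eap_user_file=sqlite:/home/lanforge/hs20/AS/DB/eap_user.db
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/home/lanforge/hs20/AS/DB/eap_sim.db
radius_server_auth_port=1821
ca_cert=/home/lanforge/hs20/ca/ca.pem
server_cert=/home/lanforge/hs20/ca/server.pem
private_key=/home/lanforge/hs20/ca/server.key
ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
"""
PASSPOINT = """
hs20_icon=64:64:eng:image/png:logo-64x64.png:/home/lanforge/hs20/www/logo-64x64.png
osu_ssid="ABCD-1234"
osu_server_uri=https://osu-server.ct523-3n-f20.lanforge.local/hs20/spp.php/signup?realm=ct523-3n-f20.lanforge.local
osu_nai=osen@lanforge.com
osu_method_list=1 0
osu_icon=logo-64x64.png
"""

if __name__ == "__main__":
    r0, r1 = parse_hostapd_conf(RADIUS_0), parse_hostapd_conf(RADIUS_1)
    print("radius pair:", check_radius_pair(r0, r1) or "ok")
    print("passpoint:", check_passpoint_lines(parse_hostapd_conf(PASSPOINT)) or "ok")
```

To check the live files, read /home/lanforge/wifi/hostapd_eth1#0.conf and hostapd_eth1#1.conf into parse_hostapd_conf in place of the embedded strings; the checks are the same.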

  6. Start the Online Certificate Status Protocol (OCSP) script, which restarts the OCSP Responder and updates the stapled-response cache once per minute. It is only required on the VAP or server side of a HotSpot 2.0 R2 network.

    cd /home/lanforge
    ./ocsp.bash > /dev/null 2>&1 &
    

  7. In Netsmith, we can label the two Virtual Routers containing each VAP. We also set up a single TCP connection named 'test1' between the client (wlan2) and a virtual interface connected to the Passpoint AP. In this way, we can verify that the client is only allowed to pass traffic once it has met the authentication requirements for the HotSpot and Service Provider Networks.

      For more information see: Virtual Router with NAT Cookbook, Virtual Router with DHCP Cookbook

  8. Setup wlan2 as the HotSpot 2.0 R2 client.

    1. Modify wlan2 on the Port Mgr tab, set the SSID to the OSEN AP's SSID ('ABCD-1234' in this example) and set the authentication to OSEN.

    2. In wlan2 Advanced WiFi Settings, select Advanced/802.1x, set Key Management, EAP Identity and CA Cert File.

    3. In wlan2 Misc Configuration, set OCSP to Required.

    4. Admin up wlan2 and it will associate with the OSEN AP and obtain an IP address on the OSEN AP IP network.

  9. Initiate Online Sign-Up

    1. In a terminal window type the following:

      cd /home/lanforge/wifi/osu_wlan2
      ~lanforge/local/hs20/client/hs20-osu-client -x /home/lanforge/local/hs20/spp/spp.xsd -dd -S wlan2 signup
      

    2. Select 'LANforge HS20 Operator' from the Service Provider List.

    3. Select 'Sign up for free access' from the Online Sign-Up page.

    4. Select the Accept button to complete the Online Sign-Up.

  10. Client wlan2 will obtain an IP address on the Passpoint AP IP network and TCP connection 'test1' can now pass traffic.


  11. If wlan2 is reset or reassociates with the OSEN AP, you will have to remove the Service Provider (SP) directory before attempting the Online Sign-Up again.

    cd /home/lanforge/wifi/osu_wlan2
    rm -rf SP


Candela  Technologies, 2417 Main Street, Suite 201, Ferndale, WA 98248, USA