Requires LANforge 5.3.2 or later on Fedora 20 or later.
For more information see: WiFi Alliance Passpoint Release 2 Deployment Guidelines https://www.wi-fi.org/file/passpoint-release-2-deployment-guidelines
Run LANforge installation script to begin hostapd RADIUS, certificates and HotSpot 2.0 setup:
cd /home/lanforge
./lf_kinstall.pl --lfver 5.3.2 --do_radius --do_hs20
Make two copies of the ca.pem certificate to different directories:
cp /home/lanforge/hs20/ca/ca.pem /home/lanforge/ota-ca.pem
cp /home/lanforge/hs20/ca/ca.pem /home/lanforge/wifi/osu_wlan2/osu-ca.pem
ota-ca.pem is used by the client for Over-The-Air authentication to the OSEN AP.
Create devinfo.xml and devdetail.xml files in /home/lanforge/wifi/osu_wlan2
/home/lanforge/wifi/osu_wlan2/devinfo.xml
<DevInfo xmlns="urn:oma:mo:oma-dm-devinfo:1.0">
  <DevId>urn:Example:HS20-station:123456</DevId>
  <Man>Manufacturer</Man>
  <Mod>HS20-station</Mod>
  <DmV>1.2</DmV>
  <Lang>en</Lang>
</DevInfo>
/home/lanforge/wifi/osu_wlan2/devdetail.xml
<DevDetail xmlns="urn:oma:mo:oma-dm-devdetail:1.0">
  <Ext>
    <org.wi-fi>
      <Wi-Fi>
        <EAPMethodList>
          <EAPMethod1>
            <EAPType>13</EAPType>
          </EAPMethod1>
          <EAPMethod2>
            <EAPType>21</EAPType>
            <InnerMethod>MS-CHAP-V2</InnerMethod>
          </EAPMethod2>
          <EAPMethod3>
            <EAPType>18</EAPType>
          </EAPMethod3>
          <EAPMethod4>
            <EAPType>23</EAPType>
          </EAPMethod4>
          <EAPMethod5>
            <EAPType>50</EAPType>
          </EAPMethod5>
        </EAPMethodList>
        <ManufacturingCertificate>false</ManufacturingCertificate>
        <Wi-FiMACAddress>020102030405</Wi-FiMACAddress>
        <IMSI>310026000000000</IMSI>
        <IMEI_MEID>imei:490123456789012</IMEI_MEID>
        <ClientTriggerRedirectURI>http://localhost:12345/</ClientTriggerRedirectURI>
        <Ops>
          <launchBrowserToURI></launchBrowserToURI>
          <negotiateClientCertTLS></negotiateClientCertTLS>
          <getCertificate></getCertificate>
        </Ops>
      </Wi-Fi>
    </org.wi-fi>
  </Ext>
  <URI>
    <MaxDepth>0</MaxDepth>
    <MaxTotLen>0</MaxTotLen>
    <MaxSegLen>0</MaxSegLen>
  </URI>
  <DevType>MobilePhone</DevType>
  <OEM>Manufacturer</OEM>
  <FwV>1.0</FwV>
  <SwV>1.0</SwV>
  <HwV>1.0</HwV>
  <LrgObj>false</LrgObj>
</DevDetail>
Create two MAC-VLANs for two hostapd RADIUS server instances.
Go to the Port Manager tab, select eth1, select Create, select MAC-VLAN, quantity 2 then Apply.
Double-click each new MAC-VLAN interface in the Port-Mgr tab to modify it. Select the RADIUS checkbox, which runs a hostapd-based RADIUS server on each interface using the config files:
/home/lanforge/wifi/hostapd_eth1#0.conf and /home/lanforge/wifi/hostapd_eth1#1.conf
Because this is an all-in-one example, the hostapd RADIUS servers will be referenced to localhost and each MAC-VLAN interface will not need an IP address assigned. If the hostapd RADIUS servers were on different systems or networks, the appropriate IP address would be assigned here.
Create config file:
/home/lanforge/wifi/hostapd_eth1#0.conf for the hostapd RADIUS server on eth1#0.
NOTE: The eap_user_file and radius_server_auth_port must be unique for each RADIUS server. Everything else is shared between the two, including the eap_sim_db socket of the single hlr_auc_gw instance started below and the CA, server certificate, key and OCSP cache. private_key_passwd is stored in clear text, so keep these config files readable only by the LANforge user.
interface=eth1#0
driver=wired
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/home/lanforge/wifi/hostapd_eth1#0.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/home/lanforge/hs20/AS/hostapd-osen.eap_user
server_id=ct523-3n-f20
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
radius_server_auth_port=1820
radius_server_clients=/home/lanforge/hs20/AS/hostap.radius_clients
ca_cert=/home/lanforge/hs20/ca/ca.pem
server_cert=/home/lanforge/hs20/ca/server.pem
private_key=/home/lanforge/hs20/ca/server.key
private_key_passwd=lanforge
ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
Create config file:
/home/lanforge/wifi/hostapd_eth1#1.conf for the hostapd RADIUS server on eth1#1.
NOTE: As with eth1#0, the eap_user_file and radius_server_auth_port are unique to this server: it uses the SQLite eap_user.db and port 1821, and db= points hostapd at its own SQLite database. eap_sim_db is the same hlr_auc_gw socket used by eth1#0.
interface=eth1#1
driver=wired
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/home/lanforge/wifi/hostapd_eth1#1.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=sqlite:/home/lanforge/hs20/AS/DB/eap_user.db
server_id=ct523-3n-f20
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
db=/home/lanforge/hs20/AS/DB/eap_sim.db
radius_server_auth_port=1821
radius_server_clients=/home/lanforge/hs20/AS/hostap.radius_clients
ca_cert=/home/lanforge/hs20/ca/ca.pem
server_cert=/home/lanforge/hs20/ca/server.pem
private_key=/home/lanforge/hs20/ca/server.key
private_key_passwd=lanforge
ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
Start the hlr_auc_gw tool:
cd /home/lanforge
. lanforge.profile
hlr_auc_gw -m /etc/hlr_auc_gw.milenage_db > /tmp/hlr_auc_gw.log &
NOTE: If hlr_auc_gw does not start, you may have to remove a stale /tmp/hlr_auc_gw.sock first.
Reset the MAC-VLAN interfaces on the Port Mgr tab so that the new hostapd RADIUS servers are started. Check that they are running with the command:
ps auxwww |grep hostapd_eth
cat /home/lanforge/wifi/hostapd_log_eth1#0.txt
cat /home/lanforge/wifi/hostapd_log_eth1#1.txt
Create two VAPs for the HotSpot 2.0 Release 2 Network.
Go to the Port Mgr tab and create one VAP on wiphy0 and one VAP on wiphy1.
Modify the first VAP on wiphy0 to be the OSEN AP. Configure IP Address and SSID.
Select the Advanced Configuration tab in the Port-Modify window to configure 802.1x and RADIUS server information.
Select the Custom WiFi tab to add the following lines for HotSpot 2.0 Release 2.
ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
Modify the second VAP on wiphy1 to be the Passpoint AP. Configure IP Address and SSID.
Select the Advanced Configuration tab in the Port-Modify window to configure 802.1x, 802.1u, HotSpot 2.0, RADIUS server and other information.
Select the Custom WiFi tab to add the following lines for HotSpot 2.0 Release 2.
hs20_icon=64:64:eng:image/png:logo-64x64.png:/home/lanforge/hs20/www/logo-64x64.png
osu_ssid="ABCD-1234"
osu_server_uri=https://osu-server.ct523-3n-f20.lanforge.local/hs20/spp.php/signup?realm=ct523-3n-f20.lanforge.local
osu_friendly_name=eng:LANforge HS20 Operator
osu_nai=osen@lanforge.com
osu_method_list=1 0
osu_icon=logo-64x64.png
osu_service_desc=eng:LANforge Example services
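Before resetting the interfaces it is worth linting the two RADIUS server configs above and the Passpoint AP's Custom WiFi lines for the mistakes that are hard to diagnose from the hostapd logs: a radius_server_auth_port or eap_user_file copied unchanged from the first server to the second, a certificate or OCSP cache path that does not exist, an osu_server_uri that is not https, or an osu_icon name with no matching hs20_icon entry. The following Python script is an added example, not LANforge or hostapd code; the config strings in it are constructed, trimmed copies of the fragments on this page, and the exists argument lets you run the checks on a machine without the /home/lanforge tree.

```python
# Added example for this page (not LANforge or hostapd code): lint the two
# hostapd RADIUS server configs and the Passpoint AP's OSU lines for mistakes
# that are hard to spot in hostapd's logs. The config strings are constructed,
# trimmed copies of the fragments shown on this page.
import os
from urllib.parse import urlparse

RADIUS_ETH1_0 = """
interface=eth1#0
eap_user_file=/home/lanforge/hs20/AS/hostapd-osen.eap_user
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
radius_server_auth_port=1820
radius_server_clients=/home/lanforge/hs20/AS/hostap.radius_clients
ca_cert=/home/lanforge/hs20/ca/ca.pem
server_cert=/home/lanforge/hs20/ca/server.pem
private_key=/home/lanforge/hs20/ca/server.key
ocsp_stapling_response=/home/lanforge/hs20/ca/ocsp-server-cache.der
"""
# The second server differs only in interface, EAP user database and port.
RADIUS_ETH1_1 = (RADIUS_ETH1_0.replace("eth1#0", "eth1#1")
                 .replace("/home/lanforge/hs20/AS/hostapd-osen.eap_user",
                          "sqlite:/home/lanforge/hs20/AS/DB/eap_user.db")
                 .replace("auth_port=1820", "auth_port=1821"))

PASSPOINT_OSU = """
hs20_icon=64:64:eng:image/png:logo-64x64.png:/home/lanforge/hs20/www/logo-64x64.png
osu_ssid="ABCD-1234"
osu_server_uri=https://osu-server.ct523-3n-f20.lanforge.local/hs20/spp.php/signup?realm=ct523-3n-f20.lanforge.local
osu_nai=osen@lanforge.com
osu_method_list=1 0
osu_icon=logo-64x64.png
"""

# Values hostapd must be able to open as files.
FILE_KEYS = ("radius_server_clients", "ca_cert", "server_cert",
             "private_key", "ocsp_stapling_response")


def parse_hostapd(text):
    """hostapd-style key=value lines -> {key: [values]}; hs20_icon may repeat."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' only: URIs contain '='
        if not sep:
            raise ValueError("not a key=value line: %r" % raw)
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def first(cfg, key):
    return cfg[key][0] if cfg.get(key) else None


def lint_radius_servers(configs, exists=os.path.exists):
    """Cross-check the hostapd RADIUS server configs; returns a list of problems."""
    problems, seen = [], {}  # seen maps (key, value) -> interface that uses it
    for cfg in configs:
        name = first(cfg, "interface") or "?"
        if first(cfg, "eap_sim_db") is None:
            problems.append("%s: no eap_sim_db, EAP-SIM/AKA cannot be served" % name)
        # These two must differ between the servers; everything else may be shared.
        for key in ("radius_server_auth_port", "eap_user_file"):
            val = first(cfg, key)
            if val is None:
                problems.append("%s: missing %s" % (name, key))
            elif (key, val) in seen:
                problems.append("%s: %s=%s already used by %s" % (name, key, val, seen[(key, val)]))
            else:
                seen[(key, val)] = name
        for key in FILE_KEYS + ("eap_user_file",):
            path = first(cfg, key)
            if path is None:
                if key in FILE_KEYS:
                    problems.append("%s: missing %s" % (name, key))
            elif not exists(path.split("sqlite:", 1)[-1]):  # handles sqlite:<path>
                problems.append("%s: %s does not exist: %s" % (name, key, path))
    return problems


def lint_passpoint_osu(cfg, exists=os.path.exists):
    """Check the OSU lines of the Passpoint AP config; returns a list of problems."""
    problems = []
    uri = first(cfg, "osu_server_uri")
    if uri is None or urlparse(uri).scheme != "https":
        problems.append("osu_server_uri must be an https:// URL, got %r" % uri)
    methods = (first(cfg, "osu_method_list") or "").split()
    if not methods or any(m not in ("0", "1") for m in methods):
        problems.append("osu_method_list must list 0 (OMA-DM) and/or 1 (SOAP-XML SPP)")
    icons = {}
    for entry in cfg.get("hs20_icon", []):
        fields = entry.split(":", 5)  # width:height:lang:type:name:path
        if len(fields) != 6:
            problems.append("hs20_icon needs six ':'-separated fields: %r" % entry)
            continue
        icons[fields[4]] = fields[5]
        if not exists(fields[5]):
            problems.append("hs20_icon file does not exist: %s" % fields[5])
    for iname in cfg.get("osu_icon", []):
        if iname not in icons:
            problems.append("osu_icon %r has no matching hs20_icon entry" % iname)
    return problems
```

On the LANforge system itself, feed the real files in: lint_radius_servers([parse_hostapd(open(p).read()) for p in ("/home/lanforge/wifi/hostapd_eth1#0.conf", "/home/lanforge/wifi/hostapd_eth1#1.conf")]) and lint_passpoint_osu(parse_hostapd(open("/home/lanforge/wifi/hostapd_vap2.conf").read())), where the VAP config file name is an assumption about where LANforge writes the Custom WiFi lines. An empty list means the checks passed.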
Modify wiphy0 and wiphy1 to be on the same channel and select OK.
In Netsmith, setup each VAP with DHCP Service on different IP networks.
Check that the VAP hostapd processes are running with the command:
ps auxwww |grep hostapd_vap
tail -f /home/lanforge/wifi/hostapd_log_vap1.txt
tail -f /home/lanforge/wifi/hostapd_log_vap2.txt
For more information see WiFi Testing: Configuring a Virtual AP with Limited Stations
Start the Online Certificate Status Protocol (OCSP) script, which restarts the OCSP Responder and updates the cache file referenced by ocsp_stapling_response once per minute. It is only required on the VAP or server side of a HotSpot 2.0 R2 network. Because the client below is configured with OCSP set to Required, a stale or missing cache causes the client to reject the AP during the TLS-based EAP handshake, so make sure this script stays running.
cd /home/lanforge
./ocsp.bash > /dev/null 2>&1 &
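If ocsp.bash dies, or the responder starts answering with something other than a successful response, the cache file hostapd staples goes stale and every client with OCSP set to Required fails authentication with an OCSP error rather than a certificate error. The following Python check is an added example, not part of LANforge or its ocsp.bash: it compares the cache file's age with the once-a-minute refresh and decodes just the responseStatus field of the DER OCSPResponse. The two byte strings in it are constructed minimal response shells for testing, not real responder output, and the 300 second threshold is an assumption.

```python
# Added example (not part of LANforge or its ocsp.bash): sanity-check the OCSP
# cache file that hostapd staples (ocsp_stapling_response=...). It checks the
# file's age against the once-a-minute refresh and decodes the responseStatus
# of the DER OCSPResponse so a cached error response is caught before clients
# with OCSP set to Required start failing. MAX_AGE_S is an assumption.
import os
import time

CACHE_PATH = "/home/lanforge/hs20/ca/ocsp-server-cache.der"
MAX_AGE_S = 300  # assumption: refreshed every minute, so 5 minutes old means ocsp.bash died

# RFC 6960 OCSPResponseStatus values.
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed minimal OCSPResponse encodings for testing (responseBytes is
# OPTIONAL, so SEQUENCE { ENUMERATED status } is a valid response shell).
SAMPLE_SUCCESSFUL = bytes.fromhex("30030a0100")
SAMPLE_TRY_LATER = bytes.fromhex("30030a0103")


def der_tlv(buf, off):
    """Return (tag, value_offset, value_length) of the DER TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, off + 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def ocsp_response_status(der):
    """Decode responseStatus from OCSPResponse ::= SEQUENCE { ENUMERATED, [0] OPTIONAL }."""
    tag, off, length = der_tlv(der, 0)
    if tag != 0x30 or off + length > len(der):
        raise ValueError("not a complete DER SEQUENCE")
    tag, voff, vlen = der_tlv(der, off)
    if tag != 0x0A or vlen != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return der[voff]


def assess_ocsp_cache(der, mtime, now=None, max_age_s=MAX_AGE_S):
    """Return (ok, reason) for cache contents `der` last written at `mtime`."""
    age = (time.time() if now is None else now) - mtime
    if age > max_age_s:
        return False, "cache is %.0fs old; ocsp.bash has probably stopped refreshing it" % age
    try:
        status = ocsp_response_status(der)
    except (ValueError, IndexError) as exc:
        return False, "cache is not a parseable OCSPResponse: %s" % exc
    if status != 0:
        return False, ("cached responseStatus is %s; clients that require OCSP "
                       "will reject the AP" % OCSP_STATUS.get(status, status))
    return True, "successful response, %.0fs old" % age


def check_ocsp_cache_file(path=CACHE_PATH, max_age_s=MAX_AGE_S):
    """Run the check against the on-disk cache that hostapd serves."""
    with open(path, "rb") as fh:
        return assess_ocsp_cache(fh.read(), os.stat(path).st_mtime, max_age_s=max_age_s)


if __name__ == "__main__":
    ok, reason = check_ocsp_cache_file()
    print(("OK: " if ok else "FAIL: ") + reason)
```

The check deliberately stops at responseStatus; it does not verify the responder signature or the thisUpdate/nextUpdate window, which is what the client will enforce. To inspect those by hand use openssl ocsp -respin /home/lanforge/hs20/ca/ocsp-server-cache.der -text -noverify.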
In Netsmith, we can label the two Virtual Routers containing each VAP. We also setup a single TCP connection named 'test1' between the client (wlan2) and a virtual interface connected to the Passpoint AP. In this way, we can verify that the client is only allowed to pass traffic once it has met the authentication requirements for the HotSpot and Service Provider Networks.
Setup wlan2 as the HotSpot 2.0 R2 client.
Modify wlan2 on the Port Mgr tab: set the SSID to the OSEN AP's SSID ('ABCD-1234' in this example) and set the authentication to OSEN.
In wlan2 Advanced WiFi Settings, select Advanced/802.1x, set Key Management, EAP Identity and CA Cert File.
In wlan2 Misc Configuration, set OCSP to Required.
Admin up wlan2 and it will associate with the OSEN AP and obtain an IP address on the OSEN AP IP network.
Initiate Online Sign-Up
In a terminal window type the following:
cd /home/lanforge/wifi/osu_wlan2
~lanforge/local/hs20/client/hs20-osu-client -x /home/lanforge/local/hs20/spp/spp.xsd -dd -S wlan2 signup
Select 'LANforge HS20 Operator' from the Service Provider List.
Select 'Sign up for free access' from the Online Sign-Up page.
Select the Accept button to complete the Online Sign-Up.
Client wlan2 will obtain an IP address on the Passpoint AP IP network and TCP connection 'test1' can now pass traffic.
If wlan2 is reset or reassociates with the OSEN AP, you will have to remove the Service Provider (SP) directory before attempting the Online Sign-Up again.
cd /home/lanforge/wifi/osu_wlan2
rm -rf SP