1 wpa_supplicant and Hotspot 2.0
2 ==============================
4 This document describe how the IEEE 802.11u Interworking and Wi-Fi
5 Hotspot 2.0 (Release 1) implementation in wpa_supplicant can be
6 configured and how an external component on the client e.g., management
7 GUI or Wi-Fi framework) is used to manage this functionality.
10 Introduction to Wi-Fi Hotspot 2.0
11 ---------------------------------
13 Hotspot 2.0 is the name of the Wi-Fi Alliance specification that is used
14 in the Wi-Fi CERTIFIED Passpoint<TM> program. More information about
15 this is available in this white paper:
17 http://www.wi-fi.org/knowledge-center/white-papers/wi-fi-certified-passpoint%E2%84%A2-new-program-wi-fi-alliance%C2%AE-enable-seamless
19 The Hotspot 2.0 specification is also available from WFA:
20 https://www.wi-fi.org/knowledge-center/published-specifications
22 The core Interworking functionality (network selection, GAS/ANQP) were
23 standardized in IEEE Std 802.11u-2011 which is now part of the IEEE Std
27 wpa_supplicant configuration
28 ----------------------------
30 Interworking and Hotspot 2.0 functionality are optional components that
31 need to be enabled in the wpa_supplicant build configuration
32 (.config). This is done by adding following parameters into that file:
37 It should be noted that this functionality requires a driver that
38 supports GAS/ANQP operations. This uses the same design as P2P, i.e.,
39 Action frame processing and building in user space within
40 wpa_supplicant. The Linux nl80211 driver interface provides the needed
41 functionality for this.
44 There are number of run-time configuration parameters (e.g., in
45 wpa_supplicant.conf when using the configuration file) that can be used
46 to control Hotspot 2.0 operations.
54 # Parameters for controlling scanning
56 # Homogenous ESS identifier
57 # If this is set, scans will be used to request response only from BSSes
58 # belonging to the specified Homogeneous ESS. This is used only if interworking
60 #hessid=00:11:22:33:44:55
63 # When Interworking is enabled, scans can be limited to APs that advertise the
64 # specified Access Network Type (0..15; with 15 indicating wildcard match).
65 # This value controls the Access Network Type value in Probe Request frames.
66 #access_network_type=15
69 Credentials can be pre-configured for automatic network selection:
73 # Each credential used for automatic network selection is configured as a set
74 # of parameters that are compared to the information advertised by the APs when
75 # interworking_select and interworking_connect commands are used.
79 # priority: Priority group
80 # By default, all networks and credentials get the same priority group
81 # (0). This field can be used to give higher priority for credentials
82 # (and similarly in struct wpa_ssid for network blocks) to change the
83 # Interworking automatic networking selection behavior. The matching
84 # network (based on either an enabled network block or a credential)
85 # with the highest priority value will be selected.
87 # pcsc: Use PC/SC and SIM/USIM card
89 # realm: Home Realm for Interworking
91 # username: Username for Interworking network selection
93 # password: Password for Interworking network selection
95 # ca_cert: CA certificate for Interworking network selection
97 # client_cert: File path to client certificate file (PEM/DER)
98 # This field is used with Interworking networking selection for a case
99 # where client certificate/private key is used for authentication
100 # (EAP-TLS). Full path to the file should be used since working
101 # directory may change when wpa_supplicant is run in the background.
103 # Alternatively, a named configuration blob can be used by setting
104 # this to blob://blob_name.
106 # private_key: File path to client private key file (PEM/DER/PFX)
107 # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
108 # commented out. Both the private key and certificate will be read
109 # from the PKCS#12 file in this case. Full path to the file should be
110 # used since working directory may change when wpa_supplicant is run
113 # Windows certificate store can be used by leaving client_cert out and
114 # configuring private_key in one of the following formats:
116 # cert://substring_to_match
118 # hash://certificate_thumbprint_in_hex
120 # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
122 # Note that when running wpa_supplicant as an application, the user
123 # certificate store (My user account) is used, whereas computer store
124 # (Computer account) is used when running wpasvc as a service.
126 # Alternatively, a named configuration blob can be used by setting
127 # this to blob://blob_name.
129 # private_key_passwd: Password for private key file
131 # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
133 # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
136 # domain: Home service provider FQDN
137 # This is used to compare against the Domain Name List to figure out
138 # whether the AP is operated by the Home SP.
140 # roaming_consortium: Roaming Consortium OI
141 # If roaming_consortium_len is non-zero, this field contains the
142 # Roaming Consortium OI that can be used to determine which access
143 # points support authentication with this credential. This is an
144 # alternative to the use of the realm parameter. When using Roaming
145 # Consortium to match the network, the EAP parameters need to be
146 # pre-configured with the credential since the NAI Realm information
147 # may not be available or fetched.
149 # eap: Pre-configured EAP method
150 # This optional field can be used to specify which EAP method will be
151 # used with this credential. If not set, the EAP method is selected
152 # automatically based on ANQP information (e.g., NAI Realm).
154 # phase1: Pre-configure Phase 1 (outer authentication) parameters
155 # This optional field is used with like the 'eap' parameter.
157 # phase2: Pre-configure Phase 2 (inner authentication) parameters
158 # This optional field is used with like the 'eap' parameter.
163 # realm="example.com"
164 # username="user@example.com"
165 # password="password"
166 # ca_cert="/etc/wpa_supplicant/ca.pem"
167 # domain="example.com"
171 # imsi="310026-000000000"
172 # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
176 # realm="example.com"
178 # password="password"
179 # ca_cert="/etc/wpa_supplicant/ca.pem"
180 # domain="example.com"
181 # roaming_consortium=223344
183 # phase2="auth=MSCHAPV2"
190 wpa_supplicant provides a control interface that can be used from
191 external programs to manage various operations. The included command
192 line tool, wpa_cli, can be used for manual testing with this interface.
194 Following wpa_cli interactive mode commands show some examples of manual
195 operations related to Hotspot 2.0:
197 Remove configured networks and credentials:
205 Add a username/password credential:
209 > set_cred 0 realm "mail.example.com"
211 > set_cred 0 username "username"
213 > set_cred 0 password "password"
215 > set_cred 0 priority 1
218 Add a SIM credential using a simulated SIM/USIM card for testing:
222 > set_cred 1 imsi "23456-0000000000"
224 > set_cred 1 milenage "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
226 > set_cred 1 priority 1
229 Note: the return value of add_cred is used as the first argument to
230 the following set_cred commands.
233 Add a WPA2-Enterprise network:
237 > set_network 0 key_mgmt WPA-EAP
239 > set_network 0 ssid "enterprise"
241 > set_network 0 eap TTLS
243 > set_network 0 anonymous_identity "anonymous"
245 > set_network 0 identity "user"
247 > set_network 0 password "password"
249 > set_network 0 priority 0
251 > enable_network 0 no-connect
259 > set_network 3 key_mgmt NONE
261 > set_network 3 ssid "coffee-shop"
266 Note: the return value of add_network is used as the first argument to
267 the following set_network commands.
269 The preferred credentials/networks can be indicated with the priority
270 parameter (1 is higher priority than 0).
273 Interworking network selection can be started with interworking_select
274 command. This instructs wpa_supplicant to run a network scan and iterate
275 through the discovered APs to request ANQP information from the APs that
276 advertise support for Interworking/Hotspot 2.0:
278 > interworking_select
280 <3>Starting ANQP fetch for 02:00:00:00:01:00
281 <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
282 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
283 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
284 <3>ANQP fetch completed
285 <3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown
288 INTERWORKING-AP event messages indicate the APs that support network
289 selection and for which there is a matching
290 credential. interworking_connect command can be used to select a network
294 > interworking_connect 02:00:00:00:01:00
296 <3>CTRL-EVENT-SCAN-RESULTS
297 <3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
298 <3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
299 <3>Associated with 02:00:00:00:01:00
300 <3>CTRL-EVENT-EAP-STARTED EAP authentication started
301 <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
302 <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
303 <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
304 <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
305 <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (auth) [id=0 id_str=]
308 wpa_supplicant creates a temporary network block for the selected
309 network based on the configured credential and ANQP information from the
313 network id / ssid / bssid / flags
314 0 Example Network any [CURRENT]
315 > get_network 0 key_mgmt
321 Alternatively to using an external program to select the network,
322 "interworking_select auto" command can be used to request wpa_supplicant
323 to select which network to use based on configured priorities:
328 <3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=1 locally_generated=1
329 > interworking_select auto
331 <3>Starting ANQP fetch for 02:00:00:00:01:00
332 <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
333 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
334 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
335 <3>ANQP fetch completed
336 <3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown
337 <3>CTRL-EVENT-SCAN-RESULTS
338 <3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
339 <3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
340 <3>Associated with 02:00:00:00:01:00
341 <3>CTRL-EVENT-EAP-STARTED EAP authentication started
342 <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
343 <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
344 <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
345 <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
346 <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (reauth) [id=0 id_str=]
349 The connection status can be shown with the status command:
352 bssid=02:00:00:00:01:00
356 pairwise_cipher=CCMP <--- link layer security indication
358 key_mgmt=WPA2/IEEE 802.1X/EAP
360 p2p_device_address=02:00:00:00:00:00
361 address=02:00:00:00:00:00
362 hs20=1 <--- HS 2.0 indication
363 Supplicant PAE state=AUTHENTICATED
364 suppPortStatus=Authorized
366 selectedMethod=21 (EAP-TTLS)
367 EAP TLS cipher=AES-128-SHA
368 EAP-TTLSv0 Phase2 method=PAP
372 bssid=02:00:00:00:02:00
380 p2p_device_address=02:00:00:00:00:00
381 address=02:00:00:00:00:00
384 Note: The Hotspot 2.0 indication is shown as "hs20=1" in the status
385 command output. Link layer security is indicated with the
386 pairwise_cipher (CCMP = secure, NONE = no encryption used).
389 Also the scan results include the Hotspot 2.0 indication:
392 bssid / frequency / signal level / flags / ssid
393 02:00:00:00:01:00 2412 -30 [WPA2-EAP-CCMP][ESS][HS20] Example Network
396 ANQP information for the BSS can be fetched using the BSS command:
398 > bss 02:00:00:00:01:00
400 bssid=02:00:00:00:01:00
409 ie=000f4578616d706c65204e6574776f726b010882848b960c1218240301012a010432043048606c30140100000fac040100000fac040100000fac0100007f04000000806b091e07010203040506076c027f006f1001531122331020304050010203040506dd05506f9a1000
410 flags=[WPA2-EAP-CCMP][ESS][HS20]
412 anqp_roaming_consortium=031122330510203040500601020304050603fedcba
415 ANQP queries can also be requested with the anqp_get and hs20_anqp_get
418 > anqp_get 02:00:00:00:01:00 261
420 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
421 > hs20_anqp_get 02:00:00:00:01:00 2
423 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
425 In addition, fetch_anqp command can be used to request similar set of
426 ANQP queries to be done as is run as part of interworking_select:
430 <3>CTRL-EVENT-SCAN-RESULTS
433 <3>Starting ANQP fetch for 02:00:00:00:01:00
434 <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
435 <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
436 <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
437 <3>ANQP fetch completed