HS 2.0: Add some documentation for OSEN and network block use

This adds notes on how wpa_supplicant can be configured for OSEN for a
link-layer protected online signup connection and how network profiles
can be set for a Hotspot 2.0 data connection when using external
Interworking network selection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 2016-01-04 21:34:39 +02:00 committed by Jouni Malinen
parent e114e999e0
commit aeb408fff1
2 changed files with 69 additions and 0 deletions


@ -564,3 +564,68 @@ OK
<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
<3>ANQP fetch completed
Hotspot 2.0 Rel 2 online signup and OSEN
----------------------------------------
Following parameters can be used to create a network profile for
link-layer protected Hotspot 2.0 online signup connection with
OSEN. Note that ssid and identify (NAI) values need to be set based on
the information for the selected provider in the OSU Providers list
ANQP-element.
network={
ssid="HS 2.0 OSU"
proto=OSEN
key_mgmt=OSEN
pairwise=CCMP
group=GTK_NOT_USED
eap=WFA-UNAUTH-TLS
identity="anonymous@example.com"
ca_cert="osu-ca.pem"
ocsp=2
}
Hotspot 2.0 connection with external network selection
------------------------------------------------------
When an component controlling wpa_supplicant takes care of Interworking
network selection, following configuration and network profile
parameters can be used to configure a temporary network profile for a
Hotspot 2.0 connection (e.g., with SET, ADD_NETWORK, SET_NETWORK, and
SELECT_NETWORK control interface commands):
interworking=1
hs20=1
auto_interworking=0
network={
ssid="test-hs20"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
anonymous_identity="anonymous@example.com"
identity="hs20-test@example.com"
password="password"
ca_cert="ca.pem"
eap=TTLS
phase2="auth=MSCHAPV2"
update_identifier=54321
#ocsp=2
}
These parameters are set based on the PPS MO credential and/or NAI Realm
list ANQP-element:
anonymous_identity: Credential/UsernamePassword/Username with username part
replaced with "anonymous"
identity: Credential/UsernamePassword/Username
password: Credential/UsernamePassword/Password
update_identifier: PPS/UpdateIdentifier
ca_cert: from the downloaded trust root based on PPS information
eap: Credential/UsernamePassword/EAPMethod or NAI Realm list
phase2: Credential/UsernamePassword/EAPMethod or NAI Realm list
ocsp: Credential/CheckAAAServerCertStatus
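Review bot: In the external network selection example, "#ocsp=2" is left commented out without explanation, while the mapping list at the end derives ocsp from Credential/CheckAAAServerCertStatus, so a reader cannot tell when the line should be enabled or which value corresponds to that node. Suggest adding one sentence next to the mapping, for example that ocsp=2 is set when CheckAAAServerCertStatus is true and the parameter is left out otherwise, and noting that the OSEN profile above always sets ocsp=2. Two wording fixes in the same hunk: "ssid and identify (NAI) values" in the OSEN paragraph should read "identity", and "When an component controlling wpa_supplicant" should read "When a component". The example also carries password="password" next to a real-looking identity; a short remark that these are placeholder values taken from the PPS MO would keep the block from being copied as is.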


@ -762,6 +762,7 @@ fast_reauth=1
# FT-SAE = SAE with FT
# WPA-EAP-SUITE-B = Suite B 128-bit level
# WPA-EAP-SUITE-B-192 = Suite B 192-bit level
# OSEN = Hotspot 2.0 Rel 2 online signup connection
# If not set, this defaults to: WPA-PSK WPA-EAP
#
# ieee80211w: whether management frame protection is enabled
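Review bot: The new "# OSEN = Hotspot 2.0 Rel 2 online signup connection" entry documents OSEN only as a key_mgmt value, but the README example added by this same patch also requires proto=OSEN, and none of the hunks shown adds OSEN to the list of proto values. Suggest adding the matching line to the proto description so the two parameters are documented together, and mentioning here that key_mgmt=OSEN is meant to be used with proto=OSEN as in the README profile.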
@ -1121,6 +1122,9 @@ fast_reauth=1
# number of authentication servers. Strict EAP conformance mode can be
# configured by disabling workarounds with eap_workaround=0.
# update_identifier: PPS MO ID
# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
# Station inactivity limit
#
# If a station does not send anything in ap_max_inactivity seconds, an
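Review bot: The update_identifier comment names its source as "PerProviderSubscription/UpdateIdentifier" while the README hunk in this patch writes "PPS/UpdateIdentifier"; use one spelling in both files, or expand the abbreviation once, so the two descriptions can be matched by search. The entry also does not state the value type. The README example uses update_identifier=54321, so saying that it is an integer taken from the PPS MO would make the comment self-contained.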