Hotspot 2.0 OSU server ====================== The information in this document is based on the assumption that Ubuntu 16.04 server (64-bit) distribution is used and the web server is Apache2. Neither of these are requirements for the installation, but if other combinations are used, the package names and configuration parameters may need to be adjusted. NOTE: This implementation and the example configuration here is meant only for testing purposes in a lab environment. This design is not secure to be installed in a publicly available Internet server without considerable amount of modification and review for security issues. Build dependencies ------------------ Ubuntu 16.04 server - default installation - upgraded to latest package versions sudo apt-get update sudo apt-get upgrade Packages needed for running the service: sudo apt-get install sqlite3 sudo apt-get install apache2 sudo apt-get install php-sqlite3 php-xml libapache2-mod-php Additional packages needed for building the components: sudo apt-get install build-essential sudo apt-get install libsqlite3-dev sudo apt-get install libssl-dev sudo apt-get install libxml2-dev Installation location --------------------- Select a location for the installation root directory. The example here assumes /home/user/hs20-server to be used, but this can be changed by editing couple of files as indicated below. sudo mkdir -p /home/user/hs20-server sudo chown $USER /home/user/hs20-server mkdir -p /home/user/hs20-server/spp mkdir -p /home/user/hs20-server/AS Build ----- # hostapd as RADIUS server cd hostapd #example build configuration cat > .config < /home/user/hs20-server/terms-and-conditions <Terms and conditions..

EOF # Build local keys and certs cd ca # Display help options. ./setup.sh -h # Remove old keys, fill in appropriate values, and generate your keys. # For instance: ./clean.sh rm -fr rootCA" old_hostname=myserver.local ./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" \ -o $old_hostname-osu-client \ -O $old_hostname-oscp -p lanforge -S $old_hostname \ -V $old_hostname-osu-revoked \ -m local -u http://$old_hostname:8888/ # Configure subscription policies mkdir -p /home/user/hs20-server/spp/policy cat > /home/user/hs20-server/spp/policy/default.xml < 30 ClientInitiated Unrestricted https://policy-server.osu.example.com/hs20/spp.php EOF # Install Hotspot 2.0 SPP and OMA DM XML schema/DTD files # XML schema for SPP # Copy the latest XML schema into /home/user/hs20-server/spp/spp.xsd # OMA DM Device Description Framework DTD # Copy into /home/user/hs20-server/spp/dm_ddf-v1_2.dtd # http://www.openmobilealliance.org/tech/DTD/dm_ddf-v1_2.dtd # Configure RADIUS authentication service # Note: Change the URL to match the setup # Note: Install AAA server key/certificate and root CA in Key directory cat > /home/user/hs20-server/AS/as-sql.conf < /home/user/hs20-server/AS/as.radius_clients < Options Indexes MultiViews FollowSymLinks AllowOverride None Require all granted SSLOptions +StdEnvVars Update SSL configuration to use the OSU server certificate/key. They keys and certs are called 'server.key' and 'server.pem' from ca/setup.sh. To support subscription remediation using client certificates, set "SSLVerifyClient optional" and configure the trust root CA(s) for the client certificates with SSLCACertificateFile. Enable default-ssl site and restart Apache2: sudo a2ensite default-ssl sudo a2enmod ssl sudo service apache2 restart Management UI ------------- The sample PHP scripts include a management UI for testing purposes. That is available at https:///hs20/users.php AP configuration ---------------- APs can now be configured to use the OSU server as the RADIUS authentication server. In addition, the OSU Provider List ANQP element should be configured to use the SPP (SOAP+XML) option and with the following Server URL: https:///hs20/spp.php/signup?realm=example.com