Hotspot 2.0 OSU server
======================
The information in this document is based on the assumption that Ubuntu
16.04 server (64-bit) distribution is used and the web server is
Apache2. Neither of these are requirements for the installation, but if
other combinations are used, the package names and configuration
parameters may need to be adjusted.
NOTE: This implementation and the example configuration here is meant
only for testing purposes in a lab environment. This design is not
secure to be installed in a publicly available Internet server without
considerable amount of modification and review for security issues.
Build dependencies
------------------
Ubuntu 16.04 server
- default installation
- upgraded to latest package versions
sudo apt-get update
sudo apt-get upgrade
Packages needed for running the service:
sudo apt-get install sqlite3
sudo apt-get install apache2
sudo apt-get install php-sqlite3 php-xml libapache2-mod-php
Additional packages needed for building the components:
sudo apt-get install build-essential
sudo apt-get install libsqlite3-dev
sudo apt-get install libssl-dev
sudo apt-get install libxml2-dev
Installation location
---------------------
Select a location for the installation root directory. The example here
assumes /home/user/hs20-server to be used, but this can be changed by
editing couple of files as indicated below.
sudo mkdir -p /home/user/hs20-server
sudo chown $USER /home/user/hs20-server
mkdir -p /home/user/hs20-server/spp
mkdir -p /home/user/hs20-server/AS
Build
-----
# hostapd as RADIUS server
cd hostapd
#example build configuration
cat > .config < /home/user/hs20-server/terms-and-conditions <Terms and conditions..
EOF
# Build local keys and certs
cd ca
# Display help options.
./setup.sh -h
# Remove old keys, fill in appropriate values, and generate your keys.
# For instance:
./clean.sh
rm -fr rootCA"
old_hostname=myserver.local
./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" \
-o $old_hostname-osu-client \
-O $old_hostname-oscp -p lanforge -S $old_hostname \
-V $old_hostname-osu-revoked \
-m local -u http://$old_hostname:8888/
# Configure subscription policies
mkdir -p /home/user/hs20-server/spp/policy
cat > /home/user/hs20-server/spp/policy/default.xml <
30
ClientInitiated
Unrestricted
https://policy-server.osu.example.com/hs20/spp.php
EOF
# Install Hotspot 2.0 SPP and OMA DM XML schema/DTD files
# XML schema for SPP
# Copy the latest XML schema into /home/user/hs20-server/spp/spp.xsd
# OMA DM Device Description Framework DTD
# Copy into /home/user/hs20-server/spp/dm_ddf-v1_2.dtd
# http://www.openmobilealliance.org/tech/DTD/dm_ddf-v1_2.dtd
# Configure RADIUS authentication service
# Note: Change the URL to match the setup
# Note: Install AAA server key/certificate and root CA in Key directory
cat > /home/user/hs20-server/AS/as-sql.conf < /home/user/hs20-server/AS/as.radius_clients <
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Require all granted
Update SSL configuration to use the OSU server certificate/key.
They keys and certs are called 'server.key' and 'server.pem' from
ca/setup.sh.
Enable default-ssl site and restart Apache2:
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
Management UI
-------------
The sample PHP scripts include a management UI for testing
purposes. That is available at https:///hs20/users.php
AP configuration
----------------
APs can now be configured to use the OSU server as the RADIUS
authentication server. In addition, the OSU Provider List ANQP element
should be configured to use the SPP (SOAP+XML) option and with the
following Server URL:
https:///hs20/spp.php/signup?realm=example.com