xref: /freebsd/contrib/wpa/wpa_supplicant/README-HS20 (revision 357378bbdedf24ce2b90e9bd831af4a9db3ec70a)
wpa_supplicant and Hotspot 2.0
==============================

This document describes how the IEEE 802.11u Interworking and Wi-Fi
Hotspot 2.0 (Release 1) implementation in wpa_supplicant can be
configured and how an external component on the client (e.g., management
GUI or Wi-Fi framework) is used to manage this functionality.


Introduction to Wi-Fi Hotspot 2.0
---------------------------------

Hotspot 2.0 is the name of the Wi-Fi Alliance specification that is used
in the Wi-Fi CERTIFIED Passpoint<TM> program. More information about
this is available in this white paper:

http://www.wi-fi.org/knowledge-center/white-papers/wi-fi-certified-passpoint%E2%84%A2-new-program-wi-fi-alliance%C2%AE-enable-seamless

The Hotspot 2.0 specification is also available from WFA:
https://www.wi-fi.org/knowledge-center/published-specifications

The core Interworking functionality (network selection, GAS/ANQP) was
standardized in IEEE Std 802.11u-2011, which is now part of IEEE Std
802.11-2012.


wpa_supplicant network selection
--------------------------------

Interworking support adds an option for configuring credentials that can
work with multiple networks as an alternative to configuring network
blocks (i.e., per-SSID parameters). When requested to perform network
selection, wpa_supplicant picks the highest priority enabled network
block or credential. If a credential is picked (based on ANQP
information from APs), a temporary network block is created
automatically for the matching network. This temporary network block is
used similarly to the network blocks that can be configured by the user,
but it is not stored into the configuration file and is meant to be used
only for a temporary period of time since a new one can be created
whenever needed based on ANQP information and the credential.

By default, wpa_supplicant does not use automatic network selection
unless requested explicitly with the interworking_select command. This
can be changed with the auto_interworking=1 parameter to perform network
selection automatically whenever trying to find a network for connection
and none of the enabled network blocks match the scan results. This
case works similarly to "interworking_select auto", i.e., wpa_supplicant
will internally determine which network or credential is going to be
used based on configured priorities, scan results, and ANQP information.


wpa_supplicant configuration
----------------------------

Interworking and Hotspot 2.0 functionality are optional components that
need to be enabled in the wpa_supplicant build configuration
(.config). This is done by adding the following parameters into that file:

CONFIG_INTERWORKING=y
CONFIG_HS20=y

It should be noted that this functionality requires a driver that
supports GAS/ANQP operations. This uses the same design as P2P, i.e.,
Action frame processing and building in user space within
wpa_supplicant. The Linux nl80211 driver interface provides the needed
functionality for this.


There are a number of run-time configuration parameters (e.g., in
wpa_supplicant.conf when using the configuration file) that can be used
to control Hotspot 2.0 operations.

# Enable Interworking
interworking=1

# Enable Hotspot 2.0
hs20=1

# Parameters for controlling scanning

# Homogeneous ESS identifier
# If this is set, scans will be used to request response only from BSSes
# belonging to the specified Homogeneous ESS. This is used only if interworking
# is enabled.
#hessid=00:11:22:33:44:55

# Access Network Type
# When Interworking is enabled, scans can be limited to APs that advertise the
# specified Access Network Type (0..15; with 15 indicating wildcard match).
# This value controls the Access Network Type value in Probe Request frames.
#access_network_type=15

# Automatic network selection behavior
# 0 = do not automatically go through Interworking network selection
#     (i.e., require explicit interworking_select command for this; default)
# 1 = perform Interworking network selection if one or more
#     credentials have been configured and scan did not find a
#     matching network block
#auto_interworking=0


Credentials can be pre-configured for automatic network selection:

# credential block
#
# Each credential used for automatic network selection is configured as a set
# of parameters that are compared to the information advertised by the APs when
# interworking_select and interworking_connect commands are used.
#
# credential fields:
#
# temporary: Whether this credential is temporary and not to be saved
#
# priority: Priority group
#	By default, all networks and credentials get the same priority group
#	(0). This field can be used to give higher priority for credentials
#	(and similarly in struct wpa_ssid for network blocks) to change the
#	Interworking automatic network selection behavior. The matching
#	network (based on either an enabled network block or a credential)
#	with the highest priority value will be selected.
#
# pcsc: Use PC/SC and SIM/USIM card
#
# realm: Home Realm for Interworking
#
# username: Username for Interworking network selection
#
# password: Password for Interworking network selection
#
# ca_cert: CA certificate for Interworking network selection
#	Without a trusted CA certificate (and preferably domain_suffix_match),
#	the AAA server certificate is not validated and the username/password
#	can be disclosed to a rogue AP/AAA server impersonating the network.
#
# client_cert: File path to client certificate file (PEM/DER)
#	This field is used with Interworking network selection for a case
#	where client certificate/private key is used for authentication
#	(EAP-TLS). Full path to the file should be used since working
#	directory may change when wpa_supplicant is run in the background.
#
#	Alternatively, a named configuration blob can be used by setting
#	this to blob://blob_name.
#
# private_key: File path to client private key file (PEM/DER/PFX)
#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#	commented out. Both the private key and certificate will be read
#	from the PKCS#12 file in this case. Full path to the file should be
#	used since working directory may change when wpa_supplicant is run
#	in the background.
#
#	Windows certificate store can be used by leaving client_cert out and
#	configuring private_key in one of the following formats:
#
#	cert://substring_to_match
#
#	hash://certificate_thumbprint_in_hex
#
#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
#
#	Note that when running wpa_supplicant as an application, the user
#	certificate store (My user account) is used, whereas computer store
#	(Computer account) is used when running wpasvc as a service.
#
#	Alternatively, a named configuration blob can be used by setting
#	this to blob://blob_name.
#
# private_key_passwd: Password for private key file
#
# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
#
# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
#	format
#
# imsi_privacy_cert: IMSI privacy certificate (PEM encoded X.509v3 certificate)
#	This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
#	identity (IMSI) to improve privacy. The X.509v3 certificate needs to
#	include a 2048-bit RSA public key and is provided by the operator who
#	authenticates the SIM/USIM.
#
# imsi_privacy_attr: IMSI privacy attribute
#	This field is used to help the EAP-SIM/AKA/AKA' server to identify
#	the used certificate (and as such, the matching private key). This
#	is set to an attribute in name=value format if the operator needs
#	this information.
#
# domain_suffix_match: Constraint for server domain name
#	If set, this FQDN is used as a suffix match requirement for the AAA
#	server certificate in SubjectAltName dNSName element(s). If a
#	matching dNSName is found, this constraint is met. If no dNSName
#	values are present, this constraint is matched against SubjectName CN
#	using the same suffix match comparison. Suffix match here means that the
#	host/domain name is compared one label at a time starting from the
#	top-level domain and all the labels in @domain_suffix_match shall be
#	included in the certificate. The certificate may include additional
#	sub-level labels in addition to the required labels.
#
#	For example, domain_suffix_match=example.com would match
#	test.example.com but would not match test-example.com.
#
# domain: Home service provider FQDN(s)
#	This is used to compare against the Domain Name List to figure out
#	whether the AP is operated by the Home SP. Multiple domain entries can
#	be used to configure alternative FQDNs that will be considered home
#	networks.
#

# home_ois: Home OI(s)
#	This string field contains one or more comma delimited OIs (hexdump)
#	identifying the access points that support authentication with this
#	credential. This is an alternative to the use of the realm parameter.
#	When using Home OIs to match the network, the EAP parameters need to be
#	pre-configured with the credential since the NAI Realm information may
#	not be available or fetched.
#	A successful authentication with the access point is possible as soon
#	as at least one Home OI from the list matches an OI in the Roaming
#	Consortium advertised by the access point.
#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOI)
#
# required_home_ois: Required Home OI(s)
#	This string field contains the set of Home OI(s) (hexdump) that are
#	required to be advertised by the AP for the credential to be considered
#	matching.
#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOIRequired)
#
# roaming_consortium: Roaming Consortium OI
#	Deprecated: use home_ois instead.
#	If roaming_consortium_len is non-zero, this field contains the
#	Roaming Consortium OI that can be used to determine which access
#	points support authentication with this credential. This is an
#	alternative to the use of the realm parameter. When using Roaming
#	Consortium to match the network, the EAP parameters need to be
#	pre-configured with the credential since the NAI Realm information
#	may not be available or fetched.
#
# required_roaming_consortium: Required Roaming Consortium OI
#	Deprecated: use required_home_ois instead.
#	If required_roaming_consortium_len is non-zero, this field contains the
#	Roaming Consortium OI that is required to be advertised by the AP for
#	the credential to be considered matching.
#
# roaming_consortiums: Roaming Consortium OI(s) memberships
#	This string field contains one or more comma delimited OIs (hexdump)
#	identifying the roaming consortiums of which the provider is a member.
#	The list is sorted from the most preferred one to the least preferred
#	one. A match between the Roaming Consortium OIs advertised by an AP and
#	the OIs in this list indicates that successful authentication is
#	possible.
#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI)
#
# eap: Pre-configured EAP method
#	This optional field can be used to specify which EAP method will be
#	used with this credential. If not set, the EAP method is selected
#	automatically based on ANQP information (e.g., NAI Realm).
#
# phase1: Pre-configure Phase 1 (outer authentication) parameters
#	This optional field is used in the same way as the 'eap' parameter.
#
# phase2: Pre-configure Phase 2 (inner authentication) parameters
#	This optional field is used in the same way as the 'eap' parameter.
#
# excluded_ssid: Excluded SSID
#	This optional field can be used to exclude specific SSID(s) from
#	matching with the network. Multiple entries can be used to specify more
#	than one SSID.
#
# roaming_partner: Roaming partner information
#	This optional field can be used to configure preferences between roaming
#	partners. The field is a string in the following format:
#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>
#	(non-exact match means any subdomain matches the entry; priority is in
#	0..255 range with 0 being the highest priority)
#
# update_identifier: PPS MO ID
#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
#
# provisioning_sp: FQDN of the SP that provisioned the credential
#	This optional field can be used to keep track of the SP that provisioned
#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
#
# sp_priority: Credential priority within a provisioning SP
#	This is the priority of the credential among all credentials
#	provisioned by the same SP (i.e., for entries that have identical
#	provisioning_sp value). The range of this priority is 0-255 with 0
#	being the highest and 255 the lowest priority.
#
# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhaulThreshold/*)
#	These fields can be used to specify minimum download/upload backhaul
#	bandwidth that is preferred for the credential. This constraint is
#	ignored if the AP does not advertise WAN Metrics information or if the
#	limit would prevent any connection. Values are in kilobits per second.
# min_dl_bandwidth_home
# min_ul_bandwidth_home
# min_dl_bandwidth_roaming
# min_ul_bandwidth_roaming
#
# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
#	(PPS/<X+>/Policy/MaximumBSSLoadValue)
#	This value is used as the maximum channel utilization for network
#	selection purposes for home networks. If the AP does not advertise
#	BSS Load or if the limit would prevent any connection, this constraint
#	will be ignored.
#
# req_conn_capab: Required connection capability
#	(PPS/<X+>/Policy/RequiredProtoPortTuple)
#	This value is used to configure the set of required protocol/port pairs
#	that a roaming network shall support (include explicitly in the
#	Connection Capability ANQP element). This constraint is ignored if the
#	AP does not advertise Connection Capability or if this constraint would
#	prevent any network connection. This policy is not used in home networks.
#	Format: <protocol>[:<comma-separated list of ports>]
#	Multiple entries can be used to list multiple requirements.
#	For example, a number of common TCP ports:
#	req_conn_capab=6:22,80,443
#	For example, IPsec/IKE:
#	req_conn_capab=17:500
#	req_conn_capab=50
#
# ocsp: Whether to use/require OCSP to check server certificate
#	0 = do not use OCSP stapling (TLS certificate status extension)
#	1 = try to use OCSP stapling, but not require response
#	2 = require valid OCSP stapling response
#
# sim_num: Identifier for which SIM to use in multi-SIM devices
#
# engine: Whether to use an engine for private key operations (0/1)
# engine_id: String identifying the engine to use
# ca_cert_id: The CA certificate identifier when using an engine
# cert_id: The certificate identifier when using an engine
# key_id: The private key identifier when using an engine
#
# for example:
#
#cred={
#	realm="example.com"
#	username="user@example.com"
#	password="password"
#	ca_cert="/etc/wpa_supplicant/ca.pem"
#	domain="example.com"
#	domain_suffix_match="example.com"
#}
#
#cred={
#	imsi="310026-000000000"
#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
#}
#
#cred={
#	realm="example.com"
#	username="user"
#	password="password"
#	ca_cert="/etc/wpa_supplicant/ca.pem"
#	domain="example.com"
#	home_ois="223344"
#	roaming_consortiums="112233,4455667788,aabbcc"
#	eap=TTLS
#	phase2="auth=MSCHAPV2"
#}

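To make the matching rules of the credential fields concrete, the following is an added example (not wpa_supplicant's own code, and not a copy of its interworking.c logic) that implements the label-wise domain_suffix_match comparison used for the AAA server certificate and the home/roaming classification derived from the domain, home_ois, required_home_ois and roaming_consortiums fields. The credential mirrors the third example above; the AP data is constructed, with the OI list taken from the anqp_roaming_consortium value shown later in this document. The classification is a direct reading of the field descriptions above.

```python
"""Credential matching helpers mirroring the domain_suffix_match, domain,
home_ois, required_home_ois and roaming_consortiums fields.  Added example,
not wpa_supplicant code; the AP/credential data below is constructed."""


def domain_suffix_match(constraint: str, name: str) -> bool:
    """Label-wise suffix match as used for the AAA server certificate:
    every label of the constraint must appear, starting from the TLD, and
    the certificate name may carry extra sub-labels in front.  A plain
    string suffix test would wrongly accept 'test-example.com'."""
    want = constraint.lower().rstrip(".").split(".")
    have = name.lower().rstrip(".").split(".")
    if len(have) < len(want):
        return False
    return have[-len(want):] == want


def server_cert_matches(constraint: str, san_dns_names, subject_cn) -> bool:
    """SubjectAltName dNSName entries are authoritative; the Subject CN is
    consulted only when the certificate carries no dNSName at all, so an
    attacker cannot satisfy the check with a lookalike CN."""
    if san_dns_names:
        return any(domain_suffix_match(constraint, n) for n in san_dns_names)
    return bool(subject_cn) and domain_suffix_match(constraint, subject_cn)


def oi_list(field: str):
    """Split a comma-delimited hexdump OI field such as '112233,4455667788'."""
    return [oi.strip().lower() for oi in field.split(",") if oi.strip()]


def classify_ap(cred: dict, ap: dict):
    """Return 'home', 'roaming' or None for one credential against the OIs
    and Domain Name List advertised by an AP."""
    advertised = {oi.lower() for oi in ap.get("ois", [])}
    # required_home_ois is a gate: every listed OI must be advertised
    if not all(oi in advertised for oi in oi_list(cred.get("required_home_ois", ""))):
        return None
    # Home SP if a configured 'domain' FQDN matches the Domain Name List
    for home in cred.get("domain", []):
        if any(domain_suffix_match(home, adv) for adv in ap.get("domain_names", [])):
            return "home"
    if any(oi in advertised for oi in oi_list(cred.get("home_ois", ""))):
        return "home"
    # roaming_consortiums is ordered most preferred first; first hit wins
    for oi in oi_list(cred.get("roaming_consortiums", "")):
        if oi in advertised:
            return "roaming"
    return None


# Constructed sample data: the third credential example above and two APs.
CRED = {
    "domain": ["example.com"],
    "domain_suffix_match": "example.com",
    "home_ois": "223344",
    "roaming_consortiums": "112233,4455667788,aabbcc",
}
ROAMING_AP = {"ois": ["112233", "1020304050", "010203040506", "fedcba"],
              "domain_names": ["partner.example.net"]}
HOME_AP = {"ois": ["223344"], "domain_names": ["hotspot.example.com"]}

if __name__ == "__main__":
    print("roaming AP:", classify_ap(CRED, ROAMING_AP))
    print("home AP:", classify_ap(CRED, HOME_AP))
    print("cert check:", server_cert_matches(CRED["domain_suffix_match"],
                                             ["radius.example.com"], None))
```

The two checks serve different purposes: classify_ap decides whether a credential is offered to an AP at all, while server_cert_matches decides whether the AAA server the AP hands the EAP exchange to is the one the credential belongs to. Both are needed before a password leaves the device.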

Control interface
-----------------

wpa_supplicant provides a control interface that can be used from
external programs to manage various operations. The included command
line tool, wpa_cli, can be used for manual testing with this interface.

The following wpa_cli interactive-mode commands show some examples of
manual operations related to Hotspot 2.0:

Remove configured networks and credentials:

> remove_network all
OK
> remove_cred all
OK


Add a username/password credential:

> add_cred
0
> set_cred 0 realm "mail.example.com"
OK
> set_cred 0 username "username"
OK
> set_cred 0 password "password"
OK
> set_cred 0 priority 1
OK
> set_cred 0 temporary 1
OK

Add a SIM credential using a simulated SIM/USIM card for testing:

> add_cred
1
> set_cred 1 imsi "23456-0000000000"
OK
> set_cred 1 milenage "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
OK
> set_cred 1 priority 1
OK

Note: the return value of add_cred is used as the first argument to
the following set_cred commands.

Add a SIM credential using external SIM/USIM processing:

> set external_sim 1
OK
> add_cred
1
> set_cred 1 imsi "23456-0000000000"
OK
> set_cred 1 eap SIM
OK


Add a WPA2-Enterprise network:

> add_network
0
> set_network 0 key_mgmt WPA-EAP
OK
> set_network 0 ssid "enterprise"
OK
> set_network 0 eap TTLS
OK
> set_network 0 anonymous_identity "anonymous"
OK
> set_network 0 identity "user"
OK
> set_network 0 password "password"
OK
> set_network 0 priority 0
OK
> enable_network 0 no-connect
OK

Note: this minimal profile is for manual testing only. A real EAP-TTLS
profile should also set ca_cert (and domain_suffix_match) so that the
AAA server is authenticated before the password is sent through the
tunnel.


Add an open network:

> add_network
3
> set_network 3 key_mgmt NONE
OK
> set_network 3 ssid "coffee-shop"
OK
> select_network 3
OK

Note: the return value of add_network is used as the first argument to
the following set_network commands.

The preferred credentials/networks can be indicated with the priority
parameter (1 is higher priority than 0).
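For a management component driving wpa_supplicant programmatically, the following is an added example (not part of wpa_supplicant or wpa_cli) that issues the same ADD_CRED/SET_CRED sequence over the control interface from Python, checks every reply instead of assuming OK, removes the half-configured credential if any step fails, and parses the INTERWORKING-AP event line that interworking_select reports. The UNIX datagram socket transport is the ctrl_iface protocol wpa_cli itself uses; the socket path /var/run/wpa_supplicant/wlan0 is an assumption, and the RecordingCtrl class is a constructed offline stand-in for the daemon used by the demo, not a wpa_supplicant feature.

```python
"""Provision a Hotspot 2.0 credential through wpa_supplicant's control
interface, mirroring the wpa_cli session above.  Added example, not part
of wpa_supplicant or wpa_cli.  ADD_CRED/SET_CRED/REMOVE_CRED and the
OK/FAIL replies are the ctrl_iface commands wpa_cli issues; the socket
path is an assumption and RecordingCtrl is a constructed offline stand-in."""
import os
import shutil
import socket
import tempfile


class CtrlIface:
    """Minimal ctrl_iface client: one UNIX datagram socket per client,
    bound to a private path, one request and one reply per datagram."""

    def __init__(self, path="/var/run/wpa_supplicant/wlan0", timeout=5.0):
        self.tmpdir = tempfile.mkdtemp(prefix="hs20ctrl-")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(os.path.join(self.tmpdir, "sock"))
        self.sock.settimeout(timeout)
        self.sock.connect(path)

    def request(self, cmd: str) -> str:
        self.sock.send(cmd.encode())
        return self.sock.recv(4096).decode(errors="replace").strip()

    def close(self):
        self.sock.close()
        shutil.rmtree(self.tmpdir, ignore_errors=True)


class RecordingCtrl:
    """Constructed stand-in that answers like the daemon does for the
    commands used here (ADD_CRED returns the new id, SET_CRED OK/FAIL)."""

    def __init__(self, fail_field=None):
        self.sent, self.fail_field, self.next_id = [], fail_field, 0

    def request(self, cmd: str) -> str:
        self.sent.append(cmd)
        if cmd == "ADD_CRED":
            self.next_id += 1
            return str(self.next_id - 1)
        if cmd.startswith("SET_CRED "):
            return "FAIL" if cmd.split()[2] == self.fail_field else "OK"
        if cmd.startswith("REMOVE_CRED "):
            return "OK"
        return "UNKNOWN COMMAND"


def quote(value: str) -> str:
    """Quote a string-valued field.  A value containing a double quote or a
    line break would not parse as the single string intended, so refuse it
    rather than let user-supplied input alter the command."""
    if any(ch in value for ch in '"\r\n'):
        raise ValueError("unsafe character in credential value")
    return '"%s"' % value


def provision_user_credential(ctrl, realm, username, password, priority=1,
                              temporary=True, domain_suffix=None):
    """ADD_CRED followed by SET_CRED per field.  Every reply is checked; on
    any FAIL the partial credential is removed so it can never be selected."""
    fields = [("realm", quote(realm)), ("username", quote(username)),
              ("password", quote(password)), ("priority", str(priority)),
              ("temporary", "1" if temporary else "0")]
    if domain_suffix:
        fields.append(("domain_suffix_match", quote(domain_suffix)))
    reply = ctrl.request("ADD_CRED")
    if not reply.isdigit():
        raise RuntimeError("ADD_CRED failed: " + reply)
    cred_id = int(reply)
    try:
        for name, value in fields:
            reply = ctrl.request("SET_CRED %d %s %s" % (cred_id, name, value))
            if reply != "OK":
                raise RuntimeError("SET_CRED %d %s failed: %s" % (cred_id, name, reply))
    except Exception:
        ctrl.request("REMOVE_CRED %d" % cred_id)
        raise
    return cred_id


def parse_interworking_ap(line: str):
    """Parse an 'INTERWORKING-AP <bssid> type=<...>' event line as printed
    after interworking_select, ignoring the '<N>' priority prefix.
    Returns (bssid, type) or None for any other event."""
    if line.startswith("<") and ">" in line:
        line = line[line.index(">") + 1:]
    parts = line.split()
    if len(parts) < 3 or parts[0] != "INTERWORKING-AP":
        return None
    kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return parts[1], kv.get("type")


if __name__ == "__main__":
    ctrl = RecordingCtrl()   # replace with CtrlIface() against a live daemon
    cid = provision_user_credential(ctrl, "mail.example.com", "username",
                                    "password", domain_suffix="example.com")
    print("credential", cid, "provisioned via:", *ctrl.sent, sep="\n  ")
```

Event lines such as INTERWORKING-AP are only delivered to a client that has sent ATTACH on a separate monitor socket; the request/reply socket above never sees them, which keeps reply parsing unambiguous.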


Interworking network selection can be started with the interworking_select
command. This instructs wpa_supplicant to run a network scan and iterate
through the discovered APs to request ANQP information from the APs that
advertise support for Interworking/Hotspot 2.0:

> interworking_select
OK
<3>Starting ANQP fetch for 02:00:00:00:01:00
<3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
<3>ANQP fetch completed
<3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown


INTERWORKING-AP event messages indicate the APs that support network
selection and for which there is a matching credential. The
interworking_connect command can be used to select a network to connect
with:


> interworking_connect 02:00:00:00:01:00
OK
<3>CTRL-EVENT-SCAN-RESULTS
<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
<3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
<3>Associated with 02:00:00:00:01:00
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
<3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (auth) [id=0 id_str=]


wpa_supplicant creates a temporary network block for the selected
network based on the configured credential and ANQP information from the
AP:

> list_networks
network id / ssid / bssid / flags
0	Example Network	any	[CURRENT]
> get_network 0 key_mgmt
WPA-EAP
> get_network 0 eap
TTLS


As an alternative to using an external program to select the network,
the "interworking_select auto" command can be used to request that
wpa_supplicant select which network to use based on configured priorities:


> remove_network all
OK
<3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=1 locally_generated=1
> interworking_select auto
OK
<3>Starting ANQP fetch for 02:00:00:00:01:00
<3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
<3>ANQP fetch completed
<3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown
<3>CTRL-EVENT-SCAN-RESULTS
<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
<3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
<3>Associated with 02:00:00:00:01:00
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
<3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (reauth) [id=0 id_str=]


The connection status can be shown with the status command:

> status
bssid=02:00:00:00:01:00
ssid=Example Network
id=0
mode=station
pairwise_cipher=CCMP       <--- link layer security indication
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
p2p_device_address=02:00:00:00:00:00
address=02:00:00:00:00:00
hs20=1      <--- HS 2.0 indication
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher=AES-128-SHA
EAP-TTLSv0 Phase2 method=PAP


> status
bssid=02:00:00:00:02:00
ssid=coffee-shop
id=3
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=NONE
wpa_state=COMPLETED
p2p_device_address=02:00:00:00:00:00
address=02:00:00:00:00:00


Note: The Hotspot 2.0 indication is shown as "hs20=1" in the status
command output. Link layer security is indicated with the
pairwise_cipher (CCMP = secure, NONE = no encryption used).


The scan results also include the Hotspot 2.0 indication:

> scan_results
bssid / frequency / signal level / flags / ssid
02:00:00:00:01:00	2412	-30	[WPA2-EAP-CCMP][ESS][HS20]	Example Network


ANQP information that has already been fetched for a BSS is shown by the
bss command:

> bss 02:00:00:00:01:00
id=1
bssid=02:00:00:00:01:00
freq=2412
beacon_int=100
capabilities=0x0411
qual=0
noise=-92
level=-30
tsf=1345573286517276
age=105
ie=000f4578616d706c65204e6574776f726b010882848b960c1218240301012a010432043048606c30140100000fac040100000fac040100000fac0100007f04000000806b091e07010203040506076c027f006f1001531122331020304050010203040506dd05506f9a1000
flags=[WPA2-EAP-CCMP][ESS][HS20]
ssid=Example Network
anqp_roaming_consortium=031122330510203040500601020304050603fedcba

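The ie= hexdump and the anqp_roaming_consortium value above are what an external component has to decode to reproduce the [HS20] flag and the advertised OIs itself. The following is an added example (not wpa_supplicant code) that parses the raw element buffer from the bss output: the SSID, the RSN cipher and AKM suites, the Interworking bit (31) in the Extended Capabilities element, the Interworking and Roaming Consortium elements, and the WFA vendor-specific HS 2.0 Indication element (OUI 50-6f-9a, type 0x10). It also decodes the length-prefixed ANQP Roaming Consortium list. The sample values are the ones printed above; the element IDs are from IEEE 802.11 and the HS 2.0 Indication layout (release number in bits 4..7 of the configuration octet, 0 meaning Release 1; DGAF-disabled in bit 0) is from the Hotspot 2.0 specification. It also stops on a truncated element rather than reading past the buffer, which is the check a parser fed by over-the-air data needs.

```python
"""Decode the ie= hexdump and the anqp_roaming_consortium value printed by
the bss command.  Added example, not wpa_supplicant code.  Element IDs and
the WFA OUI/type codes are from IEEE 802.11 and Hotspot 2.0; the sample
values are the ones shown in this README."""

WFA_OUI = bytes.fromhex("506f9a")
HS20_INDICATION_TYPE = 0x10
EID_SSID, EID_RSN, EID_INTERWORKING = 0, 48, 107
EID_ROAMING_CONSORTIUM, EID_EXT_CAPAB, EID_VENDOR = 111, 127, 221


def parse_ies(data: bytes):
    """Split a raw element buffer into (eid, body) pairs.  Parsing stops at
    a truncated element instead of reading past the end of the buffer."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if len(body) < length:
            break
        out.append((eid, body))
        pos += 2 + length
    return out


def rsn_suites(body: bytes):
    """Return (pairwise cipher selectors, AKM selectors) from an RSN element
    body, each as hex OUI+type strings; a short body yields empty lists."""
    pos = 6                                    # version(2) + group cipher(4)
    if len(body) < pos + 2:
        return [], []
    n_pair = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    if len(body) < pos + 4 * n_pair + 2:
        return [], []
    pairwise = [body[pos + 4 * i:pos + 4 * i + 4].hex() for i in range(n_pair)]
    pos += 4 * n_pair
    n_akm = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    if len(body) < pos + 4 * n_akm:
        return pairwise, []
    return pairwise, [body[pos + 4 * i:pos + 4 * i + 4].hex() for i in range(n_akm)]


def roaming_consortium_ois(body: bytes):
    """Beacon/Probe Response Roaming Consortium element: octet 0 is the
    number of further OIs available via ANQP, octet 1 packs the lengths of
    OI #1 (low nibble) and OI #2 (high nibble), any remaining octets are
    OI #3.  Returns (ois, number_of_additional_anqp_ois)."""
    if len(body) < 2:
        return [], 0
    ois, pos = [], 2
    for length in (body[1] & 0x0F, body[1] >> 4):
        if length:
            ois.append(body[pos:pos + length].hex())
            pos += length
    if pos < len(body):
        ois.append(body[pos:].hex())
    return ois, body[0]


def anqp_roaming_consortium_ois(payload: bytes):
    """ANQP Roaming Consortium list: a sequence of <length><OI> entries."""
    ois, pos = [], 0
    while pos < len(payload):
        length = payload[pos]
        oi = payload[pos + 1:pos + 1 + length]
        if len(oi) < length:
            break
        ois.append(oi.hex())
        pos += 1 + length
    return ois


def summarize_bss(ie_hex: str) -> dict:
    """Derive what the [HS20] flag and network selection rely on from the
    raw elements of one BSS."""
    info = {"ssid": None, "pairwise": [], "akms": [], "interworking": False,
            "hs20": False, "ois": [], "more_ois_via_anqp": 0}
    for eid, body in parse_ies(bytes.fromhex(ie_hex)):
        if eid == EID_SSID:
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == EID_RSN:
            info["pairwise"], info["akms"] = rsn_suites(body)
        elif eid == EID_EXT_CAPAB and len(body) >= 4:
            info["interworking"] = bool(body[3] & 0x80)   # capability bit 31
        elif eid == EID_INTERWORKING and body:
            info["access_network_type"] = body[0] & 0x0F
            info["internet"] = bool(body[0] & 0x10)
        elif eid == EID_ROAMING_CONSORTIUM:
            info["ois"], info["more_ois_via_anqp"] = roaming_consortium_ois(body)
        elif (eid == EID_VENDOR and len(body) >= 5 and body[:3] == WFA_OUI
              and body[3] == HS20_INDICATION_TYPE):
            info["hs20"] = True
            info["hs20_release"] = (body[4] >> 4) + 1      # 0 => Release 1
            info["dgaf_disabled"] = bool(body[4] & 0x01)
    return info


# Values copied from the bss output above.
IE_HEX = "000f4578616d706c65204e6574776f726b010882848b960c1218240301012a010432043048606c30140100000fac040100000fac040100000fac0100007f04000000806b091e07010203040506076c027f006f1001531122331020304050010203040506dd05506f9a1000"
ANQP_RC_HEX = "031122330510203040500601020304050603fedcba"

if __name__ == "__main__":
    print(summarize_bss(IE_HEX))
    print(anqp_roaming_consortium_ois(bytes.fromhex(ANQP_RC_HEX)))
```

Note that the Beacon element carries at most three OIs and announces how many more are available only through ANQP; a selector that stops at the Beacon would miss the fourth OI (fedcba) that the ANQP list returns.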

ANQP queries can also be requested with the anqp_get and hs20_anqp_get
commands (the numeric argument is the ANQP Info ID, e.g., 261 for the
Roaming Consortium list, or the Hotspot 2.0 subtype, e.g., 2 for the HS
Capability List):

> anqp_get 02:00:00:00:01:00 261
OK
<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
> hs20_anqp_get 02:00:00:00:01:00 2
OK
<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List

In addition, the fetch_anqp command can be used to request the same set of
ANQP queries that interworking_select runs, without performing network
selection:

> scan
OK
<3>CTRL-EVENT-SCAN-RESULTS
> fetch_anqp
OK
<3>Starting ANQP fetch for 02:00:00:00:01:00
<3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
<3>ANQP fetch completed


Hotspot 2.0 Rel 2 online signup and OSEN
----------------------------------------

The following parameters can be used to create a network profile for a
link-layer protected Hotspot 2.0 online signup connection with
OSEN. Note that the ssid and identity (NAI) values need to be set based on
the information for the selected provider in the OSU Providers list
ANQP-element.

network={
    ssid="HS 2.0 OSU"
    proto=OSEN
    key_mgmt=OSEN
    pairwise=CCMP
    group=GTK_NOT_USED
    eap=WFA-UNAUTH-TLS
    identity="anonymous@example.com"
    ca_cert="osu-ca.pem"
    ocsp=2
}


Hotspot 2.0 connection with external network selection
------------------------------------------------------

When a component controlling wpa_supplicant takes care of Interworking
network selection, the following configuration and network profile
parameters can be used to configure a temporary network profile for a
Hotspot 2.0 connection (e.g., with SET, ADD_NETWORK, SET_NETWORK, and
SELECT_NETWORK control interface commands):

interworking=1
hs20=1
auto_interworking=0

network={
    ssid="test-hs20"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    anonymous_identity="anonymous@example.com"
    identity="hs20-test@example.com"
    password="password"
    ca_cert="ca.pem"
    eap=TTLS
    phase2="auth=MSCHAPV2"
    update_identifier=54321
    roaming_consortium_selection=112233
    #ocsp=2
}


These parameters are set based on the PPS MO credential and/or NAI Realm
list ANQP-element:

anonymous_identity: Credential/UsernamePassword/Username with the username part
		    replaced with "anonymous"
identity: Credential/UsernamePassword/Username
password: Credential/UsernamePassword/Password
update_identifier: PPS/UpdateIdentifier
ca_cert: from the downloaded trust root based on PPS information
eap: Credential/UsernamePassword/EAPMethod or NAI Realm list
phase2: Credential/UsernamePassword/EAPMethod or NAI Realm list
roaming_consortium_selection: Matching OI from HomeSP/RoamingConsortiumOI
ocsp: Credential/CheckAAAServerCertStatus
