Hotspot 2.0 OSU server
======================

The information in this document is based on the assumption that the Ubuntu
12.04 server (64-bit) distribution is used and the web server is
Apache2. Neither of these is a requirement for the installation, but if
other combinations are used, the package names and configuration
parameters may need to be adjusted.

NOTE: This implementation and the example configuration here are meant
only for testing purposes in a lab environment. This design is not
secure enough to be installed on a publicly available Internet server
without a considerable amount of modification and review for security
issues.

NOTE: While this describes use on Ubuntu 12.04, the version of Apache2
included in that distribution is not new enough to support all OSU
server validation steps. In other words, it may be best to adapt the steps
described here to Ubuntu 13.10.


Build dependencies
------------------

Ubuntu 12.04 server
- default installation
- upgraded to latest package versions
  sudo apt-get update
  sudo apt-get upgrade

Packages needed for running the service:
  sudo apt-get install sqlite3
  sudo apt-get install apache2
  sudo apt-get install php5-sqlite libapache2-mod-php5

Additional packages needed for building the components:
  sudo apt-get install build-essential
  sudo apt-get install libsqlite3-dev
  sudo apt-get install libssl-dev
  sudo apt-get install libxml2-dev


Installation location
---------------------

Select a location for the installation root directory. The example here
assumes /home/user/hs20-server to be used, but this can be changed by
editing a couple of files as indicated below.

sudo mkdir -p /home/user/hs20-server
sudo chown $USER /home/user/hs20-server
mkdir -p /home/user/hs20-server/spp
mkdir -p /home/user/hs20-server/AS


Build
-----

# hostapd as RADIUS server
cd hostapd

# example build configuration
cat > .config <<EOF
CONFIG_DRIVER_NONE=y
CONFIG_PKCS12=y
CONFIG_RADIUS_SERVER=y
CONFIG_EAP=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_SQLITE=y
CONFIG_HS20=y
EOF

make hostapd hlr_auc_gw
cp hostapd hlr_auc_gw /home/user/hs20-server/AS

# build hs20_spp_server
cd ../hs20/server
make clean
make
cp hs20_spp_server /home/user/hs20-server/spp
# prepare database (web server user/group needs to have write access)
mkdir -p /home/user/hs20-server/AS/DB
sudo chgrp www-data /home/user/hs20-server/AS/DB
sudo chmod g+w /home/user/hs20-server/AS/DB
sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql.txt
sudo chgrp www-data /home/user/hs20-server/AS/DB/eap_user.db
sudo chmod g+w /home/user/hs20-server/AS/DB/eap_user.db
# add example configuration (note: need to update URLs to match the system)
sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt

# copy PHP scripts
# Modify config.php if a different installation directory is used.
# Modify PHP scripts to get the desired behavior for user interaction (or use
# the examples as-is for initial testing).
cp -r www /home/user/hs20-server

# Build local keys and certs
cd ca
# Display help options.
./setup.sh -h

# Remove old keys, fill in appropriate values, and generate your keys.
# For instance:
./clean.sh
rm -fr rootCA
old_hostname=myserver.local
./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" -d $old_hostname \
   -I "Hotspot 2.0 Intermediate CA - CT" -o $old_hostname-osu-client \
   -O $old_hostname-oscp -p lanforge -S $old_hostname \
   -V $old_hostname-osu-revoked \
   -m local -u http://$old_hostname:8888/

# Configure subscription policies
mkdir -p /home/user/hs20-server/spp/policy
cat > /home/user/hs20-server/spp/policy/default.xml <<EOF
<Policy>
  <PolicyUpdate>
    <UpdateInterval>30</UpdateInterval>
    <UpdateMethod>ClientInitiated</UpdateMethod>
    <Restriction>Unrestricted</Restriction>
    <URI>https://policy-server.osu.example.com/hs20/spp.php</URI>
  </PolicyUpdate>
</Policy>
EOF


# Install Hotspot 2.0 SPP and OMA DM XML schema/DTD files

# XML schema for SPP
# Copy the latest XML schema into /home/user/hs20-server/spp/spp.xsd

# OMA DM Device Description Framework DTD
# Copy into /home/user/hs20-server/spp/dm_ddf-v1_2.dtd
# http://www.openmobilealliance.org/tech/DTD/dm_ddf-v1_2.dtd


# Configure RADIUS authentication service
# Note: Change the URL to match the setup
# Note: Install AAA server key/certificate and root CA in Key directory

cat > /home/user/hs20-server/AS/as-sql.conf <<EOF
driver=none
radius_server_clients=as.radius_clients
eap_server=1
eap_user_file=sqlite:DB/eap_user.db
ca_cert=Key/ca.pem
server_cert=Key/server.pem
private_key=Key/server.key
private_key_passwd=passphrase
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=eap_sim.db
subscr_remediation_url=https://subscription-server.osu.example.com/hs20/spp.php
EOF

# Set RADIUS passphrase for the APs
# Note: Modify to match the setup
cat > /home/user/hs20-server/AS/as.radius_clients <<EOF
0.0.0.0/0 radius
EOF


Start RADIUS authentication server
----------------------------------

cd /home/user/hs20-server/AS
./hostapd -B as-sql.conf


OSEN RADIUS server configuration notes
--------------------------------------

The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
configuration in it. For example:

# hostapd-radius config for the radius used by the OSEN AP
interface=eth0#0
driver=none
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
eap_server=1
eap_user_file=/home/user/hs20-server/AS/hostapd-osen.eap_user
server_id=ben-ota-2-osen
radius_server_auth_port=1811
radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients

ca_cert=/home/user/hs20-server/ca/ca.pem
server_cert=/home/user/hs20-server/ca/server.pem
private_key=/home/user/hs20-server/ca/server.key
private_key_passwd=whatever

ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der

The /home/user/hs20-server/AS/hostapd-osen.eap_user file should look
similar to this, and should correlate with the osu_nai entry in
the non-OSEN VAP config file. For instance:

# cat hostapd-osen.eap_user
# For OSEN authentication (Hotspot 2.0 Release 2)
"osen@w1.fi" WFA-UNAUTH-TLS


# Run OCSP server:
cd /home/user/hs20-server/ca
./ocsp-responder.sh &

# Update cache (this should be run periodically)
./ocsp-update-cache.sh


Configure web server
--------------------

Edit /etc/apache2/sites-available/default-ssl

Add the following block just before the "SSL Engine Switch" line:

	Alias /hs20/ "/home/user/hs20-server/www/"
	<Directory "/home/user/hs20-server/www/">
		Options Indexes MultiViews FollowSymLinks
		AllowOverride None
		Order allow,deny
		Allow from all
	</Directory>

Update the SSL configuration to use the OSU server certificate/key.
The keys and certs are called 'server.key' and 'server.pem' as produced by
ca/setup.sh.

Enable the default-ssl site and restart Apache2:
  sudo a2ensite default-ssl
  sudo a2enmod ssl
  sudo service apache2 restart


Management UI
-------------

The sample PHP scripts include a management UI for testing
purposes. It is available at https://<server>/hs20/users.php


AP configuration
----------------

APs can now be configured to use the OSU server as the RADIUS
authentication server. In addition, the OSU Provider List ANQP element
should be configured to use the SPP (SOAP+XML) option with the
following Server URL:
https://<server>/hs20/spp.php/signup?realm=example.com
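The script below is an added example, not part of hostap or this README: a set of POSIX sh pre-flight checks for the lab layout above, covering the points the text calls out (AS/DB writable by the web server group, the placeholder as.radius_clients entry, the OSEN ocsp_stapling_response cache that ocsp-update-cache.sh must keep fresh, and the hostapd-osen.eap_user identity matching the AP's osu_nai). Paths and file formats come from this document; the 16-character secret minimum and the freshness window are assumptions.

```shell
#!/bin/sh
# Added example (not hostap code): pre-flight checks for the hs20-server lab
# layout. Source this file and call the functions; each returns 0 on pass and
# 1 on failure, so they can gate a cron job or init script that starts hostapd.

# spp.php adds users to AS/DB/eap_user.db, so the web server group (www-data on
# Ubuntu) needs write access to both the directory and the database file.
check_db_writable() {  # check_db_writable ROOT GROUP
    for p in "$1/AS/DB" "$1/AS/DB/eap_user.db"; do
        find "$p" -maxdepth 0 -group "$2" -perm -020 2>/dev/null | grep -q . || return 1
    done
}

# as.radius_clients lines are "<network/prefix> <shared secret>". The README's
# lab example (0.0.0.0/0 with secret "radius") lets any host speak RADIUS to
# the AS, so flag catch-all prefixes and short secrets (16 chars is assumed).
check_radius_clients() {  # check_radius_clients FILE
    rc=0
    while read -r net secret; do
        case "$net" in ''|'#'*) continue ;; esac
        [ "$net" != "0.0.0.0/0" ] || rc=1
        [ "${#secret}" -ge 16 ] || rc=1
    done < "$1"
    return $rc
}

# The OSEN config must point ocsp_stapling_response at a non-empty cache that
# ocsp-update-cache.sh refreshed within MAXDAYS days; an out-of-date stapled
# response will not pass the client's OCSP check.
check_ocsp_cache() {  # check_ocsp_cache OSEN_CONF MAXDAYS
    cache=$(sed -n 's/^ocsp_stapling_response=//p' "$1" | head -n 1)
    [ -n "$cache" ] && [ -s "$cache" ] || return 1
    find "$cache" -maxdepth 0 -mtime "-$2" | grep -q .
}

# The identity in hostapd-osen.eap_user ("osen@w1.fi" WFA-UNAUTH-TLS) must be
# the osu_nai= value of the non-OSEN VAP config, as the README requires.
check_osen_nai() {  # check_osen_nai EAP_USER_FILE VAP_CONF
    nai=$(sed -n 's/^"\([^"]*\)"[[:space:]]*WFA-UNAUTH-TLS.*/\1/p' "$1" | head -n 1)
    vap=$(sed -n 's/^osu_nai=//p' "$2" | head -n 1)
    [ -n "$nai" ] && [ "$nai" = "$vap" ]
}
```

For the layout in this document the calls are check_db_writable /home/user/hs20-server www-data, check_radius_clients /home/user/hs20-server/AS/as.radius_clients, check_ocsp_cache on the OSEN config file with a window of a few days, and check_osen_nai /home/user/hs20-server/AS/hostapd-osen.eap_user against the VAP's hostapd.conf.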