diff options
Diffstat (limited to 'hs20/server/hs20-osu-server.txt')
-rw-r--r-- | hs20/server/hs20-osu-server.txt | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt new file mode 100644 index 00000000..80985f73 --- /dev/null +++ b/hs20/server/hs20-osu-server.txt @@ -0,0 +1,196 @@ +Hotspot 2.0 OSU server +====================== + +The information in this document is based on the assumption that Ubuntu +12.04 server (64-bit) distribution is used and the web server is +Apache2. Neither of these are requirements for the installation, but if +other combinations are used, the package names and configuration +parameters may need to be adjusted. + +NOTE: This implementation and the example configuration here is meant +only for testing purposes in a lab environment. This design is not +secure to be installed in a publicly available Internet server without +considerable amount of modification and review for security issues. + +NOTE: While this describes use on Ubuntu 12.04, the version of Apache2 +included in that distribution is not new enough to support all OSU +server validation steps. In other words, it may be most adapt the steps +described here to Ubuntu 13.10. + + +Build dependencies +------------------ + +Ubuntu 12.04 server +- default installation +- upgraded to latest package versions + sudo apt-get update + sudo apt-get upgrade + +Packages needed for running the service: + sudo apt-get install sqlite3 + sudo apt-get install apache2 + sudo apt-get install php5-sqlite libapache2-mod-php5 + +Additional packages needed for building the components: + sudo apt-get install build-essential + sudo apt-get install libsqlite3-dev + sudo apt-get install libssl-dev + sudo apt-get install libxml2-dev + + +Installation location +--------------------- + +Select a location for the installation root directory. The example here +assumes /home/user/hs20-server to be used, but this can be changed by +editing couple of files as indicated below. + +sudo mkdir -p /home/user/hs20-server +sudo chown $USER /home/user/hs20-server +mkdir -p /home/user/hs20-server/spp +mkdir -p /home/user/hs20-server/AS + + +Build +----- + +# hostapd as RADIUS server +cd hostapd + +#example build configuration +cat > .config <<EOF +CONFIG_DRIVER_NONE=y +CONFIG_PKCS12=y +CONFIG_RADIUS_SERVER=y +CONFIG_EAP=y +CONFIG_EAP_TLS=y +CONFIG_EAP_MSCHAPV2=y +CONFIG_EAP_PEAP=y +CONFIG_EAP_GTC=y +CONFIG_EAP_TTLS=y +CONFIG_EAP_SIM=y +CONFIG_EAP_AKA=y +CONFIG_EAP_AKA_PRIME=y +CONFIG_SQLITE=y +CONFIG_HS20=y +EOF + +make hostapd hlr_auc_gw +cp hostapd hlr_auc_gw /home/user/hs20-server/AS + +# build hs20_spp_server +cd ../hs20/server +make clean +make +cp hs20_spp_server /home/user/hs20-server/spp +# prepare database (web server user/group needs to have write access) +mkdir -p /home/user/hs20-server/AS/DB +sudo chgrp www-data /home/user/hs20-server/AS/DB +sudo chmod g+w /home/user/hs20-server/AS/DB +sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql.txt +sudo chgrp www-data /home/user/hs20-server/AS/DB/eap_user.db +sudo chmod g+w /home/user/hs20-server/AS/DB/eap_user.db +# add example configuration (note: need to update URLs to match the system) +sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt + +# copy PHP scripts +# Modify config.php if different installation directory is used. +# Modify PHP scripts to get the desired behavior for user interaction (or use +# the examples as-is for initial testing). +cp -r www /home/user/hs20-server + + +# Configure subscription policies +mkdir -p /home/user/hs20-server/spp/policy +cat > /home/user/hs20-server/spp/policy/default.xml <<EOF +<Policy> + <PolicyUpdate> + <UpdateInterval>30</UpdateInterval> + <UpdateMethod>ClientInitiated</UpdateMethod> + <Restriction>Unrestricted</Restriction> + <URI>https://policy-server.osu.example.com/hs20/spp.php</URI> + </PolicyUpdate> +</Policy> +EOF + + +# Install Hotspot 2.0 SPP and OMA DM XML schema/DTD files + +# XML schema for SPP +# Copy the latest XML schema into /home/user/hs20-server/spp/spp.xsd + +# OMA DM Device Description Framework DTD +# Copy into /home/user/hs20-server/spp/dm_ddf-v1_2.dtd +# http://www.openmobilealliance.org/tech/DTD/dm_ddf-v1_2.dtd + + +# Configure RADIUS authentication service +# Note: Change the URL to match the setup +# Note: Install AAA server key/certificate and root CA in Key directory + +cat > /home/user/hs20-server/AS/as-sql.conf <<EOF +driver=none +radius_server_clients=as.radius_clients +eap_server=1 +eap_user_file=sqlite:DB/eap_user.db +ca_cert=Key/ca.pem +server_cert=Key/server.pem +private_key=Key/server.key +private_key_passwd=passphrase +eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=eap_sim.db +subscr_remediation_url=https://subscription-server.osu.example.com/hs20/spp.php +EOF + +# Set RADIUS passphrase for the APs +# Note: Modify to match the setup +cat > /home/user/hs20-server/AS/as.radius_clients <<EOF +0.0.0.0/0 radius +EOF + + +Start RADIUS authentication server +---------------------------------- + +cd /home/user/hs20-server/AS +./hostapd -B as-sql.conf + + +Configure web server +-------------------- + +Edit /etc/apache2/sites-available/default-ssl + +Add following block just before "SSL Engine Switch" line": + + Alias /hs20/ "/home/user/hs20-server/www/" + <Directory "/home/user/hs20-server/www/"> + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order allow,deny + Allow from all + </Directory> + +Update SSL configuration to use the OSU server certificate/key. + +Enable default-ssl site and restart Apache2: + sudo a2ensite default-ssl + sudo a2enmod ssl + sudo service apache2 restart + + +Management UI +------------- + +The sample PHP scripts include a management UI for testing +purposes. That is available at https://<server>/hs20/users.php + + +AP configuration +---------------- + +APs can now be configured to use the OSU server as the RADIUS +authentication server. In addition, the OSU Provider List ANQP element +should be configured to use the SPP (SOAP+XML) option and with the +following Server URL: +https://<server>/hs20/spp.php/signup?realm=example.com |