Hotspot 2.0 OSU server
======================

The information in this document is based on the assumption that an
Ubuntu 12.04 server (64-bit) distribution is used and the web server is
Apache2. Neither of these is a requirement for the installation, but if
other combinations are used, the package names and configuration
parameters may need to be adjusted.

NOTE: This implementation and the example configuration here are meant
only for testing purposes in a lab environment. This design is not
secure enough to be installed on a publicly available Internet server
without a considerable amount of modification and review for security
issues.

NOTE: While this describes use on Ubuntu 12.04, the version of Apache2
included in that distribution is not new enough to support all OSU
server validation steps. In other words, it may be best to adapt the
steps described here to Ubuntu 13.10.


Build dependencies
------------------

Ubuntu 12.04 server
- default installation
- upgraded to latest package versions
  sudo apt-get update
  sudo apt-get upgrade

Packages needed for running the service:
  sudo apt-get install sqlite3
  sudo apt-get install apache2
  sudo apt-get install php5-sqlite libapache2-mod-php5

Additional packages needed for building the components:
  sudo apt-get install build-essential
  sudo apt-get install libsqlite3-dev
  sudo apt-get install libssl-dev
  sudo apt-get install libxml2-dev


Installation location
---------------------

Select a location for the installation root directory. The example here
assumes /home/user/hs20-server is used, but this can be changed by
editing a couple of files as indicated below.

sudo mkdir -p /home/user/hs20-server
sudo chown $USER /home/user/hs20-server
mkdir -p /home/user/hs20-server/spp
mkdir -p /home/user/hs20-server/AS


Build
-----

# hostapd as RADIUS server
cd hostapd

# example build configuration
cat > .config <<EOF
CONFIG_DRIVER_NONE=y
CONFIG_PKCS12=y
CONFIG_RADIUS_SERVER=y
CONFIG_EAP=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_SQLITE=y
CONFIG_HS20=y
EOF

make hostapd hlr_auc_gw
cp hostapd hlr_auc_gw /home/user/hs20-server/AS

# build hs20_spp_server
cd ../hs20/server
make clean
make
cp hs20_spp_server /home/user/hs20-server/spp
# prepare database (web server user/group needs to have write access)
mkdir -p /home/user/hs20-server/AS/DB
sudo chgrp www-data /home/user/hs20-server/AS/DB
sudo chmod g+w /home/user/hs20-server/AS/DB
sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql.txt
sudo chgrp www-data /home/user/hs20-server/AS/DB/eap_user.db
sudo chmod g+w /home/user/hs20-server/AS/DB/eap_user.db
# add example configuration (note: need to update URLs to match the system)
sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt

# copy PHP scripts
# Modify config.php if different installation directory is used.
# Modify PHP scripts to get the desired behavior for user interaction (or use
# the examples as-is for initial testing).
cp -r www /home/user/hs20-server


# Configure subscription policies
mkdir -p /home/user/hs20-server/spp/policy
cat > /home/user/hs20-server/spp/policy/default.xml <<EOF
<Policy>
	<PolicyUpdate>
		<UpdateInterval>30</UpdateInterval>
		<UpdateMethod>ClientInitiated</UpdateMethod>
		<Restriction>Unrestricted</Restriction>
		<URI>https://policy-server.osu.example.com/hs20/spp.php</URI>
	</PolicyUpdate>
</Policy>
EOF


# Install Hotspot 2.0 SPP and OMA DM XML schema/DTD files

# XML schema for SPP
# Copy the latest XML schema into /home/user/hs20-server/spp/spp.xsd

# OMA DM Device Description Framework DTD
# Copy into /home/user/hs20-server/spp/dm_ddf-v1_2.dtd
# http://www.openmobilealliance.org/tech/DTD/dm_ddf-v1_2.dtd


# Configure RADIUS authentication service
# Note: Change the URL to match the setup
# Note: Install AAA server key/certificate and root CA in Key directory

cat > /home/user/hs20-server/AS/as-sql.conf <<EOF
driver=none
radius_server_clients=as.radius_clients
eap_server=1
eap_user_file=sqlite:DB/eap_user.db
ca_cert=Key/ca.pem
server_cert=Key/server.pem
private_key=Key/server.key
private_key_passwd=passphrase
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=eap_sim.db
subscr_remediation_url=https://subscription-server.osu.example.com/hs20/spp.php
EOF

# Set RADIUS passphrase for the APs
# Note: Modify to match the setup
cat > /home/user/hs20-server/AS/as.radius_clients <<EOF
0.0.0.0/0	radius
EOF
    150 
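As an added sanity check (example code, not part of hostapd or this README), the following POSIX shell function walks an install root laid out as in the steps above and reports the lab-only settings that must be changed before any AP is pointed at the server: the placeholder osu.example.com URLs, any plain-http URL, the any-client/"radius" line in as.radius_clients, a group- or world-readable server.key, and a DB file the web server cannot write. The function name and the optional root-path argument are assumptions.

```shell
#!/bin/sh
# Added example (not hostapd code): sanity-check an OSU server install
# root laid out as in this README. Prints each finding; returns 0 only
# when nothing was found. The root defaults to the README's example path.
hs20_check_install() {
    root=${1:-/home/user/hs20-server}
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # Key material referenced by as-sql.conf must exist, and the private
    # key must not be readable by group or others.
    for f in ca.pem server.pem server.key; do
        [ -f "$root/AS/Key/$f" ] || fail "missing AS/Key/$f"
    done
    if [ -f "$root/AS/Key/server.key" ]; then
        mode=$(ls -l "$root/AS/Key/server.key" | cut -c5-10)
        [ "$mode" = "------" ] || fail "AS/Key/server.key is group/other readable"
    fi

    # The PHP scripts run as www-data and need write access to the DB.
    db=$root/AS/DB/eap_user.db
    if [ -f "$db" ]; then
        [ "$(ls -l "$db" | cut -c6)" = "w" ] || fail "AS/DB/eap_user.db is not group-writable"
    else
        fail "missing AS/DB/eap_user.db"
    fi

    # The README's as.radius_clients template accepts any client IP with
    # the shared secret "radius"; both must change before APs use it.
    rc=$root/AS/as.radius_clients
    if [ -f "$rc" ]; then
        grep -q '^0\.0\.0\.0/0[[:space:]]' "$rc" && fail "as.radius_clients accepts any client IP"
        grep -q '[[:space:]]radius[[:space:]]*$' "$rc" && fail "as.radius_clients uses the example secret"
    else
        fail "missing AS/as.radius_clients"
    fi

    # Remediation and policy URLs must be HTTPS and not the README's
    # osu.example.com placeholders.
    for f in AS/as-sql.conf spp/policy/default.xml; do
        [ -f "$root/$f" ] || { fail "missing $f"; continue; }
        grep -q 'http://' "$root/$f" && fail "$f contains a plain-http URL"
        grep -q 'osu\.example\.com' "$root/$f" && fail "$f still uses an osu.example.com URL"
    done

    [ "$findings" -eq 0 ]
}
```

Source the file and run `hs20_check_install /home/user/hs20-server` after the steps above; a non-zero exit means at least one finding was printed.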
    151 
    152 Start RADIUS authentication server
    153 ----------------------------------
    154 
    155 cd /home/user/hs20-server/AS
    156 ./hostapd -B as-sql.conf
    157 
    158 
    159 Configure web server
    160 --------------------
    161 
    162 Edit /etc/apache2/sites-available/default-ssl
    163 
    164 Add following block just before "SSL Engine Switch" line":
    165 
    166         Alias /hs20/ "/home/user/hs20-server/www/"
    167         <Directory "/home/user/hs20-server/www/">
    168                 Options Indexes MultiViews FollowSymLinks
    169                 AllowOverride None
    170                 Order allow,deny
    171                 Allow from all
    172         </Directory>
    173 
    174 Update SSL configuration to use the OSU server certificate/key.
    175 
    176 Enable default-ssl site and restart Apache2:
    177   sudo a2ensite default-ssl
    178   sudo a2enmod ssl
    179   sudo service apache2 restart
    180 
    181 
    182 Management UI
    183 -------------
    184 
    185 The sample PHP scripts include a management UI for testing
    186 purposes. That is available at https://<server>/hs20/users.php
    187 
    188 
    189 AP configuration
    190 ----------------
    191 
    192 APs can now be configured to use the OSU server as the RADIUS
    193 authentication server. In addition, the OSU Provider List ANQP element
    194 should be configured to use the SPP (SOAP+XML) option and with the
    195 following Server URL:
    196 https://<server>/hs20/spp.php/signup?realm=example.com
    197