Hotspot 2.0 support in desktop Linux is nearly non-existent. Hotspot network operators like Comcast, Time Warner, or AT&T only provide ways to provision “mainstream” devices like Windows, Mac, iOS, or Android. This leaves Linux users to fend for themselves.
IWD now supports Hotspot 2.0 networks, and therefore needs some way of creating a provisioning file for a given network. I have found the easiest way to accomplish this is by using the iOS security profile that the network operators let you download when setting up your iOS device. If your network operator allows you to directly download the iOS security profile, then you're in luck. The same could also be said for other security profile formats (e.g. Windows/Mac), but so far only iOS has been attempted.
If the network operator allows you to download and install the security profile directly from an iOS device, you should also be able to download it onto your Linux desktop with some Chrome trickery.
First, find the page which allows you to download the profile. This is going to be different for each network provider, but for example this is XFinity's:
(It turns out that this particular profile does not actually configure a Hotspot 2.0 network, but rather a standard WPA2-Enterprise network. The procedure is still the same as far as the iOS profile is concerned.)
You can navigate to “Handheld Devices”, then “iPhone”. On that page there is a link to download the security profile directly.
At this point you need to open up the Chrome inspector (right click → “Inspect”).
In the inspection window, near the top left, there is a button “Toggle device toolbar”. Clicking this will put a new toolbar above the web page. There should be a drop-down which lets you select any number of devices. Choose any iPhone model there (I chose iPhone X).
You can then download the security profile. In the XFINITY case it redirected to a login page, then another page to download the profile. After each redirect I needed to ensure the device was still set to “iPhone X” as it was getting reset back to the original device.
Assuming everything worked you should now have a downloaded iOS security profile.
Dumping the contents of the security profile shows that it is in a binary format (a CMS-signed blob). There is some ASCII in there, which will tell you the type of network security (TTLS/AKA/SIM etc.), but we also need the certificate in order to verify the AP we are going to connect to. The certs can be extracted using openssl:
openssl cms -in <profile> -inform der -noout -print -cmsout -certsout my_provider_cert.crt
Where <profile> is the iOS profile previously downloaded.
This certificate can now be used as the CACert in your hotspot provisioning file.
Inside the original iOS security profile there is some XML (an Apple property list) mixed throughout the binary data. There is probably a clean way of extracting this, but there are very few XML nodes we actually care about, so manual inspection is easy enough. The node we care about is “EAPClientConfiguration”. Its “AcceptEAPTypes” array gives the EAP method number used for this network. This will likely be “21”, which corresponds to TTLS. You can map the integer values to names inside IWD's src/eap-private.h. For now we will assume TTLS as the EAP method.
There may or may not be a key for “OuterIdentity”. Take note of this.
There also should be a key for “NAIRealmNames”. Take note of these.
Last, there should be a key for “TTLSInnerAuthentication”. Take note of this.
This should be all you need. You can now start writing the IWD provisioning file. It should look something like this, where the <> placeholders are filled in with the values noted above:

[Security]
EAP-Method=TTLS
EAP-Identity=<OuterIdentity>
EAP-TTLS-Phase2-Method=Tunneled-<TTLSInnerAuthentication>

[Hotspot]
NAIRealmNames=<NAIRealmNames>
After filling in the values, your provisioning file will look something like this:

[Security]
EAP-Method=TTLS
EAP-Identity=email@example.com
EAP-TTLS-Phase2-Method=Tunneled-MSCHAPV2

[Hotspot]
NAIRealmNames=spectrum.com,rr.com
Save this file (the name and extension do not currently matter) into /var/lib/iwd/.hotspot/ and IWD will now allow connections to this network.
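The profile inspection and file-writing steps above can be scripted. The following is an added example, not code from the IWD project or from any operator's tooling. It assumes the downloaded profile is either a bare plist or a DER-encoded CMS SignedData that `openssl cms -verify` can unwrap, handles only EAP-TTLS as the write-up does, and reads NAIRealmNames from the Wi-Fi payload (falling back to the EAPClientConfiguration node). The embedded sample profile is constructed; `EAP-TTLS-CACert` is IWD's key for the CA certificate extracted earlier, and the script name, the `operator.conf` output name and the certificate path are placeholders.

```python
#!/usr/bin/env python3
"""Build an IWD provisioning file from an iOS .mobileconfig profile.

Added example, not part of IWD. Assumptions: the profile is a plain plist or a
DER CMS SignedData wrapping one (unwrapped with the openssl binary), and the
network uses EAP-TTLS; other AcceptEAPTypes are reported and rejected.
"""
import plistlib
import subprocess
import sys
from pathlib import Path
from typing import Optional, Tuple

# IANA EAP method numbers for the methods IWD names in provisioning files.
EAP_TYPE_NAMES = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP", 50: "AKA'"}

IWD_HOTSPOT_DIR = Path("/var/lib/iwd/.hotspot")


def unwrap_profile(raw: bytes) -> bytes:
    """Return the plist bytes carried by a profile.

    Operators serve profiles as CMS SignedData; `openssl cms -verify` strips the
    signature wrapper. `-noverify` skips chain validation of the signer because
    no trust anchor is known at this point; use `-CAfile <anchor>` if the
    operator publishes one.
    """
    if raw.lstrip().startswith(b"<?xml") or raw.startswith(b"bplist00"):
        return raw  # already an unsigned plist
    proc = subprocess.run(
        ["openssl", "cms", "-verify", "-noverify", "-inform", "der"],
        input=raw, capture_output=True, check=True,
    )
    return proc.stdout


def find_wifi_payload(profile: dict) -> Tuple[dict, dict]:
    """Locate the Wi-Fi payload and its EAPClientConfiguration dictionary."""
    for payload in profile.get("PayloadContent", []):
        if isinstance(payload, dict) and "EAPClientConfiguration" in payload:
            return payload, payload["EAPClientConfiguration"]
    raise ValueError("profile carries no EAPClientConfiguration payload")


def build_iwd_provisioning(raw_profile: bytes, ca_cert: Optional[str] = None) -> str:
    """Render the [Security]/[Hotspot] sections IWD expects for a TTLS network."""
    wifi, eap = find_wifi_payload(plistlib.loads(unwrap_profile(raw_profile)))
    eap_types = list(eap.get("AcceptEAPTypes", []))
    names = [EAP_TYPE_NAMES.get(t, f"unknown({t})") for t in eap_types]
    if 21 not in eap_types:
        raise ValueError(f"only EAP-TTLS is handled here; profile offers {names}")

    lines = ["[Security]", "EAP-Method=TTLS"]
    if eap.get("OuterIdentity"):
        lines.append(f"EAP-Identity={eap['OuterIdentity']}")
    # Apple documents MSCHAPv2 as the default inner method when the key is absent.
    inner = eap.get("TTLSInnerAuthentication", "MSCHAPv2")
    lines.append(f"EAP-TTLS-Phase2-Method=Tunneled-{inner}")
    if ca_cert:
        # Path of the CA certificate extracted with `openssl cms ... -certsout`.
        lines.append(f"EAP-TTLS-CACert={ca_cert}")

    # Hotspot 2.0 profiles carry NAIRealmNames on the Wi-Fi payload; fall back to
    # the EAP dictionary in case an operator placed it there.
    realms = wifi.get("NAIRealmNames") or eap.get("NAIRealmNames") or []
    if realms:
        lines += ["", "[Hotspot]", "NAIRealmNames=" + ",".join(realms)]
    return "\n".join(lines) + "\n"


# Constructed sample: an unsigned XML plist with the keys the write-up inspects.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>ExampleHotspot</string>
    <key>NAIRealmNames</key><array><string>example.com</string><string>example.net</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>21</integer></array>
      <key>OuterIdentity</key><string>anonymous@example.com</string>
      <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>
    </dict>
  </dict></array>
</dict></plist>
"""


def main(argv: list) -> int:
    """Usage: mobileconfig2iwd.py <profile.mobileconfig> <ca-cert-path> [output-name]"""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    text = build_iwd_provisioning(Path(argv[1]).read_bytes(), argv[2])
    out = IWD_HOTSPOT_DIR / (argv[3] if len(argv) > 3 else "operator.conf")
    out.write_text(text)
    out.chmod(0o600)  # the file may later hold credentials; keep it root-only
    print(f"wrote {out}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root (the output directory is owned by IWD) with the downloaded profile and the certificate path from the openssl step; on the constructed sample it emits the same [Security] and [Hotspot] layout as the hand-written file above, plus the EAP-TTLS-CACert line.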