
This is an old revision of the document!


Hotspot 2.0 Provisioning

Hotspot 2.0 support in desktop Linux is nearly nonexistent. Hotspot network operators like Comcast, Time Warner, or AT&T only provide routes to provision “mainstream” devices like Windows, Mac, iOS, or Android. This leaves Linux users to fend for themselves.

IWD now supports Hotspot 2.0 networks, and therefore needs some way of creating a provisioning file for a given network. I have found the easiest way to accomplish this is by using the iOS security profile that the network operators let you download when setting up your iOS device. If your network operator allows you to directly download the iOS security profile then you're in luck. The same could also be said for other security profile formats (e.g. Windows/Mac) but so far only iOS has been attempted.

Downloading the security profile

If the network operators will allow you to download and install the security profile directly from an iOS device, you should also be able to download it onto your Linux desktop with some Chrome trickery.

First, find the page which allows you to download the profile. This is going to be different for each network provider, but for example this is XFinity's:

http://wifi.xfinity.com//connect-devices.php

You can navigate to “Handheld Devices”, then “iPhone”. On that page there is a link to download the security profile directly.

At this point you need to open up the Chrome inspector (Right click → “Inspect”).

In the inspection window near the top left there is a button “Toggle device toolbar”. Clicking this will put a new toolbar above the web page. There should be a drop down which lets you select any number of devices. Choose any iPhone model there (I chose iPhone X).

You can then download the security profile. In the XFINITY case it redirected to a login page, then another page to download the profile. After each redirect I needed to ensure the device was still set to “iPhone X” as it was getting reset back to the original device.

Assuming everything worked you should now have a downloaded iOS security profile.

Extracting the certificates

Dumping the contents of the security profile shows that it's in some binary format. There is some ASCII in there, which will tell you the type of network security (TTLS/AKA/SIM etc.), but we also need the certificate in order to verify the AP we are going to connect to. The certs can be extracted using openssl:

  openssl cms -in <profile> -inform der -noout -print -cmsout -certsout my_provider_cert.crt

Where <profile> is the iOS profile previously downloaded.

This certificate can now be used as the CACert in your hotspot provisioning file.

Writing the IWD provisioning file

Inside the original iOS security profile there is some XML mixed throughout the binary data. There is probably a clean way of extracting this, but there are very few XML nodes we actually care about, so manual inspection is easy enough. The node we care about is “EAPClientConfiguration”. Its “AcceptEAPTypes” entry provides the EAP method number used for this network. This will likely be “21”, which corresponds to TTLS. You can map the integer values to names inside src/eap-private.h.
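
One way to do the inspection described above without reading the binary by hand, as an added example that is not part of the original page or of IWD. It assumes the XML plist is stored contiguously inside the downloaded profile; the name table is a subset of the IANA EAP method numbers, and the sample profile bytes are constructed.

```python
import plistlib

# Subset of the IANA EAP method numbers (assumption: enough for hotspot profiles).
EAP_TYPES = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA", 25: "PEAP", 50: "AKA'"}

def extract_plist(blob):
    """Cut the XML plist out of the signed profile and parse it."""
    start = blob.find(b"<?xml")
    end = blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded XML plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def find_eap_configs(node):
    """Yield every EAPClientConfiguration dict, at any nesting depth."""
    if isinstance(node, dict):
        cfg = node.get("EAPClientConfiguration")
        if isinstance(cfg, dict):
            yield cfg
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return
    for child in children:
        yield from find_eap_configs(child)

def eap_methods(blob):
    """Return [(number, name), ...] for each AcceptEAPTypes entry in the profile."""
    return [(n, EAP_TYPES.get(n, "unknown"))
            for cfg in find_eap_configs(extract_plist(blob))
            for n in cfg.get("AcceptEAPTypes", [])]

# Constructed sample: a minimal plist wrapped in made-up bytes standing in for
# the signature data around it. A real profile is read with open(path, "rb").
SAMPLE = (b"\x30\x82\x0a\x10\x06\x09" +
          plistlib.dumps({"PayloadContent": [
              {"EAPClientConfiguration": {"AcceptEAPTypes": [21]}}]}) +
          b"\xa0\x82\x05\x01\x30\x82")

if __name__ == "__main__":
    for number, name in eap_methods(SAMPLE):
        print(f"EAP method {number}: {name}")
```

A number reported as "unknown" is simply missing from the subset table here and can be looked up in src/eap-private.h.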

hotspot.1562617916.txt.gz · Last modified: 2019/07/08 20:31 by James Prestwood