OpenWrt - Passpoint Configuration
Configure Passpoint (Hotspot 2.0) on OpenWrt-based routers and access points to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This open-source solution provides WPA2/WPA3-Enterprise security without manual network selection or splash pages.
Overview
OpenWrt is an open-source Linux-based firmware for embedded devices, commonly used on wireless routers and access points. Passpoint support requires hostapd compiled with Hotspot 2.0 support.
Prerequisites
In OpenWrt:
- OpenWrt 21.02 or later (recommended)
- Access point with 802.11u/Hotspot 2.0 capable wireless chipset
- hostapd with HS2.0 support (wpad-openssl or wpad-wolfssl)
In IronWifi Console (complete these first):
- Log in to IronWifi Management Console
- Navigate to Networks > select your network
- Enable Passpoint
- Note the following:
  - RADIUS Server IPs (primary and secondary)
  - RADIUS Secret
  - NAI Realm (e.g., ironwifi.com)
  - Roaming Consortium OIs
Package Requirements
Install Required Packages
First, ensure you have the correct hostapd variant:
# Remove basic wpad if installed
opkg remove wpad-basic-wolfssl
# Install full wpad with 802.11u support
opkg update
opkg install wpad-openssl
# or, instead of wpad-openssl (install only one wpad variant)
opkg install wpad-wolfssl
Verify Hotspot 2.0 Support
# Check hostapd capabilities
hostapd -v
# Should show HS2.0 in features
UCI Configuration
Step 1: Configure RADIUS Server
# Set RADIUS authentication server
uci set wireless.@wifi-iface[0].auth_server='radius.ironwifi.com'
uci set wireless.@wifi-iface[0].auth_port='1812'
uci set wireless.@wifi-iface[0].auth_secret='your-radius-secret'
# Set RADIUS accounting server
uci set wireless.@wifi-iface[0].acct_server='radius.ironwifi.com'
uci set wireless.@wifi-iface[0].acct_port='1813'
uci set wireless.@wifi-iface[0].acct_secret='your-radius-secret'
Step 2: Configure WPA2-Enterprise
# Configure wireless interface for WPA2-Enterprise
uci set wireless.@wifi-iface[0].ssid='Passpoint'
uci set wireless.@wifi-iface[0].encryption='wpa2+aes'
uci set wireless.@wifi-iface[0].key=''
uci set wireless.@wifi-iface[0].ieee80211w='1' # Optional: PMF
Step 3: Enable 802.11u (Interworking)
# Enable interworking
uci set wireless.@wifi-iface[0].iw_enabled='1'
# Access network type (0=Private, 2=Free public, 3=Paid public)
uci set wireless.@wifi-iface[0].iw_access_network_type='2'
# Internet connectivity
uci set wireless.@wifi-iface[0].iw_internet='1'
# Venue information
uci set wireless.@wifi-iface[0].iw_venue_group='2' # Business
uci set wireless.@wifi-iface[0].iw_venue_type='0' # Unspecified
Step 4: Enable Hotspot 2.0
# Enable HS2.0
uci set wireless.@wifi-iface[0].hs20='1'
# DGAF (Downstream Group-Addressed Forwarding): 0 leaves it enabled, 1 disables it
uci set wireless.@wifi-iface[0].disable_dgaf='0'
Step 5: Configure Domain Name
uci set wireless.@wifi-iface[0].hs20_domain_name='ironwifi.net'
Step 6: Configure Roaming Consortium
# Add OpenRoaming OIs
uci add_list wireless.@wifi-iface[0].hs20_roaming_consortium='5A03BA0000'
uci add_list wireless.@wifi-iface[0].hs20_roaming_consortium='004096'
Step 7: Configure NAI Realm
# NAI Realm with EAP method
uci set wireless.@wifi-iface[0].hs20_nai_realm='0,ironwifi.com,21[2:4]'
# Format: encoding,realm,eap-method[inner-auth]
# 0 = realm encoded per RFC 4282 (1 = UTF-8), 21 = EAP-TTLS,
# [2:4] = non-EAP inner authentication MSCHAPv2 (PAP would be [2:1])
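Decoding the Step 7 value field by field, as an added example (not IronWifi's or OpenWrt's code): `decode_nai_realm` is a hypothetical helper whose value tables follow the comments in hostapd's sample hostapd.conf. It shows which EAP and inner methods a given `nai_realm` string advertises to clients, and rejects malformed strings.

```shell
# Added example: decode_nai_realm is a hypothetical helper, not a hostapd or OpenWrt command.
# Value tables follow the comments in hostapd's sample hostapd.conf.
decode_nai_realm() {
    value=$1
    case $value in *,*) ;; *) echo "error: expected <encoding>,<realm>"; return 1 ;; esac
    enc=${value%%,*}; rest=${value#*,}; realm=${rest%%,*}
    case $rest in *,*) methods=${rest#*,} ;; *) methods="" ;; esac
    case $enc in
        0) out="encoding=RFC4282" ;;
        1) out="encoding=UTF-8" ;;
        *) echo "error: encoding must be 0 or 1"; return 1 ;;
    esac
    [ -n "$realm" ] || { echo "error: empty realm"; return 1; }
    out="$out realm=$realm"
    while [ -n "$methods" ]; do              # one comma-separated EAP method per pass
        m=${methods%%,*}
        case $methods in *,*) methods=${methods#*,} ;; *) methods="" ;; esac
        eap=${m%%\[*}; params=${m#"$eap"}
        case $eap in
            13) out="$out eap=EAP-TLS" ;;
            21) out="$out eap=EAP-TTLS" ;;
            25) out="$out eap=PEAP" ;;
            ''|*[!0-9]*) echo "error: bad EAP method '$eap'"; return 1 ;;
            *) out="$out eap=$eap" ;;
        esac
        while [ -n "$params" ]; do           # zero or more [id:value] auth parameters
            case $params in \[*:*\]*) ;; *) echo "error: bad auth param '$params'"; return 1 ;; esac
            p=${params%%\]*}; p=${p#\[}; params=${params#*\]}
            case $p in
                2:1) out="$out inner=PAP" ;;
                2:2) out="$out inner=CHAP" ;;
                2:3) out="$out inner=MSCHAP" ;;
                2:4) out="$out inner=MSCHAPV2" ;;
                5:6) out="$out cred=certificate" ;;
                5:7) out="$out cred=username/password" ;;
                *) out="$out param=$p" ;;
            esac
        done
    done
    echo "$out"
}

decode_nai_realm '0,ironwifi.com,21[2:4]'   # the value from Step 7
```

Run it on each realm string before `uci commit wireless`; the advertised inner method should be the one the RADIUS server actually accepts.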
Step 8: Apply Configuration
uci commit wireless
wifi reload
Direct hostapd Configuration
For advanced configuration, edit /etc/hostapd.conf directly:
# Basic SSID Configuration
ssid=Passpoint
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211w=1
# RADIUS Configuration
auth_server_addr=radius.ironwifi.com
auth_server_port=1812
auth_server_shared_secret=your-radius-secret
acct_server_addr=radius.ironwifi.com
acct_server_port=1813
acct_server_shared_secret=your-radius-secret
# 802.11u / Interworking
interworking=1
access_network_type=2
internet=1
venue_group=2
venue_type=0
venue_name=eng:IronWifi Hotspot
# Hotspot 2.0
hs20=1
disable_dgaf=0
osen=0
# Domain Name
domain_name=ironwifi.net
# Roaming Consortium (OpenRoaming)
roaming_consortium=5A03BA0000
roaming_consortium=004096
# NAI Realm
# Format: encoding,realm,eap_method[auth_param]
nai_realm=0,ironwifi.com,21[2:4]
# Operator Friendly Name
hs20_oper_friendly_name=eng:IronWifi
# WAN Metrics (optional)
hs20_wan_metrics=01:8000:1000:80:240:0
# Connection Capability (optional)
hs20_conn_capab=6:80:1
hs20_conn_capab=6:443:1
hs20_conn_capab=17:5060:1
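A pre-deployment check for the hostapd.conf above, as an added example rather than part of the original page: `lint_hostapd_conf` and `conf_get` are hypothetical helpers that flag legacy WPA, TKIP, disabled PMF and the placeholder RADIUS secrets left in place. The sample file is constructed.

```shell
# Added example: lint_hostapd_conf and conf_get are hypothetical helper names.
conf_get() {  # print the value of key $2 in hostapd config file $1
    sed -n "s/^$2=//p" "$1" | tail -n 1   # assumption: a repeated key's last line wins
}

lint_hostapd_conf() {
    f=$1; findings=""
    # WPA2 (RSN) only; wpa=1 or 3 enables legacy WPA
    [ "$(conf_get "$f" wpa)" = 2 ] || findings="$findings not-wpa2-only"
    # 802.1X/EAP key management, as Passpoint requires, rather than a PSK
    case "$(conf_get "$f" wpa_key_mgmt)" in
        *WPA-EAP*) ;;
        *) findings="$findings no-wpa-eap" ;;
    esac
    # CCMP only; any TKIP in either cipher list is a downgrade
    case "$(conf_get "$f" wpa_pairwise) $(conf_get "$f" rsn_pairwise)" in
        *TKIP*) findings="$findings tkip-enabled" ;;
    esac
    # PMF (802.11w): 1 = optional, 2 = required, 0 or unset = off
    case "$(conf_get "$f" ieee80211w)" in
        1|2) ;;
        *) findings="$findings pmf-off" ;;
    esac
    # The page's placeholder secrets must never reach a live config
    for key in auth_server_shared_secret acct_server_shared_secret; do
        case "$(conf_get "$f" "$key")" in
            your-radius-secret|your-secret) findings="$findings placeholder-$key" ;;
        esac
    done
    echo "${findings# }"
    [ -z "$findings" ]
}

# Constructed sample: the page's settings with PMF turned off and one placeholder left in
sample=$(mktemp)
cat > "$sample" <<'EOF'
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211w=0
auth_server_shared_secret=your-radius-secret
acct_server_shared_secret=constructed-sample-secret
EOF
lint_hostapd_conf "$sample" || true
rm -f "$sample"
```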
Advanced Configuration
3GPP Cellular Information
For carrier WiFi offload:
# In hostapd.conf
anqp_3gpp_cell_net=310,410;311,480
Or via UCI:
uci set wireless.@wifi-iface[0].anqp_3gpp_cell_net='310,410;311,480'
Operating Class
Define supported frequency bands:
# In hostapd.conf
hs20_operating_class=51
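# Value is a hex dump of operating class octets (global operating classes):
# 51 = operating class 81 (2.4 GHz channels 1-13)
# 73 = operating class 115 (5 GHz channels 36-48)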
Proxy ARP
Enable proxy ARP for better isolation:
uci set wireless.@wifi-iface[0].proxy_arp='1'
OpenRoaming Configuration
Full OpenRoaming Setup
# Configure for OpenRoaming
uci add_list wireless.@wifi-iface[0].hs20_roaming_consortium='5A03BA0000'
uci add_list wireless.@wifi-iface[0].hs20_roaming_consortium='004096'
# Add OpenRoaming domains
uci set wireless.@wifi-iface[0].hs20_domain_name='ironwifi.net;openroaming.org'
# Multiple NAI realms
uci add_list wireless.@wifi-iface[0].hs20_nai_realm='0,ironwifi.com,21[2:4]'
uci add_list wireless.@wifi-iface[0].hs20_nai_realm='0,openroaming.org,21[2:4]'
uci commit wireless
wifi reload
Verification
Check Hostapd Status
# View hostapd status
hostapd_cli -i wlan0 status
# Check HS2.0 is enabled
hostapd_cli -i wlan0 get_config | grep hs20
View ANQP Information
# Show ANQP elements
hostapd_cli -i wlan0 anqp_get 0
Check Connected Clients
# List associated stations
hostapd_cli -i wlan0 all_sta
Test RADIUS Connectivity
# Install radtest if needed
opkg install freeradius3-utils
# Test authentication
radtest user password radius.ironwifi.com 1812 your-secret
Troubleshooting
Passpoint Network Not Visible
- Verify HS2.0 is enabled:
  hostapd_cli -i wlan0 status | grep hs20
- Check hostapd supports HS2.0:
  hostapd -v 2>&1 | grep -i hs2
- Verify wireless driver supports 802.11u:
  iw phy | grep -i 'valid interface'
Authentication Failures
- Check RADIUS connectivity:
  tcpdump -i any port 1812
- Review hostapd logs:
  logread | grep hostapd
- Verify NAI realm format:
- Ensure encoding is correct (0 for UTF-8)
- Check EAP method matches server config
Common Errors
| Error | Solution |
|---|---|
| "HS2.0 not supported" | Install wpad-openssl package |
| "RADIUS timeout" | Check network connectivity and firewall |
| "Invalid NAI realm" | Verify realm format and encoding |
| "GAS query failed" | Check 802.11u configuration |
Debug Mode
Enable debug logging:
# Edit /etc/config/wireless
uci set wireless.@wifi-iface[0].log_level='0'
uci commit wireless
wifi reload
# View detailed logs
logread -f | grep -E '(hostapd|wpa)'
Best Practices
- Use wpad-openssl: Required for full HS2.0 support
- Keep firmware updated: Latest OpenWrt for best compatibility
- Test with multiple devices: Verify Passpoint works across platforms
- Monitor logs: Watch for authentication issues
- Backup configuration: Save working config before changes
- Use PMF: Enable 802.11w for better security