Linux and Hotspot 2.0/Passpoint

  • Hotspot2.0/Passpoint support on Linux is probably the most difficult to set up when compared to the other operating systems.
  • You will need to get your hands dirty and create a config file that the wpa_supplicant program can use to connect to a Hotspot2.0/Passpoint network.
  • If you are familiar with the standard wpa_supplicant config file then the learning curve will be less steep.
  • Below is a sample config file that is used to connect as a client to a Hotspot2.0/Passpoint network.
wpa_supplicant-wbw.conf
country=ZA
interworking=1
hs20=1
auto_interworking=1
cred={
   realm="radiusdesk.com"
   ca_cert="/etc/ssl/certs/ca-certificates.crt"
   username="koos@hotspottwo"
   password="testing123"
   domain_suffix_match="mesh-manager.com;radiusdesk.com;openwrt.org"
   phase2="auth=MSCHAPV2"
   eap=TTLS
}
 
network={
   scan_ssid=1
   ssid="_Passpoint"
   key_mgmt=WPA-EAP WPA-EAP-SHA256
   ca_cert="/etc/ssl/certs/ca-certificates.crt"
   identity="koos@hotspottwo"
   anonymous_identity="anonymous@uam.mesh-manager.com"
   password="testing123"
   domain_suffix_match="mesh-manager.com;radiusdesk.com;openwrt.org"
   phase2="auth=MSCHAPV2"
   eap=TTLS
   proto=RSN
   ieee80211w=1
   beacon_int=100
}
  • The network section is pretty standard and is covered in many places where wpa_supplicant is discussed.
  • There is one item to take note of, and that is the ssid. Although it is not used in Hotspot 2.0, we still need to specify it.
  • We use a convention of _Passpoint.
  • You will also note that some items listed under network are also listed under cred. That is normal.
  • By default, wpa_supplicant does not use automatic network selection unless it is requested explicitly with the interworking_select command. This can be changed with the auto_interworking=1 parameter, which performs network selection automatically whenever wpa_supplicant is trying to find a network to connect to and none of the enabled network blocks match the scan results.
  • interworking and hs20 both have to be specified as active in the config file.
  • With the following log output you can see how wpa_supplicant finds and connects to an SSID.
Wed Jul 23 10:28:09 2025 daemon.notice netifd: Network device 'zro0' link is down
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: Starting ANQP fetch for 82:af:ca:18:22:48 (HESSID 00:00:00:01:02:03)
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: GAS-QUERY-START addr=82:af:ca:18:22:48 dialog_token=33 freq=2412
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: GAS-QUERY-DONE addr=82:af:ca:18:22:48 dialog_token=33 freq=2412 status_code=0 result=SUCCESS
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: RX-ANQP 82:af:ca:18:22:48 ANQP Capability list
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: RX-ANQP 82:af:ca:18:22:48 NAI Realm list
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: RX-HS20-ANQP 82:af:ca:18:22:48 HS Capability List
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: ANQP-QUERY-DONE addr=82:af:ca:18:22:48 result=SUCCESS
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: ANQP fetch completed
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: INTERWORKING-AP 82:af:ca:18:22:48 type=unknown id=2 priority=0 sp_priority=0
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: INTERWORKING-SELECTED 82:af:ca:18:22:48
Wed Jul 23 10:28:13 2025 daemon.notice wpa_supplicant[1837]: wbw: SME: Trying to authenticate with 82:af:ca:18:22:48 (SSID='HotspotTwo Wireless' freq=2412 MHz)
Wed Jul 23 10:28:14 2025 kern.info kernel: [45847.860419] wbw: authenticate with 82:af:ca:18:22:48 (local address=82:af:ca:6d:64:d0)
Wed Jul 23 10:28:14 2025 kern.info kernel: [45847.868519] wbw: send auth to 82:af:ca:18:22:48 (try 1/3)
Wed Jul 23 10:28:14 2025 kern.info kernel: [45847.880117] wbw: authenticated
  • Here you can see ANQP and GAS working together to locate an SSID that wpa_supplicant can connect to.
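
The config-file requirements listed above (interworking and hs20 both active, items repeated under cred and network) can be checked with a short script before the file is handed to wpa_supplicant. This is an added example, not part of the original page or of wpa_supplicant: the parse and lint functions are hypothetical, the sample input is constructed, and requiring ca_cert and domain_suffix_match in every EAP block and expecting keys shared by cred and network to match are assumptions of the example.

```python
import re

# Constructed input: a cut-down variant of the page's config with hs20=1 left
# out, domain_suffix_match missing from cred, and a different eap in network.
SAMPLE = """\
interworking=1
cred={
   ca_cert="/etc/ssl/certs/ca-certificates.crt"
   username="koos@hotspottwo"
   eap=TTLS
}
network={
   ssid="_Passpoint"
   ca_cert="/etc/ssl/certs/ca-certificates.crt"
   domain_suffix_match="mesh-manager.com;radiusdesk.com;openwrt.org"
   eap=PEAP
}
"""

def parse(text):
    """Split a config into global settings and (kind, fields) blocks."""
    top, blocks, cur = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opener = re.fullmatch(r"(cred|network)=\{", line)
        if opener:
            cur = {}
            blocks.append((opener.group(1), cur))
        elif line == "}":
            cur = None
        else:
            key, _, value = line.partition("=")
            (top if cur is None else cur)[key] = value.strip('"')
    return top, blocks

def lint(text):
    """Return findings; shared cred/network keys are assumed to match."""
    top, blocks = parse(text)
    out = [f"global: {k}=1 missing" for k in ("interworking", "hs20")
           if top.get(k) != "1"]
    for kind, f in blocks:
        # Assumption: each EAP block needs ca_cert and domain_suffix_match.
        out += [f"{kind}: {k} missing" for k in ("ca_cert", "domain_suffix_match")
                if "eap" in f and k not in f]
    creds, nets = ([f for k, f in blocks if k == t] for t in ("cred", "network"))
    out += [f"cred/network disagree on {k}" for c in creds for n in nets
            for k in sorted(c.keys() & n.keys()) if c[k] != n[k]]
    return out
```

Without ca_cert and domain_suffix_match the client has no way to verify which RADIUS server it is sending the username and password to, which is why the example treats their absence as a finding.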
  • Last modified: 2025/07/23 10:31
  • by system