Hotspot 2.0 Profile

Hello. I am trying to set up Hotspot 2.0 (Passpoint r1) in a lab setting. I have a RADIUS server configured to authenticate EAP-TLS, and have successfully created and installed a profile on an iPad that will connect to the SSID using EAP-TLS: certs, keys and all required settings.

I then created a new profile (starting from the working EAP-TLS profile) that defines Hotspot 2.0 settings (such as NAI realms, RoamingConsortiumOIs, domain name, etc.). The iPad sees the SSID and shows it in the SSID list with my DisplayedOperatorName displayed nicely. When I try to connect to it, however, I get the message: Unable to join the network "HS20DEMO".

I have tried to look at the logs. However, the logs don't make much sense to me. I know I have the SSID configured properly because I have it working on my Android phone via their Hotspot 2.0 profile install methods. I'm not sure what I'm doing wrong.

Is there some other requirement here that I am missing? Do the HS20 profiles need to be signed in order to work properly? That's the only other thing I can think of trying. I reviewed the Configuration Profile Reference documentation many times, but nothing stands out to me. Any help would be appreciated.

Thanks.

Passpoint Profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>723963bd-3eb1-4bd4-a62a-36e6cc2fd22f</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>com.examplewifi.hs20</string>
    <key>PayloadDisplayName</key>
    <string>iOS HS20 test profile</string>
    <key>PayloadDescription</key>
    <string>This is a test Hotspot 2.0 profile providing a key/cert file for EAPTLS/HS20 authentication.</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>8110d7fa-67ec-4b22-9bd7-e8961b71b0c2</string>
            <key>PayloadIdentifier</key>
            <string>com.examplewifi.hs20config</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadScope</key>
            <string>System</string>
            <key>PayloadDescription</key>
            <string>Example Wifi Hotspot 2.0 Lab</string>
            <key>PayloadDisplayName</key>
            <string>Example Wifi Hotspot 2.0 Lab</string>
            <key>AutoJoin</key>
            <true/>

            <key>DisplayedOperatorName</key>
            <string>Example Wifi Hotspot 2.0 Lab</string>
            <key>DomainName</key>
            <string>examplewifi.com</string>
            <key>ServiceProviderRoamingEnabled</key>
            <true/>

            <key>IsHotspot</key>
            <true/>

            <key>NAIRealmNames</key>
            <array>
                <string>hs20.examplewifi.com</string>
            </array>
            <key>RoamingConsortiumOIs</key>
            <array>
                <string>112233</string>
            </array>
            <key>EncryptionType</key>
            <string>WPA2</string>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>13</integer>
                </array>
                <key>TLSCertificateIsRequired</key>
                <true/>
                <key>TLSTrustedServerNames</key>
                <array>
                    <string>hs20.examplewifi.com</string>
                    <string>hs20ca.examplewifi.com</string>
                </array>
                <!-- Each anchor UUID must match the PayloadUUID of a certificate payload in this same profile (the CA payload below). -->
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>c0f507e3-2739-42bc-b934-74775405bb2c</string>
                </array>
            </dict>
            <!-- Must match the PayloadUUID of the PKCS#12 payload below that carries the client key and certificate. -->
            <key>PayloadCertificateUUID</key>
            <string>fe4b01ae-e8fe-4d30-a9ee-457bf436fbf9</string>
        </dict>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>fe4b01ae-e8fe-4d30-a9ee-457bf436fbf9</string>
            <key>PayloadIdentifier</key>
            <string>com.examplewifi.p12</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadDescription</key>
            <string>This is the private key and certificate.</string>
            <key>PayloadDisplayName</key>
            <string>Private Key and Certificate</string>
            <!-- PKCS#12 import password in clear text: anyone who obtains this .mobileconfig can extract the client private key. -->
            <key>Password</key>
            <string>password</string>
            <key>PayloadContent</key>
            <data>MIIQOQIBAzCCD/8GCSqGSIb3DQEHAaCCD/AEgg/sMIIP6DCCBh8G
CSqGSIb3DQEHBqCCBhAwggYMAgEAMIIGBQYJKoZIhvcNAQcBMBwG
...
NZMXmMIrkMvkBAhwM09ez52g6gICCAA=
</data>
        </dict>

        <dict>
            <key>PayloadDisplayName</key>
            <string>CA certificate</string>
            <key>PayloadIdentifier</key>
            <string>CA certificate.cert</string>
            <key>PayloadUUID</key>
            <string>c0f507e3-2739-42bc-b934-74775405bb2c</string>
            <key>PayloadType</key>
            <string>com.apple.security.pem</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadCertificateFileName</key>
            <string>ca.pem</string>
            <key>PayloadContent</key>
            <data>MIIGZDCCBEygAwIBAgIJAPIkHYkIhVMLMA0GCSqGSIb3DQEBCwUA
MGoxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARPaGlvMQwwCgYDVQQH
...
Kpg=
</data>
        </dict>

    </array>
</dict>
</plist>

Relevant iOS Logs (these logs are a capture with SSID=HS20DEMO):
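Added example, not part of the original post and not Apple's or the poster's code: a small static checker for the cross-references inside a Hotspot 2.0 / EAP-TLS .mobileconfig like the one above. It builds a constructed sample profile with the same payload layout (placeholder UUIDs, identifiers and certificate bytes, not the poster's values), writes it out with plistlib, then verifies the things that silently break a join: that PayloadCertificateUUID points at a com.apple.security.pkcs12 payload in the same profile, that every PayloadCertificateAnchorUUID points at a certificate payload, that TLSTrustedServerNames is set, that IsHotspot has at least one of NAIRealmNames, RoamingConsortiumOIs or DomainName to match, and that the OIs are hex octet strings. It also flags a clear-text PKCS#12 Password, which hands the client private key to anyone holding the file. The build_sample and check_profile names and the wording of the findings are this example's own.

```python
"""Static consistency checks for an iOS Hotspot 2.0 (Passpoint) EAP-TLS profile."""
import plistlib
import uuid

WIFI = "com.apple.wifi.managed"
PKCS12 = "com.apple.security.pkcs12"
CERT_TYPES = {"com.apple.security.pem", "com.apple.security.root",
              "com.apple.security.pkcs1", PKCS12}
EAP_TLS = 13  # IANA EAP method type number for EAP-TLS
CLEARTEXT_PW = ("pkcs12: import password is stored in clear text; anyone holding "
                "the .mobileconfig can extract the client private key")


def build_sample(anchor_uuid=None, with_password=True) -> bytes:
    """Constructed sample profile mirroring the post's layout.

    UUIDs are generated, identifiers are example.com placeholders and the
    certificate payloads hold dummy bytes, not real DER. Returns the serialized
    plist, i.e. what a .mobileconfig looks like on disk.
    """
    wifi_uuid, p12_uuid, ca_uuid = (str(uuid.uuid4()) for _ in range(3))
    wifi = {
        "PayloadType": WIFI, "PayloadUUID": wifi_uuid, "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.hs20config",
        "AutoJoin": True, "IsHotspot": True, "ServiceProviderRoamingEnabled": True,
        "DisplayedOperatorName": "Example Hotspot 2.0 Lab",
        "DomainName": "example.com",
        "NAIRealmNames": ["hs20.example.com"],
        "RoamingConsortiumOIs": ["112233"],
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSCertificateIsRequired": True,
            "TLSTrustedServerNames": ["hs20.example.com"],
            # anchor_uuid lets a caller inject a dangling reference on purpose
            "PayloadCertificateAnchorUUID": [anchor_uuid or ca_uuid],
        },
        "PayloadCertificateUUID": p12_uuid,
    }
    p12 = {"PayloadType": PKCS12, "PayloadUUID": p12_uuid, "PayloadVersion": 1,
           "PayloadIdentifier": "com.example.p12", "PayloadContent": b"\x30\x82dummy"}
    if with_password:
        p12["Password"] = "password"  # clear-text import password, as in the post
    ca = {"PayloadType": "com.apple.security.pem", "PayloadUUID": ca_uuid,
          "PayloadVersion": 1, "PayloadIdentifier": "com.example.ca",
          "PayloadContent": b"\x30\x82dummy"}
    top = {"PayloadType": "Configuration", "PayloadVersion": 1,
           "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": "com.example.hs20",
           "PayloadContent": [wifi, p12, ca]}
    return plistlib.dumps(top)


def check_profile(mobileconfig: bytes) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    top = plistlib.loads(mobileconfig)
    findings = []
    payloads = top.get("PayloadContent", [])
    by_uuid = {}
    for p in payloads:  # index payloads by UUID and validate the UUIDs themselves
        u = p.get("PayloadUUID", "")
        try:
            uuid.UUID(u)
        except ValueError:
            findings.append(f"{p.get('PayloadType')}: PayloadUUID {u!r} is not a valid UUID")
        if u in by_uuid:
            findings.append(f"duplicate PayloadUUID {u}")
        by_uuid[u] = p
    for p in payloads:
        if p.get("PayloadType") == PKCS12 and "Password" in p:
            findings.append(CLEARTEXT_PW)
        if p.get("PayloadType") != WIFI or not p.get("IsHotspot"):
            continue
        if not any(p.get(k) for k in ("NAIRealmNames", "RoamingConsortiumOIs", "DomainName")):
            findings.append("wifi: IsHotspot set but no NAIRealmNames, "
                            "RoamingConsortiumOIs or DomainName to match against ANQP")
        for oi in p.get("RoamingConsortiumOIs", []):
            if len(oi) % 2 or any(c not in "0123456789abcdefABCDEF" for c in oi):
                findings.append(f"wifi: RoamingConsortiumOI {oi!r} is not a hex octet string")
        if p.get("EncryptionType") in (None, "None", "WEP"):
            findings.append("wifi: Passpoint needs WPA2-Enterprise; EncryptionType is "
                            + repr(p.get("EncryptionType")))
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TLS in eap.get("AcceptEAPTypes", []):
            client = by_uuid.get(p.get("PayloadCertificateUUID"))
            if not client or client.get("PayloadType") != PKCS12:
                findings.append("wifi: EAP-TLS selected but PayloadCertificateUUID does not "
                                "reference a pkcs12 payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("wifi: no TLSTrustedServerNames; RADIUS server identity is not pinned")
        for a in eap.get("PayloadCertificateAnchorUUID", []):
            anchor = by_uuid.get(a)
            if not anchor or anchor.get("PayloadType") not in CERT_TYPES:
                findings.append(f"wifi: PayloadCertificateAnchorUUID {a} does not reference "
                                "a certificate payload in this profile")
    return findings


if __name__ == "__main__":
    for finding in check_profile(build_sample()):
        print(finding)
```

Run it against a real file with check_profile(open("hs20.mobileconfig", "rb").read()). Note that the profile in the post passes every structural check except the clear-text password, which matches the outcome in the replies: the profile was fine and the join failed for a reason on the access point side.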

Replies

I figured it out. I tried a different vendor's access point and it connected just fine via Passpoint to that access point. I did more research and found a firmware update for the original access point. The firmware update fixed the issue! I was then able to log in via Passpoint (HS2.0) with the original access point.

  • Curious which vendors you were using.

  • Ruckus was having the issue where firmware fixed it in standalone mode. I also tested an Aruba AP that was able to successfully authenticate both iOS and Android devices.

  • Ruckus had the problem with old firmware on a VSZ setup. I got an R310 working in standalone mode w/ CLI config. I also tested with an Aruba AP. That AP was fine w/ both iOS and Android devices.
