OpenWrt - Passpoint configuration

In this guide we describe how to configure your Meraki devices to work with Passpoint profiles, OpenRoaming and SIM card authentication.

Prerequisites

1. OpenWrt-compatible device with a Passpoint-capable wireless device (PHY).
2. OpenWrt 21.02 or newer, including wpad (hostapd) built with the hs20 option.
3. Full version of the iw package in OpenWrt.
4. 802.1X infrastructure (RADIUS server).
5. Information about the assigned RADIUS servers (server IP address, port numbers, shared secrets), from either:
   1. an email or document that contains this information, or
   2. access to the IronWiFi Management Console.

Overview

Wpad, a hostapd variant, needs to be built with the hs20 option. To check whether the program is capable of Hotspot 2.0, please try:

    # strings /usr/sbin/wpad | grep hs20

If nothing shows up, your wpad isn't capable of Hotspot 2.0.

The default package installed is normally wpad-basic (or wpad-basic-wolfssl), which doesn't have Hotspot 2.0 support. You have to remove wpad-basic and install a full version of wpad, such as wpad-openssl.

In addition, the iw package also needs to be replaced with the iw-full package. Please be careful not to have the wireless drivers removed along with it. If they are deleted, you have to re-install them.

Unlike the hostapd configuration on a Linux box, hostapd.conf cannot be edited manually. UCI (Unified Configuration Interface) is used to auto-generate hostapd.conf on OpenWrt.

More specifically, the shell script "/lib/netifd/hostapd.sh" generates "/var/run/hostapd-phyX.conf" from the UCI wireless configuration file "/etc/config/wireless".

Hotspot 2.0 configuration

We assume that an SSID has already been configured with WPA2/3 Enterprise (802.1X). Please refer to other documents for this configuration.

Hotspot 2.0 can be enabled by adding some "option" and "list" lines to the "config wifi-iface 'wifinetX'" section. An example is shown below. Some lines need to be adjusted to match your own service.

Example:

    option iw_enabled '1'
    option iw_interworking '1'
    option iw_access_network_type '3'
    option iw_internet '1'
    option iw_disable_dgaf '1'
    option iw_asra '0'
    option iw_esr '0'
    option iw_uesa '0'
    option iw_venue_group '2'
    option iw_venue_type '8'
    option iw_hessid '00:00:00:01:02:03'
    list iw_roaming_consortium 'AA146B0000'
    list iw_roaming_consortium 'BAA2D00000'
    list iw_roaming_consortium '5A03BA0000'
    list iw_nai_realm '0,ironwifi,13[5:6],21[2:4][5:7]'
    list iw_venue_name 'eng:somePublicSpace'
    list iw_venue_url '1:http://www.example.com/info-eng'
    option iw_network_auth_type '00'
    option iw_ipaddr_type_availability '0c'
    list iw_domain_name 'ironwifi.net'
    list iw_domain_name 'openroaming.org'
    list iw_domain_name 'apple.openroaming.net'
    list iw_domain_name 'google.openroaming.net'
    list iw_domain_name 'ciscooneid.openroaming.net'
    option hs20 '1'
    option hs20_oper_friendly_name 'eng:IronWiFiPasspoint'
    option hs20_operating_class '517C'

As you can easily guess, "option" is used to specify a single value, while "list" is used to give multiple values for the same name. In the example above, one NAI realm, ironwifi, is configured with two EAP methods: "EAP-TLS with certificate" (13[5:6]) and "EAP-TTLS/MSCHAPv2 with username/password" (21[2:4][5:7]).

The parameter names and their contents can be found in the template of the hostapd configuration file. Please look into the "/lib/netifd/hostapd.sh" script to see which options are actually available.

Testing the Hotspot 2.0 functionality

To make the configuration effective:

    # wifi

To see whether the SSID becomes available:

    # iwinfo

Then, on a client device, you should see a "Hotspot 2.0" message or the description embedded in the Passpoint profile.

The following command shows you whether Passpoint is supported by the Wi-Fi device on Windows 10/11. If "ANQP Service Information Discovery" is "Supported", Passpoint is supposed to work.

    > netsh wlan show wirelesscapabilities

Troubleshooting

If wpad won't come up and the SSID disappears after setting "option iw_enabled '1'", there may be some wrong or missing parameters in the configuration.

Support of Hotspot 2.0 seems still in flux as of writing. A known problem is that UCI leaves iw_venue_name and iw_venue_url blank and wpad fails to start. Please check "/var/run/hostapd-phyX.conf" and see whether the parameters are passed correctly.
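As an added example (not code from this page, OpenWrt or hostapd), the following Python decodes an iw_nai_realm value such as the one in the configuration section into the EAP methods and credential types it advertises, using the code points documented in hostapd.conf, and flags the blank venue_name/venue_url lines in a generated hostapd-phyX.conf that the troubleshooting note above describes. The function names, dictionary names and sample strings are my own.

```python
import re

# Code points from the nai_realm description in hostapd.conf: EAP method IDs
# are IANA EAP types, auth-param IDs/values follow Hotspot 2.0 / IEEE 802.11u.
EAP_METHODS = {13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA",
               25: "EAP-PEAP", 50: "EAP-AKA'"}
AUTH_PARAMS = {
    2: ("inner non-EAP auth", {1: "PAP", 2: "CHAP", 3: "MSCHAP", 4: "MSCHAPv2"}),
    3: ("inner EAP method", EAP_METHODS),
    5: ("credential", {1: "SIM", 2: "USIM", 3: "NFC secure element",
                       4: "hardware token", 5: "softoken", 6: "certificate",
                       7: "username/password", 8: "none"}),
}


def parse_nai_realm(value):
    """Decode one iw_nai_realm value: '<enc>,<realm;realm>,<eap>[<p>:<v>]...'."""
    fields = value.split(",")
    if len(fields) < 3:
        raise ValueError("need encoding, realm list and at least one EAP method")
    if fields[0] not in ("0", "1"):
        raise ValueError("encoding must be 0 (RFC 4282) or 1 (UTF-8)")
    methods = []
    for spec in fields[2:]:
        m = re.fullmatch(r"(\d+)((?:\[\d+:\d+\])*)", spec)
        if not m:
            raise ValueError(f"malformed EAP method spec: {spec!r}")
        params = {}
        for p, v in re.findall(r"\[(\d+):(\d+)\]", m.group(2)):
            name, values = AUTH_PARAMS.get(int(p), (f"auth-param {p}", {}))
            params[name] = values.get(int(v), f"value {v}")
        eap = int(m.group(1))
        methods.append({"eap": EAP_METHODS.get(eap, f"EAP type {eap}"),
                        "params": params})
    return {"encoding": "RFC4282" if fields[0] == "0" else "UTF-8",
            "realms": fields[1].split(";"), "methods": methods}


def empty_hostapd_params(conf_text, keys=("venue_name", "venue_url")):
    """Names from `keys` that a generated hostapd-phyX.conf emits with an empty
    value, the blank venue_name/venue_url case that keeps wpad from starting."""
    empty = []
    for line in conf_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() in keys and not val.strip():
            empty.append(key.strip())
    return empty
```

Feed `empty_hostapd_params` the contents of /var/run/hostapd-phyX.conf after running `wifi`; a non-empty result points at the UCI list values that hostapd.sh passed through blank.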