Cannot get hostapd radius to authenticate OSEN connection.

Jouni Malinen j at w1.fi
Fri Mar 20 08:51:10 EDT 2015


On Thu, Mar 19, 2015 at 05:58:21PM -0700, Ben Greear wrote:
> I cannot seem to get a hostapd radius server to authenticate an OSEN connection.
> I think it might be some issue with the hostapd-radius server, but not sure why.
> 
> I have enabled CONFIG_EAP_UNAUTH_TLS=y in the wpa_supplicant and hostapd config files.
> (This config option should be mentioned in the defconfig files?).

That vendor specific EAP method is not really described anywhere and I'm
not sure whether I'd really want to promote it much at this point in
time. Anyway, CONFIG_EAP_UNAUTH_TLS=y is not used with OSEN. The version
of client-unauthenticated TLS for OSEN is selected for the build with
CONFIG_HS20=y.

> "osen at lanforge.com"      WFA-UNAUTH-TLS

This is the EAP method from CONFIG_HS20=y (the unrelated
CONFIG_EAP_UNAUTH_TLS=y is "UNAUTH-TLS").

> Here is log.  Maybe the important bit is about not being able to find ssl ctxt?

> 1426812366.390087: RADIUS SRV: [0x0 127.0.0.1] EAP: EAP-Response/Identity 'osen at lanforge.com'
> 1426812366.390101: EAP: getNextMethod: vendor 40808 type 13
> 1426812366.390108: TLS context not initialized - cannot use TLS-based EAP method
> 1426812366.390112: EAP-TLS: Failed to initialize SSL.
> 1426812366.390118: EAP: Failed to initialize EAP method 254

Yes, this is the part that is failing. It looks like you have not
configured the server certificate in hostapd configuration file and
that leaves TLS uninitialized. For any TLS-based EAP methods, the server
will need to have its private key, server certificate, and CA
certificate(s) configured.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
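
A pre-flight check for the condition described in the reply above, as an added example that is not part of the original message or of hostapd itself. The function names are hypothetical; the keys checked (eap_server, ca_cert, server_cert, private_key) are standard hostapd.conf parameters, and the check assumes the integrated EAP server is the one in use.

```shell
#!/bin/sh
# Added example: report which TLS settings a hostapd.conf lacks for
# TLS-based EAP methods (the cause of "TLS context not initialized").

# conf_get FILE KEY: print the last uncommented value of KEY (empty if unset).
# hostapd expects "key=value" starting in the first column.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_hostapd_tls FILE: print one line per problem; return 0 only if
# the private key, server certificate and CA certificate are all
# configured and point at readable files.
check_hostapd_tls() {
    conf=$1
    problems=0
    if [ "$(conf_get "$conf" eap_server)" != "1" ]; then
        echo "eap_server=1 not set: integrated EAP server is disabled"
        return 1
    fi
    for key in ca_cert server_cert private_key; do
        path=$(conf_get "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not configured"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "$key: $path is not readable"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it as `check_hostapd_tls <path to hostapd.conf>` with the account hostapd runs under, so that the readability test reflects what the daemon will actually see.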