Cannot get hostapd radius to authenticate OSEN connection.

Jouni Malinen j at w1.fi
Sat Mar 21 10:13:21 EDT 2015


On Fri, Mar 20, 2015 at 02:24:03PM -0700, Ben Greear wrote:
> Ok, I started looking at hs20/server/ca/*
> 
> It is absolutely beyond comprehension :)

Like I said, you really need to be familiar with the Hotspot 2.0
specification (and certificate policy for this particular area)..

> Anyway, my goal is to bring up everything I need on a single machine
> so I can do isolated (as possible) testing and verification of HS20.

I do have such a setup, but it takes quite significant effort to get
everything running.. Especially OSCP stapling was a pain a while back,
but this should be easier now that recent enough versions of various
components are included in common Linux distributions and one does not
need to manually update things..

> I guess I could start by making a new openssl.cnf that uses `hostname`
> instead of the w1.fi stuff, or does that actually matter?

The DNS name itself does not matter (well, apart from obviously having
to be resolvable by the server and clients connecting to do OSU). The
other things in the certificates do matter, though, i.e., there are
rules even for the exact format used as the CN in the CA certificates,
etc.
 
-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list