Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb at candelatech.com
Sat Mar 21 11:35:17 EDT 2015



On 03/21/2015 07:13 AM, Jouni Malinen wrote:
> On Fri, Mar 20, 2015 at 02:24:03PM -0700, Ben Greear wrote:
>> Ok, I started looking at hs20/server/ca/*
>>
>> It is absolutely beyond comprehension :)
>
> Like I said, you really need to be familiar with the Hotspot 2.0
> specification (and certificate policy for this particular area)..
>
>> Anyway, my goal is to bring up everything I need on a single machine
>> so I can do isolated (as possible) testing and verification of HS20.
>
> I do have such a setup, but it takes quite significant effort to get
> everything running.. Especially OCSP stapling was a pain a while back,
> but this should be easier now that recent enough versions of various
> components are included in common Linux distributions and one does not
> need to manually update things..

There are some oscp-*.sh scripts in the hs20/server/ca directory.

Are these the scripts to run to start up the OCSP stapling service,
or is more needed?


>> I guess I could start by making a new openssl.cnf that uses `hostname`
>> instead of the w1.fi stuff, or does that actually matter?
>
> The DNS name itself does not matter (well, apart from obviously having
> to be resolvable by the server and clients connecting to do OSU). The
> other things in the certificates do matter, though, i.e., there are
> rules even for the exact format used as the CN in the CA certificates,
> etc.

Can you point me to what part of the spec defines this if you know?

I also notice that it appears you are using different hostnames and keys
for various servers (osu-revoked, osu-client, osu, ocsp, etc).  Can we run this all on one machine
and use just one key for the one machine/hostname?

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

