Cannot get hostapd radius to authenticate OSEN connection.

Jouni Malinen j at w1.fi
Sun Mar 22 13:35:37 EDT 2015


On Sat, Mar 21, 2015 at 08:35:17AM -0700, Ben Greear wrote:
> There are some oscp-*.sh scripts in the hs20/server/ca directory.
> 
> Are these the scripts to run to start up the OSCP stapling service,
> or is more needed?

They can be used to start an OCSP responder and fetch a cached OCSP
response for hostapd-as-RADIUS-authenticator-server. In addition, the
web server running the OSU service would either point directly to that
OCSP responder or used some external scripts to periodically update the
response depending on how the HTTPS server is configured.

> >The DNS name itself does not matter (well, apart from obviously having
> >to be resolvable by the server and clients connecting to do OSU). The
> >other things in the certificates do matter, though, i.e., there are
> >rules even for the exact format used as the CN in the CA certificates,
> >etc.
> 
> Can you point me to what part of the spec defines this if you know?

That's mostly in the certificate policy document.

> I also notice that it appears you are using different hostnames and keys
> for various servers (osu-revoked, osu-client, osu, ocsp, etc).  Can we run this all one one machine
> and use just one key for the one machine/hostname?

Sure. I have all those separate names to make it easier to check
functionality in logs, but all the names point to the same IP address.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list