Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb at candelatech.com
Mon Mar 23 14:13:42 EDT 2015


On 03/22/2015 10:35 AM, Jouni Malinen wrote:
> On Sat, Mar 21, 2015 at 08:35:17AM -0700, Ben Greear wrote:
>> There are some ocsp-*.sh scripts in the hs20/server/ca directory.
>>
>> Are these the scripts to run to start up the OCSP stapling service,
>> or is more needed?
> 
> They can be used to start an OCSP responder and fetch a cached OCSP
> response for hostapd-as-RADIUS-authenticator-server. In addition, the
> web server running the OSU service would either point directly to that
> OCSP responder or use some external scripts to periodically update the
> response depending on how the HTTPS server is configured.

I managed to get an OSEN station to associate with ocsp=2!

I sent patches with some updated notes and example OSEN
hostapd-radius config file.

These are on top of the previous few hs20 related patches I sent.

While looking at the server/ca dir, I notice you have
ocsp-responder-ica.sh and ocsp-responder.sh files.  I used
the ocsp-responder.sh and that seemed to work, but can you explain
what the ocsp-responder-ica.sh script is supposed to be doing?


>>> The DNS name itself does not matter (well, apart from obviously having
>>> to be resolvable by the server and clients connecting to do OSU). The
>>> other things in the certificates do matter, though, i.e., there are
>>> rules even for the exact format used as the CN in the CA certificates,
>>> etc.
>>
>> Can you point me to what part of the spec defines this if you know?
> 
> That's mostly in the certificate policy document.

Ok, I need to read that next...whatever I am using now at least somewhat
works, but maybe I am just not yet utilizing the parts that pertain
to the restrictions you mention.

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
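The responder and cache flow Jouni describes above (run an OCSP responder against the CA's index, fetch and cache a DER response for hostapd to staple, and have the station require it with ocsp=2), as an added example. This is not hostapd's own hs20/server/ca script set; it uses plain openssl commands with a throwaway CA, runs offline by feeding the OCSP request to "openssl ocsp" from a file instead of over a port, and every file name, DN value and config fragment in it is an assumption made for this example:

```shell
#!/bin/sh
# Added example, not hostapd's hs20/server/ca scripts: create a throwaway CA
# and a RADIUS/EAP server certificate with "openssl ca" (so an OpenSSL
# index.txt exists), answer an OCSP request for that certificate from the
# index, cache the DER response for hostapd, and verify the cached response
# the way an EAP peer would. "openssl ocsp" reads the request from a file
# (-reqin) instead of listening on a port; that is the only difference from
# a real responder. All names, paths and DN values are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: [ca] drives "openssl ca", whose index.txt is the
# OCSP responder's source of truth; [req] drives key/CSR generation.
write_openssl_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.pem
private_key = $1/ca.key
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = v3_server
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

make_ca_and_server() {
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 1000 > "$1/serial"
    write_openssl_config "$1"
    # Self-signed CA; it also signs the OCSP response below.
    openssl req -config "$1/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Example OSEN Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Server certificate issued through "openssl ca" so that index.txt gets
    # a "V" (valid) entry for its serial number.
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl ca -config "$1/openssl.cnf" -batch -notext \
        -in "$1/server.csr" -out "$1/server.pem" 2>/dev/null
}

# Responder side: build one request, answer it from index.txt and write the
# DER response hostapd will staple. With -port instead of -reqin/-respout
# the second command is a listening responder.
make_ocsp_response() {
    openssl ocsp -issuer "$1/ca.pem" -cert "$1/server.pem" -no_nonce \
        -reqout "$1/ocsp-req.der" >/dev/null 2>&1 || return 1
    openssl ocsp -index "$1/index.txt" -CA "$1/ca.pem" \
        -rsigner "$1/ca.pem" -rkey "$1/ca.key" \
        -reqin "$1/ocsp-req.der" -respout "$1/ocsp-cache.der" >/dev/null 2>&1
}

# Peer side: the check a station with ocsp=2 effectively makes on the stapled
# response. Prints "good", "revoked" or "unknown"; fails if the response does
# not verify against the CA.
ocsp_status() {
    out=$(openssl ocsp -respin "$1/ocsp-cache.der" -issuer "$1/ca.pem" \
        -cert "$1/server.pem" -CAfile "$1/ca.pem" -no_nonce 2>/dev/null) \
        || { echo verify-failed; return 1; }
    printf '%s\n' "$out" | sed -n 's/^.*server\.pem: \([a-z]*\).*$/\1/p'
}

# Wiring as hostapd.conf / wpa_supplicant.conf fragments (assumed paths).
write_config_fragments() {
    cat > "$1/hostapd-ocsp.conf" <<EOF
eap_server=1
ca_cert=$1/ca.pem
server_cert=$1/server.pem
private_key=$1/server.key
ocsp_stapling_response=$1/ocsp-cache.der
EOF
    cat > "$1/wpa_supplicant-osen.conf" <<EOF
network={
    proto=OSEN
    key_mgmt=OSEN
    pairwise=CCMP
    group=GTK_NOT_USED
    eap=WFA-UNAUTH-TLS
    ca_cert="$1/ca.pem"
    ocsp=2
}
EOF
}

make_ca_and_server "$WORK" && make_ocsp_response "$WORK" &&
    write_config_fragments "$WORK" &&
    echo "stapled status for radius.example.com: $(ocsp_status "$WORK")"
```

The cached file must be refreshed before its validity lapses, which is what the "external scripts to periodically update the response" in the reply above are for; a stale or unverifiable response makes an ocsp=2 station refuse the EAP server.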