[PATCH 01/12] hs20-ca: improve setup.sh and .conf for more flexibility.

Jouni Malinen j at w1.fi
Fri Mar 27 13:52:26 EDT 2015


On Thu, Mar 26, 2015 at 05:39:47PM -0400, greearb at candelatech.com wrote:
> This gives more flexibility when generating keys so
> that users do not have to edit files to generate their
> own specific keys.
> 
> Update hs20 notes as well.

OK.. So this was a rebased version of the previous one I commented on.
Anyway, the same comments apply here.

> Signed-off-by: Ben Greear<greearb at candelatech.com>

Space before '<'.

> diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
> @@ -18,6 +18,10 @@ server validation steps. In other words, it may be most adapt the steps
> +There is a set of example files from a working configuration on
> +a Fedora 20 machine in the ./examples/Fedora20/ directory.

I'm unlikely to accept some of those files into hostap.git, so I would
suggest removing this note for now.

> @@ -128,6 +145,7 @@ EOF
>  # Configure RADIUS authentication service
>  # Note: Change the URL to match the setup
>  # Note: Install AAA server key/certificate and root CA in Key directory
> +# NOTE: ca.pem is a copy of the hs20-server/ca/ca.pem file

There is no such requirement for non-OSEN case, so should not claim that
either. The OSU and AAA trust roots are almost always different in real
deployments.

> +OSEN Radius configuration notes.
> +
> +The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
> +configuration in it.  For example:
> +
> +# hostapd-radius config for the radius used by the OSEN AP
> +interface=eth0#0
> +driver=wired

Why driver=wired? driver=none is the one to use for RADIUS server only
case..

> +#ieee8021x=1
> +eapol_key_index_workaround=0

These have nothing to do with RADIUS server configuration.

> +eap_user_file=/home/user/hs20-server/AS/hostapd.eap_user

Would be good to have OSEN mentioned somewhere in the file name to make
this more obvious (there is going to be only a single entry in that
file for the specific OSEN user).

> +eap_sim_db=unix:/tmp/hlr_auc_gw.sock

This should not be included for OSEN (i.e., it is used only with
EAP-SIM/AKA/AKA').

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list