[PATCH 01/12] hs20-ca: improve setup.sh and .conf for more flexibility.

Ben Greear greearb at candelatech.com
Fri Mar 27 14:04:03 EDT 2015


On 03/27/2015 10:52 AM, Jouni Malinen wrote:
> On Thu, Mar 26, 2015 at 05:39:47PM -0400, greearb at candelatech.com wrote:
>> This gives more flexibility when generating keys so
>> that users do not have to edit files to generate their
>> own specific keys.
>>
>> Update hs20 notes as well.
> 
> OK.. So this was a rebased version of the previous one I commented on.
> Anyway, the same comments apply here.
> 
>> Signed-off-by: Ben Greear<greearb at candelatech.com>
> 
> Space before '<'.
> 
>> diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
>> @@ -18,6 +18,10 @@ server validation steps. In other words, it may be most adapt the steps
>> +There is a set of example files from a working configuration on
>> +a Fedora 20 machine in the ./examples/Fedora20/ directory.
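Review bot: the second added line points readers at ./examples/Fedora20/, a directory this hunk does not create and which the tree may never carry; a doc reference that can dangle is worse than none. Either make the note conditional on the example files being present or replace it with the inline configuration the text is describing.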
> 
> I'm unlikely to accept some of those files into hostap.git, so I would
> suggest removing this note for now.
> 
>> @@ -128,6 +145,7 @@ EOF
>>  # Configure RADIUS authentication service
>>  # Note: Change the URL to match the setup
>>  # Note: Install AAA server key/certificate and root CA in Key directory
>> +# NOTE: ca.pem is a copy of the hs20-server/ca/ca.pem file
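Review bot: the added "# NOTE: ca.pem is a copy of the hs20-server/ca/ca.pem file" states a blanket requirement in the general RADIUS section, but sharing the OSU root applies only to the OSEN server; a production AAA server presents a chain under its own trust root, and telling operators to copy the OSU CA there teaches the wrong trust model. Suggest scoping the comment, e.g. "# NOTE: for the OSEN RADIUS server only, ca.pem is the hs20-server/ca/ca.pem OSU trust root", and leaving the AAA section silent on it.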
> 
> There is no such requirement for non-OSEN case, so should not claim that
> either. The OSU and AAA trust roots are almost always different in real
> deployments.

So, setup.sh is creating (and my example is using) the ca.pem that was meant for the OSU
for the AAA as well?

Should setup.sh add a new section to generate an AAA OSEN key for that radius
server so we can have a more realistic setup?  (I can work on adding this,
but I would probably need some fairly detailed guidance in order to do it properly.)

And maybe for the 'real' AAA server as well?

And if so, what would the client use for its osu-ca.pem file?

>> +OSEN Radius configuration notes.
>> +
>> +The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
>> +configuration in it.  For example:
>> +
>> +# hostapd-radius config for the radius used by the OSEN AP
>> +interface=eth0#0
>> +driver=wired
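Review bot: "driver=wired" together with "interface=eth0#0" turns this instance into a wired 802.1X authenticator on that interface, which a RADIUS-server-only configuration neither needs nor should expose. Use "driver=none"; interface= then serves only as a name and no socket is opened on a real link.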
> 
> Why driver=wired? driver=none is the one to use for RADIUS server only
> case..
> 
>> +#ieee8021x=1
>> +eapol_key_index_workaround=0
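Review bot: "#ieee8021x=1" and "eapol_key_index_workaround=0" are AP-side EAPOL authenticator options and have no effect on a RADIUS server; a commented-out option in a reference example invites copy-paste into configs where it does matter. Drop both lines.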
> 
> These have nothing to do with RADIUS server configuration.
> 
>> +eap_user_file=/home/user/hs20-server/AS/hostapd.eap_user
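Review bot: the file name "hostapd.eap_user" gives no hint that this is the OSEN server's user file, which holds exactly one entry for the OSEN identity and must not be confused with the production AAA user database. Name it along the lines of "hostapd-osen.eap_user" and state in the doc text which single entry it carries.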
> 
> Would be good to have OSEN mentioned somewhere in the file name to make
> this more obvious (there is going to be only a single entry in that
> file for the specific OSEN user).
> 
>> +eap_sim_db=unix:/tmp/hlr_auc_gw.sock
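Review bot: "eap_sim_db=unix:/tmp/hlr_auc_gw.sock" is used only by EAP-SIM/AKA/AKA', which an OSEN server never runs, and it references a socket in /tmp that nothing in this setup provides; a dangling backend reference is a needless dependency in a minimal example. Remove the line.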
> 
> This should not be included for OSEN (i.e., it is used only with
> EAP-SIM/AKA/AKA').

I'll fix all of that.

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
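A corrected RADIUS-only configuration for the OSEN server that folds in the points raised in the quoted review (driver=none, an OSEN-specific single-entry user file, the OSU trust root used only here, a stapled OCSP response, and no EAP-SIM or AP-side EAPOL options). This is an added example, not code from the patch or from hostap.git; the interface name, server_id, the file names under /home/user/hs20-server/ and the OSEN identity osen@example.com are assumptions chosen to match the directory layout the patch uses.

```ini
# Added example, not from the patch: hostapd run purely as the OSEN RADIUS
# server. Interface name, server_id, identity and file names are assumed.

# interface= is still mandatory but, with driver=none, is only a label:
# no link is opened and no EAPOL authenticator runs (the patch used
# driver=wired on eth0#0, which would have started one).
interface=osen-as
driver=none
ctrl_interface=/var/run/hostapd
logger_syslog=-1
logger_syslog_level=2

# Built-in EAP server, reachable only from the RADIUS clients listed in the
# clients file; the OSEN AP's shared secret lives there, not in this file.
eap_server=1
radius_server_clients=/home/user/hs20-server/AS/hostapd-osen.radius_clients
radius_server_auth_port=1812
# assumed server_id
server_id=osen.example.com

# OSEN-specific user file with exactly one entry; its single line is
#   "osen@example.com"   WFA-UNAUTH-TLS
eap_user_file=/home/user/hs20-server/AS/hostapd-osen.eap_user

# Only the OSEN server presents a chain under the OSU trust root, so only
# here is ca.pem the hs20-server/ca/ca.pem file. A production AAA server
# gets its own root and its own server certificate.
ca_cert=/home/user/hs20-server/ca/ca.pem
server_cert=/home/user/hs20-server/ca/osen-server.pem
private_key=/home/user/hs20-server/ca/osen-server.key
private_key_passwd=

# An OSEN client has no network path to an OCSP responder yet, so the
# server must staple a current DER-encoded response; refresh this file
# before the response expires or clients will reject the handshake.
ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-osen-cache.der

# Deliberately absent, per the review: eap_sim_db (EAP-SIM/AKA/AKA' only),
# ieee8021x and eapol_key_index_workaround (AP-side EAPOL options).
```

The config answers the thread's trust-root question only for the OSEN side: the OSEN server chains to the OSU CA that the client already holds as osu-ca.pem, while the production AAA server in the same deployment should get a key and certificate from a separate root, which setup.sh would have to generate as its own step.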