Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb
Fri Mar 20 08:00:00 PDT 2015

On 03/20/2015 05:51 AM, Jouni Malinen wrote:
> On Thu, Mar 19, 2015 at 05:58:21PM -0700, Ben Greear wrote:
>> I cannot seem to get a hostapd radius server to authenticate an OSEN connection.
>> I think it might be some issue with the hostapd-radius server, but not sure why.
>> I have enabled CONFIG_EAP_UNAUTH_TLS=y in the wpa_supplicant and hostapd config files.
>> (This config option should be mentioned in the defconfig files?).
> That vendor specific EAP method is not really described anywhere and I'm
> not sure whether I'd really want to promote it much at this point in
> time. Anyway, CONFIG_EAP_UNAUTH_TLS=y is not used with OSEN. The version
> of client-unauthenticated TLS for OSEN is selected for the build with
> CONFIG_HS20=y.
>> "osen at"      WFA-UNAUTH-TLS
> This is the EAP method from CONFIG_HS2=y (the unrelated
>> Here is log.  Maybe the important bit is about not being able to find ssl ctxt?
>> 1426812366.390087: RADIUS SRV: [0x0] EAP: EAP-Response/Identity 'osen at'
>> 1426812366.390101: EAP: getNextMethod: vendor 40808 type 13
>> 1426812366.390108: TLS context not initialized - cannot use TLS-based EAP method
>> 1426812366.390112: EAP-TLS: Failed to initialize SSL.
>> 1426812366.390118: EAP: Failed to initialize EAP method 254
> Yes, this is the part that is failing.. It looks like you have not
> configured the server certificate in hostapd configuration file and
> that leaves TLS uninitialized. For any TLS-based EAP methods, the server
> will need to have its private key, server certificate, and CA
> certificate(s) configured.

Ok, I updated the hostapd-radius config file to look like this:



I am generating those certs with this logic:

      # Assumed stand-ins for the script's own do_cmd() helper and $home, which the
      # mail does not show: run a shell command, optionally tolerating a failure.
      use strict;
      use warnings;
      my $home = $ENV{HOME};
      sub do_cmd {
          my ($cmd, $ignore_err) = @_;
          system($cmd) == 0 or $ignore_err or die "command failed: $cmd\n";
      }

      # Build the new .pem files (the FreeRADIUS-style certs/ Makefile).
      my $rbase = "/etc/raddb/";
      do_cmd("cd $rbase/certs; make; cd -", 1);

      # Build client files: key + CSR, sign the CSR with the CA, bundle as PKCS#12.
      do_cmd("cd $rbase/certs; openssl req -new -config client.cnf -keyout client_key.pem -out client_req.pem; cd -");
      do_cmd("cd $rbase/certs; openssl ca -config ca.cnf -in client_req.pem -key lanforge -batch -out client_cert.pem; cd -");
      do_cmd("cd $rbase/certs; openssl pkcs12 -export -clcerts -in client_cert.pem -inkey client_key.pem -out client.p12 -passin pass:lanforge -passout pass:lanforge; cd -");

      # Copy client files to $home
      do_cmd("cd $rbase/certs; cp ca.pem client.p12 $home; cd -");

I have placed the /etc/raddb/certs/ca.pem from the hostapd-radius machine on the
supplicant station machine and I am using that file for the 'ca_cert' entry
in the wpa_supplicant config file.

It still does not work, but it gets farther and complains about the cert file from what
I can tell.  I assume I must be either generating keys incorrectly or using them incorrectly:

# From hostapd-radius logs:

1426862605.113491: RADIUS SRV: Request for session 0x1
1426862605.113499: RADIUS SRV: Received EAP data - hexdump(len=20): 02 ab 00 14 fe 00 9f 68 00 00 00 0d 00 15 03 03 00 02 02 71
1426862605.113512: EAP: EAP entering state RECEIVED
1426862605.113518: EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=171 respMethod=254 respVendor=40808 respVendorMethod=13
1426862605.113526: EAP: EAP entering state INTEGRITY_CHECK
1426862605.113532: EAP: EAP entering state METHOD_RESPONSE
1426862605.113538: SSL: Received packet(len=20) - Flags 0x00
1426862605.113544: SSL: Received packet: Flags 0x0 Message Length 0
1426862605.113559: OpenSSL: RX ver=0x303 content_type=21
1426862605.113569: OpenSSL: Message - hexdump(len=2): [REMOVED]
1426862605.113577: SSL: (where=0x4004 ret=0x271)
1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response
1426862605.113595: SSL: (where=0x2002 ret=0x0)
1426862605.113602: SSL: SSL_accept:failed in SSLv3 read client certificate A
1426862605.113615: OpenSSL: openssl_handshake - SSL_connect error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response
1426862605.113626: SSL: 0 bytes pending from ssl_out
1426862605.113634: SSL: Failed - tls_out available to report error
1426862605.113640: EAP-TLS: CONTINUE -> FAILURE
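Decoding the 20-byte EAP hexdump from that log by hand confirms what the later lines say. This parser is an added example, not code from the thread or from hostapd; the EAP layout is RFC 3748 (expanded type 254), the EAP-TLS flags byte is RFC 5216, and the alert codes are RFC 5246 and RFC 6066.

```python
import struct

# Hexdump copied from the hostapd RADIUS server log quoted in the mail above.
EAP_HEX = "02 ab 00 14 fe 00 9f 68 00 00 00 0d 00 15 03 03 00 02 02 71"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_ALERT_LEVEL = {1: "warning", 2: "fatal"}
TLS_ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                  48: "unknown_ca", 113: "bad_certificate_status_response"}  # RFC 5246 / RFC 6066 subset

def parse_eap_expanded(data: bytes) -> dict:
    """Parse an EAP header plus an expanded type (type 254, RFC 3748 section 5.7)."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    eap_type = data[4]
    info = {"code": EAP_CODES.get(code, code), "id": ident, "type": eap_type}
    if eap_type == 254:  # expanded type: 3-byte vendor id, 4-byte vendor type
        info["vendor"] = int.from_bytes(data[5:8], "big")
        info["vendor_type"] = struct.unpack("!I", data[8:12])[0]
        info["payload"] = data[12:]
    else:
        info["payload"] = data[5:]
    return info

def parse_eap_tls_payload(payload: bytes) -> dict:
    """Decode the EAP-TLS flags byte (RFC 5216 section 3.1) and a following TLS record."""
    flags = payload[0]
    out = {"flags": flags, "length_included": bool(flags & 0x80),
           "more_fragments": bool(flags & 0x40), "start": bool(flags & 0x20)}
    rec = payload[1:]
    if out["length_included"]:
        out["tls_message_length"] = struct.unpack("!I", rec[:4])[0]
        rec = rec[4:]
    if len(rec) >= 5:
        ctype, ver, rlen = struct.unpack("!BHH", rec[:5])
        out["content_type"] = TLS_CONTENT.get(ctype, ctype)
        out["version"] = hex(ver)
        body = rec[5:5 + rlen]
        if ctype == 21 and len(body) == 2:  # alert record: level byte, description byte
            out["alert"] = (TLS_ALERT_LEVEL.get(body[0], body[0]),
                            TLS_ALERT_DESC.get(body[1], body[1]))
    return out

def decode_log_hexdump(hexdump: str) -> dict:
    eap = parse_eap_expanded(bytes.fromhex(hexdump.replace(" ", "")))
    eap["tls"] = parse_eap_tls_payload(eap.pop("payload"))
    return eap
```

The decode gives vendor 40808 / vendor type 13 and a fatal alert 113, bad_certificate_status_response, which RFC 6066 defines for the certificate status request (OCSP stapling) extension; that is the supplicant rejecting the server's certificate status rather than the RADIUS server rejecting anything.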
