Cannot get hostapd radius to authenticate OSEN connection.

Jouni Malinen
Fri Mar 20 09:39:52 PDT 2015

On Fri, Mar 20, 2015 at 08:00:00AM -0700, Ben Greear wrote:
> I am generating those certs with this logic:

I'd recommend taking a look at hs20/server/ca/*. Hotspot 2.0 Rel 2 has
plenty of additional requirements for certificates. The scripts in that
directory know how to add such details. You'll also need to set up OCSP
stapling which is also something that those scripts make easier. You can
use an OSU server certificate as the AAA server certificate for OSEN
purposes (there are some extra attributes included, but those do not
harm this and you'll find your life easier if you need to figure out
just one instead of two different types of server certificates.. :).

> It still does not work, but it gets farther and complains about the cert file from what
> I can tell.  I assume I must be either generating keys incorrectly or using them incorrectly:

> 1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response

The server did not have OCSP stapling enabled and the client required
that. See ocsp_stapling_response in hostapd/hostapd.conf.

Jouni Malinen                                            PGP id EFC895FA
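
An added example, not part of the original message or of hostapd: a small Python check that pairs the TLS alert quoted above with the state of `ocsp_stapling_response` in a hostapd.conf. The function names, the sample configuration and its file paths are constructed for illustration, and the hint for the "already set" case is an assumption about the likely next thing to check.

```python
import re

# Line format of the TLS alert quoted in the message above:
# <time>: SSL: SSL3 alert: <read|write> (<origin>):<level>:<description>
ALERT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+): SSL: SSL3 alert: (?P<dir>read|write) "
    r"\((?P<origin>[^)]*)\):(?P<level>\w+):(?P<desc>.+?)\s*$")

# Constructed sample hostapd.conf: EAP server on, stapling left commented out.
SAMPLE_CONF = """\
eap_server=1
ca_cert=/etc/hostapd.ca.pem
server_cert=/etc/hostapd.server.pem
private_key=/etc/hostapd.server.prv
#ocsp_stapling_response=/tmp/ocsp-cache.der
"""

# First line is the one quoted in the thread; the second is constructed noise.
SAMPLE_LOG = """\
1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response
1426862605.113700: EAP-TLS: constructed unrelated debug line
"""

def parse_conf(text):
    """Return active key=value settings; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def diagnose(conf_text, log_text):
    """Pair each fatal OCSP status alert with the state of the stapling setting."""
    conf = parse_conf(conf_text)
    findings = []
    for m in filter(None, map(ALERT_RE.match, log_text.splitlines())):
        if (m["level"], m["desc"]) != ("fatal", "bad certificate status response"):
            continue
        if conf.get("ocsp_stapling_response"):
            hint = "stapled response not accepted; check " + conf["ocsp_stapling_response"]
        else:
            hint = "ocsp_stapling_response is not set"
        findings.append((m["ts"], hint))
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```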
