Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb
Fri Mar 20 11:50:02 PDT 2015

On 03/20/2015 09:39 AM, Jouni Malinen wrote:
> On Fri, Mar 20, 2015 at 08:00:00AM -0700, Ben Greear wrote:
>> I am generating those certs with this logic:
> ..
> I'd recommend taking a look at hs20/server/ca/*. Hotspot 2.0 Rel 2 has
> plenty of additional requirements for certificates. The scripts in that
> directory know how to add such details. You'll also need to set up OCSP
> stapling which is also something that those scripts make easier. You can
> use an OSU server certificate as the AAA server certificate for OSEN
> purposes (there are some extra attributes included, but those do not
> harm this and you'll find your life easier if you need to figure out
> just one instead of two different types of server certificates.. :).

Ok, that sounds promising.

I was thinking that I would want two different sets of keys, one for OSEN
radius and one for the 'real' AP's radius so that I was more certain that
various HS20 logic is working properly and not just getting lucky due
to stale or mis-used keys & certs?

I hope & plan to script the generation of all of this so that I don't have to manually
deal with it later....

>> It still does not work, but it gets farther and complains about the cert file from what
>> I can tell.  I assume I must be either generating keys incorrectly or using them incorrectly:
>> 1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response
> The server did not have OCSP stapling enabled and the client required
> that. See ocsp_stapling_response in hostapd/hostapd.conf.


Ben Greear <greearb at>
Candela Technologies Inc
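
The `ocsp_stapling_response` setting mentioned in the reply needs a DER-encoded OCSP response on disk for the server to staple. As an added example (not part of the original thread and not one of the hostap project's scripts), this shell script refreshes that file and installs it only when the responder reports the server certificate as good. The paths, the responder URL and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Paths, URL and function names are assumptions, not from the thread.
# hostapd.conf then points at the cache file:
#   ocsp_stapling_response=/tmp/ocsp-cache.der
CA=${CA:-/etc/hostapd.ca.pem}
CERT=${CERT:-/etc/hostapd.server.pem}
OCSP_URL=${OCSP_URL:-http://ocsp.example.com:8888/}
CACHE=${CACHE:-/tmp/ocsp-cache.der}

# Succeeds only if the captured `openssl ocsp` output shows a verified
# response AND a "good" status for the certificate.
# $1 = certificate path as passed to -cert, $2 = captured output.
ocsp_is_good() {
    printf '%s\n' "$2" | grep -Fqx "Response verify OK" &&
    printf '%s\n' "$2" | grep -Fqx "$1: good"
}

# Fetch a fresh response into a temp file next to the cache and install
# it only when it checks out, so a failed or "revoked" answer never
# replaces the last good response.
refresh_ocsp_cache() {
    tmp=$(mktemp "${CACHE}.XXXXXX") || return 1
    out=$(openssl ocsp -no_nonce -CAfile "$CA" -issuer "$CA" \
              -cert "$CERT" -url "$OCSP_URL" -respout "$tmp" 2>&1) || {
        rm -f "$tmp"
        return 1
    }
    if ocsp_is_good "$CERT" "$out" && [ -s "$tmp" ]; then
        chmod 644 "$tmp"
        mv -f "$tmp" "$CACHE"   # atomic rename: a reader never sees a partial file
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run periodically (cron or a timer), well inside the response's
# validity window:
#   refresh_ocsp_cache || logger -t ocsp-refresh "OCSP refresh failed"
```

A client that requires certificate status rejects the handshake when the stapled response is missing, which is the `bad certificate status response` alert quoted above, so a failed refresh is worth alerting on.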
