Ben Greear greearb
Sat Mar 21 08:35:17 PDT 2015

On 03/21/2015 07:13 AM, Jouni Malinen wrote:
> On Fri, Mar 20, 2015 at 02:24:03PM -0700, Ben Greear wrote:
>> Ok, I started looking at hs20/server/ca/*
>> It is absolutely beyond comprehension :)
> Like I said, you really need to be familiar with the Hotspot 2.0
> specification (and certificate policy for this particular area)..
>> Anyway, my goal is to bring up everything I need on a single machine
>> so I can do isolated (as possible) testing and verification of HS20.
> I do have such a setup, but it takes quite significant effort to get
> everything running.. Especially OCSP stapling was a pain a while back,
> but this should be easier now that recent enough versions of various
> components are included in common Linux distributions and one does not
> need to manually update things..

There are some ocsp-*.sh scripts in the hs20/server/ca directory.

Are these the scripts to run to start up the OCSP stapling service,
or is more needed?

>> I guess I could start by making a new openssl.cnf that uses `hostname`
>> instead of the stuff, or does that actually matter?
> The DNS name itself does not matter (well, apart from obviously having
> to be resolvable by the server and clients connecting to do OSU). The
> other things in the certificates do matter, though, i.e., there are
> rules even for the exact format used as the CN in the CA certificates,
> etc.

Can you point me to what part of the spec defines this if you know?

I also notice that it appears you are using different hostnames and keys
for various servers (osu-revoked, osu-client, osu, ocsp, etc).  Can we run this all on one machine
and use just one key for the one machine/hostname?


Ben Greear <greearb at>
Candela Technologies Inc
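As an added example, not code from this thread or from the hostap project: once the OCSP responder and the OSU server are running on the test machine, the question "is stapling actually working?" can be answered from the client side with `openssl s_client -status`. The POSIX shell script below does that in two parts: `query_staple` performs the TLS handshake and asks for a stapled response, and `check_staple` classifies the output (no response, good, revoked, or unknown). The `openssl` CLI and its `-status`/`-servername` options are real; the host/port and the sample `s_client` output embedded here are constructed for illustration and are not from the thread.

```shell
#!/bin/sh
# Added example: verify OCSP stapling on a TLS server from the client side.
# Not part of hostap; assumes the openssl CLI is installed.

# query_staple HOST PORT: handshake with the server, requesting a stapled
# OCSP response (-status) and sending SNI (-servername) so the server can pick
# the right certificate. Output is the usual s_client transcript.
query_staple() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" -status 2>/dev/null
}

# check_staple: read an s_client transcript on stdin and classify it.
# Exit status: 0 = stapled response present and cert good,
#              1 = no stapled response, 2 = stapled response says revoked,
#              3 = stapled response present but status not recognised.
check_staple() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo "no stapled OCSP response" >&2; return 1 ;;
    esac
    case "$out" in
        *"Cert Status: good"*)    echo "stapled OCSP response: good"; return 0 ;;
        *"Cert Status: revoked"*) echo "stapled OCSP response: revoked" >&2; return 2 ;;
        *) echo "stapled OCSP response present but status unknown" >&2; return 3 ;;
    esac
}

# Constructed, abridged samples of what openssl s_client -status prints.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
'
SAMPLE_REVOKED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
'
SAMPLE_NONE='OCSP response: no response sent
'

# Usage against the constructed samples (a live check would be
# `query_staple osu.example.test 443 | check_staple`, hostname constructed):
printf '%s' "$SAMPLE_GOOD" | check_staple
printf '%s' "$SAMPLE_REVOKED" | check_staple || true
printf '%s' "$SAMPLE_NONE" | check_staple || true
```

For a single-machine Hotspot 2.0 test setup, running the live form against each server (osu, osu-revoked, and so on) is a quick way to confirm that the responder started by the ocsp-*.sh scripts is actually being consulted and that the revoked test certificate really is reported as revoked rather than silently unstapled.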

