Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb
Mon Mar 23 11:13:42 PDT 2015

On 03/22/2015 10:35 AM, Jouni Malinen wrote:
> On Sat, Mar 21, 2015 at 08:35:17AM -0700, Ben Greear wrote:
>> There are some oscp-*.sh scripts in the hs20/server/ca directory.
>> Are these the scripts to run to start up the OSCP stapling service,
>> or is more needed?
> They can be used to start an OCSP responder and fetch a cached OCSP
> response for hostapd-as-RADIUS-authenticator-server. In addition, the
> web server running the OSU service would either point directly to that
> OCSP responder or used some external scripts to periodically update the
> response depending on how the HTTPS server is configured.

I managed to get OSEN station to associate with ocsp=2 !

I sent patches with some updated notes and example OSEN
hostapd-radius config file.

These are on top of the previous few hs20 related patches I sent.

While looking at the server/ca dir, I notice you have and files.  I used
the and that seemed to work, but can you explain
what the script is supposed to be doing?

>>> The DNS name itself does not matter (well, apart from obviously having
>>> to be resolvable by the server and clients connecting to do OSU). The
>>> other things in the certificates do matter, though, i.e., there are
>>> rules even for the exact format used as the CN in the CA certificates,
>>> etc.
>> Can you point me to what part of the spec defines this if you know?
> That's mostly in the certificate policy document.

Ok, I need to read that next...whatever I am using now at least somewhat
works, but maybe I am just not yet utilizing the parts that pertain
to the restrictions you mention.


Ben Greear <greearb at>
Candela Technologies Inc

More information about the Hostap mailing list