Cannot get hostapd radius to authenticate OSEN connection.
Ben Greear
greearb
Mon Mar 23 11:13:42 PDT 2015
On 03/22/2015 10:35 AM, Jouni Malinen wrote:
> On Sat, Mar 21, 2015 at 08:35:17AM -0700, Ben Greear wrote:
>> There are some ocsp-*.sh scripts in the hs20/server/ca directory.
>>
>> Are these the scripts to run to start up the OCSP stapling service,
>> or is more needed?
>
> They can be used to start an OCSP responder and fetch a cached OCSP
> response for hostapd-as-RADIUS-authenticator-server. In addition, the
> web server running the OSU service would either point directly to that
> OCSP responder or use some external scripts to periodically update the
> response depending on how the HTTPS server is configured.

I managed to get OSEN station to associate with ocsp=2!

I sent patches with some updated notes and example OSEN
hostapd-radius config file.

These are on top of the previous few hs20 related patches I sent.

While looking at the server/ca dir, I notice you have
ocsp-responder-ica.sh and ocsp-responder.sh files. I used
the ocsp-responder.sh and that seemed to work, but can you explain
what the ocsp-responder-ica.sh script is supposed to be doing?

>>> The DNS name itself does not matter (well, apart from obviously having
>>> to be resolvable by the server and clients connecting to do OSU). The
>>> other things in the certificates do matter, though, i.e., there are
>>> rules even for the exact format used as the CN in the CA certificates,
>>> etc.
>>
>> Can you point me to what part of the spec defines this if you know?
>
> That's mostly in the certificate policy document.

Ok, I need to read that next...whatever I am using now at least somewhat
works, but maybe I am just not yet utilizing the parts that pertain
to the restrictions you mention.

Thanks,
Ben

--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com