diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index d73feb1..de70065 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -105,6 +105,35 @@
 }
 
 
+static int android_update_permission(const char *path, mode_t mode)
+{
+#ifdef ANDROID
+	/* we need to change file/folder permission for Android */
+
+	if (!path) {
+		wpa_printf(MSG_ERROR, "file path null");
+		return -1;
+	}
+
+	/* Allow processes running with Group ID as AID_WIFI,
+	 * to read files from SP, SP/<fqdn>, Cert and osu-info directories */
+	if (chown(path, -1, AID_WIFI)) {
+		wpa_printf(MSG_INFO, "CTRL: Could not chown directory: %s",
+			   strerror(errno));
+		return -1;
+	}
+
+	if (chmod(path, mode) < 0) {
+		wpa_printf(MSG_INFO, "CTRL: Could not chmod directory: %s",
+			   strerror(errno));
+		return -1;
+	}
+#endif  /* ANDROID */
+
+	return 0;
+}
+
+
 int osu_get_certificate(struct hs20_osu_client *ctx, xml_node_t *getcert)
 {
 	xml_node_t *node;
@@ -169,6 +198,8 @@
 	}
 
 	mkdir("Cert", S_IRWXU);
+	android_update_permission("Cert", S_IRWXU | S_IRWXG);
+
 	if (est_load_cacerts(ctx, url) < 0 ||
 	    est_build_csr(ctx, url) < 0 ||
 	    est_simple_enroll(ctx, url, user, pw) < 0)
@@ -578,20 +609,8 @@
 		}
 	}
 
-#ifdef ANDROID
-	/* Allow processes running with Group ID as AID_WIFI,
-	 * to read files from SP/<fqdn> directory */
-	if (chown(fname, -1, AID_WIFI)) {
-		wpa_printf(MSG_INFO, "CTRL: Could not chown directory: %s",
-			   strerror(errno));
-		/* Try to continue anyway */
-	}
-	if (chmod(fname, S_IRWXU | S_IRGRP | S_IXGRP) < 0) {
-		wpa_printf(MSG_INFO, "CTRL: Could not chmod directory: %s",
-			   strerror(errno));
-		/* Try to continue anyway */
-	}
-#endif /* ANDROID */
+	android_update_permission("SP", S_IRWXU | S_IRGRP | S_IXGRP);
+	android_update_permission(fname, S_IRWXU | S_IRGRP | S_IXGRP);
 
 	snprintf(fname, fname_len, "SP/%s/pps.xml", fqdn);
 
@@ -1289,7 +1308,9 @@
 	if (str == NULL)
 		return;
 	wpa_printf(MSG_INFO, "- HomeSP/RoamingConsortiumOI = %s", str);
-	/* TODO: Set to wpa_supplicant */
+	if (set_cred_quoted(ctx->ifname, id, "roaming_consortiums",
+			    str) < 0)
+		wpa_printf(MSG_INFO, "Failed to set cred roaming_consortiums");
 	xml_node_get_text_free(ctx->xml, str);
 }
 
@@ -1442,10 +1463,92 @@
 }
 
 
+static void set_pps_cred_eap_method_eap_type(struct hs20_osu_client *ctx,
+					     int id, xml_node_t *node)
+{
+	char *str = xml_node_get_text(ctx->xml, node);
+	int type;
+	const char *eap_method = NULL;
+
+	if (!str)
+		return;
+	wpa_printf(MSG_INFO,
+		   "- Credential/UsernamePassword/EAPMethod/EAPType = %s", str);
+	type = atoi(str);
+	switch (type) {
+	case EAP_TYPE_TLS:
+		eap_method = "TLS";
+		break;
+	case EAP_TYPE_TTLS:
+		eap_method = "TTLS";
+		break;
+	case EAP_TYPE_PEAP:
+		eap_method = "PEAP";
+		break;
+	case EAP_TYPE_PWD:
+		eap_method = "PWD";
+		break;
+	}
+	xml_node_get_text_free(ctx->xml, str);
+	if (!eap_method) {
+		wpa_printf(MSG_INFO, "Unknown EAPType value");
+		return;
+	}
+
+	if (set_cred(ctx->ifname, id, "eap", eap_method) < 0)
+		wpa_printf(MSG_INFO, "Failed to set cred eap");
+}
+
+
+static void set_pps_cred_eap_method_inner_method(struct hs20_osu_client *ctx,
+						 int id, xml_node_t *node)
+{
+	char *str = xml_node_get_text(ctx->xml, node);
+	const char *phase2 = NULL;
+
+	if (!str)
+		return;
+	wpa_printf(MSG_INFO,
+		   "- Credential/UsernamePassword/EAPMethod/InnerMethod = %s",
+		   str);
+	if (os_strcmp(str, "PAP") == 0)
+		phase2 = "auth=PAP";
+	else if (os_strcmp(str, "CHAP") == 0)
+		phase2 = "auth=CHAP";
+	else if (os_strcmp(str, "MS-CHAP") == 0)
+		phase2 = "auth=MSCHAP";
+	else if (os_strcmp(str, "MS-CHAP-V2") == 0)
+		phase2 = "auth=MSCHAPV2";
+	xml_node_get_text_free(ctx->xml, str);
+	if (!phase2) {
+		wpa_printf(MSG_INFO, "Unknown InnerMethod value");
+		return;
+	}
+
+	if (set_cred_quoted(ctx->ifname, id, "phase2", phase2) < 0)
+		wpa_printf(MSG_INFO, "Failed to set cred phase2");
+}
+
+
 static void set_pps_cred_eap_method(struct hs20_osu_client *ctx, int id,
 				    xml_node_t *node)
 {
-	wpa_printf(MSG_INFO, "- Credential/UsernamePassword/EAPMethod - TODO");
+	xml_node_t *child;
+	const char *name;
+
+	wpa_printf(MSG_INFO, "- Credential/UsernamePassword/EAPMethod");
+
+	xml_node_for_each_child(ctx->xml, child, node) {
+		xml_node_for_each_check(ctx->xml, child);
+		name = xml_node_get_localname(ctx->xml, child);
+		if (os_strcasecmp(name, "EAPType") == 0)
+			set_pps_cred_eap_method_eap_type(ctx, id, child);
+		else if (os_strcasecmp(name, "InnerMethod") == 0)
+			set_pps_cred_eap_method_inner_method(ctx, id, child);
+		else
+			wpa_printf(MSG_INFO, "Unknown Credential/UsernamePassword/EAPMethod node '%s'",
+				   name);
+	}
 }
 
 
@@ -2346,15 +2449,7 @@
 		return -1;
 	}
 
-#ifdef ANDROID
-	/* Allow processes running with Group ID as AID_WIFI
-	 * to read/write files from osu-info directory
-	 */
-	if (chown(fname, -1, AID_WIFI)) {
-		wpa_printf(MSG_INFO, "Could not chown osu-info directory: %s",
-			   strerror(errno));
-	}
-#endif /* ANDROID */
+	android_update_permission(fname, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
 
 	snprintf(buf, sizeof(buf), "SET osu_dir %s", fname);
 	if (wpa_command(ifname, buf) < 0) {
diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 20774a6..70f1313 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -2,7 +2,7 @@
 ======================
 
 The information in this document is based on the assumption that Ubuntu
-12.04 server (64-bit) distribution is used and the web server is
+16.04 server (64-bit) distribution is used and the web server is
 Apache2. Neither of these are requirements for the installation, but if
 other combinations are used, the package names and configuration
 parameters may need to be adjusted.
@@ -12,16 +12,11 @@
 secure to be installed in a publicly available Internet server without
 considerable amount of modification and review for security issues.
 
-NOTE: While this describes use on Ubuntu 12.04, the version of Apache2
-included in that distribution is not new enough to support all OSU
-server validation steps. In other words, it may be most adapt the steps
-described here to Ubuntu 13.10.
-
 
 Build dependencies
 ------------------
 
-Ubuntu 12.04 server
+Ubuntu 16.04 server
 - default installation
 - upgraded to latest package versions
   sudo apt-get update
@@ -30,7 +25,7 @@
 Packages needed for running the service:
   sudo apt-get install sqlite3
   sudo apt-get install apache2
-  sudo apt-get install php5-sqlite libapache2-mod-php5
+  sudo apt-get install php-sqlite3 php-xml libapache2-mod-php
 
 Additional packages needed for building the components:
   sudo apt-get install build-essential
@@ -100,6 +95,12 @@
 # the examples as-is for initial testing).
 cp -r www /home/user/hs20-server
 
+# Create /home/user/hs20-server/terms-and-conditions file (HTML segment to be
+# inserted within the BODY section of the page).
+cat > /home/user/hs20-server/terms-and-conditions <<EOF
+<P>Terms and conditions..</P>
+EOF
+
 # Build local keys and certs
 cd ca
 # Display help options.
@@ -226,8 +227,7 @@
         <Directory "/home/user/hs20-server/www/">
                 Options Indexes MultiViews FollowSymLinks
                 AllowOverride None
-                Order allow,deny
-                Allow from all
+		Require all granted
         </Directory>
 
 Update SSL configuration to use the OSU server certificate/key.
diff --git a/hs20/server/sql.txt b/hs20/server/sql.txt
index 6609538..74d9f4a 100644
--- a/hs20/server/sql.txt
+++ b/hs20/server/sql.txt
@@ -50,10 +50,34 @@
 	osu_password TEXT,
 	shared INTEGER,
 	cert TEXT,
-	cert_pem TEXT
+	cert_pem TEXT,
+	t_c_timestamp INTEGER
 );
 
 CREATE TABLE wildcards(
 	identity TEXT PRIMARY KEY,
 	methods TEXT
 );
+
+CREATE TABLE authlog(
+	timestamp TEXT,
+	session TEXT,
+	nas_ip TEXT,
+	username TEXT,
+	note TEXT
+);
+
+CREATE TABLE pending_tc(
+	mac_addr TEXT PRIMARY KEY,
+	identity TEXT
+);
+
+CREATE TABLE current_sessions(
+	mac_addr TEXT PRIMARY KEY,
+	identity TEXT,
+	start_time TEXT,
+	nas TEXT,
+	hs20_t_c_filtering BOOLEAN,
+	waiting_coa_ack BOOLEAN,
+	coa_ack_received BOOLEAN
+);
diff --git a/hs20/server/www/config.php b/hs20/server/www/config.php
index e3af435..4272b10 100644
--- a/hs20/server/www/config.php
+++ b/hs20/server/www/config.php
@@ -1,4 +1,7 @@
 <?php
 $osu_root = "/home/user/hs20-server";
 $osu_db = "sqlite:$osu_root/AS/DB/eap_user.db";
+$t_c_file = "$osu_root/terms-and-conditions";
+$t_c_timestamp = 123456789;
+$hostapd_ctrl = "udg:///home/user/hs20-server/AS/ctrl/as"
 ?>
diff --git a/hs20/server/www/terms.php b/hs20/server/www/terms.php
new file mode 100644
index 0000000..e360be5
--- /dev/null
+++ b/hs20/server/www/terms.php
@@ -0,0 +1,79 @@
+<?php
+
+require('config.php');
+
+$db = new PDO($osu_db);
+if (!$db) {
+   die($sqliteerror);
+}
+
+if (!isset($_GET["addr"])) {
+   die("Missing addr parameter");
+}
+$addr = $_GET["addr"];
+
+$accept = isset($_GET["accept"]) && $_GET["accept"] == "yes";
+
+$res = $db->prepare("SELECT identity FROM pending_tc WHERE mac_addr=?");
+$res->execute(array($addr));
+$row = $res->fetch();
+if (!$row) {
+   die("No pending session for the specified MAC address");
+}
+$identity = $row[0];
+?>
+<html>
+<head><title>HS 2.0 Terms and Conditions</title></head>
+<body>
+
+<?php
+
+if (!$accept) {
+   echo "<p>Accept the following terms and conditions by clicking here: <a href=\"terms.php?addr=$addr&accept=yes\">Accept</a></p>\n<hr>\n";
+   readfile($t_c_file);
+} else {
+   $res = $db->prepare("UPDATE users SET t_c_timestamp=? WHERE identity=?");
+   if (!$res->execute(array($t_c_timestamp, $identity))) {
+      echo "<p>Failed to update user account.</p>";
+   } else {
+      $res = $db->prepare("DELETE FROM pending_tc WHERE mac_addr=?");
+      $res->execute(array($addr));
+
+      echo "<p>Terms and conditions were accepted.</p>";
+   }
+
+   $fp = fsockopen($hostapd_ctrl);
+   if (!$fp) {
+      die("Could not connect to hostapd(AS)");
+   }
+
+   fwrite($fp, "DAC_REQUEST coa $addr t_c_clear");
+   fclose($fp);
+
+   $waiting = true;
+   $ack = false;
+   for ($i = 1; $i <= 10; $i++) {
+      $res = $db->prepare("SELECT waiting_coa_ack,coa_ack_received FROM current_sessions WHERE mac_addr=?");
+      $res->execute(array($addr));
+      $row = $res->fetch();
+      if (!$row) {
+         die("No current session for the specified MAC address");
+      }
+      $waiting = $row[0] == 1;
+      $ack = $row[1] == 1;
+      $res->closeCursor();
+      if (!$waiting)
+         break;
+      sleep(1);
+   }
+   if ($ack) {
+      echo "<P>Filtering disabled.</P>\n";
+   } else {
+      echo "<P>Failed to disable filtering.</P>\n";
+   }
+}
+
+?>
+
+</body>
+</html>
diff --git a/hs20/server/www/users.php b/hs20/server/www/users.php
index c340a33..c265372 100644
--- a/hs20/server/www/users.php
+++ b/hs20/server/www/users.php
@@ -107,6 +107,10 @@
   $db->exec("UPDATE users SET osu_user='$osu_user', osu_password='$osu_password' WHERE rowid=$id");
 }
 
+if ($cmd == 'clear-t-c' && $id > 0) {
+	$db->exec("UPDATE users SET t_c_timestamp=NULL WHERE rowid=$id");
+}
+
 $dump = 0;
 
 if ($id > 0) {
@@ -234,6 +238,13 @@
 echo "<input type=\"submit\" value=\"Set OSU credentials\">\n";
 echo "</form>\n";
 
+if (strlen($row['t_c_timestamp']) > 0) {
+	echo "<br>\n";
+	echo "<a href=\"users.php?cmd=clear-t-c&id=" .
+		$row['rowid'] .
+		"\">Clear Terms and Conditions acceptance</a><br>\n";
+}
+
 echo "<hr>\n";
 
 $user = $row['identity'];
@@ -303,7 +314,7 @@
 echo "<br>\n";
 
 echo "<table border=1>\n";
-echo "<tr><th>User<th>Realm<th>Remediation<th>Policy<th>Account type<th>Phase 2 method(s)<th>DevId\n";
+echo "<tr><th>User<th>Realm<th>Remediation<th>Policy<th>Account type<th>Phase 2 method(s)<th>DevId<th>T&C\n";
 
 $res = $db->query('SELECT rowid,* FROM users WHERE phase2=1');
 foreach ($res as $row) {
@@ -338,6 +349,7 @@
 	    break;
 	  }
 	}
+	echo "<td>" . $row['t_c_timestamp'];
 	echo "\n";
 }
 echo "</table>\n";