Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-13 Thread Alan DeKok
Zheng, Jiajia wrote:
> But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go
> wrong with EAP-TLS?

  EAP-TLS requires that the CA be authorized to sign client
certificates.  See the certificate creation scripts in 2.1.8, they may
have fixes for this.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
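
The two points raised in this thread (the CA must be authorized to sign client certificates, and the client certificate must come from the CA the server trusts) can be checked offline before starting wpa_supplicant. This is an added example, not part of the original thread or of FreeRADIUS; the function name check_eap_tls_certs is hypothetical, ca.pem and client.pem are the file names used in the thread, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: offline checks on the two files an EAP-TLS client is given.
# check_eap_tls_certs is a hypothetical helper name; it needs the openssl CLI.
# Returns 0 = OK, 1 = CA not marked as a CA, 2 = expired, 3 = chain/purpose failure.
check_eap_tls_certs() {
    ca="$1"
    client="$2"

    # 1. A CA that may sign client certificates must carry basicConstraints CA:TRUE.
    if ! openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $ca is not marked CA:TRUE"
        return 1
    fi

    # 2. Neither certificate may be past its notAfter date (uses the local clock).
    for f in "$ca" "$client"; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "FAIL: $f has expired"
            return 2
        fi
    done

    # 3. The client certificate must chain to this CA and be acceptable
    #    as a TLS client certificate.
    if ! openssl verify -CAfile "$ca" -purpose sslclient "$client" >/dev/null 2>&1; then
        echo "FAIL: $client does not verify against $ca as a TLS client certificate"
        return 3
    fi

    echo "OK: $client verifies against $ca"
    return 0
}

# Run directly as: sh check.sh ca.pem client.pem
if [ "$#" -eq 2 ]; then
    check_eap_tls_certs "$1" "$2"
fi
```

Run it against the CA file the server is configured to trust, not only the copy held on the client, so that a mismatch between the two shows up as a failure in step 3.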


RE: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-13 Thread Zheng, Jiajia
Alan DeKok wrote:
> Zheng, Jiajia wrote:
>> But as I mentioned, the same CA works fine with EAP-TTLS. Why does it
>> go wrong with EAP-TLS?
>
>   EAP-TLS requires that the CA be authorized to sign client
> certificates.  See the certificate creation scripts in 2.1.8, they may
> have fixes for this.

Thanks! I'll have a try. 

bests, 
jiajia


RE: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread Zheng, Jiajia
Sorry, I forgot the subject. 

Zheng, Jiajia wrote:
> Hi,
> I hope it is the right place to ask questions about EAP-TLS with
> radius server.
> I installed freeradius-2.1.6 rpm package on my Fedora 10 system.
> EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine.
> However, EAP-TLS handshake failed. Here are my steps to implement
> EAP-TLS with radius server.
> 1. on server: yum install freeradius
> 2. on server: cd /etc/raddb
> 3. on server: edit users and clients.conf (see attachments)
> 4. on server: radiusd -X
> 5. I configured the AP which is wired connected to the server using
> WPA-TKIP
> 6. copy ca.pem from server to my wireless machine.
> 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my
> wireless machine, which all worked fine.
> 7. on server: cd /etc/raddb/certs
> 8. on server: make client.pem
> 9. copy client.pem from server to my wireless machine
> 10. run wpa_supplicant on my wireless machine:
> wpa_supplicant -Dwext -iwlan0 -c WPA_EAP_TLS.conf
> WPA_EAP_TLS.conf as below,
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
>     ssid="ASUS-2.4G"
>     scan_ssid=1
>     key_mgmt=WPA-EAP
>     eap=TLS
>     identity="root"
>     ca_cert="./ca.pem"
>     client_cert="./client.pem"
>     private_key="./client.pem"
>     private_key_passwd="whatever"
> }
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
> Could you help me out on this issue?
> Is there anything I did wrong? Let me know if you need more debugging
> info.
>
> Thanks,
> jiajia





Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread Alan DeKok
Zheng, Jiajia wrote:
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
> Could you help me out on this issue?

  Paste the debug output into the self-help form at:

http://networkradius.com/freeradius.html

  Look for red text.

> Is there anything I did wrong? Let me know if you need more debugging
> info.

  The debug log already shows everything you need to know.

  The CA used by the client is *not* the same as the CA used by the server.

  Alan DeKok.


Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread sunhualing
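Check the system time; it needs to be within the certificate's validity period.
The CA issue is a bit hard to say; check your configuration again.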

On Thu, May 13, 2010 at 10:53 AM, Zheng, Jiajia jiajia.zh...@intel.com wrote:

> Alan DeKok wrote:
>> Zheng, Jiajia wrote:
>>> 11. EAP-TLS failed, see the attached tls.log for the output of
>>> radiusd
>>> Could you help me out on this issue?
>>
>> Paste the debug output into the self-help form at:
>>
>> http://networkradius.com/freeradius.html
>>
>> Look for red text.
>>
>>> Is there anything I did wrong? Let me know if you need more
>>> debugging info.
>>
>> The debug log already shows everything you need to know.
>>
>> The CA used by the client is *not* the same as the CA used by the
>> server.
>
> Yes, from the debug log, we can tell that the CA is wrong.
> But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go
> wrong with EAP-TLS?
> Here is my configuration file for EAP-TTLS which works.
> WPA_EAP_TTLS_CHAP.conf
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
>     ssid="ASUS-2.4G"
>     scan_ssid=1
>     key_mgmt=WPA-EAP
>     eap=TTLS
>     identity="root"
>     password="wireless"
>     ca_cert="./ca.pem"
>     phase2="auth=CHAP"
> }
> Here is my configuration file for EAP-TLS which fails authentication.
> WPA_EAP_TLS.conf
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
>     ssid="ASUS-2.4G"
>     scan_ssid=1
>     key_mgmt=WPA-EAP
>     eap=TLS
>     identity="root"
>     ca_cert="./ca.pem"
>     client_cert="./client.pem"
>     private_key="./client.pem"
>     private_key_passwd="whatever"
> }
>
> The client.pem used by client was also copied from server.
> Is there anything wrong with my configuration file? I also attached the *.pem.
>
> Thanks,
> jiajia