Re: How to implement EAP-TLS with freeradius and wpa_supplicant?
Zheng, Jiajia wrote:
> But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS?

EAP-TLS requires that the CA be authorized to sign client certificates. See the certificate creation scripts in 2.1.8, they may have fixes for this.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to implement EAP-TLS with freeradius and wpa_supplicant?
Alan DeKok wrote:
> Zheng, Jiajia wrote:
>> But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS?
>
> EAP-TLS requires that the CA be authorized to sign client certificates. See the certificate creation scripts in 2.1.8, they may have fixes for this.

Thanks! I'll have a try.

bests,
jiajia
RE: How to implement EAP-TLS with freeradius and wpa_supplicant?
Sorry, I forgot the subject.

Zheng, Jiajia wrote:
> Hi,
>
> I hope it is the right place to ask questions about EAP-TLS with radius server. I installed freeradius-2.1.6 rpm package on my Fedora 10 system. EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine. However, EAP-TLS handshake failed. Here are my steps to implement EAP-TLS with radius server.
>
> 1. on server: yum install freeradius
> 2. on server: cd /etc/raddb
> 3. on server: edit users and clients.conf (see attachments)
> 4. on server: radiusd -X
> 5. I configured the AP which is wired connected to the server using WPA-TKIP
> 6. copy ca.pem from server to my wireless machine.
> 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my wireless machine, which all worked fine.
> 7. on server: cd /etc/raddb/certs
> 8. on server: make client.pem
> 9. copy client.pem from server to my wireless machine
> 10. run wpa_supplicant on my wireless machine:
>     wpa_supplicant -Dwext -iwlan0 -c WPA_EAP_TLS.conf
>
>     WPA_EAP_TLS.conf as below,
>
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=wheel
>     network={
>         ssid="ASUS-2.4G"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=TLS
>         identity="root"
>         ca_cert="./ca.pem"
>         client_cert="./client.pem"
>         private_key="./client.pem"
>         private_key_passwd="whatever"
>     }
>
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
>
> Could you help me out on this issue? Is there anything I did wrong? Let me know if you need more debugging info.
>
> Thanks,
> jiajia
Re: How to implement EAP-TLS with freeradius and wpa_supplicant?
Zheng, Jiajia wrote:
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
> Could you help me out on this issue?

Paste the debug output into the self-help form at:

http://networkradius.com/freeradius.html

Look for red text.

> Is there anything I did wrong? Let me know if you need more debugging info.

The debug log already shows everything you need to know. The CA used by the client is *not* the same as the CA used by the server.

Alan DeKok.
Re: How to implement EAP-TLS with freeradius and wpa_supplicant?
Check the system time; it has to be within the certificate's validity period. The CA issue is hard to say; check your configuration again.

On Thu, May 13, 2010 at 10:53 AM, Zheng, Jiajia jiajia.zh...@intel.com wrote:

> Alan DeKok wrote:
>> Zheng, Jiajia wrote:
>>> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
>>> Could you help me out on this issue?
>>
>> Paste the debug output into the self-help form at: http://networkradius.com/freeradius.html
>> Look for red text.
>>
>>> Is there anything I did wrong? Let me know if you need more debugging info.
>>
>> The debug log already shows everything you need to know. The CA used by the client is *not* the same as the CA used by the server.
>
> Yes, from the debug log, we can tell that the CA is wrong. But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS?
>
> Here is my configure file for EAP-TTLS which works.
>
> WPA_EAP_TTLS_CHAP.conf
>
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=wheel
>     network={
>         ssid="ASUS-2.4G"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=TTLS
>         identity="root"
>         password="wireless"
>         ca_cert="./ca.pem"
>         phase2="auth=CHAP"
>     }
>
> Here is my configure file for EAP-TLS which fails authentication.
>
> WPA_EAP_TLS.conf
>
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=wheel
>     network={
>         ssid="ASUS-2.4G"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=TLS
>         identity="root"
>         ca_cert="./ca.pem"
>         client_cert="./client.pem"
>         private_key="./client.pem"
>         private_key_passwd="whatever"
>     }
>
> The client.pem used by client was also copied from server. Is there anything wrong with my configure file? I also attached the *.pem.
>
> Thanks,
> jiajia
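
The three points raised in this thread (the signer must be a CA allowed to issue client certificates, client.pem must chain to the same ca.pem the server uses, and the system time must fall inside the validity period) can be checked with openssl before starting wpa_supplicant. This is an added example, not part of any post above or of the FreeRADIUS certificate scripts; the function names check_eap_tls and make_demo_pki, the return codes and the throwaway demo PKI are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Returns: 0 ok, 1 signer is not a CA, 2 a certificate has
# expired, 3 client cert does not verify against the CA for client auth.
check_eap_tls() {
    ca=$1; client=$2
    # The signer must carry basicConstraints CA:TRUE to issue client certs.
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
        { echo "$ca: not a CA certificate" >&2; return 1; }
    # Neither certificate may be past its notAfter date on this machine's clock.
    for f in "$ca" "$client"; do
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null ||
            { echo "$f: expired, unreadable, or system clock is wrong" >&2; return 2; }
    done
    # Chain and purpose check; also fails for a not-yet-valid certificate.
    openssl verify -purpose sslclient -CAfile "$ca" "$client" >/dev/null 2>&1 ||
        { echo "$client: does not verify against $ca" >&2; return 3; }
    echo "OK: $client chains to $ca"
}

# Constructed sample input: a throwaway CA and one client cert in directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_client \
        -out "$d/client.pem" 2>/dev/null
}

# Real use: sh check.sh ca.pem client.pem
if [ $# -eq 2 ]; then check_eap_tls "$1" "$2"; fi
```

Run it against the ca.pem taken from the RADIUS server and the client.pem copied to the wireless machine; return code 3 corresponds to the mismatch reported in the debug log discussed above.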