Evan Vittitow wrote:
I got a "Lull" in my school work long enough such that I can work on Free Radius, homework combined with minor Illness did that.
Allright, just so everyone is on the same page. I want to implement Host based 802.1X with PEAP or EAP-TLS. Currently, all my Samba Hosts have a Object in the LDAP database that looks like uid=kurama$,ou=Hosts,dc=pukey where Kurama is the host name.
There isn't a pasword because this isn't user based. Its Host. I want
This shows lack of understanding. If these samba hosts are members of a domain then they *do* have passwords, and a sufficiently recent combination of software will allow them to do PEAP. But if you want to use EAP-TLS that ought to work too.
the Linux Hosts (All running Mandriva 2007) to be able to use Xsupplicant to authenticate to the Wireless network with their valid TLS Cert.
But whenever I try, I get
[CONFIG] Working from config file /etc/xsupplicant.conf. Network ID from EAP hint : Pukey If this is a wired network, the above ID can be used in the configuration file to identify this network. [CONFIG] Working from config file /etc/xsupplicant.conf. [CONFIG] Identity : kurama [CONFIG] Socket 4 (frame handler) had an event! [CONFIG] Trying to load root certificate /etc/raddb/certs/cert-clt.pem or certificate directory (null) [CONFIG] Loaded root certificate /etc/raddb/certs/cert-clt.pem and directory (null) [CONFIG] Socket 4 (frame handler) had an event! OpenSSL Error -- error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Library : SSL routines Function : SSL3_GET_SERVER_CERTIFICATE Reason : certificate verify failed
To repeat my previous email - xsupplicant does not have a CA cert that allows it to trust the server. The line: Loaded root certificate /etc/raddb/certs/cert-clt.pem ...looks wrong. It looks as if you've told xsupp that the CA cert is the client cert, which it isn't. They're different things. In FreeRadius, the "eap.conf" file will have: eap { tls { certificate_file = /path/to/file.pem } } ...and if you run (against that file): openssl x509 -noout -text -in /path/to/file.pem | egrep '(Subject|Issuer):' ...you'll get something like: Issuer: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority Subject: C=US, O=MyOrg, OU=MyCA, CN=wireless.myorg.com The certificate you supply to the CLIENT as the *CA* must be the ISSUER cert - that is, the one with: Subject: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority I would glance at the xsupp documentation to give more advice but the crapforge^Wsourceforge docs links appears to lead in a loop. This is one reason amongst many others you should seriously consider using wpa_supplicant on the clients.