Hi, I hope it is the right place to ask questions about EAP-TLS with radius server. I installed freeradius-2.1.6 rpm package on my Fedora 10 system. EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine. However, EAP-TLS handshake failed. Here are my steps to implement EAT-TLS with radius server. 1. on server: yum install freeradius 2. on server: cd /etc/raddb 3. on server: edit users and clients.conf (see attachments) 4. on server: radiusd -X 5. I configured the AP which is wired connected to the server using WPA-TKIP 6. copy ca.pem from server to my wireless machine. 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my wireless machine, which all worked fine. 7. on server: cd /etc/raddb/certs 8. on server: make client.pem 9. copy client.pem from server to my wireless machine 10. run wpa_supplicant on my wireless machine: wpa_supplicant -Dwext -iwlan0 -c WPA_EAP_TLS.conf WPA_EAP_TLS.conf as below, ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="ASUS-2.4G" scan_ssid=1 key_mgmt=WPA-EAP eap=TLS identity="root" ca_cert="./ca.pem" client_cert="./client.pem" private_key="./client.pem" private_key_passwd="whatever" } 11. EAP-TLS failed, see the attached tls.log for the output of radiusd Could you help me out on this issue? Is there anything I did wrong? Let me know if you need more debugging info. Thanks, jiajia
Sorry, I forgot the subject. Zheng, Jiajia wrote:
Hi, I hope it is the right place to ask questions about EAP-TLS with radius server. I installed freeradius-2.1.6 rpm package on my Fedora 10 system. EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine. However, EAP-TLS handshake failed. Here are my steps to implement EAT-TLS with radius server. 1. on server: yum install freeradius 2. on server: cd /etc/raddb 3. on server: edit users and clients.conf (see attachments) 4. on server: radiusd -X 5. I configured the AP which is wired connected to the server using WPA-TKIP 6. copy ca.pem from server to my wireless machine. 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my wireless machine, which all worked fine. 7. on server: cd /etc/raddb/certs 8. on server: make client.pem 9. copy client.pem from server to my wireless machine 10. run wpa_supplicant on my wireless machine: wpa_supplicant -Dwext -iwlan0 -c WPA_EAP_TLS.conf WPA_EAP_TLS.conf as below, ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="ASUS-2.4G" scan_ssid=1 key_mgmt=WPA-EAP eap=TLS identity="root" ca_cert="./ca.pem" client_cert="./client.pem" private_key="./client.pem" private_key_passwd="whatever" } 11. EAP-TLS failed, see the attached tls.log for the output of radiusd Could you help me out on this issue? Is there anything I did wrong? Let me know if you need more debugging info.
Thanks, jiajia
Zheng, Jiajia wrote:
11. EAP-TLS failed, see the attached tls.log for the output of radiusd Could you help me out on this issue?
Paste the debug output into the "self-help" form at: http://networkradius.com/freeradius.html Look for red text.
Is there anything I did wrong? Let me know if you need more debugging info.
The debug log already shows everything you need to know. The CA used by the client is *not* the same as the CA used by the server. Alan DeKok.
Alan DeKok wrote:
Zheng, Jiajia wrote:
11. EAP-TLS failed, see the attached tls.log for the output of radiusd Could you help me out on this issue?
Paste the debug output into the "self-help" form at:
http://networkradius.com/freeradius.html
Look for red text.
Is there anything I did wrong? Let me know if you need more debugging info.
The debug log already shows everything you need to know.
The CA used by the client is *not* the same as the CA used by the server.
Yes, from the debug log, we can tell that the CA is wrong. But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS? Here is my configure file for EAP-TTLS which works. WPA_EAP_TTLS_CHAP.conf ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="ASUS-2.4G" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS identity="root" password="wireless" ca_cert="./ca.pem" phase2="auth=CHAP" } Here is my configure file for EAP-TLS which fails authentication. WPA_EAP_TLS.conf ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="ASUS-2.4G" scan_ssid=1 key_mgmt=WPA-EAP eap=TLS identity="root" ca_cert="./ca.pem" client_cert="./client.pem" private_key="./client.pem" private_key_passwd="whatever" } The client.pem used by client was also copied from server. Is there anything wrong with my configure file? I also attached the *.pem. Thanks, jiajia
检查一下时间系统,要求在证书的有效期内 CA的事情有点难说,你再检查下配置 On Thu, May 13, 2010 at 10:53 AM, Zheng, Jiajia <jiajia.zheng@intel.com>wrote:
Alan DeKok wrote:
Zheng, Jiajia wrote:
11. EAP-TLS failed, see the attached tls.log for the output of radiusd Could you help me out on this issue?
Paste the debug output into the "self-help" form at:
http://networkradius.com/freeradius.html
Look for red text.
Is there anything I did wrong? Let me know if you need more debugging info.
The debug log already shows everything you need to know.
The CA used by the client is *not* the same as the CA used by the server.
Yes, from the debug log, we can tell that the CA is wrong. But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS? Here is my configure file for EAP-TTLS which works. WPA_EAP_TTLS_CHAP.conf ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="ASUS-2.4G" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS identity="root" password="wireless" ca_cert="./ca.pem" phase2="auth=CHAP" } Here is my configure file for EAP-TLS which fails authentication. WPA_EAP_TLS.conf ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="ASUS-2.4G" scan_ssid=1 key_mgmt=WPA-EAP eap=TLS identity="root" ca_cert="./ca.pem" client_cert="./client.pem" private_key="./client.pem" private_key_passwd="whatever" }
The client.pem used by client was also copied from server. Is there anything wrong with my configure file? I also attached the *.pem.
Thanks, jiajia - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Zheng, Jiajia wrote:
But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS?
EAP-TLS requires that the CA be authorized to sign client certificates. See the certificate creation scripts in 2.1.8, they may have fixes for this. Alan DeKok.
Alan DeKok wrote:
Zheng, Jiajia wrote:
But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes wrong with EAP-TLS?
EAP-TLS requires that the CA be authorized to sign client certificates. See the certificate creation scripts in 2.1.8, they may have fixes for this.
Thanks! I'll have a try. bests, jiajia
participants (3)
-
Alan DeKok -
sunhualing -
Zheng, Jiajia