The EAP Saga begins.
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jan 29 01:12:28 CET 2007
Evan Vittitow wrote:
> I got a "Lull" in my school work long enough such that I can work on
> Free Radius, homework combined with minor Illness did that.
>
> All right, just so everyone is on the same page. I want to implement Host
> based 802.1X with PEAP or EAP-TLS. Currently, all my Samba Hosts have an
> based 802.1X with PEAP or EAP-TLS. Currently, all my Samba Hosts have a
> Object in the LDAP database that looks like
> uid=kurama$,ou=Hosts,dc=pukey where Kurama is the host name.
>
> There isn't a password because this isn't user based. It's Host. I want
This shows lack of understanding. If these samba hosts are members of a
domain then they *do* have passwords, and a sufficiently recent
combination of software will allow them to do PEAP. But if you want to
use EAP-TLS that ought to work too.
> the Linux Hosts (All running Mandriva 2007) to be able to use
> Xsupplicant to authenticate to the Wireless network with their valid TLS
> Cert.
>
> But whenever I try, I get
>
> [CONFIG] Working from config file /etc/xsupplicant.conf.
> Network ID from EAP hint : Pukey
> If this is a wired network, the above ID can be used in the
> configuration file to identify this network.
> [CONFIG] Working from config file /etc/xsupplicant.conf.
> [CONFIG] Identity : kurama
> [CONFIG] Socket 4 (frame handler) had an event!
> [CONFIG] Trying to load root certificate /etc/raddb/certs/cert-clt.pem
> or certificate directory (null)
> [CONFIG] Loaded root certificate /etc/raddb/certs/cert-clt.pem and
> directory (null)
> [CONFIG] Socket 4 (frame handler) had an event!
> OpenSSL Error -- error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Library : SSL routines
> Function : SSL3_GET_SERVER_CERTIFICATE
> Reason : certificate verify failed
To repeat my previous email - xsupplicant does not have a CA cert that
allows it to trust the server.
The line:
Loaded root certificate /etc/raddb/certs/cert-clt.pem
...looks wrong. It looks as if you've told xsupp that the CA cert is the
client cert, which it isn't. They're different things.
In FreeRadius, the "eap.conf" file will have:
eap {
tls {
certificate_file = /path/to/file.pem
}
}
...and if you run (against that file):
openssl x509 -noout -text -in /path/to/file.pem |
egrep '(Subject|Issuer):'
...you'll get something like:
Issuer: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
Subject: C=US, O=MyOrg, OU=MyCA, CN=wireless.myorg.com
The certificate you supply to the CLIENT as the *CA* must be the ISSUER
cert - that is, the one with:
Subject: C=US, O=MyOrg, OU=MyCA, CN=My Certificate Authority
I would glance at the xsupp documentation to give more advice but the
crapforge^Wsourceforge docs links appear to lead in a loop. This is one
reason amongst many others you should seriously consider using
wpa_supplicant on the clients.
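To make the Issuer/Subject check above concrete, here is an added shell script (not from the thread or from either project) that builds a throwaway CA and a server cert in a temp directory, then compares a candidate "CA file" against the server cert the way a supplicant would. The DNs and file names are constructed for the demo; handing it the server (or client) cert as the CA reproduces the mismatch behind "certificate verify failed".

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Needs only the openssl CLI (1.1.1 or newer assumed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed CA, then a server cert signed by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj '/C=US/O=MyOrg/OU=MyCA/CN=My Certificate Authority' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
  -subj '/C=US/O=MyOrg/OU=MyCA/CN=wireless.myorg.com' \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" 2>/dev/null

# is_issuer_of CANDIDATE_CA_FILE SERVER_CERT_FILE
# Prints "ok" when the candidate's Subject equals the server cert's Issuer
# AND the candidate's key actually verifies the server cert's signature;
# otherwise prints "mismatch". Always exits 0 so callers compare the string.
is_issuer_of() {
  cand_subject=$(openssl x509 -noout -subject -in "$1")
  srv_issuer=$(openssl x509 -noout -issuer -in "$2")
  # Drop the "subject=" / "issuer=" prefixes so the two DNs compare directly.
  if [ "${cand_subject#subject=}" = "${srv_issuer#issuer=}" ] &&
     openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo mismatch
  fi
}

# The issuer cert is what the client must be given as its CA.
is_issuer_of "$WORK/ca.pem" "$WORK/server.pem"
# Pointing the client at the server cert itself is the mistake in the log.
is_issuer_of "$WORK/server.pem" "$WORK/server.pem"
```

The same two commands, pointed at the `certificate_file` from eap.conf and at whatever the supplicant is loading as its root, tell you immediately which file belongs in which slot.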