How to implement EAP-TLS with freeradius and wpa_supplicant?

Zheng, Jiajia jiajia.zheng at intel.com
Thu May 13 04:53:31 CEST 2010


Alan DeKok wrote:
> Zheng, Jiajia wrote:
>>> 11. EAP-TLS failed, see the attached tls.log for the output of
>>> radiusd Could you help me out on this issue?
> 
>   Paste the debug output into the "self-help" form at:
> 
> http://networkradius.com/freeradius.html
> 
>   Look for red text.
> 
>>> Is there anything I did wrong? Let me know if you need more
>>> debugging info.
> 
>   The debug log already shows everything you need to know.
> 
>   The CA used by the client is *not* the same as the CA used by the
> server. 
> 
Yes, from the debug log, we can tell that the CA is wrong.
But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go wrong with EAP-TLS?
Here is my configuration file for EAP-TTLS, which works.

WPA_EAP_TTLS_CHAP.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
    ssid="ASUS-2.4G"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="root"
    password="wireless"
    ca_cert="./ca.pem"
    phase2="auth=CHAP"
}

Here is my configuration file for EAP-TLS, which fails authentication.

WPA_EAP_TLS.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
    ssid="ASUS-2.4G"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TLS
    identity="root"
    ca_cert="./ca.pem"
    client_cert="./client.pem"
    private_key="./client.pem"
    private_key_passwd="whatever"
}

The client.pem used by the client was also copied from the server.
Is there anything wrong with my configuration file? I also attached the *.pem.

Thanks,
jiajia
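
Added example, not part of the original message or of the FreeRADIUS or wpa_supplicant projects: in EAP-TTLS with CHAP only the server presents a certificate, while in EAP-TLS the server also validates the client's certificate against the CA it trusts, so a CA mismatch can stay hidden until EAP-TLS is tried. The script checks which certificates chain to a given CA with `openssl verify`; the helper names and the throwaway CAs `ca-a` and `ca-b` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find out which certificates were issued by a given CA.

# issued_by CA_FILE CERT_FILE: succeeds only if CERT_FILE verifies against CA_FILE.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: constructed self-signed test CA (DIR/NAME.key, DIR/NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA NAME: constructed certificate DIR/NAME.pem signed by DIR/CA.pem.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# demo: reproduce a mismatch. The server certificate comes from ca-a, the
# client certificate from ca-b, and both are checked against ca-a alone.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca-a && make_ca "$d" ca-b &&
        make_leaf "$d" ca-a server && make_leaf "$d" ca-b client || return 1
    for cert in server client; do
        if issued_by "$d/ca-a.pem" "$d/$cert.pem"; then
            echo "$cert.pem: issued by ca-a"
        else
            echo "$cert.pem: NOT issued by ca-a"
        fi
    done
    rm -rf "$d"
}

demo
```

On real files, run `issued_by` twice: the CA file the server trusts against client.pem, and the file named in `ca_cert` against server.pem.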
