Version 3.0.4 Centos 7 EAP-TLS : EAP failure

John Teasley ollieteasley at gmail.com
Mon Feb 8 01:07:13 CET 2016


Well, looks like from this point it may be NetworkManager and how it deals
with the certs. Using wpa_supplicant I am able to connect using the
WPA_SUPPLICANT_CONFIG block below. Once I get everything sorted out I will
redo the certs. However, I don't get why this is not working with
NetworkManager. That will be for another forum I guess. I am curious though
if my traffic is now encrypted (even though the certs are just the
snake-oil certs) when connecting using wpa_supplicant outside of network
manager.

WPA_SUPPLICANT CONFIG :

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
 ssid="trunk2"
 scan_ssid=1
 key_mgmt=WPA-EAP
 pairwise=TKIP CCMP
 group=TKIP CCMP
 eap=TLS
 identity="user at example.org"
 ca_cert="/home/loper/NetworkManager_CERTS/ca.pem"
 client_cert="/home/loper/NetworkManager_CERTS/user.pem"
 private_key="/home/loper/NetworkManager_CERTS/client.key"
 private_key_passwd="whatever"
 eapol_flags=3
}


Ollie Teasley
Linux Administrator
ISMELL.SHOES, LLC


On Sun, Feb 7, 2016 at 12:17 PM, John Teasley <ollieteasley at gmail.com>
wrote:

> Thanks again Alan. Looks like I had a ton of typos in the test config.
> Wow. Sorry I wasted your time with this one. Must have been staring at it
> too long or something. Thanks again. I guess now I can read up on setting up a
> better way to manage all the certs!
>
>
> NEW RESULTS :
>
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Status notification: completion (param=success)
> EAP: EAP entering state SUCCESS
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> EAPOL: SUPP_PAE entering state AUTHENTICATED
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS
> EAPOL: SUPP_BE entering state IDLE
> eapol_sm_cb: success=1
> EAPOL: Successfully fetched key (len=32)
> PMK from EAPOL - hexdump(len=32): d8 6e 87 d3 3c 12 2e b8 83 21 72 3b cd
> c0 ae c2 8a 9a 4a 6c 28 62 2d 25 f4 22 b2 2c 3e c3 18 92
> EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 2  mismatch: 0
> SUCCESS
>
>
> Ollie Teasley
> Linux Administrator
> ISMELL.SHOES, LLC
>
>
> On Sat, Feb 6, 2016 at 9:53 PM, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Feb 6, 2016, at 9:22 PM, John Teasley <ollieteasley at gmail.com> wrote:
>> > Thanks for the reply Alan! Made all the changes you indicated. However,
>> I
>> > am still having issues. Also, is it required to run a proxy if I only
>> use
>> > the radius host? This is just for a small home lab. Please see below
>> > results. I really appreciate the help.
>>
>>   It's what I do, despite what some people think. :)
>>
>> > Also, while I can build from source,
>> > would doing so fix this? It seems more like something I have done
>> wrong. A
>> > rebuild would just reflect the same misconfigurations if that is what
>> the
>> > issue is.
>>
>>   Again, a careful reading of the output is useful:
>>
>>   From eapol_test:
>>
>> > OpenSSL: tls_connection_ca_cert - Failed to load root certificates
>> > error:02001002:system library:fopen:No such file or directory
>> > OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such
>> > file
>> > OpenSSL: pending error: error:0B084002:x509 certificate
>> > routines:X509_load_cert_crl_file:system lib
>> > OpenSSL: tls_load_ca_der - Failed load CA in DER format
>> > error:02001002:system library:fopen:No such file or directory
>> > OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
>>
>>   You need to be sure that the certificate exists.  Check the path in the
>> eapol_test configuration file.
>>
>>   Alan DeKok.
>>
>>
>>
>
>

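As an added example that is not part of this thread: a small POSIX shell helper that applies Alan's advice, checking that the ca_cert, client_cert and private_key paths in a wpa_supplicant or eapol_test config actually exist and are readable before the supplicant runs, so a typo shows up as a plain "cannot read" line instead of the OpenSSL fopen errors quoted above. The optional second check (needs openssl) confirms the client certificate chains to the configured CA and that the private key belongs to it. The function names and the sample config are my own assumptions, not from the thread.

```shell
# Print the value of one wpa_supplicant config key (ca_cert, client_cert,
# private_key, ...) with surrounding quotes stripped; empty if the key is absent.
wpa_conf_value() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Check that every certificate/key file named in the config exists and is
# readable. Prints one line per problem; the return code is the problem count
# (0 = all paths OK).
check_eap_tls_paths() {
    conf="$1"
    problems=0
    for key in ca_cert client_cert private_key; do
        path=$(wpa_conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "$key: cannot read '$path' (check the path for typos)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Deeper check (requires openssl): does the client cert verify against the
# configured CA, and does the private key match the client cert's public key?
check_eap_tls_chain() {
    conf="$1"
    ca=$(wpa_conf_value "$conf" ca_cert)
    cert=$(wpa_conf_value "$conf" client_cert)
    key=$(wpa_conf_value "$conf" private_key)
    pw=$(wpa_conf_value "$conf" private_key_passwd)
    openssl verify -CAfile "$ca" "$cert" || return 1
    # Compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private_key does not match client_cert"
        return 1
    fi
    echo "certificate chain and key match OK"
}
```

Typical use is `check_eap_tls_paths /etc/wpa_supplicant/wpa_supplicant.conf && check_eap_tls_chain /etc/wpa_supplicant/wpa_supplicant.conf` before starting wpa_supplicant or eapol_test; with self-signed test certs the chain check also documents which CA the supplicant will trust.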
