802.1x auth with wpa_supp?
jkmaline at cc.hut.fi
Sun Oct 3 22:49:39 EDT 2004
On Fri, Sep 17, 2004 at 08:43:09PM +1200, Morgan Read wrote:
> But, I'm getting stuck with my private key? I've included what
> seemed to be one cycle of the debug below, plus a couple of extra
> error examples which are a little different (first).
> Here's the command I used to generate the private key; the instructions
> I followed are from a v basic howto for xsupplicant at my uni:
> <http://www.ece.auckland.ac.nz/%7Etcol036/wireless/wireless.html> -
Those instructions are very confusing.. The configuration seems to be
using EAP-PEAP and the instructions talk about "optional key". If you
want to use a client key with EAP-PEAP (or well, TLS in general) you
will need to generate a certificate request and get the public key
signed by a CA. However, the instructions did not mention anything about
getting CA to sign a client certificate.
There is not much point in generating client keys without having some
kind of PKI in place so that the server could actually verify the key.
> EAP-PEAP: Phase2 type: MSCHAPV2
> SSL: Trusted root certificate(s) loaded
> SSL: Private key failed verification: error:140CB07C:SSL
> routines:SSL_use_PrivateKey_file:bad ssl filetype
> SSL - SSL error: error:140A30B1:SSL routines:SSL_check_private_key:no
> certificate assigned
wpa_supplicant requires both the private key and certificate. However,
one does not normally use client key/certificate at all with EAP-PEAP.
The client side credentials are verified in the inner phase 2
authentication, e.g., EAP-MSGCHAPv2 username&password in this case.
In other words, the normal EAP-PEAP/MSCHAPv2 configuration includes
ca_cert="path to trusted CA certificate"
Following items are usually _not_ used for EAP-PEAP/MSCHAPv2:
Jouni Malinen PGP id EFC895FA
More information about the HostAP