wpa_supplicant interoperability with IAS

JP Dong jdong at pegasuswirelesscorp.com
Mon May 22 14:59:28 EDT 2006


Dear Jouni,Thanks for your comments. Please see my reply below.Regards,JP

--------- Original Message --------From: Jouni Malinen To: Cc: hostap at shmoo.com, eyen at pegasuswirelesscorp.comSubject: Re: wpa_supplicant interoperability with IASDate: 05/19/2006 22:52On Wed, May 17, 2006 at 01:48:28PM -0700, JP Dong wrote:> Hi all,We are trying to test the interoperability of wpa_supplicant with IAS radius server using EAP-TLS. We used IAS to create the certificates for CA and a user, but we are not able to obtain the key file for the user since it is required by wpa_supplicant configuration file (or not?); however, the key and certificate for CA can be obtained. In the wpa_supplicant, the following fields are needed:ca_cer_fileprivate_cer_fileprivate_key_fileWe just wondered whether all these three files are required; if so, how they can be obtained using IAS (or if conversion is needed, how the conversion can be done?) Any hints or suggestions would be highly appreciated.Thanks and best,JPIAS does not create certificates as far as I know. I would assume youare using IAS as the RADIUS authentication server and Microsoft CAservice as the tool for enrolling certificates.[JP] you are right, and I should say Microsoft CA services instead.What made you think the user key cannot be obtained? I have enrolledclient certificates (including private key generation) successfully withFirefox from Microsoft CA. These work fine with wpa_supplicant. Anotheroption is to enroll certificates (e.g., with WinXP) and export them asPKCS#12(PFX) file.[JP] we tried the "export" feature on Windows 2000 server, and only p7b (PKCS#7) file for CA but not for the user certificate can be saved. We don't know why. What Microsoft CA are you using, on Windows 2000 server or 2003 server? When we tried to export the user certificate (still on the server machine), the "private key" option is always disabled. => any suggestions?EAP-TLS requires user private key and certificate and a trusted CAcertificate. These do not need to be separate files, but thesekeys/certificates are needed.[JP] This is understood since the comments in the sample wpa_supplicant configuration file explains this clearly.-- Jouni Malinen PGP id EFC895FA. 


_________________________________________________________
Message sent using Winmail Mail Server 4.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20060522/e841bf93/attachment.htm 


More information about the HostAP mailing list