wpa_supplicant interoperability with IAS

JP Dong jdong at pegasuswirelesscorp.com
Mon May 22 17:22:51 EDT 2006


Dear Jouni,

We've got it. It has to be obtained on a Linux computer via Firefox. Thanks.

JP


--------- Original Message --------
From: JP Dong <jdong at pegasuswirelesscorp.com>
To: Jouni Malinen <jkmaline at cc.hut.fi>
Cc: hostap at shmoo.com, eyen at pegasuswirelesscorp.com
Subject: Re: wpa_supplicant interoperability with IAS
Date: 05/22/2006 12:00

> Dear Jouni,
>
> Thanks for your comments. Please see my reply below.
>
> Regards,
> JP
>
> --------- Original Message --------
> From: Jouni Malinen
> To:
> Cc: hostap at shmoo.com, eyen at pegasuswirelesscorp.com
> Subject: Re: wpa_supplicant interoperability with IAS
> Date: 05/19/2006 22:52
>
> On Wed, May 17, 2006 at 01:48:28PM -0700, JP Dong wrote:
> > Hi all,
> >
> > We are trying to test the interoperability of wpa_supplicant with IAS
> > radius server using EAP-TLS. We used IAS to create the certificates for
> > CA and a user, but we are not able to obtain the key file for the user
> > since it is required by wpa_supplicant configuration file (or not?);
> > however, the key and certificate for CA can be obtained. In the
> > wpa_supplicant, the following fields are needed:
> >
> > ca_cer_file
> > private_cer_file
> > private_key_file
> >
> > We just wondered whether all these three files are required; if so, how
> > they can be obtained using IAS (or if conversion is needed, how the
> > conversion can be done?) Any hints or suggestions would be highly
> > appreciated.
> >
> > Thanks and best,
> > JP
>
> IAS does not create certificates as far as I know. I would assume you
> are using IAS as the RADIUS authentication server and Microsoft CA
> service as the tool for enrolling certificates.
>
> [JP] you are right, and I should say Microsoft CA services instead.
>
> What made you think the user key cannot be obtained? I have enrolled
> client certificates (including private key generation) successfully with
> Firefox from Microsoft CA. These work fine with wpa_supplicant. Another
> option is to enroll certificates (e.g., with WinXP) and export them as
> PKCS#12 (PFX) file.
>
> [JP] we tried the "export" feature on Windows 2000 server, and only p7b
> (PKCS#7) file for CA but not for the user certificate can be saved. We
> don't know why. What Microsoft CA are you using, on Windows 2000 server
> or 2003 server? When we tried to export the user certificate (still on
> the server machine), the "private key" option is always disabled.
> => any suggestions?
>
> EAP-TLS requires user private key and certificate and a trusted CA
> certificate. These do not need to be separate files, but these
> keys/certificates are needed.
>
> [JP] This is understood since the comments in the sample wpa_supplicant
> configuration file explain this clearly.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> 
> 
> _________________________________________________________
> Message sent using Winmail Mail Server 4.
> 
> 
> 
> 
> 
> 
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap


_________________________________________________________
Message sent using Winmail Mail Server 4.
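
Added example, not part of the original thread and not code from wpa_supplicant: one way to check that a PKCS#12 (PFX) export really carries the three items EAP-TLS needs (user certificate, matching private key, trusted CA certificate). It assumes the openssl command-line tool is installed; all file names, subjects and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect a PKCS#12 (PFX) export for EAP-TLS material.
# File names, certificate subjects and the password are constructed.

# Build a throwaway CA and user certificate and export them as a PFX.
make_constructed_pfx() {  # $1 = work dir, $2 = export password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-user" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/user.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.pem" \
        -certfile "$1/ca.pem" -passout "pass:$2" -out "$1/user.pfx"
}

# Split a PFX into client certificate, CA certificate and private key.
# The key is written unencrypted, so the files are created owner-only.
split_pfx() {  # $1 = pfx file, $2 = password, $3 = existing output dir
    (
        umask 077
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
            -out "$3/client.pem" 2>/dev/null &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts \
            -out "$3/ca.pem" 2>/dev/null &&
        openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
            -out "$3/key.pem" 2>/dev/null
    )
}

# Succeed only if the certificate chains to the CA and the key matches it.
check_eap_tls_material() {  # $1 = CA cert, $2 = client cert, $3 = key
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

A PFX exported without the private key fails in split_pfx at the key step, and a key that belongs to a different certificate fails the public-key comparison in check_eap_tls_material.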

