EAP-TLS with certificate-chain
zfaigl at mik.bme.hu
Mon Feb 18 15:52:57 EST 2008
I am new on this list.
I would like to test EAP-TLS based authentication over IKEv2 protocol.
The IKEv2 implementation I use (see IKEv2 project) applies
wpa_supplicant at the client-side, and freeRadius at the server side.
I would like to test three test cases:
1. Server has an n-tier certificate chain , client has a 2-tier
certificate chain (2-tier means: the peer certificate is signed directly
by the self signed rootCA certificate)
2. Client has an n-tier certificate chain, server has a 2-tier
3. Both the client and the server have multiple tier certificate chains.
Until this time I found out, how freeRadius can be configured with
EAP-TLS, to send out a certificate-chain longer than 2-tier.
At the freeRadius side, I need to concatenate PEM format certificates in
trust order -- from server certificate until the self-signed root-CA
certificate, and give this as the server certificate file in the EAP-TLS
So "server certificate file" in case of 4-tier case is:
Moreover, in the Trusted CAs list option, I give rootCA.pem.
As a consequence, during authentication, the server sends out all the
4-tier certificate chain in the server Certificate handshake.
You can see this in my capture file (with wireshark) available on
http://www.mcl.hu/~szlaj/trace1.cap (192.168.83.3 is freeRadius,
192.168.81.3 is the Radius client).
I am currently testing the first test case, so I tried to give the
following configuration for the wpa supplicant:
Here, client-1.crt is signed by rootCA
rootCA is the common CA of the client and server.
The problem is the following:
When the client receives the first group of TLS handshake messages from
the server, it says "unknown CA" for the server certificates and the
authentication is unsuccessful.
(see the capture file).
So, I have the following questions.
1. How to reach that the client side accept the certificate-chain of the
server, if the common trusted CA is the rootCA?
2. Could you give the details of the configuration, of wpa_supplicant:
what certificate formats can I use? PEM, DER or PKCS12? I would prefer
PEM, but I can also convert to other formats.
(the only thing I found on the mailing list just mentions the
possibility of certificate-chains:
did not help me, so I am quite interested in suggestions)
3. I would like to make functioning test cases 2 and 3. But, how to
configure wpa_supplicant with n-tier client certificate chain? In these
cases, what do you think about the freeRadius side EAP-TLS configuration?
If there is any documentation, or examples on n-tier certificate chains
related with wpa_supplicant and freeradius, that would be very helpful
Mobile Innovation Center
More information about the HostAP