Different root CA for wpa_supplicant and freeradius
carolin.latze at unifr.ch
Wed Jan 30 02:28:19 EST 2008
Alan DeKok wrote:
> Carolin Latze wrote:
>>> You can't have two root CA's for EAP-TLS.
>> hm... so it seems that I really misunderstood EAP-TLS.... I found a
>> tutorial for an EAP-TLS setup where I was asked to create my own CA and
>> generate a root certificate, which signs the server and client
>> certificates. I never signed the client certificates using the server
>> certificate itself.
> Careful use of terminology is important. In this case, you are using
> ONE root certificate, not two. EAP-TLS works by authenticating client
> certificates signed by a known certificate. Subject to some
> limitations, this known certificate can be the server certificate, or
> ANY certificate that signs the server certificate, up to the root
Yes, in this case, it is only _one_ root certificate... I just described
this setup to ask whether I really need to sign client certificates
using the server certificate. That issue is solved now. But in the
future, I plan to use _two_ root certificates. My first mail was written
to ask for that future setup...
>> When I used wpa_supplicant to authenticate with
>> freeradius I was able to get "EAP state = SUCCESS".
> If you're using FreeRADIUS, see the comments in raddb/eap.conf, and
> raddb/certs/README for more information. The current 2.0.1 release
> explains some of the issues surrounding using multiple certificates for
> EAP-TLS authentication.
Ok, thanks. I read the comments in eap.conf, but was not sure about the
client side; therefore, I asked.
>> So I thought the
>> certificates were ok. I was never able to finish the connection setup,
>> since I always got "WPA: Failed to set PTK to the driver." after EAP
>> SUCCESS, but asking google I read that this is a problem with my wlan
>> card. Am I wrong? What did I miss?
> You allowed the root CA to issue client certificates, and told the
> server to accept them. This means that the root CA can issue client
> certificates without the server knowing. If you own the root CA, that's
> OK. If the root CA is Verisign, that means *anyone* with a
> Verisign-signed certificate can issue client certificates, and be
> authenticated in your network.
Ok, that's clear now... So we misunderstood each other.
Thanks for the explanations.
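To make Alan's point about the root CA concrete, here is an added Go demo (not code from this thread, hostap or FreeRADIUS): it builds one root, a server certificate the root issues with CA rights, a client certificate issued by that server certificate, and a client certificate issued directly by the root, then checks which clients verify when the trust anchor is the root versus the server certificate itself. The common names, validity window and serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; a nil parent makes it self-signed.
func newCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed, demo-only serial
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// accepted reports whether a server whose only trust anchor is anchor would authenticate client.
func accepted(client, anchor *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func Demo() map[string]bool {
	root, rootKey := newCert("Constructed Root CA", true, nil, nil)
	server, serverKey := newCert("radius.example.org", true, root, rootKey)
	viaServer, _ := newCert("client issued by the server cert", false, server, serverKey)
	direct, _ := newCert("client issued directly by the root", false, root, rootKey)
	return map[string]bool{
		"root anchor, client direct":       accepted(direct, root),      // true: the root can issue clients the server never sees
		"server anchor, client via server": accepted(viaServer, server), // true: the intended setup
		"server anchor, client direct":     accepted(direct, server),    // false: issuer is not the anchor
	}
}

func main() { for k, v := range Demo() { println(k, v) } }
```

The second and third results are the setup Carolin describes (clients signed by the server certificate): with the server certificate as the anchor, a certificate the root issued behind the server's back is refused.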