Connecting using wpa_supplicant to a WPA EAP-TLS network

Soh Kam Yung sohkamyung at gmail.com
Mon Oct 13 03:41:04 EDT 2008


I am having to understand how to configure wpa_supplicant (I am using
version 0.5.10) to connected to a WPA-Enterprise (EAP-TLS) network
setup by my company's MIS.

In examples/wpa2-eap-ccmp.conf, I see:

=====
# WPA2-EAP/CCMP using EAP-TLS

ctrl_interface=/var/run/wpa_supplicant

network={
	ssid="example wpa2-eap network"
	key_mgmt=WPA-EAP
	proto=WPA2
	pairwise=CCMP
	group=CCMP
	eap=TLS
	ca_cert="/etc/cert/ca.pem"
	private_key="/etc/cert/user.p12"
	private_key_passwd="PKCS#12 passhrase"
}
=====

But in the README, I see:

=====
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
	ssid="work"
	scan_ssid=1
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="user at example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
}
=====

Are all the parameters (identity, ca_cert, client_cert, private_key,
private_key_passwd) required?

My MIS says that no identity is required.  Does this mean I can leave
it out or should I configure it as identity=""?

I exported my client certificate from my Windows Machine (using
Internet Explorer) at a PKCS#12 file and I am trying to use openssl to
generate the various certificates.

The wpa_supplicant README has an example on how to use openssl to get
the ca_cert and client_cert:

# convert client certificate and private key to PEM format
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys

How do I use openssl to generate the private_key? Is it:
openssl pkcs12 -in example.pfx -out user.prv

Regards,
Kam-Yung
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)


More information about the HostAP mailing list