Problems with EAP-TTLS/EAP-TLS - One Step further
carolin.latze at unifr.ch
Thu Oct 30 10:11:39 EDT 2008
Meanwhile I tried several things and didn't succeed, but I have an idea
what's going wrong. It seems that wpa_supplicant only takes the
engine for the outer authentication. Is that possible?
Why do I think that?
1) If I use the client_cert2 variable, OpenSSL claims that it does not
find the matching certificate.
2) If I use client_cert, it will read the certificate out of the engine
in the EAP-TTLS authentication and claim that there is no engine ID when
starting with EAP-TLS, and from the logs it seems that it is reading the
engine in the outer authentication.
Therefore my question: On the wpa_supplicant homepage I saw that
EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place to
download the test configurations? That would be very helpful for me!
I want to try to use EAP-TTLS/EAP-TLS without engine for a first test
(take out the complexity in order to understand it :)). I tried it with:
Using those certificates in normal EAP-TLS works. But in
EAP-TTLS/EAP-TLS, I get
1225375899.974397: EAP-TTLS: AVP - EAP Message
1225375899.974402: EAP-TTLS: AVP: code=79 flags=0x40 length=261
1225375899.974406: EAP-TTLS: AVP overflow (len=261, left=213) - dropped
1225375899.974411: EAP: method process -> ignore=FALSE methodState=DONE
when doing the inner authentication, and I don't know why.
Carolin Latze wrote:
> Sjors Gielen wrote:
>> Carolin Latze wrote:
>>> That gives more or less the same error. But I think that cannot be the
>>> solution anyway since EAP-TTLS should not require client authentication
>>> from what I know about EAP-TTLS, but I might be wrong. But I also think
>>> the problem lies in the order of the statements.
>>> I have another more general question: Does the EAP-TTLS module call the
>>> EAP-TLS module? I mean it seems that it works like that since I see my
>>> old debug messages but is that really correct?
>> Oops, missed this. According to this line in your wpa_supplicant.conf:
>> It does ;) Change that to
>> (or something similar) and it will probably work :)
> Tried that and still get
> OpenSSL: tls_connection_engine_private_key - Private key failed
> verification error:140A30B1:SSL routines:SSL_check_private_key:no
> certificate assigned
> :) But anyway, I really would like to have EAP-TTLS/EAP-TLS, which means
> having mutual authentication inside a tunnel established with server
> authentication. Do you think that is possible?
> Regards and Thanks for all those hints!
Research Assistant
Department of Computer Science
Boulevard de Pérolles 90
CH-1700 Fribourg
phone: +41 26 300 83 30

ICT Engineer
Swisscom Strategy and Innovation
Ostermundigenstrasse 93
CH-3006 Bern
+41 79 72 965 27
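For readers trying to make sense of the "AVP overflow (len=261, left=213)" line quoted above, here is an added example (not from this thread and not wpa_supplicant's own code) that parses the Diameter-style AVP framing EAP-TTLS uses for its inner payload: a 4-byte AVP code, one flags byte (V = a Vendor-ID follows, M = the AVP is mandatory), a 24-bit length that covers header and data, and data padded out to a 4-byte boundary. flags=0x40 in the log therefore means a mandatory AVP with no Vendor-ID, so its header is 8 bytes; a declared length of 261 with only 213 bytes left in the decrypted record is exactly the condition the parser below reports, after which the rest of the payload cannot be trusted and is dropped. The sample payloads, including the vendor id 9999, are constructed for this example, and the function and constant names are my own.

```python
"""Walk the inner AVPs of an EAP-TTLS payload (Diameter-style AVP framing)."""
import struct
from typing import Optional

AVP_FLAG_VENDOR = 0x80     # V bit: a 4-byte Vendor-ID follows the header
AVP_FLAG_MANDATORY = 0x40  # M bit: receiver must understand this AVP or fail
AVP_CODE_EAP_MESSAGE = 79  # EAP-Message, the code seen in the log line above


def parse_ttls_avps(buf: bytes) -> list:
    """Return the AVPs found in a decrypted EAP-TTLS payload.

    A well-formed AVP yields {'code', 'flags', 'mandatory', 'vendor_id', 'data'}.
    If an AVP declares more bytes than remain in the buffer, an
    {'error': 'overflow', 'len': ..., 'left': ...} entry is appended and
    parsing stops; this is the condition wpa_supplicant logs as
    "AVP overflow (len=..., left=...) - dropped".
    """
    avps = []
    pos = 0
    while pos < len(buf):
        left = len(buf) - pos
        if left < 8:
            avps.append({"error": "short header", "left": left})
            break
        code, flags_and_len = struct.unpack_from("!II", buf, pos)
        flags = flags_and_len >> 24          # top byte: V M r r r r r r
        length = flags_and_len & 0x00FFFFFF  # low 24 bits: header + data
        hdr_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr_len or length > left:
            avps.append({"error": "overflow", "code": code, "flags": flags,
                         "len": length, "left": left})
            break
        vendor_id = None
        if flags & AVP_FLAG_VENDOR:
            (vendor_id,) = struct.unpack_from("!I", buf, pos + 8)
        avps.append({
            "code": code,
            "flags": flags,
            "mandatory": bool(flags & AVP_FLAG_MANDATORY),
            "vendor_id": vendor_id,
            "data": buf[pos + hdr_len:pos + length],
        })
        # Data is padded to a 4-byte boundary; padding is not counted in length.
        pos += (length + 3) & ~3
    return avps


def build_avp(code: int, data: bytes, mandatory: bool = True,
              vendor_id: Optional[int] = None) -> bytes:
    """Encode one AVP; used here only to construct sample input."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    hdr_len = 8
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        hdr_len = 12
    length = hdr_len + len(data)
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * ((-len(data)) % 4)


def good_sample() -> bytes:
    """Constructed payload: an EAP-Message AVP carrying EAP-Request/Identity,
    followed by a non-mandatory vendor-specific AVP (vendor id 9999 is made up)."""
    eap_request_identity = bytes([0x01, 0x01, 0x00, 0x05, 0x01])
    return (build_avp(AVP_CODE_EAP_MESSAGE, eap_request_identity)
            + build_avp(1, b"user", mandatory=False, vendor_id=9999))


def truncated_sample() -> bytes:
    """Constructed payload reproducing the thread's numbers: the header
    declares length 261 (8 + 253 bytes of data) but only 213 bytes are present."""
    return build_avp(AVP_CODE_EAP_MESSAGE, b"\x02" * 253)[:213]


if __name__ == "__main__":
    for avp in parse_ttls_avps(good_sample()):
        print(avp)
    print(parse_ttls_avps(truncated_sample())[-1])
```

The parser returns the M bit rather than acting on it so the caller can decide how to treat an unknown mandatory AVP; the EAP-TTLS specification requires the receiver to abort the negotiation in that case, while unknown non-mandatory AVPs may simply be skipped.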