Problems with EAP-TTLS/EAP-TLS - One Step further

Carolin Latze carolin.latze at unifr.ch
Fri Oct 31 07:49:49 EDT 2008


My message with the debug attachment got bounced... you can download the
debug log here:

http://diuf.unifr.ch/people/latzec/debug311008.txt

regards
Carolin

Carolin Latze wrote:
> Jouni Malinen wrote:
>> On Thu, Oct 30, 2008 at 03:11:39PM +0100, Carolin Latze wrote:
>>
>>> meanwhile I tried several things and didn't succeed but I have an idea 
>>> what's going wrong. It seems that the wpa_supplicant only takes the 
>>> engine for the outer authentication. Is that possible?
>> Yes, that is quite possible. I have not tested using OpenSSL engine in
>> phase 2.
> Ok... I will go on debugging when I get it running without engine. If
> you have some hints where to start, I would be happy (otherwise I
> start grepping through the code). At the moment I am still working with
> wpa_supplicant 0.5.9 since I integrated the TPM engine into that version
> and 0.6 brought a lot of changes. Seems like I have to reimplement my
> integration in version 0.6. So if there is no strong need to change the
> version, I would prefer to postpone it.
>>> Therefore my question: On the wpa_supplicant homepage I saw that 
>>> EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place where 
>>> to download the test configurations? That would be very helpful for me! 
>>> I want to try to use EAP-TTLS/EAP-TLS without engine for a first test 
>>> (take out the complexity in order to understand it :)). I tried it with:
>> This worked when I last tested it, but I've only tested without an
>> engine and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
>> of a problem case, so you may need to update FreeRADIUS unless you are
>> using the latest release.
> Is that a problem of FreeRADIUS? As I wrote, I also do not use the
> newest wpa_supplicant. But anyhow, I upgraded FreeRADIUS to version
> 2.1.1. I also tried it with the latest version from git (2.1.2). But I
> still get the same error. I attached the complete log to this mail.
>>>         eap=TTLS
>>>
>>>         phase2="autheap=TLS"
>>>
>>>         identity="10.1.1.5"
>>>         ca_cert="/home/latze/cert/cacert.pem"
>>>         client_cert2="/home/latze/cert/basisk_cert.pem"
>>>         private_key2="/home/latze/cert/basisk_key.pem"
>>>         private_key2_passwd="PW"
>> I would recommend including ca_cert2 here, too, so that wpa_supplicant
>> will verify server certificate in phase2 should the server be using a
>> different key in phase 1 and 2 (not really a very likely case, but
>> anyway, it is good to validate certificates both in phase 1 and 2).
> Ok, changed that.
>
> Regards
> Carolin
>

-- 
Carolin Latze
Research Assistant			ICT Engineer

Department of Computer Science		Swisscom Strategy and Innovation
Boulevard de Pérolles 90		Ostermundigenstrasse 93
CH-1700 Fribourg      			CH-3006 Bern
	
phone: +41 26 300 83 30			+41 79 72 965 27
homepage: http://diuf.unifr.ch/people/latzec
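As an added example (not code from this thread, from wpa_supplicant or from FreeRADIUS), a small Python check that parses the network block of a wpa_supplicant.conf and flags a tunneled EAP-TTLS/PEAP configuration whose inner EAP-TLS run has no ca_cert2, the phase 2 validation gap Jouni points out above. The sample block is the one quoted in the thread; the parser and the function names are my own assumptions.

```python
import re

# Minimal parser for "network={ ... }" blocks in wpa_supplicant.conf (added
# example, not wpa_supplicant code). Values are key=value, strings may be quoted.
NETWORK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_network_blocks(conf_text):
    """Return one dict per network block, with surrounding double quotes stripped."""
    blocks = []
    for body in NETWORK_RE.findall(conf_text):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and whitespace
            if not line or "=" not in line:
                continue
            key, value = line.split("=", 1)        # split on the FIRST '=' only
            params[key.strip()] = value.strip().strip('"')
        blocks.append(params)
    return blocks


def phase2_uses_tls(params):
    """True when phase2 selects an inner TLS method (autheap=TLS or auth=TLS)."""
    return bool(re.search(r"\b(autheap|auth)=TLS\b", params.get("phase2", "")))


def check_phase2_ca(params):
    """Findings for a tunneled EAP block: server cert must be validated in both phases."""
    findings = []
    if params.get("eap") not in ("TTLS", "PEAP"):
        return findings                            # not a tunneled method, nothing to check
    if "ca_cert" not in params:
        findings.append("ca_cert missing: phase 1 server certificate is not validated")
    if phase2_uses_tls(params) and "ca_cert2" not in params:
        findings.append("ca_cert2 missing: inner EAP-TLS server certificate is not validated")
    return findings


# Constructed sample: the block quoted in the thread, without ca_cert2.
SAMPLE_CONF = """
network={
        eap=TTLS
        phase2="autheap=TLS"
        identity="10.1.1.5"
        ca_cert="/home/latze/cert/cacert.pem"
        client_cert2="/home/latze/cert/basisk_cert.pem"
        private_key2="/home/latze/cert/basisk_key.pem"
        private_key2_passwd="PW"
}
"""
```

Running `check_phase2_ca` over the parsed sample reports the missing ca_cert2; adding a `ca_cert2=` line to the block makes the check return no findings.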
