EAP-TLS problems with RHEL 5.3

jim.sifferle at tektronix.com
Tue Mar 10 13:10:56 EDT 2009


Hello,

I am having problems getting Red Hat Enterprise Linux 5.3 working on our EAP-TLS corporate WLAN.  I am using the following:

- RHEL 5.3, default '2.6.18-128.el5' kernel, rtl8187 kernel module (RH backported rtl8187+mac80211 from 2.6.25 / 2.6.26)
- Netgear WG111 v2 USB wireless adapter
- wpa_supplicant 0.5.10-8 (default RHEL 5.3 package)
- dhclient 3.0.5 (default RHEL 5.3 package)

- Cisco 1240AG A/B/G access points, IOS 12.3(8)JEA
   - x3 active ESSIDs (LEAP+CKIP-CMIC, EAP-TLS+TKIP/AES_CCM, Open, non-encrypted)
- MS Windows Server 2K3 / IAS RADIUS server

I cannot reliably associate to our APs.  I have successfully associated 3-4 times; however, most of the time wpa_supplicant cycles from SCANNING to ASSOCIATING to DISCONNECTED.  The few times I have successfully associated, I have been able to obtain a DHCP IP and was active on the network.  I have verified my client certificate and CA path using 'openssl verify -CAfile ca.pem user.pem'.  I know the APs are all working.  Windows XP/Vista clients can associate to our EAP-TLS ESSID using the Microsoft or Intel supplicants.  Using RHEL, I can associate to our open, non-secure Guest wireless ESSID without a problem, so I know the kmod is working.

Here is the debug from a failed association:  http://www.sifferle.net/EAP-TLS%20not%20associated.txt

Here is the debug from a successful association:  http://www.sifferle.net/EAP-TLS%20associated.txt

Here is my wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="SSID"
        proto=WPA RSN
        key_mgmt=WPA-EAP
        pairwise=CCMP TKIP
        group=CCMP TKIP
        eap=TLS
        identity="user@domain.com"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
}

Any help would be greatly appreciated.

Thanks,

Jim Sifferle
Danaher T&M / Tektronix Network Services
Work: 503-627-5364
Mobile: 503-860-5558
Jim.sifferle at tektronix.com
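
An added example, not part of the original message: a small Python script that reads the "State: X -> Y" transition lines wpa_supplicant prints in debug output (-d) and reports how far each connection attempt got. It separates attempts that end in ASSOCIATING, as in the cycle described above, from attempts that fail later during EAP-TLS or the key handshake. The sample log is constructed for illustration and is not taken from the linked debug files.

```python
import re

# States in the order a successful WPA-EAP connection passes through them.
ORDER = ["DISCONNECTED", "INACTIVE", "SCANNING", "ASSOCIATING", "ASSOCIATED",
         "4WAY_HANDSHAKE", "GROUP_HANDSHAKE", "COMPLETED"]
RANK = {name: i for i, name in enumerate(ORDER)}
STATE_RE = re.compile(r"State: (\w+) -> (\w+)")

def attempts(log_text):
    """Return the furthest state reached in each connection attempt.

    An attempt starts at a transition into ASSOCIATING and ends at the next
    transition into DISCONNECTED, a new ASSOCIATING, or the end of the log.
    """
    results, current = [], None
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m or m.group(2) not in RANK:
            continue
        new = m.group(2)
        if new == "ASSOCIATING":
            if current is not None:
                results.append(current)
            current = new
        elif current is not None:
            if new == "DISCONNECTED":
                results.append(current)
                current = None
            elif RANK[new] > RANK[current]:
                current = new
    if current is not None:
        results.append(current)
    return results

def summarize(log_text):
    """Count attempts by the furthest state they reached."""
    counts = {}
    for state in attempts(log_text):
        counts[state] = counts.get(state, 0) + 1
    return counts

# Constructed sample: one attempt that never associates, one that completes.
SAMPLE = """State: DISCONNECTED -> SCANNING
State: SCANNING -> ASSOCIATING
State: ASSOCIATING -> DISCONNECTED
State: DISCONNECTED -> SCANNING
State: SCANNING -> ASSOCIATING
State: ASSOCIATING -> ASSOCIATED
State: ASSOCIATED -> 4WAY_HANDSHAKE
State: 4WAY_HANDSHAKE -> GROUP_HANDSHAKE
State: GROUP_HANDSHAKE -> COMPLETED
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An attempt whose furthest state is ASSOCIATING ended before 802.11 association finished, so the EAP-TLS exchange, which starts only after ASSOCIATED, had not begun in that attempt.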

