working example of wpa_supplicant to hostapd setup that authenticates using WPA-EAP with EAP-TLS ???

John Lumby johnlumby at hotmail.com
Mon Oct 26 21:45:16 EDT 2009


I have been trying to establish a wireless connection between two laptops each running linux kernel 2.6.28 :
      General setup:
        one has a Prism2.5 radio at firmware level 1.7.4 and I run hostapd 0.6.9 with hostap kernel driver
        one has a iwl4965 (iwlagn) radio and I run  wpa_supplicant 0.6.9 with wext kernel driver
        All pieces individually do work, and in particular I have previously
        successfully established a connection using this hardware and software but with WPA-PSK .
      What I want to do:
        establish a wireless connection using WPA protocol with WPA-EAP, EAP-TLS, TKIP encryption
        I have openssl-0.9.8k at each end
        my wpa_supplicant.conf  :
 ( ???  indicates I don't know about these and have tried with them in and commented out )

update_config=1
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=2
ap_scan=1
fast_reauth=1

network={
        ssid="[**]"
        scan_ssid=1  
        key_mgmt= WPA-EAP IEEE8021X
        pairwise=TKIP
        group=TKIP
       eap=TLS
???     ca_cert="/etc/ssl/certs/wireless_cert.pem"
???     ca_path="/etc/ssl/certs"
???     client_cert="/etc/ssl/certs/wireless_cert.pem"
???       private_key="/etc/ssl/certs/privkey.pem"
???        private_key_passwd="[hidden]"
        phase2="auth=MSCHAPV2"
        identity="test"
        password="password"
        }

hostapd.conf too big to include but may be less critical but similar uncertainty over the ssl certificate parts

I generated my keys and certificates using a scheme like
openssl dsaparam -out /etc/ssl/certs/wireless.dsaparam 128
echo "${private_key_passwd}" | openssl gendsa -out /etc/ssl/certs/privkey.pem /etc/ssl/certs/wireless.dsaparam
openssl req -new -x509 -key /etc/ssl/certs/privkey.pem -out /etc/ssl/certs/wireless_cert.pem -days 1095



I have tried all kinds of variations but nothing works. 
   wpa_supplicant log shows an endless loop of
 DISCONNECTED -> SCANNING
 SCANNING -> ASSOCIATING
 ASSOCIATING -> ASSOCIATED
 ASSOCIATED -> DISCONNECTED
 DISCONNECTED -> SCANNING
     ...

and hostapd log shows everything going fine until all of a sudden it says
wlan0: STA 00:1d:e0:0c:48:59 IEEE 802.1X: unauthorizing port

I am sure the failure is caused by incorrect ssl / TLS setup but after reading
many documents and hints I am hopelessly confused as to :
 1.   what ssl certificate / key files are REQUIRED?  (at each end)
 2.   what correspondence (things that must match) is REQUIRED between the files at each end?
 3.   how should / could these files be generated?

NB   I do NOT want to have to send my certificates to some external CA authority  -  it has to work using all my own resources and code.      If it is impossible to do this using EAP-TLS, then please tell me that and is there some other EAP method I could use that still uses WPA-EAP protocol?


Could anyone please show me a working example of a pair of hostapd / wpa_supplicant setup including
wpa_supplicant.conf that authenticates to the hostapd using WPA-EAP with EAP-TLS (or if impossible as per previous paragraph - EAP-other ),
and if possible answer my questions 1-3?   I would be very grateful ...


John Lumby
 		 	   		  
_________________________________________________________________
CDN College or University student? Get Windows 7 for only $39.99 before Jan 3! Buy it now!
http://go.microsoft.com/?linkid=9691636
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20091026/5e4ad7e0/attachment.htm 


More information about the HostAP mailing list