working example of wpa_supplicant to hostapd setup thatauthenticates using WPA-EAP with EAP-TLS ???

Chuck Tuffli Chuck.Tuffli at dspg.com
Tue Oct 27 12:29:29 EDT 2009


On Mon 10/26/2009 6:45 PM, John Lumby wrote:
> I have been trying to establish a wireless connection between two
> laptops each running linux kernel 2.6.28 :
...
> Could anyone please show me a working example of a pair of hostapd /
> wpa_supplicant setup including wpa_supplicant.conf that authenticates to
> the hostapd using WPA-EAP with EAP-TLS (or if impossible as per previous
> paragraph - EAP-other ), and if possible answer my questions 1-3?   I
> would be very grateful ...

I don't have a hostapd.conf for you to see (we use an off-the-shelf AP),
but the following is what I use for EAP-TLS testing on the STA side

[335] cat wpa_supplicant.conf.wpa2e
ctrl_interface=/var/run/wpa_supplicant
update_config=1

network={
        ssid="***"

        # 802.1X
        key_mgmt=WPA-EAP
        proto=RSN
        eap=TLS
        ca_cert="/certs/wifi_ca_cert.pem"
        client_cert="/certs/client_keycert.pem"
        private_key="/certs/client_keycert.pem"
        private_key_passwd="whatever"

        identity="root"
}

If you are using FreeRADIUS, the private_key_passwd is the same value you
need in the eap.conf file for the variable of the same name. The identity
goes in the users file IIRC.

The part that tripped me up the most was creating the certificates. There
seem to be a large number of different ways to do this, but the one that
worked for me was a script called certhelper.py from the Fedora project.

The directions I wrote up for QA look something like:

# ./certhelper.py ca --outdir=/etc/freeradius/certs --name=wifi
# ./certhelper.py normal --outdir=/etc/freeradius/certs --name=server --cadir=/etc/freeradius/certs --caname=wifi
# mv /etc/freeradius/certs/server_key{_and_,}cert.pem
# ./certhelper.py normal --outdir=/etc/freeradius/certs --name=client --cadir=/etc/freeradius/certs --caname=wifi
# mv /etc/freeradius/certs/client_key{_and_,}cert.pem

HTH

---chuck

______________________________________________________________________
DSP Group, Inc. automatically scans all emails and attachments using MessageLabs Email Security System.
_____________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20091027/d4b4c53d/attachment.htm 


More information about the HostAP mailing list