QUESTION: How to do a COMPUTER NAME (not user name) 802.1x (RADIUS) authentication with wpa_supplicant in Ubuntu 12.04?

McArthor Lee macarthorzhuce at 126.com
Thu Mar 28 08:27:21 EDT 2013


Hi all,



In my corporation, NPS policy does not use AD username/password authentication, for it's too much less secure.




For some laptops and PCs, Ubuntu 12.04 x86 desktop edition is deployed. I found that Ubuntu Network Manager only supports username/password for 802.1x authentication. After some googling, I found wpa_supplicant works at the background of Network Manager.




I checked some guides which stated how to authenticate with domain computer name using wpa_supplicant, but it does not work. The guides are somewhat old, for Ubuntu 8.x version.




Below is the detailed test process and error result. Please help to check what's wrong and what to do.




Setup a test lab with DC/DHCP/NPS servers on Hyper-V, as well as a Cisco 2960G switch. Connect the Hyper-V host to port 17 of the switch. After some configurations, a Windows 7 client can authenticate with domain computer name, through port 16 of the Cisco switch. So the lab environment is OK now. Note: I created a domain user "testadmin" belonging to "Domain Admins" group, and login with this user for all DHCP/NPS/IE-browser logins.

Fresh install an Ubuntu 12.04 x86 desktop edition to a test client. After installation, do no system updates, nor modifications to system settings.

Install likewise, and join the test client to the test domain. Of course, this process is done when the test client is connected to a default-authorized port of the Cisco switch, say port 14.

Generate proper certificates:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privcert.pem -out privcert.pem

sudo openssl req -new -newkey rsa:1024 -nodes -keyout privkey.pem -out certreq.pem

Copy certreq.pem to DC. Open IE and type http://127.0.0.1/certsrv. Then click in turn: "Request a Certificate", "Advanced Certificate Request", "Submit a certificate request by using a base-64-encoded CMC or ......" (a very long option). Copy certreq.pem content to the "Base-64-encoded certificate request" text box, and select "Administrator" template, and then click "Submit", and then download the "Base 64 encoded" certificate. The certificate filename is certnew.cer. Copy the file certnew.cer back to the Ubuntu test client.

Copy certnew.cer to /etc/ssl/certs/ubuntu.domain.pem.

Copy privkey.pem to /etc/ssl/private/.

Edit /etc/wpa_supplicant/wpa_supplicant.conf, and below it's its content:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    eapol_version=1
    ap_scan=0
    network={
        ssid="domaintest"
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2" # whether or not using this option leads the same error.
        identity="nps.test/computers/ubuntu" # "nps.test" is FQAN of the test domain. "ubuntu" is the hostname of the test client.
        client_cert="/etc/ssl/certs/ubuntu.domain.pem"
        private_key="/etc/ssl/private/privkey.pem"
    }


Connect the test client to port 16 (refer to section 1.) of the switch.

Type the following command, and get the follow error:

ubuntu at ubuntu:~$ sudo wpa_supplicant -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf

Associated with 01:80:c2:00:00:03
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=NPS-DC.nps.itc'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=NPS-DC.nps.itc'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=NPS-DC.nps.itc'
SSL: SSL3 alert: read (remote end reported an error):fatal:access denied
OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
CTRL-EVENT-EAP-FAILURE EAP authentication failed


At NPS server, a error event log is respective to the above command:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:                    NULL SID
    Account Name:                   nps.test/computers/ubuntu
    Account Domain:                 NPS
    Fully Qualified Account Name:   NPS\UBUNTU$
Client Machine:
    Security ID:                    NULL SID
    Account Name:                   -
    Fully Qualified Account Name:   -
    OS-Version:                     -
    Called Station Identifier:      00-1D-A1-94-55-90
    Calling Station Identifier:     00-E0-4C-68-04-1D
NAS:
    NAS IPv4 Address:               192.168.1.66
    NAS IPv6 Address:               -
    NAS Identifier:                 -
    NAS Port-Type:                  Ethernet
    NAS Port:                       50016
RADIUS Client:
    Client Friendly Name:           switch
    Client IP Address:              192.168.1.66
Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            -
    Authentication Provider:        Windows
    Authentication Server:          NPS-DC.nps.test
    Authentication Type:            PEAP
    EAP Type:                       -
    Account Session Identifier:     -
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    16
    Reason:                         Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20130328/0c3eba55/attachment.htm 


More information about the HostAP mailing list