QUESTION: How to do a COMPUTER NAME (not user name) 802.1x (RADIUS) authentication with wpa_supplicant in Ubuntu 12.04?

Dan Williams dcbw at redhat.com
Thu Mar 28 10:34:13 EDT 2013


On Thu, 2013-03-28 at 20:27 +0800, McArthor Lee wrote:
> Hi all,
> 
> In my corporation, the NPS policy does not use AD username/password authentication, because it is much less secure.
> 
> For some laptops and PCs, Ubuntu 12.04 x86 desktop edition is deployed. I found that Ubuntu's Network Manager only supports username/password for 802.1x authentication. After some googling, I found that wpa_supplicant works in the background of Network Manager.
> 
> I checked some guides that describe how to authenticate with the domain computer name using wpa_supplicant, but it does not work. The guides are somewhat old, written for Ubuntu 8.x.
> 
> Below are the detailed test process and the resulting error. Please help to check what is wrong and what to do.
> 
> Set up a test lab with DC/DHCP/NPS servers on Hyper-V, as well as a Cisco 2960G switch. Connect the Hyper-V host to port 17 of the switch. After some configuration, a Windows 7 client can authenticate with its domain computer name through port 16 of the Cisco switch, so the lab environment is OK now. Note: I created a domain user "testadmin" belonging to the "Domain Admins" group, and log in with this user for all DHCP/NPS/IE-browser logins.
> 
> Fresh-install Ubuntu 12.04 x86 desktop edition on a test client. After installation, apply no system updates and make no changes to system settings.
> 
> Install likewise, and join the test client to the test domain. Of course, this process is done when the test client is connected to a default-authorized port of the Cisco switch, say port 14.
> 
> Generate proper certificates:
> 
> sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privcert.pem -out privcert.pem
> 
> sudo openssl req -new -newkey rsa:1024 -nodes -keyout privkey.pem -out certreq.pem
> 
> Copy certreq.pem to the DC. Open IE and go to http://127.0.0.1/certsrv. Then click in turn: "Request a Certificate", "Advanced Certificate Request", "Submit a certificate request by using a base-64-encoded CMC or ......" (a very long option). Paste the content of certreq.pem into the "Base-64-encoded certificate request" text box, select the "Administrator" template, click "Submit", and then download the "Base 64 encoded" certificate. The certificate filename is certnew.cer. Copy certnew.cer back to the Ubuntu test client.
> 
> Copy certnew.cer to /etc/ssl/certs/ubuntu.domain.pem.
> 
> Copy privkey.pem to /etc/ssl/private/.
> 
> Edit /etc/wpa_supplicant/wpa_supplicant.conf; its content is below:
> 
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=0
>     eapol_version=1
>     ap_scan=0
>     network={
>         ssid="domaintest"
>         key_mgmt=IEEE8021X
>         eap=PEAP
>         phase2="auth=MSCHAPV2" # whether or not using this option leads the same error.
>         identity="nps.test/computers/ubuntu" # "nps.test" is FQAN of the test domain. "ubuntu" is the hostname of the test client.
>         client_cert="/etc/ssl/certs/ubuntu.domain.pem"
>         private_key="/etc/ssl/private/privkey.pem"
>     }

With NetworkManager, the 'identity' field is populated directly from the
Username widget.  The only thing that's missing here for NM is the
client-cert/private-key property usage with PEAP, which if this is
valid, could be added to NM fairly easily.

Dan

> 
> Connect the test client to port 16 (refer to section 1.) of the switch.
> 
> Type the following command, and get the following error:
> 
> ubuntu@ubuntu:~$ sudo wpa_supplicant -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf
> 
> Associated with 01:80:c2:00:00:03
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
> OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
> OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
> OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=NPS-DC.nps.itc'
> CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=NPS-DC.nps.itc'
> CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=NPS-DC.nps.itc'
> SSL: SSL3 alert: read (remote end reported an error):fatal:access denied
> OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> CTRL-EVENT-EAP-FAILURE EAP authentication failed
> 
> 
> At the NPS server, an error event is logged corresponding to the above command:
> 
> Network Policy Server denied access to a user.
> Contact the Network Policy Server administrator for more information.
> User:
>     Security ID:                    NULL SID
>     Account Name:                   nps.test/computers/ubuntu
>     Account Domain:                 NPS
>     Fully Qualified Account Name:   NPS\UBUNTU$
> Client Machine:
>     Security ID:                    NULL SID
>     Account Name:                   -
>     Fully Qualified Account Name:   -
>     OS-Version:                     -
>     Called Station Identifier:      00-1D-A1-94-55-90
>     Calling Station Identifier:     00-E0-4C-68-04-1D
> NAS:
>     NAS IPv4 Address:               192.168.1.66
>     NAS IPv6 Address:               -
>     NAS Identifier:                 -
>     NAS Port-Type:                  Ethernet
>     NAS Port:                       50016
> RADIUS Client:
>     Client Friendly Name:           switch
>     Client IP Address:              192.168.1.66
> Authentication Details:
>     Connection Request Policy Name: NAP 802.1X (Wired)
>     Network Policy Name:            -
>     Authentication Provider:        Windows
>     Authentication Server:          NPS-DC.nps.test
>     Authentication Type:            PEAP
>     EAP Type:                       -
>     Account Session Identifier:     -
>     Logging Results:                Accounting information was written to the local log file.
>     Reason Code:                    16
>     Reason:                         Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
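
Added example, not code from the post above or from the hostap project: a POSIX shell pre-flight script for the two files that the network block's client_cert= and private_key= point at. The OpenSSL backend of wpa_supplicant tries the DER and PEM encodings in turn when loading these files and reports the attempt that fails as "OpenSSL: pending error" lines, so the lines quoted above do not by themselves show that the files are bad; the handshake did get as far as the server certificate. The script answers the questions the log leaves open: what encoding each file is really in (PEM or DER certificate, PEM or DER key, a PKCS#7 chain that would first need unpacking, or none of these), whether the certificate and the key actually belong together, whether the key is passphrase-protected, and which subject, SAN and extended key usage the certificate carries, which is where to look when the goal is computer rather than user authentication. Only the openssl command is needed. The file paths and the self-signed pair produced by make_test_pair are constructed for the demonstration and are not the poster's files.

```sh
#!/bin/sh
# Added example; not code from the post above or from wpa_supplicant/hostap.
# Pre-flight checks for the files named by client_cert= and private_key= in
# wpa_supplicant.conf, using only the openssl command line tool.
# Usage (paths are assumptions, use your own):  sh preflight.sh CERT KEY
set -u

# Classify a file the way wpa_supplicant's OpenSSL loader will see it. It
# accepts a certificate and a private key in PEM or DER, and both in one PEM
# file (which is what `openssl req -x509 ... -keyout x -out x` produces).
# A PKCS#7 chain (the .p7b certsrv also offers) is not accepted as
# client_cert; unpack it first with `openssl pkcs7 -print_certs -in x.p7b`.
file_kind() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo pem-cert
    elif grep -q -- '-----BEGIN PKCS7-----' "$f"; then
        echo pkcs7
    elif grep -qE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$f"; then
        echo pem-key
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
        echo der-cert
    elif openssl pkey -inform DER -in "$f" -noout 2>/dev/null; then
        echo der-key
    else
        echo unknown
    fi
}

# Public key of a certificate (PEM or DER), printed as PEM SubjectPublicKeyInfo.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -pubkey
}

# Public key derived from a private key (PEM or DER).
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null ||
        openssl pkey -inform DER -in "$1" -pubout
}

# SHA-256 over the DER form of a PEM public key read from stdin, so that the
# certificate side and the key side can be compared as plain strings.
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the certificate was issued for this private key.
cert_key_match() {
    c=$(cert_pubkey "$1" 2>/dev/null) || return 1
    k=$(key_pubkey "$2" 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$c" | spki_digest)" = "$(printf '%s\n' "$k" | spki_digest)" ]
}

# True when the key file is passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE
# KEY" or a traditional "Proc-Type: 4,ENCRYPTED" header); wpa_supplicant then
# also needs private_key_passwd= in the network block.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# What the certificate says about its holder: subject, SAN and extended key
# usage. For computer (not user) authentication these should name the machine.
cert_identity() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null ||
           openssl x509 -inform DER -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -E 'Subject:' || true
    printf '%s\n' "$text" | grep -E -A1 'Subject Alternative Name|Extended Key Usage' || true
}

# Run every check; exit status 0 means wpa_supplicant can load the pair.
preflight() {
    cert=$1; key=$2; rc=0
    ck=$(file_kind "$cert"); kk=$(file_kind "$key")
    echo "client_cert=$cert : $ck"
    echo "private_key=$key : $kk"
    case $ck in
        pem-cert|der-cert) ;;
        pkcs7) echo "FAIL: client_cert is a PKCS#7 chain; extract the certificate first"; rc=1 ;;
        *) echo "FAIL: client_cert is neither a PEM nor a DER certificate"; rc=1 ;;
    esac
    case $kk in
        pem-key|der-key|pem-cert) ;;
        *) echo "FAIL: private_key is neither a PEM nor a DER private key"; rc=1 ;;
    esac
    [ $rc -eq 0 ] || return $rc
    if key_is_encrypted "$key"; then
        echo "NOTE: private key is encrypted; set private_key_passwd= as well"
    fi
    if cert_key_match "$cert" "$key"; then
        echo "OK: certificate and private key match"
    else
        echo "FAIL: the certificate's public key does not match the private key"; rc=1
    fi
    cert_identity "$cert"
    return $rc
}

# Constructed sample data: a self-signed pair standing in for the key and the
# certsrv-issued certificate, plus a DER copy of the certificate.
make_test_pair() {
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj '/CN=ubuntu.nps.test' \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}

if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as `sh preflight.sh /etc/ssl/certs/ubuntu.domain.pem /etc/ssl/private/privkey.pem` (as root, since the key is not world-readable) before starting wpa_supplicant; a non-zero exit means the files, not the RADIUS side, need attention, while a clean run followed by an "access denied" alert from the server points at the account mapping or policy on the NPS side instead.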
