Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb at candelatech.com
Fri Mar 20 11:00:00 EDT 2015


On 03/20/2015 05:51 AM, Jouni Malinen wrote:
> On Thu, Mar 19, 2015 at 05:58:21PM -0700, Ben Greear wrote:
>> I cannot seem to get a hostapd radius server to authenticate an OSEN connection.
>> I think it might be some issue with the hostapd-radius server, but not sure why.
>>
>> I have enabled CONFIG_EAP_UNAUTH_TLS=y in the wpa_supplicant and hostapd config files.
>> (This config option should be mentioned in the defconfig files?).
> 
> That vendor specific EAP method is not really described anywhere and I'm
> not sure whether I'd really want to promote it much at this point in
> time. Anyway, CONFIG_EAP_UNAUTH_TLS=y is not used with OSEN. The version
> of client-unauthenticated TLS for OSEN is selected for the build with
> CONFIG_HS20=y.
> 
>> "osen at lanforge.com"      WFA-UNAUTH-TLS
> 
> This is the EAP method from CONFIG_HS2=y (the unrelated
> CONFIG_EAP_UNAUTH_TLS=y is "UNAUTH-TLS").
> 
>> Here is the log.  Maybe the important bit is about not being able to find ssl ctxt?
> 
>> 1426812366.390087: RADIUS SRV: [0x0 127.0.0.1] EAP: EAP-Response/Identity 'osen at lanforge.com'
>> 1426812366.390101: EAP: getNextMethod: vendor 40808 type 13
>> 1426812366.390108: TLS context not initialized - cannot use TLS-based EAP method
>> 1426812366.390112: EAP-TLS: Failed to initialize SSL.
>> 1426812366.390118: EAP: Failed to initialize EAP method 254
> 
> Yes, this is the part that is failing. It looks like you have not
> configured the server certificate in hostapd configuration file and
> that leaves TLS uninitialized. For any TLS-based EAP methods, the server
> will need to have its private key, server certificate, and CA
> certificate(s) configured.


Ok, I updated the hostapd-radius config file to look like this:


interface=eth0#0
driver=wired
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
#ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/etc/hostapd.eap_user
server_id=ota-2.lanforge.com
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
radius_server_auth_port=1811
radius_server_clients=/etc/hostapd.radius_clients

ca_cert=/etc/raddb/certs/ca.pem
server_cert=/etc/raddb/certs/server.pem
private_key=/etc/raddb/certs/server.key
private_key_passwd=lanforge


I am generating those certs with this logic:

      # Build the new .pem files.
      my $rbase = "/etc/raddb/";
      do_cmd("cd $rbase/certs; make; cd -", 1);

      # Build client files.
      do_cmd("cd $rbase/certs; openssl req -new -config client.cnf -keyout client_key.pem -out client_req.pem; cd -");
      do_cmd("cd $rbase/certs; openssl ca -config ca.cnf -in client_req.pem -key lanforge -batch -out client_cert.pem; cd -");
      do_cmd("cd $rbase/certs; openssl pkcs12 -export -clcerts -in client_cert.pem -inkey client_key.pem -out client.p12 -passin pass:lanforge -passout pass:lanforge; cd -");

      # Copy client files to $home
      do_cmd("cd $rbase/certs; cp ca.pem client.p12 $home; cd -");


I have placed the /etc/raddb/certs/ca.pem from the hostapd-radius machine on the
supplicant station machine and I am using that file for the 'ca_cert' entry
in the wpa_supplicant config file.


It still does not work, but it gets farther and complains about the cert file from what
I can tell.  I assume I must be either generating keys incorrectly or using them incorrectly:

# From hostapd-radius logs:

.....
1426862605.113491: RADIUS SRV: Request for session 0x1
1426862605.113499: RADIUS SRV: Received EAP data - hexdump(len=20): 02 ab 00 14 fe 00 9f 68 00 00 00 0d 00 15 03 03 00 02 02 71
1426862605.113512: EAP: EAP entering state RECEIVED
1426862605.113518: EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=171 respMethod=254 respVendor=40808 respVendorMethod=13
1426862605.113526: EAP: EAP entering state INTEGRITY_CHECK
1426862605.113532: EAP: EAP entering state METHOD_RESPONSE
1426862605.113538: SSL: Received packet(len=20) - Flags 0x00
1426862605.113544: SSL: Received packet: Flags 0x0 Message Length 0
1426862605.113559: OpenSSL: RX ver=0x303 content_type=21
1426862605.113569: OpenSSL: Message - hexdump(len=2): [REMOVED]
1426862605.113577: SSL: (where=0x4004 ret=0x271)
1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response
1426862605.113595: SSL: (where=0x2002 ret=0x0)
1426862605.113602: SSL: SSL_accept:failed in SSLv3 read client certificate A
1426862605.113615: OpenSSL: openssl_handshake - SSL_connect error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response
1426862605.113626: SSL: 0 bytes pending from ssl_out
1426862605.113634: SSL: Failed - tls_out available to report error
1426862605.113640: EAP-TLS: CONTINUE -> FAILURE
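The EAP hexdump quoted in the hostapd-radius log above can be decoded to confirm where the failure originates. This is an added Python example, not part of the original thread or of hostapd: it walks the EAP header, the expanded vendor type (40808 / 13, the WFA-UNAUTH-TLS method seen in the log) and the EAP-TLS flags byte, then names the TLS alert carried in the payload. Alert 113 is bad_certificate_status_response (RFC 6066), sent by the supplicant when it rejects the certificate status (OCSP) data it got from the server, which is a different problem from the key and certificate paths in the hostapd configuration.

```python
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of TLS AlertDescription values (RFC 5246 7.2, RFC 6066 8)
TLS_ALERT_DESC = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    110: "unsupported_extension", 112: "unrecognized_name",
    113: "bad_certificate_status_response",
}

def parse_eap_tls_alert(hexdump: str) -> dict:
    """Decode an EAP expanded-type (254) EAP-TLS packet and, if the TLS
    payload is an alert record, name the alert. Raises ValueError when the
    bytes do not match the expected layout."""
    b = bytes.fromhex(hexdump)
    code, ident, length = struct.unpack("!BBH", b[:4])   # EAP header
    if length != len(b):
        raise ValueError(f"EAP length field {length} != {len(b)} bytes")
    out = {"code": EAP_CODE.get(code, code), "id": ident}
    if b[4] != 254:
        raise ValueError("not an expanded EAP type (254)")
    out["vendor"] = int.from_bytes(b[5:8], "big")        # SMI vendor id
    out["vendor_type"] = int.from_bytes(b[8:12], "big")  # vendor method
    flags = b[12]                                        # EAP-TLS L/M/S flags
    out["tls_flags"] = flags
    tls = b[13:]
    if flags & 0x80:          # L bit set: 4-byte TLS message length follows
        tls = tls[4:]
    if not tls:
        out["tls"] = "empty (ACK)"
        return out
    ctype, ver_major, ver_minor, rlen = struct.unpack("!BBBH", tls[:5])
    body = tls[5:5 + rlen]
    out["tls_version"] = f"{ver_major}.{ver_minor}"     # 3.3 == TLS 1.2
    if ctype == 21 and len(body) == 2:                  # content_type alert
        out["tls"] = (f"alert {TLS_ALERT_LEVEL.get(body[0], body[0])}:"
                      f"{TLS_ALERT_DESC.get(body[1], body[1])} ({body[1]})")
    else:
        out["tls"] = f"content_type {ctype}, {rlen} bytes"
    return out

# Hexdump copied from the hostapd-radius log quoted in this message.
OSEN_ALERT = "02 ab 00 14 fe 00 9f 68 00 00 00 0d 00 15 03 03 00 02 02 71"

if __name__ == "__main__":
    for k, v in parse_eap_tls_alert(OSEN_ALERT).items():
        print(f"{k}: {v}")
```

On the server side, hostapd.conf documents ocsp_stapling_response for supplying a cached DER-encoded OCSP response to a peer that asks for certificate status; a wpa_supplicant network configured with ocsp=2 requires a valid stapled response before it will accept the server certificate.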
