<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
I have been trying to establish a wireless connection between two laptops, each running Linux kernel 2.6.28:<br>
 General setup:<br>
 one has a Prism2.5 radio at firmware level 1.7.4 and I run hostapd 0.6.9 with hostap kernel driver<br>
 one has an iwl4965 (iwlagn) radio and I run wpa_supplicant 0.6.9 with wext kernel driver<br>
 All pieces individually do work, and in particular I have previously successfully established a connection using this hardware and software but with WPA-PSK.<br>
 What I want to do:<br>
 establish a wireless connection using WPA protocol with WPA-EAP, EAP-TLS, TKIP encryption<br>
 I have openssl-0.9.8k at each end<br>
 my wpa_supplicant.conf:<br>
 ( ??? indicates I don't know about these and have tried with them in and commented out )<br>
<br>
update_config=1<br>
ctrl_interface=/var/run/wpa_supplicant<br>
ctrl_interface_group=0<br>
eapol_version=2<br>
ap_scan=1<br>
fast_reauth=1<br>
<br>
network={<br>
 ssid="[**]"<br>
 scan_ssid=1 <br>
 key_mgmt= WPA-EAP IEEE8021X<br>
 pairwise=TKIP<br>
 group=TKIP<br>
 eap=TLS<br>
??? ca_cert="/etc/ssl/certs/wireless_cert.pem"<br>
??? ca_path="/etc/ssl/certs"<br>
??? client_cert="/etc/ssl/certs/wireless_cert.pem"<br>
??? private_key="/etc/ssl/certs/privkey.pem"<br>
??? private_key_passwd="[hidden]"<br>
 phase2="auth=MSCHAPV2"<br>
 identity="test"<br>
 password="password"<br>
 }<br>
<br>
hostapd.conf is too big to include and may be less critical, but there is similar uncertainty over the SSL certificate parts<br>
<br>
I generated my keys and certificates using a scheme like<br>
openssl dsaparam -out /etc/ssl/certs/wireless.dsaparam 128<br>
echo "${private_key_passwd}" | openssl gendsa -out /etc/ssl/certs/privkey.pem /etc/ssl/certs/wireless.dsaparam<br>
openssl req -new -x509 -key /etc/ssl/certs/privkey.pem -out /etc/ssl/certs/wireless_cert.pem -days 1095<br>
<br>
<br>
<br>
I have tried all kinds of variations but nothing works.
<br> wpa_supplicant log shows an endless loop of<br> DISCONNECTED -> SCANNING<br> SCANNING -> ASSOCIATING<br> ASSOCIATING -> ASSOCIATED<br> ASSOCIATED -> DISCONNECTED<br> DISCONNECTED -> SCANNING<br> ...<br><br>and hostapd log shows everything going fine until all of a sudden it says<br>wlan0: STA 00:1d:e0:0c:48:59 IEEE 802.1X: unauthorizing port<br><br>I am sure the failure is caused by incorrect ssl / TLS setup but after reading<br>many documents and hints I am hopelessly confused as to :<br> 1. what ssl certificate / key files are REQUIRED? (at each end)<br> 2. what correspondence (things that must match) is REQUIRED between the files at each end?<br> 3. how should / could these files be generated?<br><br>NB I do NOT want to have to send my certificates to some external CA authority - it has to work using all my own resources and code. If it is impossible to do this using EAP-TLS, then please tell me that and is there some other EAP method I could use that still uses WPA-EAP protocol?<br><br><br>Could anyone please show me a working example of a pair of hostapd / wpa_supplicant setup including<br>wpa_supplicant.conf that authenticates to the hostapd using WPA-EAP with EAP-TLS (or if impossible as per previous paragraph - EAP-other ),<br>and if possible answer my questions 1-3? I would be very grateful ...<br><br><br>John Lumby<br></body>
</html>