wpa_supplicant + hostapd + RADIUS --> NO WPA/RSN IE
Andrea G Forte
andreaf
Mon Feb 6 16:21:20 PST 2006
Yes, it was indeed the firmware.
Now everything seems to work with RADIUS. However there seems to be a
small bug in the wpa_supplicant or perhaps it is done on purpose for
some reason.
The "error" I get is:
EAP: initialize selected EAP method (13, TLS)
TLS: Trusted root certificate(s) loaded
*OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:140CB07C:SSL routines:SSL_use_PrivateKey_file:bad ssl filetype*
*OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM) failed error:0906D06C:PEM routines:PEM_read_bio:no start line*
*OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib*
TLS: Successfully parsed PKCS12 file '/root/wireless/radius/freeradius-1.0.0-pre2/scripts/cert-clt.p12'
TLS: Got certificate from PKCS12: subject='/C=US/ST=New York/L=Brooklyn/O=Columbia/CN=andrea/emailAddress=andreaf at cs.columbia.edu'
TLS: Got private key from PKCS12
OpenSSL: Reading PKCS#12 file --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
It seems that even though I have set the cert-clt.p12 file in the wpa
config file, the application still tells openssl to look for .der and
.pem files, and only *after* that does it look in the correct file
(p12). Shouldn't it be the opposite? Shouldn't wpa_supplicant tell it to
check the p12 file first, as specified in the config file, and if it
does not find it, then look in the other files?
The relevant part of my config file is as follows:
# private_key: File path to client private key file (PEM/DER/PFX)
# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
# commented out. Both the private key and certificate will be read from
# the PKCS#12 file in this case.
network={
    ssid="test"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    auth_alg=OPEN
    eap=TLS
    identity="andrea"
    ca_cert="/root/wireless/radius/freeradius-1.0.0-pre2/scripts/demoCA/cacert.pem"
    private_key="/root/wireless/radius/freeradius-1.0.0-pre2/scripts/cert-clt.p12"
    private_key_passwd="whatever"
    priority=5
}
Thank you,
Andrea
Jar wrote:
> Andrea G Forte wrote:
>
>> Any idea on what the problem might be? Do I need to update the firmware?
>
>
> Yes, I think so; you will need at least station firmware 1.7.0. But
> a good choice would be to update to v1.1.1 (primary) and v1.7.4 (secondary).
>
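Added example, not part of the original message and not wpa_supplicant code: a small triage script for debug output like the log quoted above, which separates DER/PEM attempts that were followed by a successful key load from attempts where no format worked. The sample log, the placeholder path, the verdict names and the rule that a missing success line means failure are assumptions made for this example.

```python
import re

# Constructed sample modelled on the debug output quoted in the message above
# (lines left wrapped as in the mail; the path is a placeholder). The second
# attempt is a constructed failure case in which no format succeeds.
SAMPLE_LOG = """\
EAP: initialize selected EAP method (13, TLS)
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER)
failed error:140CB07C:SSL routines:SSL_use_PrivateKey_file:bad ssl filetype
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM)
failed error:0906D06C:PEM routines:PEM_read_bio:no start line
TLS: Successfully parsed PKCS12 file '/path/to/cert-clt.p12'
TLS: Got private key from PKCS12
SSL: Private key loaded successfully
EAP: initialize selected EAP method (13, TLS)
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER)
failed error:140CB07C:SSL routines:SSL_use_PrivateKey_file:bad ssl filetype
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM)
failed error:0906D06C:PEM routines:PEM_read_bio:no start line
"""

SESSION = "EAP: initialize selected EAP method"
PROBE = re.compile(r"SSL_use_PrivateKey_File \((DER|PEM)\) failed error:([0-9A-F]{8})")
LOADED = "Private key loaded successfully"
PKCS12 = "Got private key from PKCS12"

def triage_key_load(log_text):
    """One verdict per EAP method start; no success line is assumed to mean failure."""
    flat = " ".join(log_text.split())          # undo mail/terminal line wrapping
    results = []
    for session in flat.split(SESSION)[1:]:    # text before the first marker is ignored
        end = session.find(LOADED)
        scope = session if end < 0 else session[:end]
        probes = [(m.group(1), m.group(2)) for m in PROBE.finditer(scope)]
        if end < 0:
            verdict = "key-load-failed" if probes else "no-key-activity"
        else:
            verdict = "loaded-after-fallback" if probes else "loaded"
        results.append({
            "verdict": verdict,
            "failed_formats": [fmt for fmt, _ in probes],
            "error_codes": [code for _, code in probes],
            "from_pkcs12": end >= 0 and PKCS12 in scope,
        })
    return results

if __name__ == "__main__":
    for n, result in enumerate(triage_key_load(SAMPLE_LOG), 1):
        print(n, result)
```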