wpa_supplicant using EAP-TTLS problem

Dan Williams dcbw
Tue Nov 13 07:18:42 PST 2007


On Tue, 2007-11-13 at 15:36 +0800, Yi-Yuan Wang wrote:
> Thanks for your teaching!
> I understand more and more about the keying.
>  
> I followed your guide from the last mail,
> combined server.pem and server.key into server-combined.pem,
> and then put it into /usr/local/etc/raddb/certs/.
> ca.pem is also placed in the right place.

If you want a really, really easy way to correctly create certificates
without going through all the stupid OpenSSL crap, grab:

http://cvs.fedora.redhat.com/viewcvs/extras-buildsys/utils/certhelper.py?root=fedora&rev=1.5&view=markup

With it, you don't need to care about directories that OpenSSL forces
certs into, you don't really need to care about the openssl config
options, and you don't need to care about demoCA or whatever.

Use it like:

./certhelper.py ca --outdir=. --name=my-ca

then for the radius server:

./certhelper.py normal --outdir=. --name=radius --cadir=. --caname=my-ca

and for each client:

./certhelper.py normal --outdir=. --name=client1 --cadir=. --caname=my-ca


Compare that to all the FreeRadius examples that require you to have
CA.pl or any of the FreeRADIUS scripts and to have to modify passwords
and whatnot.

Note that this script will _not_ encrypt your private key, so if you
want encrypted private keys you'll need to do the following later:

openssl rsa -in radius.pem -out radius-key.pem -des3

Then replace the key part in radius.pem with the contents of
radius-key.pem.

IMHO, a lot simpler than screwing around with all the shellscripts that
everything else tells you to get and modify.  Plus it doesn't put stuff
in the default OpenSSL directory format.

Dan

> What I set in eap.conf is:
> tls {
>     private_key_password = whatever
>     private_key_file = ${raddbdir}/certs/server-combined.pem
>     certificate_file = ${raddbdir}/certs/server-combined.pem
>     CA_file = ${raddbdir}/certs/demoCA/ca.pem
>     dh_file = ${raddbdir}/certs/dh
>     random_file = /dev/urandom
>     fragment_size = 1024
> }
>  
> After setup, I start radius with "radiusd -f -X"
> but it cannot work normally.
> The screen shows:
>  
> (above is eliminated)
> Module: Loaded eap
>  eap: default_eap_type = "ttls"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5 
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes 
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/usr/local/etc/raddb/certs/server-combined.pem"
>  tls: certificate_file = "(null)"
>  tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/ca.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/usr/local/etc/raddb/certs/dh" 
>  tls: random_file = "/dev/urandom"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
>  tls: cipher_list = "(null)"
>  tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: SSL error error:0200100E:system library:fopen:Bad address
> rlm_eap_tls: Error reading certificate file
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1960] Unknown module "eap".
> radiusd.conf[1907] Failed to parse authenticate section.
>  
> If I change the private_key_file and certificate_file back to the original
> file "cert-srv.pem",
> it works normally.
> For this reason,
> is there something I have to replace but have not yet?
> Or is something I set mismatched?
>  
>  
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
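Added example (not from the mail, and not part of certhelper.py): a small Python helper for the two file-splicing steps described above, building the combined key+certificate PEM that FreeRADIUS is pointed at, and later swapping the key block for the encrypted one produced by `openssl rsa -des3`. It refuses to splice in a key that is not encrypted, so the unencrypted key cannot slip back into the combined file by mistake. The PEM strings at the bottom are constructed placeholders, not real key material.

```python
import re

# One PEM block, including any RFC 1421 headers between the BEGIN line and
# the base64 body (openssl writes "Proc-Type: 4,ENCRYPTED" there for -des3 keys).
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def pem_blocks(text):
    """Return [(label, block_text), ...] for every PEM block found in text."""
    return [(m.group("label"), m.group(0)) for m in _PEM_BLOCK.finditer(text)]

def is_key_label(label):
    # Covers "RSA PRIVATE KEY", "PRIVATE KEY" and "ENCRYPTED PRIVATE KEY".
    return label.endswith("PRIVATE KEY")

def key_is_encrypted(block):
    """True for a legacy -des3 key (Proc-Type header) or a PKCS#8 encrypted key."""
    return block.startswith("-----BEGIN ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in block

def _single(blocks, what):
    if len(blocks) != 1:
        raise ValueError("expected exactly one %s, found %d" % (what, len(blocks)))
    return blocks[0]

def combine_pem(cert_pem, key_pem):
    """Build the key+certificate file FreeRADIUS reads for both private_key_file
    and certificate_file (server.key + server.pem -> server-combined.pem)."""
    key = _single([b for l, b in pem_blocks(key_pem) if is_key_label(l)], "private key")
    cert = _single([b for l, b in pem_blocks(cert_pem) if l == "CERTIFICATE"], "certificate")
    return key + "\n" + cert + "\n"

def replace_key(combined_pem, new_key_pem, require_encrypted=True):
    """Swap the private key block of a combined file for the one in new_key_pem
    (e.g. the output of 'openssl rsa -des3'), leaving the certificate untouched."""
    old = _single([b for l, b in pem_blocks(combined_pem) if is_key_label(l)], "private key")
    new = _single([b for l, b in pem_blocks(new_key_pem) if is_key_label(l)], "private key")
    if require_encrypted and not key_is_encrypted(new):
        raise ValueError("replacement key is not encrypted; refusing to write it")
    return combined_pem.replace(old, new, 1)

# Constructed sample PEM data (placeholder base64, not real key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholdercert\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderkey\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nplaceholderciphertext\n"
                  "-----END RSA PRIVATE KEY-----\n")
if __name__ == "__main__":
    combined = combine_pem(SAMPLE_CERT, SAMPLE_KEY)
    print(replace_key(combined, SAMPLE_ENC_KEY))
```

With real files, read server.pem and server.key into the two strings, write the result of `combine_pem` as server-combined.pem, and after running the `openssl rsa -des3` step feed that key file to `replace_key`.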
