Query: auth server behaviour when presented with unknown user certs (EAP-TLS)
Soh Kam Yung
sohkamyung
Thu Nov 27 18:11:10 PST 2008
On Thu, Nov 27, 2008 at 9:31 PM, Jouni Malinen <j at w1.fi> wrote:
> On Thu, Nov 27, 2008 at 05:22:02PM +0800, Soh Kam Yung wrote:
>
>> Suppose I have a device with two or more user certificates which are
>> used to join two or more different EAP-TLS networks. When I am
>> requested to join an EAP-TLS network, I will try to join by passing the
>> user certificates one by one to the server using wpa_supplicant (i.e.
>> change the "private_key" and "private_key_password" parameters in each
>> join attempt) until it succeeds or until I run out of user
>> certificates.
>
> Ideally, this would be done by selecting the certificate based on which
> certificate the server used and what the server asked for in
> CertificateRequest.
>
> [...]
Jouni,
Could you provide some more details on how I can do this?
I have tried to join my test EAP-TLS network with the following configuration:
network={
    ssid="example"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=TLS
    identity="me"
    ca_cert="/etc/cert/ca.pem"
}
I left out:
private_key="/etc/cert/user.p12"
private_key_passwd="PKCS#12 passphrase"
When I enable it via wpa_cli, I keep getting:
[...]
<2>CTRL-EVENT-EAP-STARTED EAP authentication started
<2>EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<2>CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
[...]
If I put the private_key and private_key_passwd into the
configuration, it succeeds.
How do I get wpa_supplicant to request the user certificate via
the control interface?
Regards,
Kam-Yung
--
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)
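The "one certificate per join attempt" loop described in the post, scripted against the wpa_cli control interface, as an added example that is not code from the post or from the hostap project. It sets private_key and private_key_passwd on an existing network block with `set_network`, enables the block, and polls `wpa_cli status` until wpa_state=COMPLETED or a timeout; it does not implement the approach Jouni's reply prefers (choosing the certificate from the server's certificate and CertificateRequest). The interface name, certificate paths, passphrases, timeouts and the FakeWpaCli stand-in are assumptions for illustration.

```python
"""Try candidate EAP-TLS client certificates in turn through wpa_cli.

Added example, not code from the original post or from the hostap project.
The interface name, certificate paths, passphrases and timeouts below are
assumptions for illustration.
"""
import subprocess
import time
from typing import Callable, List, Optional, Sequence, Tuple

Runner = Callable[[Sequence[str]], str]

# Constructed sample candidates (not real files). In practice read these from
# a root-only file rather than embedding passphrases in a script.
CANDIDATES: List[Tuple[str, str]] = [
    ("/etc/cert/user-office.p12", "office-pkcs12-passphrase"),
    ("/etc/cert/user-lab.p12", "lab-pkcs12-passphrase"),
]


def run_wpa_cli(args: Sequence[str], iface: str = "wlan0") -> str:
    """Run one real wpa_cli command against `iface` and return its stdout."""
    proc = subprocess.run(["wpa_cli", "-i", iface, *args],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def quoted(value: str) -> str:
    """wpa_supplicant string parameters are passed with literal double quotes,
    e.g.  set_network 0 private_key "/etc/cert/user.p12"  ."""
    return '"' + value + '"'


def parse_wpa_state(status_output: str) -> str:
    """Extract wpa_state from `wpa_cli status` output ('' if absent)."""
    for line in status_output.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key == "wpa_state":
            return val
    return ""


def attempt_join(net_id: int, key_path: str, passphrase: str, run: Runner,
                 timeout: float = 15.0, poll: float = 0.5,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """One join attempt with a single client certificate.

    Returns True once wpa_supplicant reports wpa_state=COMPLETED, False if a
    command replies FAIL or the attempt has not completed within `timeout`.
    """
    run(["disable_network", str(net_id)])          # drop any earlier attempt
    for var, val in (("private_key", key_path),
                     ("private_key_passwd", passphrase)):
        if "FAIL" in run(["set_network", str(net_id), var, quoted(val)]):
            return False
    if "FAIL" in run(["enable_network", str(net_id)]):
        return False
    for _ in range(max(1, int(timeout / poll))):
        if parse_wpa_state(run(["status"])) == "COMPLETED":
            return True
        sleep(poll)
    return False


def try_certificates(net_id: int, candidates: Sequence[Tuple[str, str]],
                     run: Runner = run_wpa_cli, **kw) -> Optional[str]:
    """Return the path of the first certificate that joined, else None."""
    for key_path, passphrase in candidates:
        if attempt_join(net_id, key_path, passphrase, run, **kw):
            return key_path
    run(["disable_network", str(net_id)])          # nothing worked; stay off
    return None


class FakeWpaCli:
    """Offline stand-in for wpa_cli (an assumption for demonstration): reports
    COMPLETED only once the network block carries `good_key`, mimicking an
    authentication server that accepts just that certificate."""

    def __init__(self, good_key: str) -> None:
        self.good_key = quoted(good_key)
        self.current_key = ""
        self.calls: List[List[str]] = []

    def __call__(self, args: Sequence[str]) -> str:
        self.calls.append(list(args))
        if args[0] == "set_network" and args[2] == "private_key":
            self.current_key = args[3]
        if args[0] == "status":
            ok = self.current_key == self.good_key
            return "wpa_state=%s\n" % ("COMPLETED" if ok else "DISCONNECTED")
        return "OK\n"


if __name__ == "__main__":
    fake = FakeWpaCli(good_key="/etc/cert/user-lab.p12")
    print(try_certificates(0, CANDIDATES, run=fake, sleep=lambda s: None))
```

Two practical notes: each `set_network ... private_key_passwd` call puts the passphrase on a wpa_cli command line, where other local users can read it from the process list for as long as the command runs, so keep the candidate list in a file readable only by the account driving the loop; and because wpa_supplicant keeps retrying association after an EAP failure, the script relies on a timeout rather than on the CTRL-EVENT-EAP-FAILURE event to decide that a certificate was rejected.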