Query: auth server behaviour when presented with unknown user certs (EAP-TLS)

Soh Kam Yung sohkamyung
Thu Nov 27 18:11:10 PST 2008


On Thu, Nov 27, 2008 at 9:31 PM, Jouni Malinen <j at w1.fi> wrote:
> On Thu, Nov 27, 2008 at 05:22:02PM +0800, Soh Kam Yung wrote:
>
>> Suppose I have a device with two or more user certificates which are
>> used to join two or more different EAP-TLS networks.  When I am
>> requested to join an EAP-TLS network, I will try to join by passing the
>> user certificates one by one to the server using wpa_supplicant (i.e.
>> change the "private_key" and "private_key_password" parameters in each
>> join attempt) until it succeeds or until I run out of user
>> certificates.
>
> Ideally, this would be done by selecting the certificate based on which
> certificate the server used and what the server asked for in
> CertificateRequest..
>
> [...]

Jouni,

Could you provide some more details on how I can do this?

I have tried to join my test EAP-TLS network with the following configuration:

network={
	ssid="example"
	key_mgmt=WPA-EAP
	proto=WPA
	pairwise=TKIP
	group=TKIP
	eap=TLS
	identity="me"
	ca_cert="/etc/cert/ca.pem"
}

I left out:

	private_key="/etc/cert/user.p12"
	private_key_passwd="PKCS#12 passphrase"

When I enable it via wpa_cli, I keep getting:

[...]
<2>CTRL-EVENT-EAP-STARTED EAP authentication started
<2>EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<2>CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
[...]

If I put the private_key and private_key_passwd into the
configuration, it succeeds.

How do I get wpa_supplicant to request for the user certificate via
the control interface?

Regards,
Kam-Yung
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)
