Problems with EAP-TTLS/EAP-TLS - One Step further
Fri Oct 31 03:28:11 PDT 2008
Jouni Malinen wrote:
> On Thu, Oct 30, 2008 at 03:11:39PM +0100, Carolin Latze wrote:
>> meanwhile I tried several things and didn't succeed but I have an idea
>> what's going wrong. It seems that the wpa_supplicant only takes the
>> engine for the outer authentication. Is that possible?
> Yes, that is quite possible. I have not tested using OpenSSL engine in
> phase 2.
OK... I will go on debugging once I get it running without an engine. If
you have some hints on where to start, I would be happy (otherwise I will
start grepping through the code). At the moment I am still working with
wpa_supplicant 0.5.9 since I integrated the TPM engine into that version
and 0.6 brought a lot of changes. It seems I have to reimplement my
integration in version 0.6. So if there is no strong need to change the
version, I would prefer to postpone it.
>> Therefore my question: On the wpa_supplicant homepage I saw that
>> EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place where
>> to download the test configurations? That would be very helpful for me!
>> I want to try to use EAP-TTLS/EAP-TLS without engine for a first test
>> (take out the complexity in order to understand it :)). I tried it with:
> This worked when I last tested it, but I've only tested without an
> engine, and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
> of a problem case, so you may need to update FreeRADIUS unless you are
> using the latest release.
Is that a problem with FreeRADIUS? As I wrote, I also do not use the
newest wpa_supplicant. But anyhow, I upgraded FreeRADIUS to version
2.1.1. I also tried it with the latest version from git (2.1.2). But I
still get the same error. I attached the complete log to this mail.
> I would recommend including ca_cert2 here, too, so that wpa_supplicant
> will verify the server certificate in phase 2 should the server be using a
> different key in phase 1 and 2 (not really a very likely case, but
> anyway, it is good to validate certificates both in phase 1 and 2).
Ok, changed that.
Research Assistant
Department of Computer Science
Boulevard de Pérolles 90
CH-1700 Fribourg
phone: +41 26 300 83 30

ICT Engineer
Swisscom Strategy and Innovation
Ostermundigenstrasse 93
CH-3006 Bern
+41 79 72 965 27
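An added example (not a configuration from this thread or from the hostap project) of the wpa_supplicant network block the discussion above is about: EAP-TTLS with EAP-TLS as the inner method, first without phase 2 server verification, then with ca_cert2 as Jouni recommends. The SSID, identities and certificate paths are placeholders.

```conf
# Added example; SSID, identities and paths are placeholders.

# Weak: the outer TLS tunnel is verified against ca_cert, but the
# server certificate presented inside the tunnel (phase 2 EAP-TLS)
# is accepted without any CA check.
network={
    ssid="example-eap"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=TLS"
    client_cert2="/etc/cert/user.pem"
    private_key2="/etc/cert/user.key"
    private_key2_passwd="PASSPHRASE"
}

# Corrected: ca_cert2 makes wpa_supplicant validate the phase 2
# server certificate as well, so a server using a different key
# in phase 1 and phase 2 is still checked against a trusted CA.
network={
    ssid="example-eap"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=TLS"
    ca_cert2="/etc/cert/ca.pem"
    client_cert2="/etc/cert/user.pem"
    private_key2="/etc/cert/user.key"
    private_key2_passwd="PASSPHRASE"
}
```

The client_cert2/private_key2 pair is what the inner EAP-TLS method uses; the outer phase 1 client credentials (client_cert/private_key, or the engine settings) are separate, which is why an engine configured for phase 1 only does not cover phase 2.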