EAP-TLS problems with RHEL 5.3
Dan Williams
dcbw
Tue Mar 10 14:44:31 PDT 2009
On Tue, 2009-03-10 at 10:10 -0700, jim.sifferle at tektronix.com wrote:
> Hello,
>
>
>
> I am having problems getting Redhat Enterprise Linux 5.3 working using
> our EAP-TLS corporate WLAN. I am using the following:
>
>
>
> - RHEL 5.3, default "2.6.18-128.el5" kernel, rtl8187 kernel module (RH
> backported rtl8187+mac80211 from 2.6.25 / 2.6.26)
>
> - Netgear WG111 v2 USB wireless adapter
>
> - wpa_supplicant 0.5.10-8 (default RHEL 5.3 package)
>
> - dhclient 3.0.5 (default RHEL 5.3 package)
>
>
>
> - Cisco 1240AG A/B/G access points, IOS 12.3(8)JEA
>
> - x3 active ESSIDs (LEAP+CKIP-CMIC, EAP-TLS+TKIP/AES_CCM, Open,
> non-encrypted)
>
> - MS Windows Server 2K3 / IAS RADIUS server
>
>
>
> I cannot reliably associate to our APs. I have successfully
> associated 3-4 times, however most of the time wpa_supplicant cycles
> from SCANNING to ASSOCIATING to DISCONNECTED. The few times I have

This mostly sounds like a driver problem. If you don't even get to
ASSOCIATED, then you won't get anywhere near the EAP-TLS part of the
process. You can file a bugzilla against the kernel package for your
bug, and please include the output of a wpa_supplicant run with "-dddt"
logging options. If you have a support contract with Red Hat, you can
also contact your support representative who will push the issue up the
chain as well. More noise == good.

Dan

> successfully associated, I have been able to obtain a DHCP IP and was
> active on the network. I have verified my client certificate and CA
> path using "openssl verify -CAfile ca.pem user.pem". I know the APs
> all are working. Windows XP/Vista clients can associate to our
> EAP-TLS ESSID using the Microsoft or Intel supplicants. Using RHEL, I
> can associate to our open, non-secure Guest wireless ESSID without a
> problem, so I know the kmod is working.
>
>
>
> Here is the debug from a failed association:
> http://www.sifferle.net/EAP-TLS%20not%20associated.txt
>
>
>
> Here is the debug from a successful association:
> http://www.sifferle.net/EAP-TLS%20associated.txt
>
>
>
> Here is my wpa_supplicant.conf:
>
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
>
> network={
>     ssid="SSID"
>     proto=WPA RSN
>     key_mgmt=WPA-EAP
>     pairwise=CCMP TKIP
>     group=CCMP TKIP
>     eap=TLS
>     identity="user at domain.com"
>     ca_cert="/etc/cert/ca.pem"
>     client_cert="/etc/cert/user.pem"
>     private_key="/etc/cert/user.prv"
>     private_key_passwd="password"
> }
>
>
>
> Any help would be greatly appreciated.
>
>
>
> Thanks,
>
>
>
> Jim Sifferle
>
> Danaher T&M / Tektronix Network Services
>
> Work: 503-627-5364
>
> Mobile: 503-860-5558
>
> Jim.sifferle at tektronix.com
>
>
>
>
>
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
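
The triage rule from the reply above (an attempt that never reaches ASSOCIATED fails before EAP-TLS can start) can be applied to a "-dddt" log mechanically. The following is an added example, not part of the original thread: it assumes the debug log records state changes as "State: OLD -> NEW" lines with the "-t" timestamp prefix, the function names are hypothetical, and the sample log is constructed.

```python
import re
from collections import Counter

# Assumed log format: "State: OLD -> NEW", optionally prefixed by the
# "<sec>.<usec>: " timestamp that the -t option adds.
STATE_RE = re.compile(r"^(?:(\d+\.\d+): )?State: (\S+) -> (\S+)$")

# How far an attempt got: 0 = never associated, 1 = associated, 2 = completed.
RANK = {"ASSOCIATED": 1, "4WAY_HANDSHAKE": 1, "GROUP_HANDSHAKE": 1, "COMPLETED": 2}
LABELS = ("pre-association", "post-association", "completed")

def classify_attempts(log_text):
    """Return one (start_timestamp, label) pair per association attempt."""
    attempts = []  # each entry: [timestamp, highest rank reached]
    for line in log_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # not a state-change line
        ts, _old, new = m.groups()
        if new == "ASSOCIATING":
            attempts.append([ts, 0])  # a new attempt starts here
        elif attempts:
            attempts[-1][1] = max(attempts[-1][1], RANK.get(new, 0))
    return [(ts, LABELS[rank]) for ts, rank in attempts]

def summarize(log_text):
    """Count attempts per outcome; mostly pre-association points at driver/AP."""
    return Counter(label for _ts, label in classify_attempts(log_text))

# Constructed sample log (not taken from the linked debug files).
SAMPLE_LOG = """\
1236711001.100000: State: DISCONNECTED -> SCANNING
1236711003.200000: State: SCANNING -> ASSOCIATING
1236711013.300000: Authentication with 02:00:00:00:00:01 timed out.
1236711013.300500: State: ASSOCIATING -> DISCONNECTED
1236711015.400000: State: SCANNING -> ASSOCIATING
1236711015.900000: State: ASSOCIATING -> ASSOCIATED
1236711016.500000: State: ASSOCIATED -> 4WAY_HANDSHAKE
1236711016.600000: State: 4WAY_HANDSHAKE -> GROUP_HANDSHAKE
1236711016.700000: State: GROUP_HANDSHAKE -> COMPLETED
1236711050.000000: State: COMPLETED -> DISCONNECTED
1236711052.000000: State: SCANNING -> ASSOCIATING
1236711052.500000: State: ASSOCIATING -> ASSOCIATED
1236711055.000000: State: ASSOCIATED -> DISCONNECTED
"""

if __name__ == "__main__":
    for ts, label in classify_attempts(SAMPLE_LOG):
        print(ts, label)
    print(dict(summarize(SAMPLE_LOG)))
```

Attempts labelled "pre-association" never got as far as 802.1X, so certificate and EAP settings are not yet in play for them; "post-association" failures are the ones worth checking against the RADIUS server and the certificate configuration.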