working example of wpa_supplicant to hostapd setup that authenticates using WPA-EAP with EAP-TLS ???
John Lumby
johnlumby
Mon Oct 26 18:45:16 PDT 2009
I have been trying to establish a wireless connection between two laptops, each running Linux kernel 2.6.28.

General setup:
  one has a Prism2.5 radio at firmware level 1.7.4, and I run hostapd 0.6.9 with the hostap kernel driver
  one has an iwl4965 (iwlagn) radio, and I run wpa_supplicant 0.6.9 with the wext kernel driver

All pieces individually do work, and in particular I have previously
successfully established a connection using this hardware and software but with WPA-PSK.
What I want to do:
establish a wireless connection using WPA protocol with WPA-EAP, EAP-TLS, TKIP encryption
I have openssl-0.9.8k at each end
my wpa_supplicant.conf:
( ??? indicates I don't know about these and have tried with them in and commented out )

update_config=1
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=2
ap_scan=1
fast_reauth=1
network={
    ssid="[**]"
    scan_ssid=1
    key_mgmt= WPA-EAP IEEE8021X
    pairwise=TKIP
    group=TKIP
    eap=TLS
    ??? ca_cert="/etc/ssl/certs/wireless_cert.pem"
    ??? ca_path="/etc/ssl/certs"
    ??? client_cert="/etc/ssl/certs/wireless_cert.pem"
    ??? private_key="/etc/ssl/certs/privkey.pem"
    ??? private_key_passwd="[hidden]"
    phase2="auth=MSCHAPV2"
    identity="test"
    password="password"
}

hostapd.conf is too big to include and may be less critical, but there is similar uncertainty over the SSL certificate parts.

I generated my keys and certificates using a scheme like:

    openssl dsaparam -out /etc/ssl/certs/wireless.dsaparam 128
    echo "${private_key_passwd}" | openssl gendsa -out /etc/ssl/certs/privkey.pem /etc/ssl/certs/wireless.dsaparam
    openssl req -new -x509 -key /etc/ssl/certs/privkey.pem -out /etc/ssl/certs/wireless_cert.pem -days 1095

I have tried all kinds of variations but nothing works.
wpa_supplicant log shows an endless loop of

    DISCONNECTED -> SCANNING
    SCANNING -> ASSOCIATING
    ASSOCIATING -> ASSOCIATED
    ASSOCIATED -> DISCONNECTED
    DISCONNECTED -> SCANNING
    ...

and hostapd log shows everything going fine until all of a sudden it says

    wlan0: STA 00:1d:e0:0c:48:59 IEEE 802.1X: unauthorizing port

I am sure the failure is caused by incorrect SSL / TLS setup, but after reading
many documents and hints I am hopelessly confused as to:

1. what SSL certificate / key files are REQUIRED? (at each end)
2. what correspondence (things that must match) is REQUIRED between the files at each end?
3. how should / could these files be generated?

NB I do NOT want to have to send my certificates to some external CA authority - it has to work using all my own resources and code. If it is impossible to do this using EAP-TLS, then please tell me that, and is there some other EAP method I could use that still uses the WPA-EAP protocol?

Could anyone please show me a working example of a pair of hostapd / wpa_supplicant setups, including a
wpa_supplicant.conf that authenticates to the hostapd using WPA-EAP with EAP-TLS (or, if impossible as per the previous paragraph, EAP-other),
and if possible answer my questions 1-3? I would be very grateful ...

John Lumby
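
An added example, not part of the original post and not code from the hostapd project: one way to build the certificates for EAP-TLS entirely locally is a private CA that signs one certificate per endpoint, after which each certificate is checked against the CA and against its own key. The directory, file names, subject names and the RSA-2048 / SHA-256 choices are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus one CA-signed certificate per EAP-TLS endpoint.
# Directory, file names, subject names, RSA-2048 and SHA-256 are assumptions.
# Keys are written unencrypted (-nodes) so the script runs non-interactively;
# restrict their file permissions or add a passphrase before real use.

make_eap_tls_pki() {   # $1 = output directory
    dir=$1; serial=1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Self-signed root: ca.key never leaves this machine, ca.pem goes to both ends.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "/CN=Example Wireless CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    for role in server client; do
        # Each endpoint gets its own key pair and a certificate signed by the CA.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=example-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$role.csr" -sha256 -days 1095 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -set_serial "$serial" \
            -out "$dir/$role.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
}

check_pair() {   # $1 = CA certificate, $2 = endpoint certificate, $3 = endpoint key
    # The certificate must chain to the CA the other end is configured to trust...
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # ...and must carry the public half of the private key installed beside it.
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

# Where the files go (configuration keys of hostapd and wpa_supplicant):
#   hostapd.conf:        ca_cert=ca.pem  server_cert=server.pem  private_key=server.key
#   wpa_supplicant.conf: ca_cert="ca.pem" client_cert="client.pem" private_key="client.key"
if [ $# -eq 1 ]; then
    make_eap_tls_pki "$1" &&
        check_pair "$1/ca.pem" "$1/server.pem" "$1/server.key" &&
        check_pair "$1/ca.pem" "$1/client.pem" "$1/client.key" &&
        echo "PKI in $1 is consistent"
fi
```

Run with a single argument naming the output directory; `check_pair` can also be pointed at existing files to test whether a certificate, key and CA file belong together.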