Cannot get hostapd radius to authenticate OSEN connection.

Ben Greear greearb
Fri Mar 20 10:24:56 PDT 2015 

I re-built my keys using a combination of these two pages:

http://pigeonsnest.co.uk/stuff/eap-tls.html
http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

I verified that 'openssl verify' return OK:

[root at ben-ota-2 lanforge]# openssl verify -CAfile local/hs20/AS/Key-OSEN/ca.pem local/hs20/AS/Key-OSEN/server-cert.pem local/hs20/AS/Key-OSEN/client-cert.pem
local/hs20/AS/Key-OSEN/server-cert.pem: OK
local/hs20/AS/Key-OSEN/client-cert.pem: C = US, ST = WA, L = Ferndale, O = Candela Technologies Inc., emailAddress = support at candelatech.com, CN = Candela - CLIENT
error 18 at 0 depth lookup:self signed certificate
OK
[root at ben-ota-2 lanforge]# echo $?
0


It still did not work.

Then, after grubbing around in open-ssl document, I realized it was the OCSP
logic that was failing.

I removed the 'ocsp=2' from the wpa_supplicant config file and then
it connected!

I am wondering if OCSP is even supposed to work with self-signed certs?  Or maybe
that warning/error about the client cert is a real issue?

Thanks,
Ben


On 03/20/2015 08:00 AM, Ben Greear wrote:
> On 03/20/2015 05:51 AM, Jouni Malinen wrote:
>> On Thu, Mar 19, 2015 at 05:58:21PM -0700, Ben Greear wrote:
>>> I cannot seem to get a hostapd radius server to authenticate an OSEN connection.
>>> I think it might be some issue with the hostapd-radius server, but not sure why.
>>>
>>> I have enabled CONFIG_EAP_UNAUTH_TLS=y in the wpa_supplicant and hostapd config files.
>>> (This config option should be mentioned in the defconfig files?).
>>
>> That vendor specific EAP method is not really described anywhere and I'm
>> not sure whether I'd really want to promote it much at this point in
>> time. Anyway, CONFIG_EAP_UNAUTH_TLS=y is not used with OSEN. The version
>> of client-unauthenticated TLS for OSEN is selected for the build with
>> CONFIG_HS20=y.
>>
>>> "osen at lanforge.com"      WFA-UNAUTH-TLS
>>
>> This is the EAP method from CONFIG_HS2=y (the unrelated
>> CONFIG_EAP_UNAUTH_TLS=y is "UNAUTH-TLS").
>>
>>> Here is log.  Maybe the important bit is about not being able to find ssl ctxt?
>>
>>> 1426812366.390087: RADIUS SRV: [0x0 127.0.0.1] EAP: EAP-Response/Identity 'osen at lanforge.com'
>>> 1426812366.390101: EAP: getNextMethod: vendor 40808 type 13
>>> 1426812366.390108: TLS context not initialized - cannot use TLS-based EAP method
>>> 1426812366.390112: EAP-TLS: Failed to initialize SSL.
>>> 1426812366.390118: EAP: Failed to initialize EAP method 254
>>
>> Yes, this is the part that is failing.. It looks like you have not
>> configured the server certificate in hostapd configuration file and
>> that leaves TLS uninitialized. For any TLS-based EAP methods, the server
>> will need to have its private key, server certificate, and CA
>> certificate(s) configured.
> 
> 
> Ok, I updated the hostapd-radius config file to look like this:
> 
> 
> interface=eth0#0
> driver=wired
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> ctrl_interface=/var/run/hostapd
> ctrl_interface_group=0
> #ieee8021x=1
> eapol_key_index_workaround=0
> eap_server=1
> eap_user_file=/etc/hostapd.eap_user
> server_id=ota-2.lanforge.com
> eap_sim_db=unix:/tmp/hlr_auc_gw.sock
> radius_server_auth_port=1811
> radius_server_clients=/etc/hostapd.radius_clients
> 
> ca_cert=/etc/raddb/certs/ca.pem
> server_cert=/etc/raddb/certs/server.pem
> private_key=/etc/raddb/certs/server.key
> private_key_passwd=lanforge
> 
> 
> I am generating those certs with this logic:
> 
>       # Build the new .pem files.
>       my $rbase = "/etc/raddb/";
>       do_cmd("cd $rbase/certs; make; cd -", 1);
> 
>       # Build client files.
>       do_cmd("cd $rbase/certs; openssl req -new -config client.cnf -keyout client_key.pem -out client_req.pem; cd -");
>       do_cmd("cd $rbase/certs; openssl ca -config ca.cnf -in client_req.pem -key lanforge -batch -out client_cert.pem; cd -");
>       do_cmd("cd $rbase/certs; openssl pkcs12 -export -clcerts -in client_cert.pem -inkey client_key.pem -out client.p12 -passin pass:lanforge -passout
> pass:lanforge; cd -");
> 
>       # Copy client files to $home
>       do_cmd("cd $rbase/certs; cp ca.pem client.p12 $home; cd -");
> 
> 
> I have placed the /etc/raddb/certs/ca.pem from the hostapd-radius machine on the
> supplicant station machine and I am using that file for the 'ca_cert' entry
> in the wpa_supplicant config file.
> 
> 
> It still does not work, but it gets farther and complains about the cert file from what
> I can tell.  I assume I must be either generating keys incorrectly or using them incorrectly:
> 
> # From hostapd-radius logs:
> 
> .....
> 1426862605.113491: RADIUS SRV: Request for session 0x1
> 1426862605.113499: RADIUS SRV: Received EAP data - hexdump(len=20): 02 ab 00 14 fe 00 9f 68 00 00 00 0d 00 15 03 03 00 02 02 71
> 1426862605.113512: EAP: EAP entering state RECEIVED
> 1426862605.113518: EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=171 respMethod=254 respVendor=40808 respVendorMethod=13
> 1426862605.113526: EAP: EAP entering state INTEGRITY_CHECK
> 1426862605.113532: EAP: EAP entering state METHOD_RESPONSE
> 1426862605.113538: SSL: Received packet(len=20) - Flags 0x00
> 1426862605.113544: SSL: Received packet: Flags 0x0 Message Length 0
> 1426862605.113559: OpenSSL: RX ver=0x303 content_type=21
> 1426862605.113569: OpenSSL: Message - hexdump(len=2): [REMOVED]
> 1426862605.113577: SSL: (where=0x4004 ret=0x271)
> 1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response
> 1426862605.113595: SSL: (where=0x2002 ret=0x0)
> 1426862605.113602: SSL: SSL_accept:failed in SSLv3 read client certificate A
> 1426862605.113615: OpenSSL: openssl_handshake - SSL_connect error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response
> 1426862605.113626: SSL: 0 bytes pending from ssl_out
> 1426862605.113634: SSL: Failed - tls_out available to report error
> 1426862605.113640: EAP-TLS: CONTINUE -> FAILURE
> 
> 
> From station's wpa-supplicant logs:
> 1426861931.857045: wlan1: CTRL-EVENT-SSID-REENABLED id=0 ssid="ota-9k-osen"
> 1426861931.857403: wlan1: WPA: Driver used disabled key management 0x0 (mask 0x8000) - reject
> 1426861931.857446: wlan1: SME: Trying to authenticate with 00:0e:8e:2b:e5:96 (SSID='ota-9k-osen' freq=2412 MHz)
> 1426861931.874613: wlan1: Trying to associate with 00:0e:8e:2b:e5:96 (SSID='ota-9k-osen' freq=2412 MHz)
> 1426861931.883762: wlan1: Associated with 00:0e:8e:2b:e5:96
> 1426861931.891084: wlan1: CTRL-EVENT-EAP-STARTED EAP authentication started
> 1426861931.898734: wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=40808 method=13
> 1426861931.899029: wlan1: CTRL-EVENT-EAP-METHOD EAP vendor 40808 method 13 (WFA-UNAUTH-TLS) selected
> 1426861931.917345: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate status response
> 1426861931.917380: OpenSSL: openssl_handshake - SSL_connect error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:serverhello tlsext
> 1426861931.922043: wlan1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> 1426861931.941605: wlan1: CTRL-EVENT-DISCONNECTED bssid=00:0e:8e:2b:e5:96 reason=23
> 1426861931.941637: wlan1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="ota-9k-osen" auth_failures=3 duration=59 reason=AUTH_FAILED
> 1426861931.944220: wlan1: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
> 1426861931.946726: wlan1: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
> 
> 
> Any hints as to what I might be doing wrong?
> 
> 
> I promise to write this all up and publish it somewhere when I have it working
> so that the next person to try this will hopefully have an easier time :)
> 
> 
> Thanks,
> Ben
> 


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

More information about the Hostap mailing list