Using wpasupplicant to connect to 802.1X certificate protected network. Xubuntu 14.04
Jouni Malinen
j at w1.fi
Fri Feb 19 07:14:09 PST 2016
On Fri, Feb 19, 2016 at 02:53:44PM +0100, gunnaroeh at posteo.de wrote:
> My admin now stated, that protocols must not be predefined but are
> negotiated between client and the server.
> After the certificate is verified (which is a must) the user
> identity must indeed also be checked.
>
> Therefore he then suggested to use the following configuration:
>
> key_mgmt=IEEE8021X
> eap=TLS
> anonymous_identity="..."
> ca_cert="/path to certificate.cer"
> phase2="auth=peap"
> private_key="path to privkey.pem"
> identity="..."
> password="..."
> private_key_passwd="..."
This is not valid EAP configuration. Either this needs to use EAP-TLS
which does not use the password option or this is some kind of
combination of PEAP with client certificate and something in the inner
tunnel. I cannot really recommend any specific change here without more
details on what exactly the authentication server expects here.
phase2 parameter is not used with EAP-TLS (eap=TLS).
phase2 value "auth=peap" is not valid with any EAP method. With
eap=PEAP, phase2="auth=<name of inner method>" could be used to select
which inner method is used. Though, please note that the names of the
EAP methods are all in upper case.
> The private key and the certificate match each other (checked with
> openssl x509 and rsa). I guess the main problem now is that the key
> is not symlinked to the certificate:
If you have a client certificate in a separate file, you need to point
to that file with the client_cert parameter.
--
Jouni Malinen PGP id EFC895FA
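A small checker for the points raised in this reply, added here as an example that is neither part of the thread nor of hostap: it parses a wpa_supplicant network block and flags the four problems named above (password with eap=TLS, phase2 with eap=TLS, a phase2 value that is not "auth=<NAME>" in upper case, and private_key without client_cert). The sample block, its file paths and identities are constructed.

```python
import re

# Constructed sample modelled on the quoted configuration (paths and
# identities are placeholders, not values from the thread).
SAMPLE_BLOCK = """
key_mgmt=IEEE8021X
eap=TLS
anonymous_identity="anonymous@example.org"
ca_cert="/etc/ssl/certs/example-ca.cer"
phase2="auth=peap"
private_key="/etc/ssl/private/privkey.pem"
identity="user@example.org"
password="constructed-password"
private_key_passwd="constructed-passphrase"
"""

def parse_network_block(text):
    """Parse key=value lines of a network block into a dict.

    Surrounding double quotes are stripped from values; blank lines and
    '#' comments are ignored. Only the simple one-line form is handled."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params

def lint_eap_block(params):
    """Return a list of the mismatches Jouni describes for this block."""
    problems = []
    eap = params.get("eap", "")
    phase2 = params.get("phase2")
    if eap == "TLS":
        if "password" in params:
            problems.append("eap=TLS does not use the password option")
        if phase2 is not None:
            problems.append("phase2 is not used with eap=TLS")
    if phase2 is not None:
        # With eap=PEAP the inner method is chosen via auth=<NAME>, and
        # EAP method names are written in upper case (e.g. auth=MSCHAPV2).
        m = re.fullmatch(r"auth=(\S+)", phase2)
        if m is None or m.group(1) != m.group(1).upper():
            problems.append('phase2 must be "auth=<INNER METHOD>" in upper case')
    if "private_key" in params and "client_cert" not in params:
        # A key file that does not bundle the certificate (plain PEM key)
        # needs the certificate file given separately via client_cert.
        problems.append("private_key set without client_cert")
    return problems
```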