Smart Cards (PIV / Yubikey) not working
Eric Reiss
ereiss at athenasciences.com
Wed Apr 16 08:56:28 PDT 2025
Hello All,
First post ever.
What brought me to this group is that I have been trying to get
Yubikeys working as a PIV Smart Card for accessing a WiFi SSID using
EAP-TLS.
Quick background:
I have been using the Yubikeys to log in to Windows and Linux clients
joined to a Windows Active Directory Domain successfully. I have them
working to authenticate SSH access. For these modes I am using the
Yubikey's PIV capabilities with Certificates issued from the
Certificate Authority on the Windows domain controllers.
I have tried multiple methods to attempt to get this to work, but the
last attempt is the most enlightening. I will hold back some of the
details for brevity, as the end results are informative.
The Problem:
On one of my Windows AD servers which is also a Certificate Authority
server, I created a template and issued a Certificate which was
exported as a .pfx file. The Private Key was included and had a
password.
Then I separately extracted the public certificate to one .pem file
and the password protected private key to another .pem file.
I then used the same .pfx file to import the certificate into PIV slot
9a of the Yubikey.
On a Windows 10 client, when I choose the WiFi SSID that is configured
for EAP-TLS using the Windows Network Policy Server (NPS), I can log in
just fine.
It asks me to select a certificate off of the Yubikey and then asks
for the PIN. I then get logged in and everything works just fine.
Easy on Windows.
But on Linux, both Ubuntu 22.04 LTS and Debian 12, this does not work.
Both had wpa_supplicant v2.10, and I have compiled my own version of
2.11 with appropriate config options such as CONFIG_SMARTCARD=y, but
both versions have the same results.
In both Ubuntu and Debian, using NetworkManager, I can make an
EAP-TLS connection by specifying, from the local file system, a copy of
the CA Root Server Certificate in .pem format that was exported from the
Windows server and copied to the Linux client. Then for the User Cert,
I specify the .pem file on the local file system extracted from the
.pfx file, and finally the Private Key in a .pem file on the local file
system extracted from the .pfx file with the password. Then I can
specify the password in NetworkManager.
This works. I get connected. So using the Certificate and key from the
local file system, it works.
But if I attempt to do the same, but rather than using the User Cert
and Private Key from the .pem files on the file system, use the Cert
and Private Key from the Yubikey, it does not work.
It keeps asking for the private key password.
I give it the password, and it does not work.
Additionally, it is not asking for the PIN for the Yubikey and it should.
When doing this in Windows it challenges me for the PIN as I expect.
We want to make EAP-TLS connections using MFA, so the Yubikey working
as a PIV Authentication card does this, as it works for logging into
the Windows and Linux clients.
Our users will already have Yubikeys for logins, so why not use them
for WiFi authentication?
I have been working on this for a couple of weeks and hit a wall.
There are others on the Internet/Reddit asking for the same.
Any help or suggestions would be welcome.
Thank you,
Eric
--
Eric Reiss
Information Technology Manager
ereiss at athenasciences.com
Athena Sciences Corporation
320 Adams Street, Suite L01
Fairmont, WV 26554
CONFIDENTIALITY NOTICE: The information contained in this email and
any attachments are intended only for the use of the individual or
entity to which it is addressed and may contain information that is
privileged, confidential or subject to protection from disclosure
under federal or state law. If you are not an intended recipient, you
are hereby notified that any distribution or copying of this
information is strictly prohibited. If you have received this email in
error, please notify the sender by reply email and delete this message
and any attachments immediately and you should not retain copy or use
this email or any attachment for any purpose, nor disclose all or any
part of the contents to any other person. Thank you.
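The following is an added example and is not part of the original post, nor code from the hostap project. It shows the configuration shape wpa_supplicant documents for keeping the EAP-TLS client certificate and private key on a PKCS#11 token: the global `pkcs11_engine_path` / `pkcs11_module_path` options plus `engine=1`, `engine_id="pkcs11"`, `cert_id`, `key_id` and `pin` in the network block. When the key is referenced this way, the TLS CertificateVerify signature is delegated to the token, and the PIN is what unlocks it; no private-key passphrase is involved. The engine and module paths, SSID, identity, CA path and the OpenSC PIV object labels are assumptions: list the objects on your own token with `pkcs11-tool --module <module> --list-objects` (or `p11tool --list-all`) and use the labels it prints.

```shell
#!/bin/sh
# Added example (not from the original post or hostap): generate a
# wpa_supplicant.conf for EAP-TLS with the client certificate and key on a
# YubiKey PIV Authentication slot (9a), reached through OpenSC's PKCS#11
# module via the libp11 OpenSSL engine. All paths and labels below are
# assumptions; verify them on your system.

PKCS11_ENGINE=/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so   # libp11 engine (assumed path, OpenSSL 3 layout)
PKCS11_MODULE=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so      # OpenSC module (assumed path)

# Percent-encode the characters RFC 7512 does not allow raw in a PKCS#11 URI
# attribute value. Spaces matter here: OpenSC's PIV labels contain them.
pkcs11_escape() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/;/%3B/g' \
                           -e 's/?/%3F/g' -e 's/#/%23/g'
}

# Build a pkcs11: URI selecting one object by type (cert|private) and label.
pkcs11_uri() {
    printf 'pkcs11:type=%s;object=%s' "$1" "$(pkcs11_escape "$2")"
}

# Emit a complete wpa_supplicant.conf for one EAP-TLS network.
# $1 = SSID, $2 = EAP identity, $3 = CA certificate path, $4 = PIV PIN
gen_wpa_conf() {
    cat <<EOF
ctrl_interface=/run/wpa_supplicant
# Global engine setup, shared by every network block in this file
pkcs11_engine_path=$PKCS11_ENGINE
pkcs11_module_path=$PKCS11_MODULE

network={
    ssid="$1"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$2"
    ca_cert="$3"
    # Certificate and key stay on the token; the engine performs the
    # CertificateVerify signature, which is what the PIN unlocks.
    engine=1
    engine_id="pkcs11"
    cert_id="$(pkcs11_uri cert 'Certificate for PIV Authentication')"
    key_id="$(pkcs11_uri private 'PIV AUTH key')"
    pin="$4"
}
EOF
}

# Usage (assumed interface name wlan0):
#   gen_wpa_conf CorpWiFi user@example.com /etc/ssl/certs/corp-root.pem 123456 \
#       > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
#   wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf -d
```

If you would rather not store the PIN on disk, drop the `pin=` line; wpa_supplicant then issues a `CTRL-REQ-PIN` request that `wpa_cli` (or any control-interface client) answers interactively. Run with `-d` the first time: the debug log shows whether the engine loaded and whether the `cert_id` / `key_id` URIs matched an object on the token.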
More information about the Hostap mailing list