802.1x auth with wpa_supp?
Jouni Malinen
jkmaline
Sun Oct 3 19:49:39 PDT 2004
On Fri, Sep 17, 2004 at 08:43:09PM +1200, Morgan Read wrote:
> But, I'm getting stuck with my private key? I've included what
> seemed to be one cycle of the debug below, plus a couple of extra
> error examples which are a little different (first).
>
> Here's the command I used to generate the private key; the instructions
> I followed are from a v basic howto for xsupplicant at my uni:
> <http://www.ece.auckland.ac.nz/%7Etcol036/wireless/wireless.html> -
Those instructions are very confusing. The configuration seems to be
using EAP-PEAP and the instructions talk about an "optional key". If you
want to use a client key with EAP-PEAP (or well, TLS in general), you
will need to generate a certificate request and get the public key
signed by a CA. However, the instructions did not mention anything about
getting a CA to sign a client certificate.
There is not much point in generating client keys without having some
kind of PKI in place so that the server could actually verify the key.
> EAP-PEAP: Phase2 type: MSCHAPV2
> SSL: Trusted root certificate(s) loaded
> SSL: Private key failed verification: error:140CB07C:SSL
> routines:SSL_use_PrivateKey_file:bad ssl filetype
> SSL - SSL error: error:140A30B1:SSL routines:SSL_check_private_key:no
> certificate assigned
wpa_supplicant requires both the private key and certificate. However,
one does not normally use client key/certificate at all with EAP-PEAP.
The client-side credentials are verified in the inner phase 2
authentication, e.g., EAP-MSCHAPv2 username and password in this case.
In other words, the normal EAP-PEAP/MSCHAPv2 configuration includes the
following items:
eap=PEAP
identity="your username"
password="your password"
ca_cert="path to trusted CA certificate"
phase2="auth=MSCHAPV2"
The following items are usually _not_ used for EAP-PEAP/MSCHAPv2:
client_cert
private_key
private_key_passwd
--
Jouni Malinen PGP id EFC895FA
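As an added example that is not part of Jouni's reply or of the hostap project: the network block below is a complete wpa_supplicant.conf entry for EAP-PEAP/MSCHAPv2 with the items listed above, and a small POSIX sh check that flags the two problems in this thread (a private_key configured without its client_cert, which is what produces the "no certificate assigned" error, and a missing ca_cert, in which case the RADIUS server's certificate is not verified before the MSCHAPv2 credentials are sent). The ssid, file paths and credentials are constructed placeholders, and the checker is a hypothetical helper, not a hostap tool.

```shell
#!/bin/sh
# Added example, not code from the hostap list post or project.
# Constructed sample: the recommended PEAP/MSCHAPv2 network block.
good_conf() {
cat <<'EOF'
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username"
    password="password"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Constructed sample: the poster's situation, a client key configured for
# PEAP without a client certificate, and no trusted CA given.
bad_conf() {
cat <<'EOF'
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username"
    password="password"
    private_key="/home/user/client-key.pem"
    phase2="auth=MSCHAPV2"
}
EOF
}

# has_key KEY: true if the config text held in $conf sets KEY (indentation
# allowed). Used by check_peap_conf below.
has_key() {
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$1[[:space:]]*="
}

# check_peap_conf: read a network block on stdin and report the problems
# discussed in the thread. Exit status is 0 when the block is clean.
check_peap_conf() {
    conf=$(cat)
    problems=0
    if ! has_key ca_cert; then
        echo "warn: no ca_cert; the server certificate is not verified and"
        echo "      a rogue AP could collect the MSCHAPv2 exchange"
        problems=$((problems + 1))
    fi
    if has_key private_key && ! has_key client_cert; then
        echo "error: private_key set without client_cert; wpa_supplicant"
        echo "       needs both, and neither is normally used for PEAP/MSCHAPv2"
        problems=$((problems + 1))
    fi
    if has_key client_cert && ! has_key private_key; then
        echo "error: client_cert set without private_key"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*phase2="auth=MSCHAPV2"'; then
        echo "warn: phase2 is not auth=MSCHAPV2"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: pipe any network block into the checker.
#   good_conf | check_peap_conf   # exits 0, prints nothing
#   bad_conf  | check_peap_conf   # exits 1, prints the two findings
```

The check is deliberately textual (grep on the block) so it runs anywhere sh is available; it does not parse the file the way wpa_supplicant does, so treat a clean result as "none of the mistakes above", not as proof the configuration works.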