Problems with EAP-TTLS/EAP-TLS - One Step further

Carolin Latze carolin.latze
Thu Oct 30 07:11:39 PDT 2008


Hi everybody,

Meanwhile I have tried several things and didn't succeed, but I have an 
idea of what's going wrong. It seems that wpa_supplicant only takes the 
engine for the outer authentication. Is that possible?

Why do I think that?
Well:
1) If I use the client_cert2 variable, OpenSSL claims that it does not 
find the matching certificate.
2) If I use client_cert, it will read the certificate out of the engine 
in the EAP-TTLS authentication and claim that there is no engine ID when 
starting with EAP-TLS, and from the logs it seems that it is reading the 
engine in the outer authentication.

Therefore my question: on the wpa_supplicant homepage I saw that 
EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place to 
download the test configurations? That would be very helpful for me! 
I want to try to use EAP-TTLS/EAP-TLS without an engine for a first test 
(taking out the complexity in order to understand it :)). I tried it with:

network={
        ssid="dd-wrt"
        scan_ssid=0
        mode=0
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        group=TKIP
        eap=TTLS

        phase2="autheap=TLS"

        identity="10.1.1.5"
        ca_cert="/home/latze/cert/cacert.pem"
        client_cert2="/home/latze/cert/basisk_cert.pem"
        private_key2="/home/latze/cert/basisk_key.pem"
        private_key2_passwd="PW"
}

Using those certificates in normal EAP-TLS works. But in 
EAP-TTLS/EAP-TLS, I get

1225375899.974397: EAP-TTLS: AVP - EAP Message
1225375899.974402: EAP-TTLS: AVP: code=79 flags=0x40 length=261
1225375899.974406: EAP-TTLS: AVP overflow (len=261, left=213) - dropped
1225375899.974411: EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL

when doing the inner authentication, and I don't know why.

Regards
Carolin


Carolin Latze wrote:
> Sjors Gielen wrote:
>> Carolin Latze wrote:
>>> That gives more or less the same error. But I think that cannot be the
>>> solution anyway since EAP-TTLS should not require client authentication
>>> from what I know about EAP-TTLS, but I might be wrong. But I also think
>>> the problem lies in the order of the statements.
>>>
>>> I have another more general question: Does the EAP-TTLS module call the
>>> EAP-TLS module? I mean it seems that it works like that since I see my
>>> old debug messages, but is that really correct?
>>
>> Oops, missed this. According to this line in your wpa_supplicant.conf:
>>         phase2="autheap=TLS"
>> It does ;) Change that to
>>         phase2="autheap=MD5"
>> or
>>         phase2="autheap=MSCHAPV2"
>> (or something similar) and it will probably work :)
>
> Tried that and still get
>
> OpenSSL: tls_connection_engine_private_key - Private key failed 
> verification error:140A30B1:SSL routines:SSL_check_private_key:no 
> certificate assigned
>
> :) But anyway, I really would like to have EAP-TTLS/EAP-TLS, which means 
> to have mutual authentication inside a tunnel established with server 
> authentication. Do you think that is possible?
>
> Regards and thanks for all those hints!
> Carolin

-- 
Carolin Latze
Research Assistant                      ICT Engineer

Department of Computer Science          Swisscom Strategy and Innovation
Boulevard de Pérolles 90                Ostermundigenstrasse 93
CH-1700 Fribourg                        CH-3006 Bern

phone: +41 26 300 83 30                 +41 79 72 965 27
homepage: http://diuf.unifr.ch/people/latzec
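As an added example (not code from this thread or from wpa_supplicant), a small Python parser for the EAP-TTLS AVP framing (RFC 5281: 4-byte code, 1-byte flags, 3-byte length, optional Vendor-ID, 4-byte padding) that reproduces the length check behind the "AVP overflow (len=261, left=213)" line in the log above: an AVP whose declared length exceeds the bytes remaining in the decrypted payload is reported and parsing stops. The sample bytes are constructed here; the EAP Identity Request carried in the first AVP is an assumption, not taken from the post.

```python
import struct

AVP_FLAG_VENDOR = 0x80     # V bit: a 4-byte Vendor-ID follows the header
AVP_FLAG_MANDATORY = 0x40  # M bit: the peer must understand this AVP
AVP_EAP_MESSAGE = 79       # EAP-Message AVP code, as shown in the log (code=79)


def parse_avps(buf):
    """Walk the AVPs in a decrypted EAP-TTLS payload.
    Returns (avps, error): avps is a list of dicts for the AVPs parsed so far,
    error is None or a message in the spirit of wpa_supplicant's log line."""
    avps = []
    pos = 0
    while pos < len(buf):
        left = len(buf) - pos
        if left < 8:
            return avps, "truncated AVP header (left=%d)" % left
        code, flags, len_hi, len_lo = struct.unpack_from("!IBBH", buf, pos)
        length = (len_hi << 16) | len_lo  # 3-byte big-endian length
        if length > left:
            # The declared length runs past the end of the payload: drop it.
            return avps, "AVP overflow (len=%d, left=%d) - dropped" % (length, left)
        hdr = 8
        vendor = None
        if flags & AVP_FLAG_VENDOR:
            if length < 12:
                return avps, "AVP too short for Vendor-ID (len=%d)" % length
            vendor = struct.unpack_from("!I", buf, pos + 8)[0]
            hdr = 12
        if length < hdr:
            return avps, "AVP length %d shorter than its header" % length
        avps.append({"code": code, "mandatory": bool(flags & AVP_FLAG_MANDATORY),
                     "vendor": vendor, "data": buf[pos + hdr:pos + length]})
        pos += (length + 3) & ~3  # AVPs are padded to a 4-byte boundary
    return avps, None


def build_avp(code, data, mandatory=True):
    """Build one AVP without Vendor-ID, padded to a 4-byte boundary."""
    length = 8 + len(data)
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    header = struct.pack("!IBBH", code, flags, length >> 16, length & 0xFFFF)
    return header + data + b"\x00" * ((-length) % 4)


# Constructed sample: a well-formed EAP-Message AVP carrying an EAP Identity
# Request (code 1, id 1, length 5, type 1), followed by an EAP-Message AVP that
# declares 261 bytes but of which only 213 arrive, as in the log above.
EAP_IDENTITY_REQUEST = bytes([1, 1, 0, 5, 1])
GOOD_AVP = build_avp(AVP_EAP_MESSAGE, EAP_IDENTITY_REQUEST)
TRUNCATED_AVP = build_avp(AVP_EAP_MESSAGE, bytes(253))[:213]
SAMPLE_PAYLOAD = GOOD_AVP + TRUNCATED_AVP
```

Running parse_avps(SAMPLE_PAYLOAD) returns the one good AVP plus the error "AVP overflow (len=261, left=213) - dropped", matching the log numbers.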
