Cannot get hostapd radius to authenticate OSEN connection.
Fri Mar 20 08:00:00 PDT 2015
On 03/20/2015 05:51 AM, Jouni Malinen wrote:
> On Thu, Mar 19, 2015 at 05:58:21PM -0700, Ben Greear wrote:
>> I cannot seem to get a hostapd radius server to authenticate an OSEN connection.
>> I think it might be some issue with the hostapd-radius server, but not sure why.
>> I have enabled CONFIG_EAP_UNAUTH_TLS=y in the wpa_supplicant and hostapd config files.
>> (This config option should be mentioned in the defconfig files?).
> That vendor specific EAP method is not really described anywhere and I'm
> not sure whether I'd really want to promote it much at this point in
> time. Anyway, CONFIG_EAP_UNAUTH_TLS=y is not used with OSEN. The version
> of client-unauthenticated TLS for OSEN is selected for the build with
>> "osen at lanforge.com" WFA-UNAUTH-TLS
> This is the EAP method from CONFIG_HS2=y (the unrelated
> CONFIG_EAP_UNAUTH_TLS=y is "UNAUTH-TLS").
>> Here is log. Maybe the important bit is about not being able to find ssl ctxt?
>> 1426812366.390087: RADIUS SRV: [0x0 127.0.0.1] EAP: EAP-Response/Identity 'osen at lanforge.com'
>> 1426812366.390101: EAP: getNextMethod: vendor 40808 type 13
>> 1426812366.390108: TLS context not initialized - cannot use TLS-based EAP method
>> 1426812366.390112: EAP-TLS: Failed to initialize SSL.
>> 1426812366.390118: EAP: Failed to initialize EAP method 254
> Yes, this is the part that is failing.. It looks like you have not
> configured the server certificate in hostapd configuration file and
> that leaves TLS uninitialized. For any TLS-based EAP methods, the server
> will need to have its private key, server certificate, and CA
> certificate(s) configured.
Ok, I updated the hostapd-radius config file to look like this:
I am generating those certs with this logic:
# Build the new .pem files.
use strict;
use warnings;
# Assumed for this excerpt: do_cmd() and $home are defined elsewhere in the
# original script; minimal stand-ins are supplied so the snippet runs.
my $home = $ENV{HOME};
sub do_cmd {    # run a shell command; die on failure unless $ignore_err is set
    my ($cmd, $ignore_err) = @_;
    my $rv = system($cmd);
    die "Command failed (rv=$rv): $cmd\n" if $rv != 0 && !$ignore_err;
}
my $rbase = "/etc/raddb/";
# Regenerate the CA and server certificates with the Makefile in certs/.
do_cmd("cd $rbase/certs; make; cd -", 1);
# Build client files: key + CSR, sign the CSR with the CA, bundle into PKCS#12.
do_cmd("cd $rbase/certs; openssl req -new -config client.cnf -keyout client_key.pem -out client_req.pem; cd -");
do_cmd("cd $rbase/certs; openssl ca -config ca.cnf -in client_req.pem -key lanforge -batch -out client_cert.pem; cd -");
do_cmd("cd $rbase/certs; openssl pkcs12 -export -clcerts -in client_cert.pem -inkey client_key.pem -out client.p12 -passin pass:lanforge -passout pass:lanforge; cd -");
# Copy client files to $home
do_cmd("cd $rbase/certs; cp ca.pem client.p12 $home; cd -");
I have placed the /etc/raddb/certs/ca.pem from the hostapd-radius machine on the
supplicant station machine and I am using that file for the 'ca_cert' entry
in the wpa_supplicant config file.
It still does not work, but it gets farther and complains about the cert file from what
I can tell. I assume I must be either generating keys incorrectly or using them incorrectly:
# From hostapd-radius logs:
1426862605.113491: RADIUS SRV: Request for session 0x1
1426862605.113499: RADIUS SRV: Received EAP data - hexdump(len=20): 02 ab 00 14 fe 00 9f 68 00 00 00 0d 00 15 03 03 00 02 02 71
1426862605.113512: EAP: EAP entering state RECEIVED
1426862605.113518: EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=171 respMethod=254 respVendor=40808 respVendorMethod=13
1426862605.113526: EAP: EAP entering state INTEGRITY_CHECK
1426862605.113532: EAP: EAP entering state METHOD_RESPONSE
1426862605.113538: SSL: Received packet(len=20) - Flags 0x00
1426862605.113544: SSL: Received packet: Flags 0x0 Message Length 0
1426862605.113559: OpenSSL: RX ver=0x303 content_type=21
1426862605.113569: OpenSSL: Message - hexdump(len=2): [REMOVED]
1426862605.113577: SSL: (where=0x4004 ret=0x271)
1426862605.113584: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate status response
1426862605.113595: SSL: (where=0x2002 ret=0x0)
1426862605.113602: SSL: SSL_accept:failed in SSLv3 read client certificate A
1426862605.113615: OpenSSL: openssl_handshake - SSL_connect error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response
1426862605.113626: SSL: 0 bytes pending from ssl_out
1426862605.113634: SSL: Failed - tls_out available to report error
1426862605.113640: EAP-TLS: CONTINUE -> FAILURE
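As an added example (not code from the original thread, from LANforge, or from hostapd), the script below does with plain openssl what the reply above says a TLS-based EAP server needs: it builds a CA, a server certificate with its private key, and a client certificate bundled as PKCS#12, prints the hostapd.conf lines that hand the server those files, and checks that the pieces fit together before hostapd is started. The subject names, file names and the PKCS#12 passphrase are assumptions for illustration; the hostapd option names (eap_server, ca_cert, server_cert, private_key) are the real ones.

```shell
#!/bin/sh
# Added example, not code from the original post or from hostapd: build a
# minimal CA / server / client certificate set with openssl, print the
# hostapd.conf lines that hand the server its key and certificates, and check
# the files before hostapd is started.  Subject names, file names and the
# PKCS#12 passphrase are assumptions for illustration.
set -eu

# Create ca.pem, server.pem/server.key and client.p12 under directory $1.
gen_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA; it signs both the server and the client certificate and
    # is the file the station points its ca_cert entry at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example RADIUS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server key + CSR, signed by the CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # Client key + CSR, signed by the same CA and bundled as PKCS#12 so the
    # station gets certificate, key and CA in one file.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=osen-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/ca.pem" -passout pass:lanforge -out "$dir/client.p12"
}

# Print the hostapd.conf lines for the built-in EAP server.  The option names
# are hostapd's own; without ca_cert/server_cert/private_key the TLS context
# stays uninitialised and every TLS-based EAP method fails as in the log above.
hostapd_tls_conf() {
    dir="$1"
    cat <<EOF
eap_server=1
ca_cert=$dir/ca.pem
server_cert=$dir/server.pem
private_key=$dir/server.key
EOF
}

# Pre-flight checks: server and client certificates must verify against the
# CA, and the server's private key must belong to the server certificate
# (compare the public key in the certificate with the one derived from the key).
check_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$dir/server.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh gen_pki.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    gen_pki "$work"
    check_pki "$work" && echo "PKI checks passed"
    hostapd_tls_conf "$work"
fi
```

The CA file written here is the same one the station needs as its ca_cert, so copy that file, not the server certificate, to the supplicant side; check_pki is worth running whenever the certificates are regenerated, since a server certificate signed by a stale CA, or a key that does not match the certificate, will not show up until the EAP handshake fails.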