Re: Using wpasupplicant to connect to 802.1X certificate protected network. Xubuntu 14.04

Hi,

thanks for the hint on -D wired.

Why would this use PEAP if you are using certificates instead of
username/password? Wouldn't it be EAP-TLS which is used with private key
and certificate? Or maybe this is PEAP with EAP-TLS in Phase 2?

Without knowing what the authentication server expects, it is difficult
to provide more guidance on how to configure wpa_supplicant for that. In
any case, the configuration here is invalid, i.e., PEAP with MSCHAPv2
requires a user name and password.

My admin now stated that protocols must not be predefined but are negotiated between client and server. After the certificate is verified (which is a must), the user identity must indeed also be checked.

Therefore he then suggested using the following configuration:

        key_mgmt=IEEE8021X
        eap=TLS
        anonymous_identity="..."
        ca_cert="/path to certificate.cer"
        phase2="auth=peap"
        private_key="path to privkey.pem"
        identity="..."
        password="..."
        private_key_passwd="..."

The private key and the certificate match each other (checked with openssl x509 and rsa). I guess the main problem now is that the key is not symlinked to the certificate:

OpenSSL: tls_connection_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned
TLS: Failed to load private key '/home/administrator/privkey.pem'

sudo wpa_supplicant -c /etc/wpa_supplicant.conf -dd -D wired -i eth0
wpa_supplicant v2.1
random: Trying to read entropy from /dev/random
Successfully initialized wpa_supplicant
Initializing interface 'eth0' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A' Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='0'
eapol_version=2
ap_scan=0
Line: 15 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
anonymous_identity - hexdump_ascii(len=6):
62 69 6f 65 35 36 some anonymous_identity
ca_cert - hexdump_ascii(len=40):
     2f 68 6f 6d 65 2f 61 64 6d 69 6e 69 73 74 72 61   certificate.cer
     74 6f 72 2f 44 6f 77 6e 6c 6f 61 64 73 2f 62 61
     73 65 36 34 2e 63 65 72
phase2 - hexdump_ascii(len=9):
     61 75 74 68 3d 70 65 61 70                        auth=peap
private_key - hexdump_ascii(len=32):
     2f 68 6f 6d 65 2f 61 64 6d 69 6e 69 73 74 72 61
     74 6f 72 2f 70 72 69 76 6b 65 79 32 2e 70 65 6d   privkey.pem
identity - hexdump_ascii(len=8):
     6f 65 68 6d 69 63 68 65                           some identity
password - hexdump_ascii(len=12): [REMOVED]
private_key_passwd - hexdump_ascii(len=8): [REMOVED]
Priority group 0
   id=0 ssid=''
wpa_driver_wired_init: Added multicast membership with packet socket
Add interface eth0 to a new radio N/A
eth0: Own MAC address: b8:6b:23:25:70:c2
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0.100000 sec
eth0: WPS: UUID based on MAC address: de9a2a09-f7f0-57d6-82f9-8278b5c064b5
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Using existing control interface directory.
ctrl_interface_group=0
eth0: Added interface eth0
eth0: State: DISCONNECTED -> DISCONNECTED
random: Got 20/20 bytes from /dev/random
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing own WPA/RSN IE
eth0: Failed to get scan results
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
eth0: Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
eth0: RX EAPOL from 18:ef:63:f4:e5:01
RX EAPOL - hexdump(len=46): 03 00 00 05 01 01 00 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=6):
62 69 6f 65 35 36 some anonymous_identity
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=15): 02 00 00 0b 02 01 00 0b 01 62 69 6f 65 35 36
EAPOL: SUPP_BE entering state RECEIVE
eth0: RX EAPOL from 18:ef:63:f4:e5:01
RX EAPOL - hexdump(len=46): 03 00 00 06 01 02 00 06 0d 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
OpenSSL: tls_connection_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned
TLS: Failed to load private key '... privkey.pem'
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
eth0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=10): 02 00 00 06 02 02 00 06 03 00
EAPOL: SUPP_BE entering state RECEIVE
eth0: RX EAPOL from 18:ef:63:f4:e5:01
RX EAPOL - hexdump(len=46): 03 00 00 04 04 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: Supplicant port status: Unauthorized
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed - result=FAILURE
^Ceth0: Removing interface eth0
eth0: Request to deauthenticate - bssid=01:80:c2:00:00:03 pending_bssid=00:00:00:00:00:00 reason=3 state=ASSOCIATED
eth0: Event DEAUTH (12) received
eth0: Deauthentication notification
eth0:  * reason 3 (locally generated)
Deauthentication frame IE(s) - hexdump(len=0): [NULL]
eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
eth0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10
eth0: Auto connect disabled: do not try to re-connect
eth0: Ignore connection failure indication since interface has been put into disconnected state
eth0: Disconnect event - remove keys
eth0: State: ASSOCIATED -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
eth0: Cancelling scan request
eth0: Cancelling authentication timeout
Remove interface eth0 from radio
Remove radio
eth0: CTRL-EVENT-TERMINATING
Control interface directory not empty - leaving it behind

Thank you very much,

Gunnar


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
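An added example, not part of this thread and not wpa_supplicant's own code: a small Python checker that parses a network block like the one in the mail (embedded here as a constructed sample with placeholder paths and values) and reports what an EAP-TLS block is missing or does not use. The OpenSSL error in the log, "SSL_check_private_key:no certificate assigned", is what wpa_supplicant prints when the private key loads but there is no client_cert to check it against; the checker flags that, and also the phase2 and password fields that EAP-TLS never consults.

```python
import re

# Constructed sample: the network block from the mail above, with placeholder
# paths and values (the real ones are not on the page).
SAMPLE_CONF = """
network={
        key_mgmt=IEEE8021X
        eap=TLS
        ca_cert="/path/to/certificate.cer"
        phase2="auth=peap"
        private_key="/path/to/privkey.pem"
        identity="user"
        password="secret"
        private_key_passwd="secret"
}
"""

def parse_network_block(text):
    """Return the key=value fields of the first network={...} block, quotes stripped."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network block found")
    fields = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip().strip('"')
    return fields

def check_eap_tls(fields):
    """List problems in an EAP-TLS network block; an empty list means it looks complete."""
    if fields.get("eap", "").upper() != "TLS":
        return ["eap is not TLS; these checks apply to EAP-TLS only"]
    problems = []
    # wpa_supplicant loads private_key and has OpenSSL check it against client_cert;
    # with no client_cert that check fails with "no certificate assigned" (see log).
    if "client_cert" not in fields:
        problems.append("client_cert missing: private key cannot be checked against a certificate")
    if "private_key" not in fields:
        problems.append("private_key missing")
    if "ca_cert" not in fields:
        problems.append("ca_cert missing: the authentication server's certificate is not validated")
    # EAP-TLS has no inner method, so phase2 and password are never used.
    if "phase2" in fields:
        problems.append("phase2 set, but EAP-TLS has no inner (phase 2) method")
    if "password" in fields:
        problems.append("password set, but EAP-TLS authenticates with the certificate, not a password")
    return problems
```

Run against the sample it reports the missing client_cert plus the unused phase2 and password fields; adding client_cert and dropping those two gives an empty report.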
