Re: Using wpasupplicant to connect to 802.1X certificate protected network. Xubuntu 14.04

On Fri, Feb 19, 2016 at 02:53:44PM +0100, gunnaroeh@xxxxxxxxx wrote:
> My admin now stated that protocols must not be predefined but are
> negotiated between client and the server.
> After the certificate is verified (which is a must) the user
> identity must indeed also be checked.
> 
> Therefore he then suggested to use the following configuration:
> 
>         key_mgmt=IEEE8021X
>         eap=TLS
>         anonymous_identity="..."
>         ca_cert="/path to certificate.cer"
>         phase2="auth=peap"
>         private_key="path to privkey.pem"
>         identity="..."
>         password="..."
>         private_key_passwd="..."

This is not a valid EAP configuration. Either this needs to use EAP-TLS,
which does not use the password option, or this is some kind of
combination of PEAP with client certificate and something in the inner
tunnel. I cannot really recommend any specific change here without more
details on what exactly the authentication server expects here.

The phase2 parameter is not used with EAP-TLS (eap=TLS).

The phase2 value "auth=peap" is not valid with any EAP method. With
eap=PEAP, phase2="auth=<name of inner method>" could be used to select
which inner method is used. Though, please note that the names of the
EAP methods are all in upper case.

> The private key and the certificate match each other (checked with
> openssl x509 and rsa). I guess the main problem is now that the key
> is not symlinked to the certificate:

If you have a client certificate in a separate file, you need to point
to that file with the client_cert parameter.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
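
The checks named in the reply above, as an added example that is not part of the original thread or of the hostap project: a small linter for one wpa_supplicant network block. The function names, finding codes and the sample values (paths, identity, password) are constructed for illustration, and the linter covers only the points raised in the reply, not full configuration validation.

```python
import re

# Constructed sample: the fields quoted in the thread, with placeholder values.
SAMPLE = '''
key_mgmt=IEEE8021X
eap=TLS
ca_cert="/path/to/ca.cer"
phase2="auth=peap"
private_key="/path/to/privkey.pem"
identity="user"
password="placeholder"
'''

def parse_block(text):
    """Collect key=value lines of one network block, dropping quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields

def lint(text):
    """Return (code, message) findings for the mistakes named in the reply."""
    f = parse_block(text)
    eap = f.get("eap", "").split()
    tls_only = [m.upper() for m in eap] == ["TLS"]
    out = []
    if any(m != m.upper() for m in eap):
        out.append(("eap-case", "EAP method names are upper case"))
    if tls_only and "phase2" in f:
        out.append(("phase2-with-tls", "phase2 is not used with eap=TLS"))
    if tls_only and "password" in f:
        out.append(("password-with-tls", "EAP-TLS does not use password"))
    for inner in re.findall(r"auth(?:eap)?=(\S+)", f.get("phase2", "")):
        if inner != inner.upper():
            out.append(("phase2-case", f"inner method '{inner}' must be upper case"))
        if inner.upper() == "PEAP":
            out.append(("phase2-peap", "auth=peap does not name an inner method"))
    if "private_key" in f and "client_cert" not in f:
        out.append(("no-client-cert", "certificate in a separate file needs client_cert"))
    return out

if __name__ == "__main__":
    for code, msg in lint(SAMPLE):
        print(f"{code}: {msg}")
```

The no-client-cert finding is a hint rather than an error: it applies when the client certificate lives in a file separate from the private key, as in the thread.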
