Securing your WiFi – WPA2-Enterprise with EAP-TLS made easy with Open Source tools

Hello everyone,

Recently I’ve been playing a lot with WPA2-Enterprise EAP-TLS at work. I wanted to share my experience with you all.

First of all, a little explanation about WiFi security. Most of you are familiar with WEP/WPA1+2 from your home WiFi. You probably know that WEP was “hacked” a long time ago and isn’t considered secure. There are also publicly available rainbow tables for WPA2-PSK, although they only work for a given combination of SSID+PSK (PSK authentication derives the secret shared with the access point from both the SSID name and the PSK; the publicly available rainbow table covers the top 1000 SSID names and a heavy load of passwords). WPA1/2-PSK is the method most widely used on WiFi networks. It uses a pre-shared key (password) to authenticate to the access point.

In large enterprises, PSK authentication simply does not fit. For example, consider a company with 1000 employees. One of the employees who knows the PSK password gets fired. The password is compromised and has to be replaced (not to mention that any employee with minor technical knowledge can extract the PSK from his or her computer) – that is a big deal.

WPA-Enterprise introduces EAP (or IEEE 802.1X, if you like) to the wireless world, adopting the following EAP types (from Wikipedia):

  1. EAP-TLS
  2. EAP-TTLS/MSCHAPv2
  3. PEAPv0/EAP-MSCHAPv2
  4. PEAPv1/EAP-GTC
  5. PEAP-TLS
  6. EAP-SIM
  7. EAP-AKA
  8. EAP-FAST

This article will focus on deploying EAP-TLS with WPA2-Enterprise, although it might work with other IEEE 802.1x implementations (such as a Cisco layer 2 switch) with minor or no adjustments at all. As for other EAP authentication types, FreeRADIUS supports a lot of them. See FreeRADIUS documentation and google for some examples.

First of all, a few words about EAP-TLS. EAP-TLS implements certificate-based TLS authentication: the client (also called the supplicant) authenticates to the AP (the authenticator), which relays the authentication to a RADIUS server, and the RADIUS server authenticates itself to the client. This means that only computers that possess a certificate issued by your CA will be able to connect to your network; it also means these clients cannot be hijacked, because the server has to prove its identity to them as well.
If a computer is stolen or an employee is fired, that particular certificate can be revoked. For this to work properly, you’ll have to configure FreeRADIUS to validate the certificate against a CRL – something I won’t be covering in this post; however, it’s documented in the eap.conf file comments.

I won’t be elaborating on how certificates work and why it’s a trustworthy security mechanism. If it interests you, be sure to comment and ask for a post about it.

There’s a nice image that represents EAP authentication on the Wikipedia IEEE 802.1X page.

In our case, the supplicant is the WiFi client, the authenticator is the WiFi Access Point, and the authentication server is the FreeRADIUS server – which we’ll be deploying throughout this post.
I’m not going to elaborate much on TLS authentication. If you’re interested, you can read about Transport Layer Security (TLS) on Wikipedia.

For implementing EAP-TLS, we need a CA (Certification Authority). Every client has a client certificate and the RADIUS server has a server certificate. I’m going to use easy-rsa, a set of scripts shipped with OpenVPN for deploying and managing a simple CA with OpenSSL.

Ok, so let’s start deploying. For this installation I’ll be using a 64-bit Debian 6 installation. I’m assuming you already have it installed and that you are at least a bit familiar with Linux. Any distribution that has FreeRADIUS packages (including the EAP and EAP-TLS modules) will be fine.

First step: Creating the CA (you can skip this step if you already have a CA; however, I do suggest you start by deploying with easy-rsa and replace it later with your own certificates)

  1. Download and extract the OpenVPN source code:
    wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
    tar xvfz openvpn-2.2.2.tar.gz
    
  2. Enter the easy-rsa scripts directory, edit the configuration file using your favorite editor (I’ll be using VIM)
    cd openvpn-2.2.2/easy-rsa/2.0
    vim vars
    
  3. Fill in the vars file: change the values and comment out “KEY_CN, KEY_NAME, KEY_OU”. Also, “KEY_EMAIL” appears twice; you can remove one.
    This is my file (without empty lines, comments):

    export EASY_RSA="`pwd`"
    export OPENSSL="openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="grep"
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    export KEY_DIR="$EASY_RSA/keys"
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    export PKCS11_MODULE_PATH="dummy"
    export PKCS11_PIN="dummy"
    export KEY_SIZE=1024
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    export KEY_COUNTRY="IL"
    export KEY_PROVINCE="IL"
    export KEY_CITY="Netanya"
    export KEY_ORG="Omri"
    export KEY_EMAIL="omri@somedomain.tld"
    #export KEY_CN=changeme
    #export KEY_NAME=changeme
    #export KEY_OU=changeme
    export PKCS11_MODULE_PATH=changeme
    export PKCS11_PIN=1234
    
  4. Initialize the CA:
    source ./vars
    ./clean-all
    ./pkitool --initca
    
  5. Generate a server certificate for our FreeRADIUS server:
    ./pkitool --server radius
  6. Generate a client certificate for our client:
    ./pkitool --client --pkcs12 omri

    You can leave the password empty. You’ll be asked for it when importing the key.
    The PKCS#12 format is supported on Android phones and on Windows machines; whether you need it depends on your supplicant.
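Before copying anything into the FreeRADIUS certs directory it is worth sanity-checking what easy-rsa produced: that the server and client certificates actually chain to ca.crt with the right purpose, that each key belongs to its certificate, and that nothing is about to expire. The POSIX shell script below is an added example (not from the original post, easy-rsa or FreeRADIUS); it assumes the file names used above, a 2048-bit minimum I chose, and includes a make_demo_pki function that builds a throwaway CA with plain openssl so it can be tried without easy-rsa. The cert_cn helper also prints the identity FreeRADIUS sees, which is what the accounting question in the comments below is about.

```sh
#!/bin/sh
# pki_check.sh: sanity checks for the easy-rsa keys/ directory before its files
# are copied into /etc/freeradius/certs. Added example, not part of the post,
# easy-rsa or FreeRADIUS. File names follow the post; needs only the openssl CLI.

# 0 if CERT chains to CA and is usable for PURPOSE (sslserver or sslclient): the
# check a supplicant applies to radius.crt and rlm_eap_tls to the client cert.
verify_purpose() {  # verify_purpose CA CERT PURPOSE
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# 0 if KEY is the private key for CERT (identical public keys).
key_matches_cert() {  # key_matches_cert CERT KEY
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl rsa -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if CERT is still valid DAYS days from now (default 30).
not_expiring() {  # not_expiring CERT [DAYS]
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
}

# RSA key size in bits of CERT (the post's vars file uses KEY_SIZE=1024).
cert_key_bits() {  # cert_key_bits CERT
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Common name of CERT: the identity FreeRADIUS authenticates for a client cert.
cert_cn() {  # cert_cn CERT
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

report() {  # report LABEL CMD [ARGS...]  -> prints ok/FAIL, returns CMD status
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

# Run every check on KEYS_DIR for client CLIENT; return the number of failures.
check_pki() {  # check_pki KEYS_DIR CLIENT
    d=$1; n=$2; f=0
    report "radius.crt chains to ca.crt as a server certificate" \
        verify_purpose "$d/ca.crt" "$d/radius.crt" sslserver || f=$((f + 1))
    report "$n.crt chains to ca.crt as a client certificate" \
        verify_purpose "$d/ca.crt" "$d/$n.crt" sslclient || f=$((f + 1))
    report "radius.key belongs to radius.crt" \
        key_matches_cert "$d/radius.crt" "$d/radius.key" || f=$((f + 1))
    report "$n.key belongs to $n.crt" \
        key_matches_cert "$d/$n.crt" "$d/$n.key" || f=$((f + 1))
    report "ca.crt valid for 30 more days" not_expiring "$d/ca.crt" || f=$((f + 1))
    report "radius.crt valid for 30 more days" not_expiring "$d/radius.crt" || f=$((f + 1))
    report "radius.crt key is at least 2048 bits (assumed floor)" \
        [ "$(cert_key_bits "$d/radius.crt")" -ge 2048 ] 2>/dev/null || f=$((f + 1))
    echo "client identity (CN) FreeRADIUS will see: $(cert_cn "$d/$n.crt")"
    return "$f"
}

# Throwaway PKI made with plain openssl: a constructed stand-in for easy-rsa's
# keys/ directory so the checks can be tried without running easy-rsa.
make_demo_pki() {  # make_demo_pki DIR
    d=$1; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    for pair in radius:serverAuth omri:clientAuth; do
        name=${pair%%:*}; eku=${pair#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1 || return 1
        printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$name.ext"
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 365 -extfile "$d/$name.ext" \
            -out "$d/$name.crt" >/dev/null 2>&1 || return 1
    done
}

# Usage: sh pki_check.sh "$EASY_RSA/keys" omri
if [ "$#" -eq 2 ]; then check_pki "$1" "$2"; fi
```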

Install the FreeRADIUS server and configure it

  1. Install the FreeRADIUS package (Debian):
    apt-get install freeradius
  2. Prepare the certificates:
    cd /etc/freeradius # this might differ on other distributions
    cd certs
    rm ca.pem server.key server.pem
    
    # copy the CA certificate, RADIUS certificate and RADIUS private key to the FreeRADIUS certs dir
    # the EASY_RSA environment variable is defined on easy-rsa vars file
    cp ${EASY_RSA}/keys/{ca.crt,radius.crt,radius.key} .
    
    chmod g+r radius.key
    
  3. Configure the RADIUS server – EAP.
    Edit /etc/freeradius/eap.conf with your favorite text editor.

    1. Change default_eap_type to “tls”
    2. Comment out (or delete) all the authentication methods sections except for tls (authentication method section looks like tls { … })
    3. Comment out “private_key_password” with #
    4. Change private_key_file to ${certdir}/radius.key
    5. Change certificate_file to ${certdir}/radius.crt
    6. Change CA_file to ${cadir}/ca.crt

    My eap.conf file (stripped out of comments):

    eap {
    	default_eap_type = tls
    	timer_expire     = 60
    	ignore_unknown_eap_types = no
    	cisco_accounting_username_bug = no
    	max_sessions = 4096
    	tls {
    		certdir = ${confdir}/certs
    		cadir = ${confdir}/certs
    		private_key_file = ${certdir}/radius.key
    		certificate_file = ${certdir}/radius.crt
    		CA_file = ${cadir}/ca.crt
    		dh_file = ${certdir}/dh
    		random_file = /dev/urandom
    		CA_path = ${cadir}
    		cipher_list = "DEFAULT"
    		make_cert_command = "${certdir}/bootstrap"
    		cache {
    		      enable = no
    		      lifetime = 24 # hours
    		      max_entries = 255
    		}
    		verify {
    		}
    	}
    }
    
  4. Check your setup – rad_eap_test:
    1. Open another terminal, terminate your freeradius and execute it in debug mode:
      /etc/init.d/freeradius stop
      freeradius -X
      
    2. Download, extract rad_eap_test + eapol_test:
      wget http://www.eduroam.cz/rad_eap_test/rad_eap_test-0.23.tar.bz2
      tar xvfj rad_eap_test-0.23.tar.bz2
      cd rad_eap_test-0.23
      mkdir bin
      wget -O bin/eapol_test http://www.eduroam.cz/rad_eap_test/eapol_test/eapol_test
      chmod u+x bin/eapol_test
      
    3. Execute rad_eap_test to check your setup:
      # the EASY_RSA environment variable is defined on easy-rsa vars file
      ./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 -u omri -m WPA-EAP -v -s omri -e TLS -M 00:00:00:00:00:00 -k ${EASY_RSA}/keys/omri.key -j ${EASY_RSA}/keys/omri.crt -a ${EASY_RSA}/keys/ca.crt
      
    4. Examine the output to make sure you got an access-accept reply (first line):
      access-accept; 0
      RADIUS message: code=2 (Access-Accept) identifier=6 length=166
      Attribute 26 (Vendor-Specific) length=58
      Value: 00 00 01 37 11 34 97 c2 b2 e1 ea cc 71 cf a0 84 fd 5e cc 26 de 54 1f 5f 52 96 8c 15 9a c1 6f 5d 72 b6 62 d4 02 b3 2f 59 03 cf bc 70 96 01 42 3f 58 bc 00 1e a0 09 f1 eb
      Attribute 26 (Vendor-Specific) length=58
      Value: 00 00 01 37 10 34 99 fd ee c1 10 eb c7 07 3e 5f 79 fc 18 ce e9 9e 77 83 81 8a 5e bd 14 a1 82 11 6e dc f5 04 c2 0c 84 59 f4 ad ef d6 45 f3 89 e0 97 f6 0a e0 fd 50 5e 44
      Attribute 79 (EAP-Message) length=6
      Value: 03 06 00 04
      Attribute 80 (Message-Authenticator) length=18
      Value: 7f f6 68 b5 1f f2 97 fb 04 ff 3e 51 f0 f0 bd e4
      Attribute 1 (User-Name) length=6
      Value: 'omri'
      

      If something went wrong and you got an “access-reject” reply, make sure you ran the command correctly. You can also check the other terminal’s freeradius -X command.
      If you still don’t figure it out, paste the output here as a comment and I’ll do my best to help you.

    5. Terminate the “freeradius -X” instance, run it with init.d again:
      killall freeradius # control+c on the other terminal will also do the trick
      /etc/init.d/freeradius start
      
  5. Configuring a RADIUS client (the access point).
    In the previous step we checked authentication from localhost. If you take a look at /etc/freeradius/clients.conf (the file that lists the clients/NAS allowed to authenticate against this RADIUS server), you’ll see that it is pre-configured for localhost with the “testing123” shared secret:

    client localhost {
            ipaddr = 127.0.0.1
            secret          = testing123
            require_message_authenticator = no
            nastype     = other     # localhost isn't usually a NAS...
    }
    

    We will be creating another NAS entry for our access point. For example, say our access point IP address is 10.0.0.1, we’ll have the following configured:

    client accesspoint {
            ipaddr = 10.0.0.1
            secret = prettygoodsharedsecret
            nastype = other
    }
    

    Don’t forget to restart FreeRADIUS (/etc/init.d/freeradius restart will do the trick) after the change.

  6. Configure your access point:
    This step varies between access points. You’ll have to find where you configure WPA1/2-Enterprise on yours. It’s usually in the same place where you define the pre-shared key for your SSID.
    On some access points this is called RADIUS authentication.
    Configure it with the IP address of your FreeRADIUS server and the shared secret we’ve just configured in clients.conf.
  7. Install the certificate on the client:
    On Windows, you just double-click the .p12 file and it is imported automatically into the Windows certificate store. On Android, you’ll have to put the .p12 file on the SD card and import the certificate (on Android 2.3.x it’s in the settings menu under “Location & security”, “Credential storage”, “Install from SD card”).

Hope this post was useful for you,
Omri.

13 Responses to Securing your WiFi – WPA2-Enterprise with EAP-TLS made easy with Open Source tools

  1. Eduardo Braga says:

    Thanks for the tutorial!

  2. Matt says:

    I am trying to set this up using CentOS 6.3. The step where you have to generate a client for the certificate is different and I’m trying to figure out what command I should. Thanks.

    • omribahumi says:

      Could you provide some more details please?
      What’s in your vars file? What are the exact commands you were running?
      Paste the output and I’ll do my best to help you.

      – Omri

      • Matt says:

        Creating a certificate is the least of my worries, I can’t even start the radius service anymore.

        This is the log file in /var/log/radius

        rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
        rlm_eap_tls: Error reading private key file /etc/raddb/certs/radius.key
        rlm_eap: Failed to initialize type tls
        /etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
        /etc/raddb/sites-enabled/default[310]: Failed to load module “eap”.
        /etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.
        Tue Feb 5 06:54:48 2013 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
        Tue Feb 5 06:54:48 2013 : Error: rlm_eap_tls: Error reading private key file /etc/raddb/certs/radius.key
        Tue Feb 5 06:54:48 2013 : Error: rlm_eap: Failed to initialize type tls
        Tue Feb 5 06:54:48 2013 : Error: /etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
        Tue Feb 5 06:54:48 2013 : Error: /etc/raddb/sites-enabled/default[310]: Failed to load module “eap”.
        Tue Feb 5 06:54:48 2013 : Error: /etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.
        Tue Feb 5 06:54:48 2013 : Error: Failed to load virtual server

      • omribahumi says:

        Tue Feb 5 06:55:36 2013 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
        Tue Feb 5 06:55:36 2013 : Error: rlm_eap_tls: Error reading private key file /etc/raddb/certs/radius.key

        Read the error message, you have filesystem permission issues…
        Execute “chown -R freerad:freerad /etc/raddb/certs”
        Note that the “freerad” username and group are Debian specific, it might be different in your distribution.

        I suggest you check who’s the owner of /etc/raddb (by running “ls -ld /etc/raddb”) and change to that.

  3. monnef says:

    Hello,

    I followed your tutorial to the point when it’s being tested. I have (probably) problem with certificates (but generation went ok, all certificate files were created).

    command used to test:
    ./rad_eap_test -H 127.0.0.1 -P 1812 -S testing123 -u moen-mobil -m WPA-EAP -v -e TLS -M 00:00:00:00:00:00 -k ${EASY_RSA}/keys/moen-mobil.key -j ${EASY_RSA}/keys/moen-mobil.crt -a ${EASY_RSA}/keys/ca.crt -s moen-mobil
    returns:
    access-reject; 1

    —————————————————————-
    [tls] Done initial handshake
    [tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
    TLS Alert read:fatal:decrypt error
    TLS_accept: failed in SSLv3 read client certificate A
    rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
    SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    TLS receive handshake failed during operation
    [tls] eaptls_process returned 4
    [eap] Handler failed in EAP/tls
    [eap] Failed in EAP select
    —————————————————————-

    I'm running it on debian squeeze, full log is there – http://pastebin.com/9ZW8c6GS.

    • omribahumi says:

      What’s the output of these two commands:
      openssl verify -verbose -CAfile /etc/freeradius/certs/ca.crt -purpose sslserver /etc/freeradius/certs/radius.crt
      openssl verify -verbose -CAfile /etc/freeradius/certs/ca.crt -purpose sslclient ${EASY_RSA}/keys/moen-mobil.crt

      Also, what’s the “openssl version” output? see this thread: http://forums.freebsd.org/showthread.php?t=29675

      • monnef says:

        root@server:~# openssl verify -verbose -CAfile /etc/freeradius/certs/ca.crt -purpose sslserver /etc/freeradius/certs/radius.crt
        /etc/freeradius/certs/radius.crt: OK

        root@server:~# openssl verify -verbose -CAfile /etc/freeradius/certs/ca.crt -purpose sslclient ${EASY_RSA}/keys/moen-mobil.crt
        /**long path to easy-rsa**/keys/moen-mobil.crt: OK

        root@server:~# openssl version
        OpenSSL 0.9.8o 01 Jun 2010

        root@server:~# freeradius -v
        freeradius: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Sep 11 2012 at 17:39:04

        How can I find out against which version of openssl it is compiled? (freeradius and openssl are installed from debian’s repo)

        Thank you for your time 🙂

      • omribahumi says:

        I would like to take a deeper look at it, please send me an email and we’ll go on from there. omri __dot il __at gmail dot com

      • monnef says:

        I just ignored the test (and after some adventures with converting certificates to android-friendly format) and setting up the hostapd daemon – It works 😀 (with same certificates and failing test). Thanks for the guide :).

  4. Would you please give some more clarification please? I have followed your tutorial but have some additional questions. So what happened to username and password now? OK, Radius authenticates users (or computers, depending where the certificate has been stored and what kind of 802.1x authorization has been used). But how do I do some accounting? I would like to be able to use username and password also. Is this possible using EAP-TLS? It would be easy to just use single client certificate (with private key not exportable) and username/password. The idea is to use password inside the EAP-TLS tunnel. If the username/password pair is not matched, the Access-Reject would be issued. What do you think?

    • omribahumi says:

      You are mixing EAP-TTLS with EAP-TLS. The former tunnels other authentication mechanisms inside a TLS tunnel (hence the name TTLS).
      The EAP-TLS method (the one this post is about) relies solely on certificates. Both ends (the authenticator and the supplicant) authenticate each other with the certificate.

      Do some reading about CAs and TLS/SSL. Keep in mind that the common SSL installations do not implement client authentication, but only server (EAP-TTLS as way IIRC).

      As for your accounting question: each client is allocated a unique client certificate, with a certain CN (common name). My guess is you can get this common name inside the accounting packets, although it might be implemented differently on different APs.

      What I would also recommend as further reading is CRL (certificate revocation list)

      Good luck.

  5. tarun says:

    Do you have any suggestions for distributing the certificates to say 100/1000 users?
