topic Re: Linux EAP-TLS Authentication in Network Access Control

Linux EAP-TLS Authentication

paul — Mon, 13 Jul 2020 16:49:27 GMT

All,

I am trying to get EAP-TLS working on an Ubuntu Linux machine. The system is controlled by Centrify and Centrify has pushed out a certificate, private key and chain file to the machine. I am attempting to use the wpa_supplicant with the following configuration:

When we run the following command:

sudo -i wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eno1

We see the following sequence of messages repeated. I am trying to validate that the private key doesn't have a password. I am also going to try with key_mgmt set to WPA-EAP. I can see the request come into ISE but ISE is recording the client is rejecting the authentication protocol which maybe the WPA-EAP will fix. Has anyone gotten wpa_supplicant to work correctly?

Successfully initialized wpa_supplicant
eno1: Associated with 01:80:c2:00:00:03
WMM AC: Missing IEs
eno1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
eno1: CTRL-EVENT-EAP-STARTED EAP authentication started
eno1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: pending error: error:0B06F00D:x509 certificate routines:X509_load_cert_file:ASN1 lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
eno1: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
eno1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
eno1: CTRL-EVENT-EAP-STARTED EAP authentication started
eno1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: pending error: error:0B06F00D:x509 certificate routines:X509_load_cert_file:ASN1 lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.

Re: Linux EAP-TLS Authentication

Greg Gibbs — Tue, 14 Jul 2020 00:36:13 GMT

I have successfully setup an Ubuntu machine to use EAP-TLS, but only from the x-windows UI. The UI requires you to specify the password used for the private key, so I suspect this is not optional. The procedure I used to set this up:

Used openssl to generate the private key and CSR; specified the optional password
Signed the CSR using my Windows ADCS and saved both the DER-formatted identity and Root CA certs to my ubuntu machine
Opened the Network tool (I believe provided by the NetworkManager package) and configured the required settings

Re: Linux EAP-TLS Authentication

fernando.aguiar — Fri, 29 Mar 2024 18:16:16 GMT

Hi Greg.

Could you share the process to generate the user certificate and private key on linux?

Here is my configuration, but I think I did something wrong during the process to generate the user certificate and key.

Could you please clarify the steps?

Thanks

Re: Linux EAP-TLS Authentication

Greg Gibbs — Mon, 01 Apr 2024 23:33:24 GMT

I used openssl to create an RSA key and CSR using a similar process as the following document. You need to ensure that you define a passphrase for private key.

https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/

Re: Linux EAP-TLS Authentication

amoon — Tue, 16 Sep 2025 11:52:25 GMT

Hi Greg,

We have around 2,000 Ubuntu machines, and we're working on enrolling user certificates across all of them. However, despite our efforts over the past few weeks, the certificates are still not enrolling successfully.

Do you have any documentation or recommendations for configuring this at scale? Any guidance would be greatly appreciated.

Thank you!

Re: Linux EAP-TLS Authentication

Greg Gibbs — Tue, 16 Sep 2025 23:01:29 GMT

I'm not aware of any tool or documentation with specific examples on how you would accomplish this. If it's possible, it would likely involve Ansible, but I'm not sure if there are Ansible modules for all operations such as enrolling the certificates and configuring the Ubuntu supplicant.

Re: Linux EAP-TLS Authentication

amoon — Sat, 27 Sep 2025 09:59:45 GMT

Hi greg i tried your method with document you have provided but when i signed CSR from my enterprise CA and try to connect its giving logs of administrator and not the current logged-in user

Re: Linux EAP-TLS Authentication

Greg Gibbs — Wed, 01 Oct 2025 22:56:26 GMT

That sounds like an issue on the CA where the certificate template is using the admin account used to sign the certificate as the identity instead of using the values you're defining in the CSR. You would need to look at the certificate template settings and potentially create a new template for this usage.