VIP Advocate

Linux EAP-TLS Authentication

All,

I am trying to get EAP-TLS working on an Ubuntu Linux machine. The system is controlled by Centrify, and Centrify has pushed out a certificate, private key and chain file to the machine. I am attempting to use wpa_supplicant with the following configuration:

[image: Capture.JPG.png (wpa_supplicant configuration screenshot)]

When we run the following command:

sudo -i wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eno1

We see the following sequence of messages repeated. I am trying to validate that the private key doesn't have a password. I am also going to try with key_mgmt set to WPA-EAP. I can see the request come into ISE, but ISE is recording that the client is rejecting the authentication protocol, which maybe WPA-EAP will fix. Has anyone gotten wpa_supplicant to work correctly?

Successfully initialized wpa_supplicant
eno1: Associated with 01:80:c2:00:00:03
WMM AC: Missing IEs
eno1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
eno1: CTRL-EVENT-EAP-STARTED EAP authentication started
eno1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: pending error: error:0B06F00D:x509 certificate routines:X509_load_cert_file:ASN1 lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
eno1: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
eno1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
eno1: CTRL-EVENT-EAP-STARTED EAP authentication started
eno1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: pending error: error:0B06F00D:x509 certificate routines:X509_load_cert_file:ASN1 lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
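The two OpenSSL lines in the log above show the order in which wpa_supplicant loads ca_cert: it first hands the file to OpenSSL as PEM ("no certificate or crl found" means no `-----BEGIN CERTIFICATE-----` block was found in it), then retries the same file as DER ("wrong tag" means the bytes did not parse as a DER certificate). Whatever file ca_cert points at is therefore in neither form. The script below is an added example, not code from the post or from wpa_supplicant: it classifies each of the three EAP-TLS input files with standard shell tools only, and also answers the poster's question of whether the private key is password-protected. All file names in it are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. It classifies each input file
# the way wpa_supplicant's OpenSSL back end tries to load ca_cert: PEM markers
# first, then a DER attempt. A DER certificate starts with the ASN.1 SEQUENCE
# tag 0x30, but so do PKCS#7 and PKCS#12 bundles, which the ca_cert loader does
# not accept; "der" below therefore means "starts like DER" and should be
# confirmed with:  openssl x509 -inform DER -noout -in FILE
# All file names are constructed placeholders.

# Print one token: pem-cert:<count>, pem-key, pem-encrypted-key, pem-other,
# der, unknown or unreadable. A PEM file holding both a key and certificates
# is reported as a key; keep ca_cert and private_key in separate files.
cert_file_kind() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    if grep -q -- '-----BEGIN ' "$f"; then
        if grep -q -- 'BEGIN ENCRYPTED PRIVATE KEY' "$f" \
           || grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "pem-encrypted-key"         # needs private_key_passwd
        elif grep -qE -- 'BEGIN (RSA |EC )?PRIVATE KEY' "$f"; then
            echo "pem-key"                   # unencrypted PEM key
        elif grep -q -- 'BEGIN CERTIFICATE-----' "$f"; then
            echo "pem-cert:$(grep -c -- 'BEGIN CERTIFICATE-----' "$f")"
        else
            echo "pem-other"                 # e.g. PKCS7 bundle, CRL, CSR
        fi
        return 0
    fi
    if [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        echo "der"
    else
        echo "unknown"
    fi
}

# Check the three wpa_supplicant EAP-TLS inputs. ca_cert and client_cert must be
# PEM CERTIFICATE block(s) or a single DER certificate; private_key decides
# whether private_key_passwd is needed at all. Returns 1 if anything is unloadable.
check_eap_tls_files() {
    ca="$1"; cert="$2"; key="$3"; rc=0
    ca_kind=$(cert_file_kind "$ca")
    case "$ca_kind" in
        pem-cert:*|der) echo "ca_cert: ok ($ca_kind)" ;;
        *) echo "ca_cert: NOT loadable ($ca_kind); PEM then DER load will both fail"; rc=1 ;;
    esac
    cert_kind=$(cert_file_kind "$cert")
    case "$cert_kind" in
        pem-cert:*|der) echo "client_cert: ok ($cert_kind)" ;;
        *) echo "client_cert: NOT loadable ($cert_kind)"; rc=1 ;;
    esac
    key_kind=$(cert_file_kind "$key")
    case "$key_kind" in
        pem-encrypted-key) echo "private_key: encrypted; set private_key_passwd" ;;
        pem-key|der) echo "private_key: unencrypted ($key_kind); no private_key_passwd needed" ;;
        *) echo "private_key: NOT loadable ($key_kind)"; rc=1 ;;
    esac
    return $rc
}

# Usage with the paths from your wpa_supplicant.conf (constructed placeholders):
# check_eap_tls_files /etc/ssl/private/chain.pem /etc/ssl/private/client.pem /etc/ssl/private/client.key
```

Run it as the same user that starts wpa_supplicant (root in the command above), since "unreadable" for a key file that root can read but you cannot is a different problem from a wrongly formatted file.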

1 Reply

Cisco Employee

I have successfully set up an Ubuntu machine to use EAP-TLS, but only from the X Windows UI. The UI requires you to specify the password used for the private key, so I suspect this is not optional. The procedure I used to set this up:

  • Used openssl to generate the private key and CSR; specified the optional password
  • Signed the CSR using my Windows ADCS and saved both the DER-formatted identity and Root CA certs to my ubuntu machine
  • Opened the Network tool (I believe provided by the NetworkManager package) and configured the required settings

[image: Screen Shot 2020-07-14 at 10.21.43 am.png (Network tool 802.1X settings screenshot)]
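The reply's procedure, as an added shell example that is not the reply author's code: generate the key and CSR with openssl (passphrase optional), convert the DER certificates ADCS hands back to PEM, verify the chain and the key/certificate match with openssl before wpa_supplicant ever sees them, and emit the wired wpa_supplicant network block equivalent to the NetworkManager settings, for the command line used in the question. Subject, identity, paths and passphrase are constructed placeholders. Two facts from wpa_supplicant's own configuration reference apply here: private_key_passwd is only needed when the key file is encrypted, and on a wired interface key_mgmt is IEEE8021X rather than WPA-EAP.

```shell
#!/bin/sh
# Added example, not from the original thread: the reply's openssl/ADCS steps
# adapted for wpa_supplicant on a wired interface. Subject, identity, paths and
# the passphrase are constructed placeholders.

# Step 1: private key and CSR. A non-empty passphrase encrypts the key (PKCS#8,
# AES-256-CBC); an empty one leaves it unencrypted.
make_key_and_csr() {
    key="$1"; csr="$2"; subject="$3"; passphrase="$4"
    if [ -n "$passphrase" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes-256-cbc -pass "pass:$passphrase" -out "$key"
        openssl req -new -key "$key" -passin "pass:$passphrase" \
            -subj "$subject" -out "$csr"
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key"
        openssl req -new -key "$key" -subj "$subject" -out "$csr"
    fi
    chmod 600 "$key"
}

# Step 2: ADCS returns DER (.cer) files. wpa_supplicant reads DER as well, but
# PEM lets the same files be checked with openssl verify below.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Step 3: prove the chain and the key pair are right before blaming wpa_supplicant:
# the client cert must chain to ca_cert and its public key must match private_key.
verify_identity() {
    ca="$1"; cert="$2"; key="$3"; passphrase="$4"
    openssl verify -CAfile "$ca" "$cert" || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    if [ -n "$passphrase" ]; then
        key_pub=$(openssl pkey -pubout -in "$key" -passin "pass:$passphrase")
    else
        key_pub=$(openssl pkey -pubout -in "$key")
    fi
    [ "$cert_pub" = "$key_pub" ] || { echo "client_cert does not match private_key" >&2; return 1; }
    echo "chain and key pair verified"
}

# Step 4: the wired equivalent of the reply's NetworkManager settings.
# private_key_passwd is emitted only when the key is encrypted.
write_wired_eap_tls_conf() {
    ca="$1"; cert="$2"; key="$3"; identity="$4"; passphrase="$5"
    printf 'ctrl_interface=/var/run/wpa_supplicant\n'
    printf 'ap_scan=0\n'                    # wired: nothing to scan
    printf 'network={\n'
    printf '    key_mgmt=IEEE8021X\n'       # wired 802.1X; WPA-EAP is for WPA networks
    printf '    eap=TLS\n'
    printf '    identity="%s"\n' "$identity"
    printf '    ca_cert="%s"\n' "$ca"
    printf '    client_cert="%s"\n' "$cert"
    printf '    private_key="%s"\n' "$key"
    if [ -n "$passphrase" ]; then
        printf '    private_key_passwd="%s"\n' "$passphrase"
    fi
    printf '    eapol_flags=0\n'            # no EAPOL-Key frames on wired
    printf '}\n'
}

# Usage (as root), then: wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eno1
# write_wired_eap_tls_conf /etc/ssl/private/ca.pem /etc/ssl/private/client.pem \
#     /etc/ssl/private/client.key "host/ubuntu.example.com" "s3cret" \
#     > /etc/wpa_supplicant.conf && chmod 600 /etc/wpa_supplicant.conf
```

The config file carries the key passphrase in clear text, which is why the usage line restricts it to root with chmod 600; the same applies to the private key file itself.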