[Chilli] 802.1X - EAP/TLS Authentication using coova as Radius proxy

HOUSSENBAY Adnane-Olivier houssenbay at et.esiea.fr
Thu Sep 4 17:31:11 UTC 2014

Dear CoovaChilli users,

I'm trying to do 802.1X (wired and wireless with WPA) authentication using the EAP-TLS method, which involves mutual authentication with certificates (both sides, client/server).

I already succeeded with 802.1X EAP-PEAP authentication, but I'm having trouble with EAP-TLS.

I configured chilli as a RADIUS proxy with the parameters below:





Here is my authentication chain link:

Supplicant wpa_supplicant <-> switch Alcatel <-> coovachilli <-> freeradius server

So, the dialog between the supplicant and freeradius goes well until freeradius asks for the client certificate. At this moment the switch interrupts the authentication process. (I got the same with wireless authentication using an Alcatel OmniAccess AP.)

I checked with Wireshark the frames between freeradius <-> coova <-> switch: the RADIUS packet from freeradius (Access-Challenge) containing the certificate request is forwarded to the switch properly.

Frames between supplicant <-> switch:

When the client certificate is requested, the supplicant sends the first EAP fragment, which contains the client certificate, but it's "dropped" by the switch and it displays "Radius server not reachable".

To summarize the situation, here is the RADIUS packet exchange:

switch <-----------------------------------> freeradius
--------> Access-Request: identity
<-------- Access-Challenge : Start TLS
--------> Access-Request: Client Hello
<-------- Access-Challenge : Server Hello, Certificate Request

And then nothing happens :(

Please help me if anyone has a suggestion or explanation about this strange behaviour.

Thanks for all the replies, all the best.
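
For reading a capture like the one described above, here is an added example (not part of the original post, and not CoovaChilli or freeradius code) that decodes the EAP-TLS flags defined in RFC 5216 to tell apart a first fragment, a continuation, the last fragment and the empty fragment ACK that must come back before the next fragment is sent. The 3000-byte flight, the 1300-byte fragment size and the identifiers are constructed values.

```python
import struct

EAP_TYPE_TLS = 13                          # EAP-TLS method type (RFC 5216)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start

def parse_eap_tls(pkt: bytes) -> dict:
    """Decode one EAP packet; classify it if it carries EAP-TLS."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("EAP Length does not match the captured bytes")
    out = {"code": code, "id": ident, "kind": "not EAP-TLS"}
    if code not in (1, 2) or length < 6 or pkt[4] != EAP_TYPE_TLS:
        return out
    flags, off, total = pkt[5], 6, None
    if flags & FLAG_L:                     # 4-byte total TLS message length follows
        if length < 10:
            raise ValueError("L flag set but length field missing")
        total, off = struct.unpack("!I", pkt[6:10])[0], 10
    data_len = length - off
    if flags & FLAG_S:
        kind = "start"
    elif flags & FLAG_M:
        kind = "fragment, more to follow"
    elif data_len == 0:
        kind = "fragment ACK"
    else:
        kind = "last or only fragment"
    out.update(kind=kind, tls_total=total, data_len=data_len)
    return out

def fragment(tls_msg: bytes, ident: int, size: int) -> list:
    """Split one TLS flight into EAP-Response/EAP-TLS packets, as a peer would."""
    chunks = [tls_msg[i:i + size] for i in range(0, len(tls_msg), size)]
    pkts = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_M if n < len(chunks) - 1 else 0
        body = bytes([EAP_TYPE_TLS])
        if n == 0 and len(chunks) > 1:     # first fragment announces the total length
            flags |= FLAG_L
            body += bytes([flags]) + struct.pack("!I", len(tls_msg))
        else:
            body += bytes([flags])
        body += chunk
        pkts.append(struct.pack("!BBH", 2, (ident + n) % 256, 4 + len(body)) + body)
    return pkts

# Constructed input: 3000 placeholder bytes standing in for the client's
# certificate flight; ACK is the server's empty EAP-Request/EAP-TLS.
FRAGS = fragment(bytes(3000), ident=5, size=1300)
ACK = struct.pack("!BBHBB", 1, 6, 6, EAP_TYPE_TLS, 0)
```

Feeding the EAP payloads from each side of the switch through `parse_eap_tls` shows which fragment or ACK is the last one seen on that side.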

