[Chilli] 802.1X - EAP/TLS Authentication using coova as Radius proxy [SOLVED]
HOUSSENBAY Adnane-Olivier
houssenbay at et.esiea.fr
Tue Sep 9 14:33:13 UTC 2014
Hi everyone,
I solved the EAP-TLS authentication issue.
The length of packets sent by wpa_supplicant was too big (1408 bytes).
Indeed, when the radius client encapsulates the EAP message in a radius packet (Access-Request), the total length of the radius packet was greater than 1500 bytes.
Thus coovaChilli dropped these packets.
To fix that, I just configured my supplicant to make fragments of 1024 bytes.
Here is my configuration of wpa_supplicant, maybe it can be useful to somebody:
# EAP-TLS wired authentication
network={
    eapol_flags=0
    key_mgmt=WPA-EAP
    eap=TLS
    identity="yourID"
    ca_cert="path/to/ca_certificate"
    client_cert="path/to/client_certificate"
    private_key="path/to/client_private_key"
    private_key_passwd="yourPassword"
    # keep EAP fragments small enough that the RADIUS packet stays under 1500 bytes
    fragment_size=1024
}
Finally, I would like to thank the coovaChilli developers for their work. It's a great project and for me the best network access controller.
Best regards,
Olivier
ALCASAR <http://www.alcasar.net/en> project member
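The size arithmetic behind the fix, as an added example that is not from the list post or from the CoovaChilli project: it builds the Access-Request that a NAS or RADIUS proxy would emit for one EAP-TLS fragment and checks whether the resulting IPv4/UDP datagram still fits a 1500-byte Ethernet MTU. The NAS attributes, the shared secret and the fragment layout are constructed assumptions; with them a 1408-byte EAP fragment overshoots the MTU and a 1024-byte one does not.

```python
import hashlib
import hmac
import struct

RADIUS_HDR_LEN = 20        # Code, Identifier, Length, Request Authenticator
MAX_ATTR_VALUE = 253       # RFC 2865: attribute Length (incl. 2-byte header) <= 255
IP_UDP_OVERHEAD = 20 + 8   # IPv4 + UDP headers added on the wire
ETHERNET_MTU = 1500
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_NAS_PORT, ATTR_STATE = 1, 4, 5, 24
ATTR_CALLING_STATION, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 31, 79, 80

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV; the value must fit the 8-bit Length field."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_message_attrs(eap_packet: bytes) -> bytes:
    """RFC 3579: the EAP packet is split over consecutive EAP-Message attributes
    of at most 253 bytes, so every 253 bytes of EAP cost 2 bytes of header."""
    return b"".join(radius_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))

def eap_tls_fragment(eap_id: int, eap_len: int, tls_total: int = 4096) -> bytes:
    """Constructed EAP-TLS Response (Type 13) of exactly eap_len bytes with the
    L and M flags set, shaped like the first fragment carrying the client cert."""
    hdr = struct.pack("!BBHBBI", 2, eap_id, eap_len, 13, 0xC0, tls_total)
    return hdr + b"\x00" * (eap_len - len(hdr))

def nas_attrs() -> bytes:
    """Constructed NAS attributes of the kind that travel with the EAP payload."""
    return (radius_attr(ATTR_USER_NAME, b"yourID")
            + radius_attr(ATTR_NAS_IP, bytes([192, 0, 2, 1]))
            + radius_attr(ATTR_NAS_PORT, struct.pack("!I", 7))
            + radius_attr(ATTR_CALLING_STATION, b"00-11-22-33-44-55")
            + radius_attr(ATTR_STATE, b"\x5a" * 16))

def build_access_request(eap_packet: bytes, attrs: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Access-Request as a NAS or RADIUS proxy emits it; Message-Authenticator is
    HMAC-MD5 over the packet with that attribute zeroed (RFC 3579 section 3.2)."""
    body = attrs + eap_message_attrs(eap_packet) + radius_attr(ATTR_MESSAGE_AUTH, b"\x00" * 16)
    req_auth = b"\x11" * 16   # constructed; a real NAS sends a random authenticator
    pkt = struct.pack("!BBH", 1, ident, RADIUS_HDR_LEN + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def check_fragment_size(fragment_size: int, secret: bytes = b"constructed-secret") -> tuple:
    """(RADIUS length, on-wire length, fits a 1500-byte MTU) for one EAP fragment size."""
    pkt = build_access_request(eap_tls_fragment(1, fragment_size), nas_attrs(), secret)
    wire_len = IP_UDP_OVERHEAD + len(pkt)
    return len(pkt), wire_len, wire_len <= ETHERNET_MTU
```

check_fragment_size(1408) returns (1515, 1543, False) and check_fragment_size(1024) returns (1129, 1157, True); the exact figures move with the attribute set a given NAS adds, but the 253-byte EAP-Message split and the 28-byte IP/UDP overhead are fixed costs.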
________________________________
From: HOUSSENBAY Adnane-Olivier
Sent: Thursday, 4 September 2014 19:31
To: chilli at coova.org
Subject: 802.1X - EAP/TLS Authentication using coova as Radius proxy
Dear CoovaChilli users,
I'm trying to do 802.1X (wired and wireless with WPA) authentication using the EAP-TLS method, which involves mutual authentication with certificates (both client and server sides).
I already succeeded with 802.1X EAP-PEAP authentication, but I'm having trouble with EAP-TLS.
I configured chilli as proxy radius with the parameters below:
--proxylisten
--proxyport
--proxyclient
--proxysecret
Here is my authentication chain:
Supplicant wpa_supplicant <-> switch Alcatel <-> coovachilli <-> freeradius server
So, the dialog between the supplicant and freeradius goes well until
freeradius asks for the client certificate. At this moment the switch interrupts
the authentication process. (I got the same with wireless authentication using an
Alcatel OmniAccess AP.)
I checked with Wireshark the frames between freeradius <-> coova <-> switch:
the radius packet from freeradius (Access-Challenge) containing the certificate request is forwarded to
the switch properly.
Frames between supplicant <-> switch:
When the client certificate is requested, the supplicant sends the first EAP fragment, which contains
the client certificate, but it's "dropped" by the switch and it displays "Radius server not reachable".
To summarize the situation, here is the radius packet exchange:
switch <-----------------------------------> freeradius
--------> Access-Request: identity
<-------- Access-Challenge: Start TLS
--------> Access-Request: Client Hello
<-------- Access-Challenge: Server Hello, Certificate Request
And then nothing happens :(
Please help me if anyone has a suggestion or explanation about this strange behaviour.
Thanks for all the replies, all the best.
Olivier