[Chilli] 802.1X - EAP/TLS Authentication using coova as Radius proxy [SOLVED]

HOUSSENBAY Adnane-Olivier houssenbay at et.esiea.fr
Tue Sep 9 14:33:13 UTC 2014

Hi everyone,

I solved the EAP-TLS authentication issue.

The length of packets sent by wpa_supplicant was too big (1408 bytes).

Indeed, when the RADIUS client encapsulates the EAP message in a RADIUS packet (Access-Request), the total length of the RADIUS packet was greater than 1500 bytes.

Thus coovaChilli dropped these packets.

To fix that, I just configured my supplicant to send fragments of 1024 bytes.

Here is my configuration of wpa_supplicant, maybe it can be useful to somebody:
# EAP-TLS wired authentication











Finally, I would like to thank the CoovaChilli developers for their work. It's a great project and for me the best network access controller.

Best regards,

ALCASAR <http://www.alcasar.net/en> project member
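The size arithmetic behind the fix above, as an added example that is not part of the original mail: it encodes a constructed Access-Request the way a NAS or proxy wraps one EAP fragment into EAP-Message attributes (at most 253 bytes of value each), then checks whether the datagram still fits in a 1500-byte Ethernet frame. The User-Name, MAC address and State values are illustrative assumptions, not taken from the ALCASAR setup.

```python
import os
import struct

RADIUS_HEADER_LEN = 20       # code(1) + id(1) + length(2) + authenticator(16)
MAX_ATTR_VALUE_LEN = 253     # one-byte attribute length (max 255) minus the 2-byte TLV header
ETHERNET_MTU = 1500
IP_UDP_OVERHEAD = 20 + 8     # IPv4 + UDP headers carried inside the frame payload

# Attribute type codes from RFC 2865 / RFC 2869 / RFC 3579.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, STATE = 1, 4, 5, 24
CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 79, 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV attribute: type(1) length(1) value."""
    if len(value) > MAX_ATTR_VALUE_LEN:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_message_attrs(eap_fragment: bytes) -> bytes:
    """Split one EAP packet over as many EAP-Message attributes as needed (RFC 3579)."""
    return b"".join(attr(EAP_MESSAGE, eap_fragment[i:i + MAX_ATTR_VALUE_LEN])
                    for i in range(0, len(eap_fragment), MAX_ATTR_VALUE_LEN))


def build_access_request(eap_fragment: bytes, user: str = "user@example.com",
                         mac: str = "00-11-22-33-44-55", state: bytes = bytes(16)) -> bytes:
    """Constructed Access-Request as a NAS/proxy would send it (attribute values are illustrative)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))
             + attr(NAS_PORT, struct.pack("!I", 1))
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(STATE, state)
             + eap_message_attrs(eap_fragment)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder; real HMAC-MD5 computed last
    length = RADIUS_HEADER_LEN + len(attrs)
    header = struct.pack("!BBH", 1, 0, length) + os.urandom(16)  # code 1 = Access-Request
    return header + attrs


def fits_on_wire(packet: bytes) -> bool:
    """True if the RADIUS datagram fits an unfragmented 1500-byte Ethernet frame."""
    return len(packet) + IP_UDP_OVERHEAD <= ETHERNET_MTU


if __name__ == "__main__":
    for frag_len in (1408, 1024):   # the original and the corrected supplicant fragment size
        pkt = build_access_request(bytes(frag_len))
        print(f"EAP fragment {frag_len} B -> RADIUS {len(pkt)} B, fits: {fits_on_wire(pkt)}")
```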

From: HOUSSENBAY Adnane-Olivier
Sent: Thursday, 4 September 2014 19:31
To: chilli at coova.org
Subject: 802.1X - EAP/TLS Authentication using coova as Radius proxy

Dear CoovaChilli users,

I'm trying to do 802.1X authentication (wired, and wireless with WPA) using the EAP-TLS method, which involves mutual authentication with certificates (both client and server sides).

I already succeeded with 802.1X EAP-PEAP authentication, but I'm having trouble with EAP-TLS.

I configured chilli as a RADIUS proxy with the parameters below:





Here is my authentication chain link:

Supplicant wpa_supplicant <-> switch Alcatel <-> coovachilli <-> freeradius server

So, the dialog between the supplicant and freeradius goes well until freeradius asks for the client certificate. At this moment the switch interrupts the authentication process. (I got the same with wireless authentication using an Alcatel OmniAccess AP.)

I checked with Wireshark the frames between freeradius <-> coova <-> switch: the RADIUS packet from freeradius (Access-Challenge) containing the certificate request is forwarded to the switch properly.

Frames between supplicant <-> switch: when the client certificate is requested, the supplicant sends the first EAP fragment, which contains the client certificate, but it's "dropped" by the switch and it displays "Radius server not reachable".

To summarize the situation, here is the RADIUS packet exchange:

switch <-----------------------------------> freeradius

--------> Access-Request: identity

<-------- Access-Challenge: Start TLS

--------> Access-Request: Client Hello

<-------- Access-Challenge: Server Hello, Certificate Request

And then nothing happens :(

Please help me if anyone has a suggestion or explanation about this strange behaviour.

Thanks for all the replies, all the best.

