[HowTO] WPA2 Enterprise EAP-TTLS,PAP

[sinshiva]

Wait, what do you mean ? The Intel driver also works for broadcom devices, etc its just universal created by intel.
I'm using it for an packerd bell tk81 (windows 7) which has an broadcom bcm43227.

my 5ghz card is a linksys wusb600n

Go to a wired PC run the radius server in debug mode -XX reconnect check,post log.

http://pastebin.com/29d11MxW

the first two attempts that are host/passionfruit i assume we're automatic attempts and the user=anonymous is the attempt where i actually input the user/pass

the server is running on an n66w in AP mode, .2

[edit1] i disabled the anonymous mode and i get the correct username in the logs, like when my phone authenticates, but still no go.

http://pastebin.com/8yduXWhC [/edit1]

[edit2/] lots of this in the radius log file;

Sat Aug  9 12:13:41 2014 : Error: TLS Alert write:fatal:handshake failure
Sat Aug  9 12:13:41 2014 : Error:     TLS_accept: error in SSLv3 read client hello C
Sat Aug  9 12:13:41 2014 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sat Aug  9 12:13:41 2014 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.

Perhaps it would be better to use TLS-DHE instead of ECDHE ?

 

[krabs]

What is the expected output? I am prompted for import password, displays CERTIFICATE. Then prompted for PEM pass phrase and it displays ENCRYPTED PRIVATE KEY.

Well this should be good.
You can use the -nodes option to compare the .p12 privatekey with the privatekey file (ec-cakey.pem) but not necessary, the privatekey should be good.
Honestly I don't know why we get this message with the .p12 certificate.
I do know that it works with android.
I was just searching on the net and found out that DER certifcates also should be supported.
Try that one instead.

openssl x509 -outform DER -in <pem cert> -out ec-cacert.der

What about the .p12 on Windows 7 ?
Worked out just fine ?

 

[krabs]

I'm am 100% sure that it has to do with the shirtty integrated EAP-TTLS solution from microsoft. I'm currently not using Windows 8 but I do know it for certain. That's why it does work on your phone. What you can do is to download the intel software I linked on the wiki. intel software I linked on the wiki.
Click on the wifi.msi -> use custom installation (this will only install the intel EAP-TTLS software no drivers). Use this one instead for all your TTLS connections

[edit1] i disabled the anonymous mode and i get the correct username in the logs, like when my phone authenticates, but still no go.

This has nothing to do with it as it just an extra layer of security to prevent using the "real" names which you should see on your phone only in the inner-tunnel adrian

Sat Aug  9 12:13:41 2014 : Error: TLS Alert write:fatal:handshake failure
Sat Aug  9 12:13:41 2014 : Error:     TLS_accept: error in SSLv3 read client hello C
Sat Aug  9 12:13:41 2014 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sat Aug  9 12:13:41 2014 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.

I've had plenty of this when I was using the free SecureW2 version with EC certificates. It does however worked with rsa keys. That should be also the case with you also except with the microsoft TTLS software.

Perhaps it would be better to use TLS-DHE instead of ECDHE ?

You're right it should be better supported and does work with the standard EAP-TTLS windows 8 software and SecureW2 software.
I will add RSA keys as an option to the wiki as it doesn't require extra software for windows 8.

 

[dumdedumda]

root@XXXXXX:/opt/etc/freeradius2/certs# openssl ecparam -name secp521r1 -genke
y -noout | openssl ec -aes256 -out CA/private/ec-cakey.pem
openssl:Error: 'ecparam' is an invalid command.

Standard commands
enc req rsa x509

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb bf-cbc bf-ecb

openssl:Error: 'ec' is an invalid command.

Standard commands
enc req rsa x509

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb bf-cbc bf-ecb


Any ideas?

 

[mirage22]

Is it possible to run WPA2-Enterprise for normal router users and WPA2-Personal for guests at the same time?

 

[sfx2000]

Is it possible to run WPA2-Enterprise for normal router users and WPA2-Personal for guests at the same time?

Best to create a userprofile for guests, or let them run free in a policy controlled sandbox - don't even try to split the supplicants, at the WLAN level, but one can drive a network based policy for guests

 

[mirage22]

Best to create a userprofile for guests, or let them run free in a policy controlled sandbox - don't even try to split the supplicants, at the WLAN level, but one can drive a network based policy for guests

Is this possible on an Asus router? or are we talking of additional / different hardware?

 

[sfx2000]

Is this possible on an Asus router? or are we talking of additional / different hardware?

If you have deployed WPA2-Enterprise, you already have an external Radius - whether it's Active Directory (which can play that role) or something else.

The Auth itself is aligned by SSID, so you should be able actually to do this - just set the PSK for WPA2-Personal there.

 

[tiko]

Why in the first post he said he preferred TTLS because no client cert was going to be used, but at the end he still had to install device by device the client cert? It makes no sense