dot1x-eap-tls-zertifikate-mit-omnivista

This article is still being worked on! -benny 01.06.2022

Notes on the client certificate

CSR

benny@Bennys-MacBook-Pro certificate % openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key1.pem > client-req.pem
Generating a 2048 bit RSA private key
................+++
.....+++
writing new private key to 'client-key1.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Hamburg
Locality Name (eg, city) []:Hamburg
Organization Name (eg, company) []:ALE
Organizational Unit Name (eg, section) []:ALE
Common Name (eg, fully qualified host name) []:pi.home
Email Address []:blablay@blabla.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:benny123

Sign the certificate with the CA. TODO: private key needs passphrase. TODO: check_ca

benny@Bennys-MacBook-Pro certificate % openssl x509 -req -in client-req.pem -days 1000 -CA default_ca.pem -set_serial 01 > client-cert1.pem
Signature ok
subject=/C=DE/ST=Hamburg/L=Hamburg/O=ALE/OU=ALE/CN=pi.home/emailAddress=blablay@blabla.com
Getting CA Private Key
Enter pass phrase for default_ca.pem:
benny@Bennys-MacBook-Pro certificate % ls
client-cert1.pem	default_ca.p12		default_server.pem
client-key1.pem		default_ca.pem
client-req.pem		default_client.p12

wpa_supplicant

TLS

pi@raspberrypi:~ $ sudo systemctl status wpa_supplicant-wired@eth0.service 
● wpa_supplicant-wired@eth0.service - WPA supplicant daemon (interface- and wired driver-specific version)
     Loaded: loaded (/lib/systemd/system/wpa_supplicant-wired@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-06-01 15:54:45 CEST; 6min ago
   Main PID: 3877 (wpa_supplicant)
      Tasks: 1 (limit: 4915)
        CPU: 51ms
     CGroup: /system.slice/system-wpa_supplicant\x2dwired.slice/wpa_supplicant-wired@eth0.service
             └─3877 /sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf -Dwired -ieth0

Jun 01 15:54:45 raspberrypi wpa_supplicant[3877]: eth0: Associated with 01:80:c2:00:00:03
Jun 01 15:54:45 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 01 15:54:47 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 01 15:54:47 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
Jun 01 15:54:48 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Jun 01 15:54:48 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jun 01 15:54:49 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/L=Default City/O=ALUE/OU=ALUE/CN=OmniVista-C>
Jun 01 15:54:49 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=Calabasas/O=Alcatel-Lucent E>
Jun 01 15:54:50 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jun 01 15:54:50 raspberrypi wpa_supplicant[3877]: eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
pi@raspberrypi:~ $ 

PEAP

pi@raspberrypi:~ $ sudo systemctl status wpa_supplicant-wired@eth0.service 
● wpa_supplicant-wired@eth0.service - WPA supplicant daemon (interface- and wired driver-specific version)
     Loaded: loaded (/lib/systemd/system/wpa_supplicant-wired@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-06-01 18:44:56 CEST; 59min ago
   Main PID: 4626 (wpa_supplicant)
      Tasks: 1 (limit: 4915)
        CPU: 88ms
     CGroup: /system.slice/system-wpa_supplicant\x2dwired.slice/wpa_supplicant-wired@eth0.service
             └─4626 /sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf -Dwired -ieth0

Jun 01 18:44:59 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 01 18:45:00 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
Jun 01 18:45:00 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 01 18:45:00 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 01 18:45:01 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/L=Default City/O=ALUE/OU=ALUE/CN=OmniVista-C>
Jun 01 18:45:01 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=Calabasas/O=Alcatel-Lucent E>
Jun 01 18:45:03 raspberrypi wpa_supplicant[4626]: EAP-MSCHAPV2: Authentication succeeded
Jun 01 18:45:03 raspberrypi wpa_supplicant[4626]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Jun 01 18:45:03 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jun 01 18:45:03 raspberrypi wpa_supplicant[4626]: eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
pi@raspberrypi:~ $ 

Notes


sudo systemctl enable wpa_supplicant-wired@eth0.service

sudo systemctl restart wpa_supplicant-wired@eth0.service

pi@raspberrypi:~ $ cat /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf 
ap_scan=0
eapol_version=2

network={
	#ssid="dot1X"
	key_mgmt=IEEE8021X
	eap=PEAP
	#anonymous_identity="anonymous@pi.home"
	identity="pi@benny.home"
	#ca_cert=""
	password="vollsicheresPasswort!"
#	password="wrongwrong"
	phase2="auth=MSCHAPV2"
}

pi@raspberrypi:~ $ sudo systemctl status wpa_supplicant-wired@eth0.service 
● wpa_supplicant-wired@eth0.service - WPA supplicant daemon (interface- and wired driver-specific version)
     Loaded: loaded (/lib/systemd/system/wpa_supplicant-wired@.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-05-30 21:39:15 CEST; 4min 34s ago
   Main PID: 1730 (wpa_supplicant)
      Tasks: 1 (limit: 4915)
        CPU: 40ms
     CGroup: /system.slice/system-wpa_supplicant\x2dwired.slice/wpa_supplicant-wired@eth0.service
             └─1730 /sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf -Dwired -ieth0

May 30 21:39:17 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
May 30 21:39:18 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 30 21:39:18 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 30 21:39:19 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/L=Default City/>
May 30 21:39:19 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/L=Default City/>
May 30 21:39:19 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L>
May 30 21:39:21 raspberrypi wpa_supplicant[1730]: EAP-MSCHAPV2: Authentication succeeded
May 30 21:39:21 raspberrypi wpa_supplicant[1730]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
May 30 21:39:21 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
May 30 21:39:21 raspberrypi wpa_supplicant[1730]: eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 complete>
lines 1-19/19 (END)

pi@raspberrypi:~ $ sudo systemctl restart wpa_supplicant-wired@eth0.service 

pi@raspberrypi:~ $ sudo systemctl restart dhcpcd.service 

pi@raspberrypi:~ $ tail -F /var/log/syslog | grep wpa_supplicant

PEAP

pi@raspberrypi:~ $ cat /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf 
ctrl_interface=/run/wpa_supplicant

ap_scan=0
eapol_version=2

network={
	key_mgmt=IEEE8021X
	eap=PEAP
	ca_cert="/home/pi/ovcert.pem"
	identity="pi@benny.home"
	password="VollSicheresPasswort"
#	password="FalschesPasswortfuerTests"
	phase2="auth=MSCHAPV2"
}

TLS TODO: private key with passphrase

pi@raspberrypi:~ $ cat /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf 
ctrl_interface=/run/wpa_supplicant

ap_scan=0
eapol_version=2

network={
	key_mgmt=IEEE8021X
	eap=TLS
	ca_cert="/home/pi/ovcert.pem"
	identity="pitls@benny.home"
	client_cert="/home/pi/client-cert1.pem"
	private_key="/home/pi/client-key1.pem"
}
dot1x-eap-tls-zertifikate-mit-omnivista.txt · Last modified: 2022/06/01 19:52 by benny