Now all that is left is to generate the certificate the client will use and to import the ROOTCA and the client certificate into the client; after that EAP-TLS can be used. The whole procedure is as follows:
Step 1: MAKING A CLIENT CERTIFICATE
Client certificates are used by EAP-TLS, and optionally by EAP-TTLS
and PEAP. The following steps outline how to create a client
certificate that is signed by the CA certificate created above (the
certs Makefile signs client.csr with ca.key; the server certificate is
never used to sign clients). You will have to have the password for
the CA certificate in the "input_password" and "output_password"
fields of the ca.cnf file.
$ vi client.cnf
Edit the "input_password" and "output_password" fields to be the
password for the client certificate. You will have to give these
passwords to the end user who will be using the certificates.
Edit the [client] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
the User-Name that will be used for logins!
$ make client.pem
The user's certificate will be in "emailAddress.pem",
i.e. "user@example.com.pem" (the emailAddress set in client.cnf).
To create another client certificate, just repeat the steps for
making a client certificate, being sure to enter a different login
name for "commonName", and a different password.
Step 2: IMPORT THE ROOTCA AND THE CLIENT CERTIFICATE (using Fedora 16 as an example):
Note: ca.pem and client.p12 are produced together with the ROOTCA and the client certificate; they are in /etc/raddb/certs/ on the FreeRADIUS server and must be copied to the client.
In the NetworkManager wireless-security dialog, set:
- Security: WPA & WPA2 Enterprise
- Authentication: TLS
- Identity: the commonName of the client certificate (the login name)
- CA certificate: ca.pem
- Private key: client.p12
- Private key password: the "input_password" / "output_password" set in client.cnf
That's all.
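The whole of Step 1, plus the checks behind Step 2, as an added example that is not code from the original post or from the FreeRADIUS certs Makefile it paraphrases: a POSIX shell script that issues the client certificate with plain openssl, signed by the root CA key exactly as the Makefile does, bundles it into a .p12 and then verifies the three things the RADIUS server and the supplicant will rely on (chain to ca.pem, client-authentication EKU, commonName equal to the login name). The scratch directory, the CA passphrase "capass", the user passphrase "whatever" and the login names "carlos"/"alice" are assumed values; a real deployment takes them from ca.cnf and client.cnf.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeRADIUS project:
# issue an EAP-TLS client certificate signed by a private root CA, bundle it
# as PKCS#12 for the supplicant, and check it before handing it to a user.
# Assumed values: scratch directory, CA passphrase "capass", user passphrase
# "whatever", login name "carlos".
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-capass}"           # assumed; plays the role of ca.cnf input_password
CLIENT_PASS="${CLIENT_PASS:-whatever}" # assumed; given to the end user with the .p12

# 1. Root CA: ca.pem is the file the client later imports as "CA certificate".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/C=TW/O=Example/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -passout "pass:$CA_PASS" 2>/dev/null
}

# 2. Client certificate for login name $1: CSR whose commonName is the login
#    name, signed by the CA key (the server key is never used), with the
#    client-authentication EKU, then exported as $1.p12 for the supplicant.
make_client() {
  name="$1"
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/C=TW/O=Example/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -out "$WORK/$name.p12" -passout "pass:$CLIENT_PASS"
}

# 3. Checks: chain verifies against ca.pem, EKU permits client auth, and the
#    commonName equals the login name that will be sent as the EAP identity.
verify_client() {
  name="$1"
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$name.crt" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  cn=$(openssl x509 -in "$WORK/$name.crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$name" ]
}

# The identity the user must type: the CN inside the .p12, unlocked with the
# user passphrase (the "Private key password" field in the Step 2 dialog).
p12_identity() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$CLIENT_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# A self-signed certificate with a matching CN must be rejected: only the
# CA's signature proves the user was issued by us.
make_rogue() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/C=TW/O=Example/CN=$1" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

make_ca
make_client carlos
verify_client carlos && echo "carlos.crt OK, identity=$(p12_identity carlos)"
make_rogue carlos
verify_client rogue && echo "rogue accepted (bug)" || echo "rogue.crt rejected"
echo "files in $WORK"
```

Run it with sh; everything lands in a temporary directory. The commonName check is the one worth keeping in a real issuing script: the README above insists that commonName equals the User-Name, and checking it on the server before the .p12 leaves saves a confusing "access rejected" on the client.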
1 comment:
An EAP-TLS example for wpa_supplicant.
network={
    ssid="aweaptest"
    key_mgmt=WPA-EAP
    eap=TLS
    pairwise=TKIP
    identity="carlos"
    ca_cert="/etc/ca.pem"
    client_cert="/etc/client.pem"
    private_key="/etc/client.pem"
    private_key_passwd="whatever"
    priority=1
}
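A checker for the settings Step 2 asks for and for a wpa_supplicant block like the one in the comment, as an added example that is not part of the comment or of the original post: it parses a network={...} block and reports what would make EAP-TLS fail or weaken it (no ca_cert, so the supplicant cannot tell a rogue access point's RADIUS server from the real one; missing client certificate or key; an identity that differs from the certificate's commonName; TKIP as pairwise cipher). The two sample blocks are constructed from the comment's values; the cert_cn argument is an assumption standing in for the commonName read from the certificate with openssl.

```python
"""Lint a wpa_supplicant network={...} block meant for EAP-TLS.

Added example, not from the original post or from the commenter: it checks
the settings Step 2 above asks for (a CA certificate to validate the RADIUS
server, a client certificate and key, an identity equal to the certificate's
commonName) plus the pairwise cipher.  Standard library only.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the block in the comment above.
SAMPLE_BLOCK = """
network={
    ssid="aweaptest"
    key_mgmt=WPA-EAP
    eap=TLS
    pairwise=TKIP
    identity="carlos"
    ca_cert="/etc/ca.pem"
    client_cert="/etc/client.pem"
    private_key="/etc/client.pem"
    private_key_passwd="whatever"
    priority=1
}
"""

# The same block with the weak pairwise cipher replaced (constructed).
HARDENED_BLOCK = """
network={
    ssid="aweaptest"
    key_mgmt=WPA-EAP
    eap=TLS
    pairwise=CCMP
    identity="carlos"
    ca_cert="/etc/ca.pem"
    client_cert="/etc/client.pem"
    private_key="/etc/client.pem"
    private_key_passwd="whatever"
}
"""


def parse_network_block(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the first network={...} block.

    Values are unquoted; '#' comments and blank lines are ignored.
    """
    match = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no network={...} block found")
    params: Dict[str, str] = {}
    for raw in match.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        params[key.strip()] = value.strip().strip('"')
    return params


def check_eap_tls(params: Dict[str, str], cert_cn: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the block looks sane.

    cert_cn (assumed input) is the commonName of the client certificate the
    block points at, e.g. as printed by `openssl x509 -noout -subject`.
    """
    findings: List[str] = []
    key_mgmt = params.get("key_mgmt", "").split()
    if not any(token.startswith("WPA-EAP") for token in key_mgmt):
        findings.append("key_mgmt is not WPA-EAP: not an 802.1X/EAP network")
    if params.get("eap") != "TLS":
        findings.append("eap is not TLS: the client certificate will not be used")
    if not params.get("ca_cert"):
        findings.append("ca_cert missing: any RADIUS server certificate is accepted, "
                        "so a rogue access point can impersonate the network")
    for key in ("client_cert", "private_key"):
        if not params.get(key):
            findings.append(f"{key} missing: EAP-TLS needs the user's certificate and key")
    identity = params.get("identity")
    if not identity:
        findings.append("identity missing: the EAP identity (User-Name) is required")
    elif cert_cn is not None and identity != cert_cn:
        findings.append(f"identity {identity!r} differs from certificate commonName {cert_cn!r}")
    if "TKIP" in params.get("pairwise", "").split():
        findings.append("pairwise allows TKIP: deprecated RC4-based cipher, use pairwise=CCMP")
    return findings


if __name__ == "__main__":
    for label, block in (("comment", SAMPLE_BLOCK), ("hardened", HARDENED_BLOCK)):
        result = check_eap_tls(parse_network_block(block), cert_cn="carlos")
        print(label, "->", result or "no findings")
```

The comment's block yields a single finding, the TKIP pairwise cipher; the hardened copy yields none. One caveat the checker cannot see: private_key_passwd sits in clear in wpa_supplicant.conf, so that file must be readable by root only, just as the .p12 password typed into the Step 2 dialog is stored by NetworkManager.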