WPA2-EAP Client can't parse client.key

reeett · May 23, 2023, 12:18pm

Hello Community,

I would like to configure an 8devices Lima device with OpenWrt 22.03.5 as a client that connects to a WPA2-EAP network via EAP-TLS. In the next step, an access point should run on the device in order to build an EAP-TLS repeater. I am using freeradius 3.0.26 running on a Ubuntu desktop machine and a another device running openwrt as accesspoint. I have already been able to successfully connect a Windows PC to the accesspoint, so I assume that the RADIUS server and the accesspoint are set correctly. When I now try to connect the OpenWRT client to the accesspoint, there are the following error messages.

wpa_supplicant[6322]: PKCS #5: Invalid PS octet 0xa1
wpa_supplicant[6322]: TLSv1: Failed to parse private key
wpa_supplicant[6322]: TLS: Failed to load private key
wpa_supplicant[6322]: TLS: Failed to set TLS connection parameters
wpa_supplicant[6322]: EAP-TLS: Failed to initialize SSL.
wpa_supplicant[6322]: wlan0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

I am currently assuming that the key cannot be released with the password. I opened the key once in XCA and was then able to look at it there with the password. I created the certificates and keys using the included tools from freeradius. Do I have to pay attention to something special in order to be able to use the certificates and keys in OpenWrt.

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/qca953x_wmac'
        option htmode 'HT20'
        option channel 'auto'
        option log_level '1'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option ssid 'RADIUS-AP'
        option encryption 'wpa2'
        option client_cert '/etc/ssl/private/client.crt'
        option ca_cert '/etc/ssl/private/ca.pem'
        option eap_type 'tls'
        option mode 'sta'
        option priv_key '/etc/ssl/private/client.key'
        option network 'wwan'
        option identity 'first.accesspoint@user.com'
        option priv_key_pwd '<password>'
        option disabled '1'

wpad and openssl-util are installed.

lleachii · May 23, 2023, 12:22pm

What's the output of:

ubus call system board

Can you provide the [official] OpenWrt device link?

Another user just asked bout this same board in another thread.

Thanks.

reeett · May 23, 2023, 12:44pm

Hello @lleachii,
the output is

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "8devices Lima",
        "board_name": "8dev,lima",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

reeett · May 25, 2023, 1:48pm

So i managed to solve my problem.

Just choosing the right packages has solved the problem in this case.

In case anyone else is interested in building an eap-tls repeater i share my configuration.

Packages that need to be installed

wpad-openssl (remove default wpad package)
relayd
luci-proto-relay (for GUI configuration)
ca-bundle (optional)
ca-certificats (optional)

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2e:565d:b1ea::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.175'
        option gateway '192.168.0.222'
        list dns '192.168.0.222'

config interface 'wwan'
        option proto 'dhcp'

config interface 'relaybridge'
        option proto 'relay'
        option ipaddr '192.168.0.175'
        list network 'lan'
        list network 'wwan'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option encryption 'wpa2'
        option eap_type 'tls'
        option ca_cert '/etc/ssl/repeater/ca.pem'
        option client_cert '/etc/ssl/repeater/client.crt'
        option priv_key '/etc/ssl/repeater/client.key'
        option priv_key_pwd '<client.key password>'
        option identity '<user.accesspoint@repeater.com>'
        option ssid 'RADIUS-AP'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'RADIUS-REPEATER-ACCESSPOINT'
        option network 'lan'
        option encryption 'wpa2'
        option auth_server '192.168.0.63'
        option auth_secret '<clients.conf password>'

system · June 4, 2023, 1:49pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.