CiscoDevNet / MUD-Manager

Manufacturer Usage Description (MUD) is a technique whereby constrained end devices (e.g., IoT devices) can signal to the network what sort of access and network functionality they require to properly function
BSD 3-Clause "New" or "Revised" License

wpa_supplicant does not connect to MUDS-compatible hostapd network (EAP-TLS) with certificates #44

Closed Vafa-Andalibi closed 5 years ago

Vafa-Andalibi commented 5 years ago

Hello,

I know this issue is probably not completely related to this repository, but I'll just write it as a question; maybe someone can kindly help me with this.

In previous examples the MUDS was tested on a wired connection. I have spent a lot of time trying to set up a wireless network that deploys MUDS. After several different unsuccessful configurations, I ended up setting up the network using the technical documentation of MUDS v0.6 as well as the MUD-Manager repository guides/examples.

All of the entities are installed on the same machine, including MUDS fileserver, (patched) freeradius, and hostapd (hotspot).

Things that work:

Things that don't work:

Successfully initialized wpa_supplicant
wlp9s0: SME: Trying to authenticate with  [MAC] (SSID='MUDPI' freq=2442 MHz)
wlp9s0: Trying to associate with [MAC] (SSID='MUDPI' freq=2442 MHz)
wlp9s0: CTRL-EVENT-ASSOC-REJECT bssid= [MAC] status_code=40

This is the wpa_supplicant command that I use:

$ sudo wpa_supplicant -i wlan0 -c eap_tls.conf -d

This is the wpa_supplicant config that I'm using:

eapol_version=1

update_config=1
network={
    ssid="MUDPI"
    scan_ssid=1
    key_mgmt=IEEE8021X
    eap=TLS
    identity="ciscoC"
    ca_cert="cacert.pem"
    client_cert="DEVICE1_cert.pem"
    private_key="DEVICE1_key.pem"
    private_key_passwd="12349876"
}

and this is the hostapd configuration that I use to set up the wireless network:

interface=wlan0
driver=nl80211
ssid=MUDPI
hw_mode=g
channel=7
ieee8021x=1
auth_algs=1
eap_server=0
eapol_key_index_workaround=0 

wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123

Again, I know this is probably not the best place to ask this question, but still I thought you might have some ideas about this issue and any help/hint would be highly appreciated.
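An added compatibility check, not part of the issue or of MUD-Manager, that reads the two configurations posted above and reports the security-mode mismatch a reviewer would look at first. In wpa_supplicant, `key_mgmt=IEEE8021X` selects plain 802.1X with dynamic WEP and the station sends no WPA/RSN element; hostapd with `wpa=2` rejects any association request that lacks that element with 802.11 status code 40 (`WLAN_STATUS_INVALID_IE`), which is the `status_code=40` in the log. The config text is copied from the issue (key material lines dropped), the status-code names follow hostapd's `ieee802_11_defs.h`, and the function names are mine.

```python
"""Check a wpa_supplicant network block against a hostapd config for the
RSN / legacy-802.1X mismatch that produces CTRL-EVENT-ASSOC-REJECT.
Constructed example; not code from the MUD-Manager project."""

# Constructed copies of the two configurations from the issue (keys omitted).
WPA_SUPPLICANT_CONF = """
eapol_version=1
update_config=1
network={
    ssid="MUDPI"
    scan_ssid=1
    key_mgmt=IEEE8021X
    eap=TLS
    identity="ciscoC"
}
"""

HOSTAPD_CONF = """
interface=wlan0
driver=nl80211
ssid=MUDPI
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
"""

# 802.11 status codes hostapd returns when it rejects an association because
# of the (missing or unacceptable) WPA/RSN element; names per ieee802_11_defs.h.
STATUS_CODES = {
    40: "INVALID_IE (e.g. no WPA/RSN element in the association request)",
    41: "GROUP_CIPHER_NOT_VALID",
    42: "PAIRWISE_CIPHER_NOT_VALID",
    43: "AKMP_NOT_VALID",
}

# key_mgmt values for which wpa_supplicant includes a WPA/RSN element.
RSN_KEY_MGMT = {"WPA-EAP", "WPA-PSK", "WPA-EAP-SHA256", "WPA-PSK-SHA256"}


def parse_kv(text):
    """Parse key=value lines into a dict; braces, blanks and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value.strip() == "{":          # the 'network={' opener
            continue
        conf[key.strip()] = value.strip().strip('"')
    return conf


def station_sends_rsn(supplicant):
    """True if the network block makes wpa_supplicant advertise WPA/RSN.
    wpa_supplicant's default key_mgmt is 'WPA-PSK WPA-EAP'; IEEE8021X alone
    means 802.1X with dynamic WEP and carries no RSN element."""
    mgmt = set(supplicant.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    return bool(mgmt & RSN_KEY_MGMT)


def ap_requires_rsn(hostapd):
    """hostapd with wpa != 0 refuses stations that omit the WPA/RSN element."""
    return hostapd.get("wpa", "0") != "0"


def check_compat(supplicant_text, hostapd_text):
    """Return a list of human-readable problems; empty list means compatible."""
    sup = parse_kv(supplicant_text)
    ap = parse_kv(hostapd_text)
    problems = []
    if sup.get("ssid") != ap.get("ssid"):
        problems.append("ssid differs: %r vs %r" % (sup.get("ssid"), ap.get("ssid")))
    if ap_requires_rsn(ap) and not station_sends_rsn(sup):
        problems.append(
            "hostapd wpa=%s requires a WPA/RSN element but key_mgmt=%s sends none; "
            "expect CTRL-EVENT-ASSOC-REJECT status_code=40; use key_mgmt=WPA-EAP"
            % (ap["wpa"], sup.get("key_mgmt")))
    if "WPA-EAP" in ap.get("wpa_key_mgmt", "") and "eap" not in sup:
        problems.append("hostapd expects EAP but the network block sets no eap= method")
    return problems


def explain_status(code):
    """Map an association-reject status code to hostapd's name for it."""
    return STATUS_CODES.get(code, "unknown status code %d" % code)


if __name__ == "__main__":
    for p in check_compat(WPA_SUPPLICANT_CONF, HOSTAPD_CONF):
        print("PROBLEM:", p)
    print("status_code=40 ->", explain_status(40))
```

Running it against the configs from the issue reports the single key_mgmt problem; changing the network block to `key_mgmt=WPA-EAP` (the value that matches hostapd's `wpa=2` / `wpa_key_mgmt=WPA-EAP`) makes the check return no problems.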

elear commented 5 years ago

So just to be clear, the cert that came with the distribution is NOT a client cert, but rather a cert that validates the chain on the web site where the MUD URL is hosted. If you want to create an 802.1AR cert, we can do that together, but let's not do it in this issue. Just contact me at lear@cisco.com.

Vafa-Andalibi commented 5 years ago

Thank you very much for your prompt reply. I'll write you about this issue. I just opened this as a question but could not label it myself unfortunately. Closing it now.