bypassrg / att

Using Asuswrt-Merlin to bypass AT&T's residential gateway
MIT License

EAP authentication due to "unknown CA" error #10

Closed vpatil131 closed 4 years ago

vpatil131 commented 4 years ago

Hello,

I followed your guide to the T, but I'm getting an EAP authentication failure due to an "unknown CA" error.

Hardware

Asus RT-68U, Asuswrt-Merlin v384.19

Any idea what could be wrong?

Error log

# /opt/usr/sbin/wpa_supplicant -dd -Dwired -ieth0 -c/jffs/EAP/wpa_supplicant.conf
Successfully initialized wpa_supplicant
eth0: Associated with 01:80:c2:00:00:03
WMM AC: Missing IEs
eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='C=US, ST=Michigan, L=Southfield, O=ATT Services Inc, OU=OCATS, CN=aut02pltnca.pltnca.sbcglobal.net' hash=a1de433f731a03447a3187ffd3XXXXXX
eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='C=US, O=ATT Services Inc, CN=ATT Services Inc Enhanced Services CA' hash=e16e03391e5ef5dfe251d826c4644840725XXXXXXXXXX
eth0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='C=US, ST=Michigan, L=Southfield, O=ATT Services Inc, OU=OCATS, CN=aut02pltnca.pltnca.sbcglobal.net' err='unknown CA'
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

My wpa config file:

# Generated by 802.1x Credential Extraction Tool
# Copyright (c) 2018-2019 devicelocksmith.com
# Version: 1.04 linux amd64
#
# Change file names to absolute paths
# Generated by 802.1x Credential Extraction Tool
# Copyright (c) 2018-2019 devicelocksmith.com
# Version: 1.04 linux amd64
#
# Change file names to absolute paths
eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/jffs/EAP/CA_001E46-R91VJXXXXXX.pem"
        client_cert="/jffs/EAP/Client_001E46-R91VJXXXXXX.pem"
        eap=TLS
        eapol_flags=0
        identity="20:F3:75:XX:XX:XX" # Internet (ONT) interface MAC address must match this value
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/jffs/EAP/PrivateKey_PKCS1_001E46-R91VJXXXXXX.pem"
}
# WARNING! Missing AAA server root CA! Add AAA server root CA to CA_001E46-R91VJXXXXXX.pem

vpatil131 commented 4 years ago

Figured it out. "# WARNING! Missing AAA server root CA! Add AAA server root CA to CA_001E46-R91VJXXXXXX.pem" was the clue. I fixed the issue with certificates while decoding mfg and it worked.
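
The diagnosis this thread arrives at, as an added example that is not part of the original issue or the project's own code: a small Python triage that reads the wpa_supplicant event lines together with the config and reports the rejected server chain next to the extraction tool's missing-root-CA warning. The function name `triage` and the trimmed sample inputs are assumptions constructed for illustration.

```python
import re

# Constructed sample input: trimmed from the log and config quoted in this issue.
SAMPLE_LOG = """\
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='C=US, O=ATT Services Inc, CN=aut02pltnca.pltnca.sbcglobal.net' hash=XXXX
eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='C=US, O=ATT Services Inc, CN=ATT Services Inc Enhanced Services CA' hash=XXXX
eth0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='C=US, O=ATT Services Inc, CN=aut02pltnca.pltnca.sbcglobal.net' err='unknown CA'
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""
SAMPLE_CONF = """\
network={
        ca_cert="/jffs/EAP/CA_001E46-R91VJXXXXXX.pem"
        eap=TLS
}
# WARNING! Missing AAA server root CA! Add AAA server root CA to CA_001E46-R91VJXXXXXX.pem
"""

PEER = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)'")
ERROR = re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=(\d+) depth=(\d+) "
                   r"subject='([^']*)' err='([^']*)'")
CA_CERT = re.compile(r'^\s*ca_cert="([^"]+)"', re.M)
WARNING = re.compile(r"^#\s*WARNING!.*root CA.*$", re.M)

def triage(log, conf):
    """Summarise why the supplicant rejected the server certificate chain."""
    chain = {int(d): s for d, s in PEER.findall(log)}
    err = ERROR.search(log)
    ca = CA_CERT.search(conf)
    warn = WARNING.search(conf)
    result = {
        "chain": [chain[d] for d in sorted(chain)],  # leaf (depth 0) first
        "error": err.group(4) if err else None,
        "failed_depth": int(err.group(2)) if err else None,
        "ca_cert": ca.group(1) if ca else None,
        "tool_warning": warn.group(0) if warn else None,
        "hint": None,
    }
    if result["error"] == "unknown CA":
        # The supplicant only trusts what is in ca_cert; name the chain it could not anchor.
        top = result["chain"][-1] if result["chain"] else "(no chain logged)"
        result["hint"] = "ca_cert bundle %s has no trust anchor for the chain ending at: %s" % (
            result["ca_cert"] or "(not set)", top)
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_CONF).items():
        print("%-13s %s" % (key, value))
```
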