Testing EAP-TLS
A quick way of testing your connection is to use the eapol_test client.
You can download the latest version of the wpa_supplicant source from their website.
curl https://w1.fi/releases/wpa_supplicant-2.10.tar.gz -o wpa_supplicant.tar.gz
Untar it
tar -xvf wpa_supplicant.tar.gz
You then have to configure it to build the eapol_test client
cd wpa_supplicant-2.10/wpa_supplicant/
cp defconfig .config
Open the .config file with your preferred editor
Find the line containing
#CONFIG_EAPOL_TEST=y
and uncomment it
CONFIG_EAPOL_TEST=y
If you don’t have a compiler, install it.
In my case I did
apt install build-essential
Install the required libraries (the compiler will fail and point out missing pieces).
In my case I had to install the following, but your system may have different requirements:
apt install libssl-dev libnl1 libnl-dev libnl-3-dev libdbus-1-dev libnl-genl-3-dev libnl-route-3-dev
When you’re ready to compile, run:
make eapol_test
If everything goes as expected, you will find the compiled binary in the wpa_supplicant/ folder.
Copy it to /usr/local/bin/ to have the command available system wide
cp eapol_test /usr/local/bin/
Now, in order to test the EAP-TLS connection, you have to create a configuration file.
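Create an eapol_test.conf file, open it with your preferred editor, and add the following:
network={
    ssid="DoesNotMatterForThisTest"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="youridentity"
    # Use absolute paths: the shell's ~ expansion does not apply inside this file.
    # /home/youruser is a placeholder for your own home directory.
    ca_cert="/etc/freeradius/certs/ca.pem"
    client_cert="/home/youruser/client.pem"
    private_key="/home/youruser/client.key"
    # The key passphrase is stored in clear text, so keep this file readable only by you (chmod 600).
    private_key_passwd="whatever"
    eapol_flags=3
}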
Adjust the paths to your CA cert and client cert/key (I’m running this from the same freeradius machine, so I picked the CA certificate from the freeradius directory), then run the following command:
eapol_test -c eapol_test.conf -s <radiussecret>
This will help you A LOT to debug any issues, together with freeradius debug output.
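A pre-flight check for the configuration file described above, as an added example that is not part of the original page or of wpa_supplicant. It flags certificate and key paths that are not absolute (such as ~/client.pem, which only a shell would expand), files that are missing, and a private key or passphrase-bearing config that group or others can access. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint an eapol_test.conf before running eapol_test.
# conf_value, private_mode and lint_eapol_conf are hypothetical helper names.

# conf_value FILE KEY: print the quoted value of KEY (empty if the key is absent).
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# private_mode FILE: succeed only if group and other have no permission bits set.
private_mode() {
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# lint_eapol_conf FILE: print one finding per line; return status = number of findings.
lint_eapol_conf() {
    conf=$1
    findings=0
    for key in ca_cert client_cert private_key; do
        path=$(conf_value "$conf" "$key")
        case $path in
            "") echo "$key: not set"
                findings=$((findings + 1)); continue ;;
            /*) ;;  # absolute path, carry on with the file checks
            *)  echo "$key: '$path' is not an absolute path"
                findings=$((findings + 1)); continue ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$key: '$path' is missing or unreadable"
            findings=$((findings + 1)); continue
        fi
        if [ "$key" = private_key ] && ! private_mode "$path"; then
            echo "private_key: '$path' is accessible to group/other"
            findings=$((findings + 1))
        fi
    done
    # The config stores the key passphrase in clear text, so it needs the same care.
    if [ -n "$(conf_value "$conf" private_key_passwd)" ] && ! private_mode "$conf"; then
        echo "$conf: holds private_key_passwd but is accessible to group/other"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it as `lint_eapol_conf eapol_test.conf` after sourcing the file; a zero exit status means no findings.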