Hello All,

First post ever. What brought me to this group is that I have been trying to get Yubikeys working as a PIV Smart Card for accessing a WiFi SSID using EAP-TLS.

Quick background: I have been using the Yubikeys to log in to Windows and Linux clients joined to a Windows Active Directory Domain successfully. I have them working to authenticate SSH access. For these modes I am using the Yubikey's PIV capabilities with Certificates issued from the Certificate Authority on the Windows domain controllers. I have tried multiple methods to attempt to get this to work, but the last attempt is most enlightening. I will hold back some of the details for brevity as the end results are informative.

The Problem: On one of my Windows AD servers, which is also a Certificate Authority server, I created a template and issued a Certificate which was exported as a .pfx file. The Private Key was included and had a password. Then I separately extracted the public certificate to one .pem file and the password-protected private key to another .pem file. I then used the same .pfx file to import the certificate into PIV slot 9a of the Yubikey.

On a Windows 10 client, when I choose the WiFi SSID that is configured for EAP-TLS using the Windows Network Policy Server (NPS), I can log in just fine. It asks me to select a certificate off of the Yubikey and then asks for the PIN. I then get logged in and everything works just fine. Easy on Windows.

But on Linux, both Ubuntu 22.04 LTS and Debian 12, this does not work. Both had wpa_supplicant v2.10 and I have compiled my own version of 2.11 with appropriate config options such as CONFIG_SMARTCARD=y, but both versions have the same results.

In both Ubuntu and Debian, using the Network Manager, I can make an EAP-TLS connection by specifying a copy of the CA Root Server Certificate in .pem format that was exported from the Windows server and copied to the Linux client, from the local system. Then for the User Cert, specify the .pem file on the local file system extracted from the .pfx file. And finally the Private Key in a .pem file on the local file system extracted from the .pfx file with the password. Then I can specify the password in the Network Manager. This works. I get connected. So using Certificates and key from the local File System it works.

But if I attempt to do the same but, rather than using the User Cert and Private Key from the .pem files on the file system, use the Cert and Private Key from the Yubikey, it does not work. It keeps asking for the private key password. I give it the password and it does not work. Additionally, it is not asking for the PIN for the Yubikey and it should. When doing this in Windows it challenges me for the PIN as I expect.

We want to make EAP-TLS connections using MFA, so the Yubikey working as a PIV Authentication card does this as it works for logging into the Windows and Linux Clients. Our users will already have Yubikeys for logins, so why not use them for WiFi Authentication. I have been working on this for a couple of weeks and hit a wall. There are others on the Internet/Reddit asking for the same. Any help or suggestions would be welcome.

Thank you,
Eric

--
Eric Reiss
Information Technology Manager
ereiss@xxxxxxxxxxxxxxxxxx
Athena Sciences Corporation
320 Adams Street, Suite L01
Fairmont, WV 26554

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
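For reference, this is how the same slot 9a credential can be referenced directly from a wpa_supplicant.conf through the OpenSC PKCS#11 module and the OpenSSL pkcs11 engine, bypassing NetworkManager's file-based certificate fields. This is an added example, not configuration from the post above; the SSID, identity, CA path, library paths and PIN are constructed placeholders, and the mapping of slot 9a to PKCS#11 object id 01 is OpenSC's PIV convention.

```conf
# Global section: point wpa_supplicant at the OpenSSL pkcs11 engine (libp11)
# and at the OpenSC PKCS#11 module that drives the YubiKey PIV applet.
# Library paths are assumptions for a Debian/Ubuntu amd64 install.
ctrl_interface=/run/wpa_supplicant
pkcs11_engine_path=/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
pkcs11_module_path=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

network={
    # Constructed SSID and EAP identity; use the values your NPS policy expects.
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"

    # Root CA exported from the Windows CA and copied to the Linux client.
    # Pinning the issuer here is what stops a rogue AP from completing EAP-TLS.
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"

    # Instead of client_cert= / private_key= .pem files, load both objects
    # from the token via the engine. OpenSC exposes PIV slot 9a
    # (PIV Authentication) as PKCS#11 object id 01.
    engine=1
    engine_id="pkcs11"
    cert_id="pkcs11:id=%01;type=cert"
    key_id="pkcs11:id=%01;type=private"

    # The PIV PIN. Omit this line to have wpa_supplicant request it at
    # connect time over the control interface (CTRL-REQ-PIN) instead of
    # storing it in the file.
    pin="123456"
}
```

In this form the PIV PIN is supplied through `pin=`, not through a private-key password, which is the prompt the NetworkManager dialog shows for file-based keys.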