Notes: Testing tigernet 3-18-08. Bill Moss

Tests run on a T61 running a fully updated Windows XP, fully updated 
Fedora 8 with update kernel-2.6.24.3-34.fc8.x86_64, and 
NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64.
 
WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported 
EAP after EAP-TLS. It is similar to EAP-TTLS, however, it requires only 
a server-side CA certificate to create a secure tunnel to protect the 
user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.

The certificate which validates tigernet.clemson.edu is signed by an 
Entrust.net Secure Server CA root certificate. Newer Windows XP machines 
already have this root certificate and five other Entrust.net root 
certificates installed. Older Windows XP machines will have this root 
certificate installed as soon as they login to the Clemson network. All 
six Entrust.net root certificates can be installed on older Windows XP 
machines by installing the optional package "Root Certificates Update" 
from Windows Updates.

The Windows XP configuration provided for TSPs works:

Network name (SSID): WPA
Data encryption: AES
EAP type: Protected EAP (PEAP)
Check: Validate server certificate
Connect to these servers: tigernet.clemson.edu
Check two Entrust.net Secure Server Certificate Authority checkboxes
Uncheck: Automatically use my Windows login name and password.

A scan on the second floor of Martin O showed 26 access points, six of 
which were broadcasting the SSID tigernet. Here is the scan data for the 
strongest one:

Cell 16 - Address: 00:0F:90:7B:32:D4
                    ESSID:"tigernet"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Channel:11
                    Quality=77/100  Signal level=-57 dBm  Noise level=-93 dBm
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : 802.1x
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : 802.1x
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:tsf=000001018bd13a0d

On the Linux side, most users are going to be using wpa_supplicant or 
NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries 
and openssl has its own distribution specific certs directory for 
storing certificate files. On Fedora 8, all six of the Entrust.net root 
certificates are in the directory /etc/pki/tls/certs bundled in a CRT 
file along with many other certificates. The filename cert.pem appearing 
in wpa_supplicant.conf below is a symbolic link to this bundle.

In Fedora 8, I first tested using wpa_supplicant and found the following 
wpa_supplicant.conf file works. This is a standard configuration file. I 
only had to determine which peaplabel to use.

wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
        ssid="tigernet"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="bmoss"
        password="xxxxxxxx"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
        ca_cert="/etc/pki/tls/cert.pem"
}

phase1="peaplabel=1" does not work.

I ran 'wpa_supplicant -Dwext -iwlan0 
-c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the 
debug output.

It works!

I then configured tigernet in NetworkManager:

Network Name: tigernet
Wireless Security: WPA Enterprise
EAP Method: PEAP
Identity: bmoss
Password: xxxxxxxx
CA Certificate: /etc/pki/tls/cert.pem

It works!

-- 
Bill Moss
Alumni Distinguished Professor
Mathematical Sciences
Clemson University
