I would congratulate you but I am still annoyed by SC losing to Clemson this year! ;-)
Your instructions can be used for anyone connecting to a wireless access point using PEAP and WPA, except for the certificate, which needs to be changed to match what the back-end RADIUS server offers. So thank you for posting this!

I have an Aruba Controller in my lab this week so I have been playing with various EAP types in Network Manager and so far the following have worked:

EAP-TLS with WPA+TKIP and WPA2+AES
PEAP with WPA+TKIP and WPA2+AES

I did not test WPA+AES or WPA2+TKIP since I don't think either is valid according to the WPA standard. If I am incorrect someone can let me know and I will test again. I also didn't bother testing Dynamic WEP but I probably could if there is an interest. I plan on testing EAP-TTLS soon.

These tests were run using NM 6.5 and 6.6 with an Atheros based card on Ubuntu Gutsy and Hardy systems.

Thanks!

On Wed, Mar 19, 2008 at 3:06 PM, Bill Moss <[EMAIL PROTECTED]> wrote:
> Today I did a further study of the certificate based authentication. I
> discovered that my NetworkManager connections to tigernet yesterday were
> ignoring certificate validation so I went back and fixed that.
>
> Tests run on a T61 running a fully updated Windows XP, fully updated
> Fedora 8 with update kernel-2.6.24.3-34.fc8.x86_64,
> NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64, and
> wpa_supplicant-0.5.7-21.fc8.x86_64.
>
> WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported
> EAP after EAP-TLS. It is similar to EAP-TTLS; however, it requires only
> a server-side CA certificate to create a secure tunnel to protect the
> user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.
>
> The certificate which validates tigernet.clemson.edu is signed by an
> Entrust.net Secure Server CA root certificate. Newer Windows XP machines
> already have this root certificate and five other Entrust.net root
> certificates installed. Older Windows XP machines will have this root
> certificate installed as soon as they log in to the Clemson network. All
> six Entrust.net root certificates can be installed on older Windows XP
> machines by installing the optional package "Root Certificates Update"
> from Windows Updates.
>
> The Windows XP configuration provided for TSPs works:
>
> Network name (SSID): WPA
> Data encryption: AES
> EAP type: Protected EAP (PEAP)
> Check: Validate server certificate
> Connect to these servers: tigernet.clemson.edu
> Check two Entrust.net Secure Server Certificate Authority checkboxes
> Uncheck: Automatically use my Windows login name and password.
>
> A scan on the second floor of Martin O showed 26 access points, six of
> which were broadcasting the SSID tigernet. Here is the scan data for the
> strongest one:
>
> Cell 16 - Address: 00:0F:90:7B:32:D4
>           ESSID:"tigernet"
>           Mode:Master
>           Frequency:2.462 GHz (Channel 11)
>           Channel:11
>           Quality=77/100  Signal level=-57 dBm  Noise level=-93 dBm
>           Encryption key:on
>           IE: WPA Version 1
>               Group Cipher : TKIP
>               Pairwise Ciphers (2) : TKIP CCMP
>               Authentication Suites (1) : 802.1x
>           IE: IEEE 802.11i/WPA2 Version 1
>               Group Cipher : TKIP
>               Pairwise Ciphers (2) : TKIP CCMP
>               Authentication Suites (1) : 802.1x
>           Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
>                     11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
>                     48 Mb/s; 54 Mb/s
>           Extra:tsf=000001018bd13a0d
>
> On the Linux side, most users are going to be using wpa_supplicant or
> NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries
> and openssl has its own distribution specific certs directory for
> storing certificate files. On Fedora 8, all six of the Entrust.net root
> certificates are in the bundle /etc/pki/tls/certs/ca-bundle.crt. The
> file /etc/pki/tls/cert.pem is a symbolic link to this bundle.
>
> The Entrust Secure Server CA root certificate which validates the
> tigernet certificate can also be downloaded from
>
> http://www.entrust.net/developer/index.cfm --> Download Root
> Certificates --> Personal Use --> Download Certificates --> download
> entrust_ssl_ca.der
>
> Convert to pem format:
>
> # openssl x509 -inform der -in entrust_ssl_ca.der -out entrust_ssl_ca.pem
>
> Copy entrust_ssl_ca.pem to /etc/pki/tls/certs
>
> In Fedora 8, I first tested using wpa_supplicant and found the following
> wpa_supplicant.conf file works. This is a standard configuration file. I
> only had to determine which peaplabel to use.
>
> wpa_supplicant.conf
>
> ctrl_interface=/var/run/wpa_supplicant
> ap_scan=1
>
> network={
>     ssid="tigernet"
>     scan_ssid=1
>     key_mgmt=WPA-EAP
>     eap=PEAP
>     identity="bmoss"
>     password="xxxxxxxx"
>     phase1="peaplabel=0"
>     phase2="auth=MSCHAPV2"
>     # ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
> }
>
> I ran 'wpa_supplicant -Dwext -iwlan0
> -c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the
> debug output.
>
> It works!
>
> Comments:
> 1. phase1="peaplabel=1" does not work.
> 2. wpa_supplicant connects with or without a cert file specified.
> 3. wpa_supplicant does not appear to use the bundle ca-bundle.crt by
>    default. If this file is removed, wpa_supplicant can still connect.
>
> I then configured tigernet in NetworkManager:
>
> Network Name: tigernet
> Wireless Security: WPA & WPA2 Enterprise
> Authentication: Protected EAP (PEAP)
> CA Certificate: /etc/pki/tls/certs/entrust_ssl_ca.pem
> PEAP Version: 0
> Inner Authentication: MSCHAPv2
> User Name: bmoss
> Password: xxxxxxxx
>
> It works!
>
> Comments:
> 1. CA Certificate: /etc/pki/tls/cert.pem (symbolic link to
>    /etc/pki/tls/certs/ca-bundle.crt) <-- does not work
> 2. CA Certificate: /etc/pki/tls/certs/ca-bundle.crt <-- does not work
>
> --
> Bill Moss
> Alumni Distinguished Professor
> Mathematical Sciences
> Clemson University
>
> _______________________________________________
> NetworkManager-list mailing list
> [email protected]
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
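An added check, not part of the thread, for the point behind Bill's comment 2: wpa_supplicant connects whether or not ca_cert is set, which means that with ca_cert commented out the RADIUS server certificate is never validated. The script below parses a wpa_supplicant.conf and flags EAP networks that lack ca_cert or any server-name pin (subject_match, altsubject_match and domain_suffix_match are wpa_supplicant network-block options; the pinned value and the hardened variant are constructed for this example).

```python
import re

# Constructed sample mirroring the wpa_supplicant.conf in the post:
# the ca_cert line is commented out, so no server certificate check occurs.
POSTED_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
    ssid="tigernet"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bmoss"
    password="xxxxxxxx"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    # ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}
"""

# Hardened variant (constructed): CA pinned and server SAN pinned.
HARDENED_CONF = POSTED_CONF.replace(
    '# ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"',
    'ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"\n'
    '    altsubject_match="DNS:tigernet.clemson.edu"')

def parse_networks(text):
    """One dict of key -> value per network={...} block; '#' lines are
    skipped, so a commented-out ca_cert does not count as set."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks

def audit(text):
    """Return {ssid: [findings]} for each EAP network; [] means it passes."""
    pins = ("subject_match", "altsubject_match", "domain_suffix_match")
    report = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", "").upper():
            continue  # PSK/open networks present no server certificate
        findings = []
        if not net.get("ca_cert"):
            findings.append("no ca_cert: RADIUS server certificate not validated")
        if not any(k in net for k in pins):
            findings.append("no server-name match: any cert from the CA accepted")
        report[net.get("ssid", "?")] = findings
    return report
```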
