On Tue, 2014-02-25 at 09:55 +0100, Jürgen Benjamin Ronshausen wrote:
> Hi,
> 
> regarding NetworkManager connecting to an EAP-TLS secured 802.1X network 
> that uses client server certificates.
> 
> I cannot find information on whether or not it is possible to 
> authenticate as a supplicant against an authentication server without 
> knowing the shared date and time.

At the moment, this is not possible with NetworkManager.  wpa_supplicant
does support this option (tls_disable_time_checks=1), however, so we
could potentially add it to NetworkManager and pass it down to the
supplicant.

> I have seen an implementation which I am pretty sure doesn't 
> provide the supplicant with the current date and time. (This board has 
> no battery for an RTC).
> 
> In my current setup if the supplicant doesn't know the shared date and 
> time authentication fails because the Authentication server rejects the 
> client certificate as invalid or expired.
> 
> Are there any means in 802.1X to supply the supplicant with the current 
> time before it tries to authenticate against the authentication server?

This is pretty much impossible unless you have a 3G radio onboard.  If
not, then you just have to disable the time checks, accept that security
is reduced, and then do something like NTP once you've connected to get
the correct time.  Then possibly terminate the connection if the
server's certificate has expired.

Dan

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
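
Added example, not part of the original thread and not NetworkManager's or the poster's own configuration: the wpa_supplicant option named in the reply, shown as a bootstrap profile beside the profile to switch back to once the clock is correct. The SSID, identity, server name and file paths are constructed placeholders, and the key management type (WPA-EAP) is an assumption.

```conf
# Variant A: bootstrap profile for a board that boots without a valid clock.
# (constructed example; names and paths are placeholders)
network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@example.org"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    client_cert="/etc/wpa_supplicant/device01.pem"
    private_key="/etc/wpa_supplicant/device01.key"
    # Ask the TLS library to accept certificates that are expired or
    # not yet valid according to the (wrong) local clock.
    phase1="tls_disable_time_checks=1"
    # Validity dates are not enforced here, so keep the remaining checks
    # tight: trust only the pinned CA and require the expected server name.
    domain_suffix_match="radius.example.org"
}

# Variant B: the same profile after the clock has been set (e.g. via NTP).
# The phase1 line is gone, so the validity period is enforced again and
# an expired server certificate makes the next authentication fail.
network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@example.org"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    client_cert="/etc/wpa_supplicant/device01.pem"
    private_key="/etc/wpa_supplicant/device01.key"
    domain_suffix_match="radius.example.org"
}
```

The two variants are alternatives for the same network, not blocks to load side by side; re-authenticating with variant B after time sync is one way to get the "terminate if expired" behaviour described in the reply.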
