Dan, Dermot, thanks for your answers and sorry for the delay in answering you.

Indeed, finding a way to use "only" EAP-MSCHAPv2 as my CPEs do would be just fine for me. I do not have a site certificate in the lab since I did not expect Intel cards to be so demanding on this point. Do you think this is a firmware feature, or do I have a chance to bypass it at driver level?

@Dermot:
- In Linux there are a couple of certs: cacert.pem, supplicant_cert.pem. Isn't cacert.pem the root certificate you mention?
- The configuration files are WiMAX_DEF.bin and WiMAX_DB.bin. Actually, modifying the DB seems to be sufficient to configure the stack. I could modify it so that TTLS is used (but it fails, apparently due to an invalid server certificate).
- I do not get why using TTLS would obviate the need for a server certificate. In my understanding, with TTLS there is an authentication of the server made by the device. Am I wrong?

Regards
Eric

----- Original message -----
From: "Dermot Williams" <[email protected]>
To: "Dan Williams" <[email protected]>, [email protected]
Cc: [email protected]
Sent: Friday, 2 March 2012 11:33:18
Subject: RE: Authentication configuration

> -----Original Message-----
> From: [email protected] [mailto:wimax-[email protected]] On Behalf Of Dan Williams
> Sent: 01 March 2012 15:20
> To: [email protected]
> Cc: [email protected]
> Subject: Re: Authentication configuration
>
> On Thu, 2012-03-01 at 01:18 +0100, [email protected] wrote:
> > Hi,
> >
> > we're making trials of various authentication levels on our WiMAX infrastructure. With the CPEs we have, it's possible just to authenticate the client on the AAA using a user/passwd. Is it possible to have the same very basic level with the Linux WiMAX stack and an Intel 6250? If yes, what should the authentication section of the .bin file look like?
> >
> > In case we want to implement EAP-TLS or EAP-TTLS, what certificate should we install on the AAA (Freeradius) with respect to those present on the Linux WiMAX client side (cacert.pem ...)? On this client, what should be the configuration (DEVICE, CA...) of the CERT section of the EAP node?
>
> Everything I've heard about the Intel cards indicates they require EAP authentication. What EAP *methods* they support is something Inaky would have to say, but I've only heard of people using EAP-TLS and EAP-TTLS in deployments so far. I assume if you're using user/pass only you'd be using EAP-MD5 or EAP-MSCHAPV2?
>

[Dermot Williams] As far as I know, they only support EAP-TLS, at least on Windows. You'll also need to get a server certificate that's been signed by Verisign/Symantec, who are the acting CA for the WiMAX Forum. They're not cheap either, since you need to sign up for their Enterprise MPKI service as well.

Now, that mightn't apply to Linux - it's a while since I've played with the stack on Linux. It might be possible to edit the entries for your NSP in the two XML files (one of which is WiMax_def.xml, I can't remember the other) on the client so that they use EAP-TTLS instead. That *should* obviate the need for a server certificate, but you'll still need a copy of the WiMAX Forum's root CA cert for devices.

Dermot
