Re: EAP-TTLS/PAP & dynamic WEP



On Thu, 2006-10-26 at 14:24 +0200, Stefan Schmidt wrote:
> Hello.
> 
> On Wed, 2006-10-25 at 22:59, Tim wrote:
> > I've been connecting to my school's wireless network--it uses EAP-TTLS
> > with phase2 PAP authentication and dynamic WEP--via wpa_supplicant.
> 
> Exactly the same setup we use here. We, Thomas and I, have just
> decided to see if we can make this setup work with nm, too. :)

Great!  Let me know if you need any help or guidance to the bits that
need changing.

> > Works well. I would like to start using network-manager. In doing some
> > google research, I got conflicting information on whether
> > network-manager supports PAP phase2 auth and dynamic WEP, and was
> > wondering if I could get a definitive answer?
> 
> Thomas Liebetraut had a short look at this and it seems nm did not
> give an attribute for phase2 to wpa_supplicant. That's our plan to get
> this working:

The lame argument for this was that there were so many phase2 auth
options that it's really hard to get a workable UI on top of them.  But
that's only tenable for so long.

What is the breadth of options here?  How many phase2 auth methods are
there and what secondary options do the phase2 auth options need?
Unfortunately wpa_supplicant stuffs them all into the one config option.

> 1. Add phase2 attribute and make sure it arrives at wpa_supplicant.
> 2. Make it fixed to PAP and see if it's working.
> 3. If this is all we need, make the phase2 value choosable in the
> "Connect to other network" dialog. Just like the other option there.

This is, in actuality, the hard part.  We need to get the list of
options and then figure out how they look, but at first we need to see
what the scope of it is.

> Of course we would prefer to make this work automagically, but see
> no way for this now. Suggestions?

You can't.  At least not for phase2, since that stuff is managed by the
authentication server _behind_ the access point, not by the access point
itself, and therefore doesn't show up in the broadcast packets AFAIK.
That's fine, we just need some UI bits for it as described above.

> > click on the SSID to connect, I am prompted for authentication via key
> > or passphrase. My options are WEP 64/128-bit ASCII, WEP 64/128-bit
> > Hex, or WEP 128-bit Passphrase. I don't have a key to give; again, it's
> > an EAP-TTLS/PAP auth with dynamic WEP encryption scheme so the keys
> > should be obtained automatically after the authentication.
> 
> This happens because the AP only reports WEP encryption. I _guess_ there
> is no way to advertise the dynamic WEP key handling. Such
> advertisement is only possible with the IE from WPA. If I'm wrong here
> please correct me.

Right.  What we need here is to figure out whether we need to stick in
another item for Dynamic WEP that includes all the phase2 auth stuff
too, which may be a workable solution for 0.6.x.  For 0.7 we have to
redesign the UI bits of this and make it sane.  I've got a few ideas for
that, but it doesn't help us here.

Dan

> > network={
> >         ssid="AirPennNet"
> >         key_mgmt=IEEE8021X
> >         eap=TTLS
> >         phase2="auth=PAP"
> >         identity="me"
> >         password="andmypassword"
> > }
> 
> You don't need this?
> 
> eapol_flags=3
> anonymous_identity="anonymous"
> 
> regards
> Stefan Schmidt
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
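
Added example, not part of the original thread and not NetworkManager or wpa_supplicant code: a sketch of how a front end could turn separate UI fields into the single phase2 string and the network block quoted above. All function names are hypothetical, the list of tunnelled EAP methods is a non-exhaustive subset, and the sample values are the ones from the thread.

```python
# Added example: helper names are hypothetical, not NetworkManager code.

# Inner (phase2) methods wpa_supplicant accepts for EAP-TTLS: non-EAP ones
# use "auth=", EAP methods tunnelled inside TTLS use "autheap=".
TTLS_NON_EAP = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}
TTLS_EAP = {"MD5", "MSCHAPV2", "GTC"}  # subset, not exhaustive


def phase2_value(inner, tunnelled_eap=False):
    """Return the single phase2 string for one inner method."""
    allowed = TTLS_EAP if tunnelled_eap else TTLS_NON_EAP
    if inner not in allowed:
        raise ValueError(f"unsupported TTLS inner method: {inner!r}")
    return ("autheap=" if tunnelled_eap else "auth=") + inner


def quoted(value):
    """Quote a user-entered string; refuse characters that could add config lines."""
    if any(c in value for c in '"\r\n'):
        raise ValueError("value must not contain quotes or line breaks")
    return f'"{value}"'


def dynamic_wep_ttls_block(ssid, identity, password, inner="PAP",
                           tunnelled_eap=False, anonymous_identity=None,
                           ca_cert=None):
    """Build a network block for 802.1X with dynamic WEP and EAP-TTLS."""
    lines = [
        f"ssid={quoted(ssid)}",
        "key_mgmt=IEEE8021X",   # 802.1X with dynamic WEP keys, no WPA
        "eap=TTLS",
        f"phase2={quoted(phase2_value(inner, tunnelled_eap))}",
        f"identity={quoted(identity)}",
        f"password={quoted(password)}",
        "eapol_flags=3",        # require dynamic unicast (1) and broadcast (2) keys
    ]
    if anonymous_identity is not None:
        # Outer identity, sent in the clear before the TLS tunnel exists.
        lines.append(f"anonymous_identity={quoted(anonymous_identity)}")
    if ca_cert is not None:
        # With PAP the password crosses the tunnel as-is, so the server
        # certificate should be verified against a known CA.
        lines.append(f"ca_cert={quoted(ca_cert)}")
    body = "\n".join("        " + line for line in lines)
    return "network={\n" + body + "\n}\n"


if __name__ == "__main__":
    print(dynamic_wep_ttls_block("AirPennNet", "me", "andmypassword",
                                 anonymous_identity="anonymous"))
```

The phase2 choice is the only field here that the access point cannot advertise, so it is the one value a UI has to ask for.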



