Re: Phase2 patch



I like this approach also. Is it not necessary to add a phase2 for GTC,
i.e. so

phase2="auth=GTC" is also an option?

Volker Braun wrote:
Dear List,

Here is a patch against 0.6.4 to configure the most common phase2
options. Almost all of it was written by Stefan Schmidt <stefan at
datenfreihafen.org>, I just fixed some remaining bugs:

http://carrot.hep.upenn.edu/~vbraun/phase2.patch

(Actually, it is a patch against what is in the FC6 srpm, which apparently
is some cvs version from August and patches. Sorry for that, but I promise
to rediff it if requested)

Now I know that adding another option to the WPA Enterprise dialog is
not going to yield any praises, but on the other hand it makes it
useful for me (Dynamic WEP + phase2 PAP). I know that the whole
dialog has to become smarter, but some phase2 options ought to
stay.

This patch is my main reason for posting this, but while I'm on it here
are two more topics:


==== 1) WPA Enterprise passwords not saved to keyring ====

There are two "secrets" in the WPA Enterprise dialog: The password and
the passphrase for the private key. Only the latter is stored in the
gnome-keyring.

What's really broken is, of course, the dialog: you either have a
password or a private key. A dirty hack would be to at least store the
password in the gnome-keyring and disable the private key
passphrase (who uses that? %-) for now.


==== 2) Ramblings on how the dialog ought to be ====

Finally, some ideas on how the network dialog should be. This is
completely fiction and really an invitation for discussion:

"Dynamic WEP" under "WPA Enterprise" is confusing. The "Wireless
Security" combobox should be like this:

  None
  WEP 128-bit Passphrase
  WEP 64/128-bit Hex
  WEP 64/128-bit ASCII
  Dynamic WEP
  WPA Personal
  WPA Enterprise
  WPA2 Personal
  WPA2 Enterprise

The "WPAx Enterprise" should allow for the EAP types that are included
in the wifi certification, they are bound to show up in actual
installations. So the "EAP Method" combobox should be

  EAP-TLS
  EAP-TTLS/MSCHAPv2
  PEAPv0/EAP-MSCHAPv2
  PEAPv1/EAP-GTC
  EAP-SIM
  EAP-LEAP

When choosing "EAP-TTLS/MSCHAPv2", for example, then automatically
phase2="auth=MSCHAPv2" is passed, and no extra phase2 box is
needed. Likewise, only the authentication that makes sense for the
given EAP type appears in the dialog. So if one selects "EAP-TLS" the
remaining dialog asks for the private certificate, whereas if one
selects "EAP-TTLS/MSCHAPv2" then the remaining dialog is
anon_identity, identity, password only.

The ca_cert and ca2_cert are automatically set to be the usual root
certificate (which ought to be already in the distro
somewhere, FC6: /etc/pki/tls/cert.pem). Distro packages depend on this
file (FC6: depends already on openssl which owns the cert.pem).

Thanks for reading my ramblings :-)
Volker

_______________________________________________
NetworkManager-list mailing list
NetworkManager-list gnome org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
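
The mapping proposed in the quoted message (one "EAP Method" entry fixes phase2 and decides which fields the dialog asks for), as an added example that is not part of either post or of NetworkManager's code. The function and table names are hypothetical, the setting names and the `auth=MSCHAPV2` spelling are the ones used in wpa_supplicant.conf, and the field lists for the two PEAP entries are an assumption; EAP-SIM and EAP-LEAP are left out.

```python
# Added example: "EAP Method" combobox entry -> wpa_supplicant network block.
FC6_CA_BUNDLE = "/etc/pki/tls/cert.pem"  # root bundle path named in the message

_PASSWORD_FIELDS = ("anonymous_identity", "identity", "password")
_TLS_FIELDS = ("identity", "client_cert", "private_key", "private_key_passwd")

# entry -> (settings implied by the entry, fields the dialog still has to ask for)
EAP_METHODS = {
    "EAP-TLS": ({"eap": "TLS"}, _TLS_FIELDS),
    "EAP-TTLS/MSCHAPv2": ({"eap": "TTLS", "phase2": "auth=MSCHAPV2"},
                          _PASSWORD_FIELDS),
    "PEAPv0/EAP-MSCHAPv2": ({"eap": "PEAP", "phase1": "peapver=0",
                             "phase2": "auth=MSCHAPV2"}, _PASSWORD_FIELDS),
    "PEAPv1/EAP-GTC": ({"eap": "PEAP", "phase1": "peapver=1",
                        "phase2": "auth=GTC"}, _PASSWORD_FIELDS),
}
_UNQUOTED = {"eap", "key_mgmt"}  # keyword values; everything else is a quoted string


def required_fields(method):
    """Fields the dialog should show for the selected entry."""
    return EAP_METHODS[method][1]


def network_block(ssid, method, answers, ca_cert=FC6_CA_BUNDLE):
    """Render a network block; answers for fields the method does not use are dropped."""
    fixed, fields = EAP_METHODS[method]
    missing = [f for f in fields if not answers.get(f)]
    if missing:
        raise ValueError(f"{method} needs: {', '.join(missing)}")
    # ca_cert is always written: without it the server certificate is not verified.
    settings = {"ssid": ssid, "key_mgmt": "WPA-EAP", **fixed, "ca_cert": ca_cert}
    settings.update({f: answers[f] for f in fields})
    lines = ["network={"]
    for key, value in settings.items():
        # A quote or line break in user input would inject extra config lines.
        if any(c in value for c in '"\n\r'):
            raise ValueError(f"illegal character in {key}")
        lines.append(f"    {key}={value}" if key in _UNQUOTED
                     else f'    {key}="{value}"')
    lines.append("}")
    return "\n".join(lines)
```
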




