Clemson tigernet a success for NM with WPA Enterprise

Notes: Testing tigernet 3-18-08. Bill Moss

Tests run on a T61 running a fully updated Windows XP, fully updated Fedora 8 with update kernel-, and NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64.

WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported EAP after EAP-TLS. It is similar to EAP-TTLS, however, it requires only a server-side CA certificate to create a secure tunnel to protect the user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.

The certificate which validates is signed by an Secure Server CA root certificate. Newer Windows XP machines already have this root certificate and five others root certificates installed. Older Windows XP machines, will have this root certificate installed as soon as they login to the Clemson network. All six root certificates can be installed on older Windows XP machines by installing the optional package "Root Certificates Update" from Windows Updates.

The Windows XP configuration provided for TSPs works:

Network name (SSID): WPA
Data encryption: AES
EAP type: Protect EAP (PEAP)
Check: Validate server certificate
Connect to these servers:
Check two Secure Server Certificate Authority checkboxes
Uncheck: Automatically use my Windows login name and password.

A scan on the second floor of Martin O showed 26 access points, six of which were broadcasting the SSID tigernet. Here is the scan data for the strongest one

Cell 16 - Address: 00:0F:90:7B:32:D4
                   Frequency:2.462 GHz (Channel 11)
Quality=77/100 Signal level=-57 dBm Noise level=-93 dBm
                   Encryption key:on
                   IE: WPA Version 1
                       Group Cipher : TKIP
                       Pairwise Ciphers (2) : TKIP CCMP
                       Authentication Suites (1) : 802.1x
                   IE: IEEE 802.11i/WPA2 Version 1
                       Group Cipher : TKIP
                       Pairwise Ciphers (2) : TKIP CCMP
                       Authentication Suites (1) : 802.1x
                   Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                             11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                             48 Mb/s; 54 Mb/s

On the Linux side, most users are going to be using wpa_supplicant or NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries and openssl has its own distribution specific certs directory for storing certificate files. On Fedora 8, all six of the root certificates are in the directory /etc/pki/tls/certs bundled in a CRT file along with many other certificates. The filename cert.pem appearing in wpa_supplicant.conf below is a symbolic link to this bundle.

In Fedora 8, I first tested using wpa_supplicant and found the following wpa_supplicant.conf file works. This is a standard configuration file. I only had to determine with peaplabel to use.



phase1="peaplabel=1" does not work.

I ran 'wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the debug output.

It works!

I then configured tigernet in NetworkManager:

Network Name: tigernet
Wireless Security: WPA Enterprise
EAP Method: PEAP
Identity: bmoss
Password: xxxxxxxx
CA Certificate: /etc/pki/tls/cert.pem

It works!

Bill Moss
Alumni Distinguished Professor
Mathematical Sciences
Clemson University

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]