Re: Clemson tigernet a success for NM with WPA Enterprise

Today I did a further study of the certificate based authentication. I discovered that my NetworkManager connections to tigernet yesterday were ignoring certificate validiation so I went back and fixed that.

Tests run on a T61 running a fully updated Windows XP, fully updated Fedora 8 with update kernel-, NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64, and wpa_supplicant-0.5.7-21.fc8.x86_64.

WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported EAP after EAP-TLS. It is similar to EAP-TTLS, however, it requires only a server-side CA certificate to create a secure tunnel to protect the user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.

The certificate which validates is signed by an Secure Server CA root certificate. Newer Windows XP machines already have this root certificate and five others root certificates installed. Older Windows XP machines, will have this root certificate installed as soon as they login to the Clemson network. All six root certificates can be installed on older Windows XP machines by installing the optional package "Root Certificates Update" from Windows Updates.

The Windows XP configuration provided for TSPs works:

Network name (SSID): WPA
Data encryption: AES
EAP type: Protect EAP (PEAP)
Check: Validate server certificate
Connect to these servers:
Check two Secure Server Certificate Authority checkboxes
Uncheck: Automatically use my Windows login name and password.

A scan on the second floor of Martin O showed 26 access points, six of which were broadcasting the SSID tigernet. Here is the scan data for the strongest one

Cell 16 - Address: 00:0F:90:7B:32:D4
                  Frequency:2.462 GHz (Channel 11)
Quality=77/100 Signal level=-57 dBm Noise level=-93 dBm
                  Encryption key:on
                  IE: WPA Version 1
                      Group Cipher : TKIP
                      Pairwise Ciphers (2) : TKIP CCMP
                      Authentication Suites (1) : 802.1x
                  IE: IEEE 802.11i/WPA2 Version 1
                      Group Cipher : TKIP
                      Pairwise Ciphers (2) : TKIP CCMP
                      Authentication Suites (1) : 802.1x
                  Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                            11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                            48 Mb/s; 54 Mb/s

On the Linux side, most users are going to be using wpa_supplicant or NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries and openssl has its own distribution specific certs directory for storing certificate files. On Fedora 8, all six of the root certificates are in the bundle /etc/pki/tls/certs/ca-bundle.crt. The file /etc/pki/tls/cert.pem is symbolic link to this bundle.

The Entrust Secure Server CA root certificate which validates the tigernet certificate can also be downloaded from --> Download Root Certificates --> Personal Use --> Download Certificates --> download entrust_ssl_ca.der

Convert to pem format

# openssl x509 -inform der -in entrust_ssl_ca.der -out entrust_ssl_ca.pem

Copy entrust_ssl_ca.pem to /etc/pki/tls/certs

In Fedora 8, I first tested using wpa_supplicant and found the following wpa_supplicant.conf file works. This is a standard configuration file. I only had to determine which peaplabel to use.


#        ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"

I ran 'wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the debug output.

It works!

1. phase1="peaplabel=1" does not work.
2. wpa_supplicant connects with or without a cert file specified
3. wpa_supplicant does not appear to use the bundle ca-bundle.crt by default. If this file is removed, wpa_supplicant can still connects.

I then configured tigernet in NetworkManager:

Network Name: tigernet
Wireless Security: WPA & WPA2 Enterprise
Authentication: Protected EAP (PEAP)
CA Certificate: /etc/pki/tls/certs/entrust_ssl_ca.pem
PEAP Version: 0
Inner Authentication: MSCHAPv2
User Name: bmoss
Password: xxxxxxxx

It works!

1. CA Certificate: /etc/pki/tls/cert.pem (symbolic link to /etc/pki/tls/certs/ca-bundle.crt) <-- does not work
2. CA Certificate: /etc/pki/tls/certs/ca-bundle.crt  <-- does not work

Bill Moss
Alumni Distinguished Professor
Mathematical Sciences
Clemson University

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]