Re: Clemson tigernet a success for NM with WPA Enterprise
- From: Bill Moss <bmoss CLEMSON EDU>
- To: networkmanager list <networkmanager-list gnome org>
- Subject: Re: Clemson tigernet a success for NM with WPA Enterprise
- Date: Wed, 19 Mar 2008 15:06:19 -0400
Today I did a further study of the certificate based authentication. I
discovered that my NetworkManager connections to tigernet yesterday were
ignoring certificate validation so I went back and fixed that.
Tests run on a T61 running a fully updated Windows XP, fully updated
Fedora 8 with update kernel-2.6.24.3-34.fc8.x86_64,
NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64, and
wpa_supplicant-0.5.7-21.fc8.x86_64.
WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported
EAP after EAP-TLS. It is similar to EAP-TTLS, however, it requires only
a server-side CA certificate to create a secure tunnel to protect the
user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.
The certificate which validates tigernet.clemson.edu is signed by an
Entrust.net Secure Server CA root certificate. Newer Windows XP machines
already have this root certificate and five other Entrust.net root
certificates installed. Older Windows XP machines will have this root
certificate installed as soon as they login to the Clemson network. All
six Entrust.net root certificates can be installed on older Windows XP
machines by installing the optional package "Root Certificates Update"
from Windows Update.
The Windows XP configuration provided for TSPs works:
Network name (SSID): WPA
Data encryption: AES
EAP type: Protected EAP (PEAP)
Check: Validate server certificate
Connect to these servers: tigernet.clemson.edu
Check two Entrust.net Secure Server Certificate Authority checkboxes
Uncheck: Automatically use my Windows login name and password.
A scan on the second floor of Martin O showed 26 access points, six of
which were broadcasting the SSID tigernet. Here is the scan data for the
strongest one:

          Cell 16 - Address: 00:0F:90:7B:32:D4
                    ESSID:"tigernet"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Channel:11
                    Quality=77/100  Signal level=-57 dBm  Noise level=-93 dBm
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : 802.1x
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : 802.1x
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:tsf=000001018bd13a0d
On the Linux side, most users are going to be using wpa_supplicant or
NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries
and openssl has its own distribution specific certs directory for
storing certificate files. On Fedora 8, all six of the Entrust.net root
certificates are in the bundle /etc/pki/tls/certs/ca-bundle.crt. The
file /etc/pki/tls/cert.pem is a symbolic link to this bundle.
The Entrust Secure Server CA root certificate which validates the
tigernet certificate can also be downloaded from
http://www.entrust.net/developer/index.cfm --> Download Root
Certificates --> Personal Use --> Download Certificates --> download
entrust_ssl_ca.der
Convert to pem format
# openssl x509 -inform der -in entrust_ssl_ca.der -out entrust_ssl_ca.pem
Copy entrust_ssl_ca.pem to /etc/pki/tls/certs
In Fedora 8, I first tested using wpa_supplicant and found the following
wpa_supplicant.conf file works. This is a standard configuration file. I
only had to determine which peaplabel to use.
wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
ssid="tigernet"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="bmoss"
password="xxxxxxxx"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
# ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}
I ran 'wpa_supplicant -Dwext -iwlan0
-c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the
debug output.
It works!
Comments:
1. phase1="peaplabel=1" does not work.
2. wpa_supplicant connects with or without a cert file specified.
3. wpa_supplicant does not appear to use the bundle ca-bundle.crt by
default. If this file is removed, wpa_supplicant can still connect.
I then configured tigernet in NetworkManager:
Network Name: tigernet
Wireless Security: WPA & WPA2 Enterprise
Authentication: Protected EAP (PEAP)
CA Certificate: /etc/pki/tls/certs/entrust_ssl_ca.pem
PEAP Version: 0
Inner Authentication: MSCHAPv2
User Name: bmoss
Password: xxxxxxxx
It works!
Comments:
1. CA Certificate: /etc/pki/tls/cert.pem (symbolic link to
/etc/pki/tls/certs/ca-bundle.crt) <-- does not work
2. CA Certificate: /etc/pki/tls/certs/ca-bundle.crt <-- does not work
--
Bill Moss
Alumni Distinguished Professor
Mathematical Sciences
Clemson University
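The two observations in the post that matter most to a practitioner are that wpa_supplicant "connects with or without a cert file specified" and that only a single-CA PEM file (not the distribution bundle) worked as the CA certificate. The script below is an added example, not code from the post or from NetworkManager/wpa_supplicant. It (a) scans a wpa_supplicant.conf for eap=PEAP network blocks whose ca_cert= line is missing or commented out, which is the configuration that connects without checking the RADIUS server's certificate, and (b) builds a throw-away root CA and server certificate with openssl (constructed test data, not the real Entrust or tigernet certificates), round-trips the root through DER and back to PEM with the same openssl x509 command as in the post, and verifies the server certificate against that root and against an unrelated one. The sample config, the CA subject names and radius.example.test are all made up for the example.

```shell
#!/bin/sh
# Added example (not part of the original post or of wpa_supplicant).
#   check_peap_ca_cert CONF       - list eap=PEAP blocks with no active ca_cert= line
#   make_test_pki DIR             - constructed root CA + server cert, DER->PEM round trip
#   chain_verifies CAFILE CERT    - "OK" if CERT chains to CAFILE, else "FAIL"
set -e

# Print "ssid=<name>" for each network block that has eap=PEAP but no uncommented
# ca_cert= line; return 1 if any were found, 0 otherwise. A line "# ca_cert=..."
# starts with "#" and never matches the ca_cert pattern, so it counts as missing.
check_peap_ca_cert() {
    awk '
        /^[ \t]*network[ \t]*=[ \t]*\{/ { inblk = 1; ssid = "?"; peap = 0; ca = 0; next }
        !inblk { next }
        /^[ \t]*ssid[ \t]*=/ { s = $0; sub(/^[^=]*=[ \t]*/, "", s); gsub(/"/, "", s); ssid = s }
        /^[ \t]*eap[ \t]*=[ \t]*PEAP/ { peap = 1 }
        /^[ \t]*ca_cert[ \t]*=/ { ca = 1 }
        /^[ \t]*\}/ { if (peap && !ca) { bad++; print "ssid=" ssid }; inblk = 0 }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed wpa_supplicant.conf: "tigernet" mirrors the post (ca_cert commented
# out), "tigernet-checked" pins the CA, "homenet" is an unrelated PSK network.
sample_conf() {
    cat <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
    ssid="tigernet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bmoss"
    password="xxxxxxxx"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    # ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}
network={
    ssid="tigernet-checked"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}
network={
    ssid="homenet"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
EOF
}

# Build two self-signed roots ("ca" and "other"), a server cert issued by "ca",
# and ca_rt.pem, which is ca.pem converted to DER and back with the post's command.
make_test_pki() {
    dir=$1
    for name in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
            -subj "/CN=Example $name Root" -keyout "$dir/$name.key" \
            -out "$dir/$name.pem" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/server.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/ca.pem" -outform der -out "$dir/ca.der"
    openssl x509 -inform der -in "$dir/ca.der" -out "$dir/ca_rt.pem"
}

# Chain check against one trusted file only, the way a single-CA ca_cert= works.
chain_verifies() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Stand-alone demonstration on the constructed data.
workdir=$(mktemp -d)
sample_conf > "$workdir/wpa_supplicant.conf"
check_peap_ca_cert "$workdir/wpa_supplicant.conf" \
    || echo "the block(s) above accept any RADIUS server certificate"
if command -v openssl >/dev/null 2>&1; then
    make_test_pki "$workdir"
    echo "server vs its own root:   $(chain_verifies "$workdir/ca_rt.pem" "$workdir/server.pem")"
    echo "server vs unrelated root: $(chain_verifies "$workdir/other.pem" "$workdir/server.pem")"
fi
rm -rf "$workdir"
```

Run it as a plain script; on the constructed config it reports only ssid=tigernet, and with openssl installed it prints OK for the round-tripped root and FAIL for the unrelated one. The conf check is deliberately strict about commented-out lines because a commented ca_cert is exactly the state in which wpa_supplicant still connects, as the post notes, without binding the MSCHAPv2 exchange to the expected server certificate.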