Re: Clemson tigernet a success for NM with WPA Enterprise



On Wed, 2008-03-19 at 15:06 -0400, Bill Moss wrote:
> Today I did a further study of the certificate based authentication. I 
> discovered that my NetworkManager connections to tigernet yesterday were 
> ignoring certificate validation so I went back and fixed that.
> 
> Tests run on a T61 running a fully updated Windows XP, fully updated 
> Fedora 8 with update kernel-2.6.24.3-34.fc8.x86_64,  
> NetworkManager-0.7.0-0.6.7.svn3370.fc8.x86_64, and 
> wpa_supplicant-0.5.7-21.fc8.x86_64.
> 
> WPA Enterprise/PEAP/MSCHAPv2: PEAP is the second most widely supported 
> EAP after EAP-TLS. It is similar to EAP-TTLS, however, it requires only 
> a server-side CA certificate to create a secure tunnel to protect the 
> user authentication. PEAP/MSCHAPV2 uses MSCHAPV2 for authentication.
> 
> The certificate which validates tigernet.clemson.edu is signed by an 
> Entrust.net Secure Server CA root certificate. Newer Windows XP machines 
> already have this root certificate and five other Entrust.net root 
> certificates installed. Older Windows XP machines will have this root 
> certificate installed as soon as they login to the Clemson network. All 
> six Entrust.net root certificates can be installed on older Windows XP 
> machines by installing the optional package "Root Certificates Update" 
> from Windows Updates.
> 
> The Windows XP configuration provided for TSPs works:
> 
> Network name (SSID): WPA
> Data encryption: AES
> EAP type: Protected EAP (PEAP)
> Check: Validate server certificate
> Connect to these servers: tigernet.clemson.edu
> Check two Entrust.net Secure Server Certificate Authority checkboxes
> Uncheck: Automatically use my Windows login name and password.
> 
> A scan on the second floor of Martin O showed 26 access points, six of 
> which were broadcasting the SSID tigernet. Here is the scan data for the 
> strongest one
> 
> Cell 16 - Address: 00:0F:90:7B:32:D4
>                    ESSID:"tigernet"
>                    Mode:Master
>                    Frequency:2.462 GHz (Channel 11)
>                    Channel:11
>                    Quality=77/100  Signal level=-57 dBm  Noise level=-93 dBm
>                    Encryption key:on
>                    IE: WPA Version 1
>                        Group Cipher : TKIP
>                        Pairwise Ciphers (2) : TKIP CCMP
>                        Authentication Suites (1) : 802.1x
>                    IE: IEEE 802.11i/WPA2 Version 1
>                        Group Cipher : TKIP
>                        Pairwise Ciphers (2) : TKIP CCMP
>                        Authentication Suites (1) : 802.1x
>                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
>                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
>                              48 Mb/s; 54 Mb/s
>                    Extra:tsf=000001018bd13a0d
> 
> On the Linux side, most users are going to be using wpa_supplicant or 
> NetworkManager/wpa_supplicant. wpa_supplicant uses the openssl libraries 
> and openssl has its own distribution specific certs directory for 
> storing certificate files. On Fedora 8, all six of the Entrust.net root 
> certificates are in the bundle /etc/pki/tls/certs/ca-bundle.crt. The 
> file /etc/pki/tls/cert.pem is a symbolic link to this bundle.
> 
> The Entrust Secure Server CA root certificate which validates the 
> tigernet certificate can also be downloaded from
> 
> http://www.entrust.net/developer/index.cfm  --> Download Root 
> Certificates --> Personal Use --> Download Certificates --> download 
> entrust_ssl_ca.der
> 
> Convert to pem format
> 
> # openssl x509 -inform der -in entrust_ssl_ca.der -out entrust_ssl_ca.pem
> 
> Copy entrust_ssl_ca.pem to /etc/pki/tls/certs
> 
> In Fedora 8, I first tested using wpa_supplicant and found the following 
> wpa_supplicant.conf file works. This is a standard configuration file. I 
> only had to determine which peaplabel to use.
> 
> wpa_supplicant.conf
> ctrl_interface=/var/run/wpa_supplicant
> ap_scan=1
> 
> network={
>        ssid="tigernet"
>        scan_ssid=1
>        # 802.1X/EAP key management, covers both WPA and WPA2
>        key_mgmt=WPA-EAP
>        eap=PEAP
>        identity="bmoss"
>        password="xxxxxxxx"
>        # PEAP version 0 key-derivation label (peaplabel=1 fails against tigernet)
>        phase1="peaplabel=0"
>        # inner authentication carried inside the TLS tunnel
>        phase2="auth=MSCHAPV2"
>        # with ca_cert commented out, the server certificate is not validated
> #        ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
> }
> 
> I ran 'wpa_supplicant -Dwext -iwlan0 
> -c/etc/wpa_supplicant/wpa_supplicant.conf -ddd' with the -ddd to see the 
> debug output.
> 
> It works!
> 
> Comments:
> 1. phase1="peaplabel=1" does not work.
> 2. wpa_supplicant connects with or without a cert file specified
> 3. wpa_supplicant does not appear to use the bundle ca-bundle.crt by 
> default. If this file is removed, wpa_supplicant can still connect.
> 
> I then configured tigernet in NetworkManager:
> 
> Network Name: tigernet
> Wireless Security: WPA & WPA2 Enterprise
> Authentication: Protected EAP (PEAP)
> CA Certificate: /etc/pki/tls/certs/entrust_ssl_ca.pem
> PEAP Version: 0
> Inner Authentication: MSCHAPv2
> User Name: bmoss
> Password: xxxxxxxx
> 
> It works!
> 
> Comments:
> 1. CA Certificate: /etc/pki/tls/cert.pem (symbolic link to 
> /etc/pki/tls/certs/ca-bundle.crt)  <-- does not work
> 2. CA Certificate: /etc/pki/tls/certs/ca-bundle.crt  <-- does not work

These last two probably don't work because the applet doesn't recognize
the .crt extension.  The applet requires that the certificate be in DER
or PEM format, but DER format certs can reliably be identified by their
immediate contents without implementing a full PKCS-8 parser in the
applet.  Eventually I'd like to punt this to a certificate store but
that's going to take a lot longer than I had thought.

I do need to figure out a way to support certificate bundles; right now
the applet only supports one certificate per file.

Dan
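An added example, not from this thread or from wpa_supplicant: a small Python checker for the wpa_supplicant.conf quoted above. It parses network={...} blocks and flags WPA-EAP networks whose ca_cert is missing or commented out, which is the state in which comments 2 and 3 above saw the connection still succeed. The sample config is a constructed copy of the posted block; subject_match is assumed to be available in the installed wpa_supplicant.

```python
import re

# Constructed sample: the posted network block with ca_cert commented out.
SAMPLE_CONF = """\
network={
       ssid="tigernet"
       scan_ssid=1
       key_mgmt=WPA-EAP
       eap=PEAP
       identity="bmoss"
       password="xxxxxxxx"
       phase1="peaplabel=0"
       phase2="auth=MSCHAPV2"
#        ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}
"""


def parse_networks(conf):
    """Return one dict per network={...} block; '#' lines are ignored, so a
    commented-out ca_cert does not count as configured."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_eap(conf):
    """Map each WPA-EAP network's SSID to a list of findings (empty = OK).
    Without ca_cert the TLS tunnel is built to whichever server answers for
    the SSID, so the inner MSCHAPv2 exchange is only as safe as that server;
    without subject_match any certificate issued by the CA is accepted."""
    report = {}
    for net in parse_networks(conf):
        if net.get("key_mgmt") != "WPA-EAP":
            continue
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: server certificate is not validated")
        if "subject_match" not in net:
            findings.append("no subject_match: any certificate from the CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report
```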


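An added example (mine, not the NetworkManager applet's code) of the two points in the reply above: recognising DER versus PEM from the leading bytes rather than from the file extension, and splitting a bundle such as ca-bundle.crt into the one-certificate-per-file form the applet supported. The DER and PEM inputs are constructed placeholders, not real certificates.

```python
import re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed samples: a minimal DER SEQUENCE (not a real certificate) and a
# two-entry bundle in the shape of ca-bundle.crt, with placeholder bodies.
DER_SAMPLE = b"\x30\x03\x02\x01\x05"
PEM_BUNDLE = (
    b"# comment line, as found in ca-bundle.crt\n"
    b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
)


def der_length(data):
    """Decode the ASN.1 length of the outer element as (header_len, content_len),
    or None if the bytes do not start like DER."""
    if len(data) < 2 or data[0] != 0x30:  # 0x30 = SEQUENCE, the outer tag of every X.509 cert
        return None
    first = data[1]
    if first < 0x80:  # short-form length
        return 2, first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def cert_format(data):
    """Classify file contents as 'der', 'pem' or 'unknown' without trusting
    the extension (ca-bundle.crt is PEM despite its name)."""
    hdr = der_length(data)
    if hdr is not None and sum(hdr) == len(data):
        return "der"
    if PEM_BLOCK.search(data):
        return "pem"
    return "unknown"


def split_pem_bundle(data):
    """Return each certificate in a PEM bundle as its own bytes object, ready
    to be written out as a single-certificate file."""
    return [m.group(0) + b"\n" for m in PEM_BLOCK.finditer(data)]
```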

