Re: Check server name with or without wpa_supplicant.conf (WPA Enterprise)



On Thu, Jan 1, 2009 at 9:45 PM, Sergio Belkin <sebelk gmail com> wrote:
> Hi,
>
> I want to connect to a wireless network using either WPA(2) Enterprise
> TTLS/PAP or WPA(2) Enterprise(2) PEAP/MSCHAPv2. I could connect using
> NetworkManager. But AFAIK NetworkManager lacks the capability to check
> the RADIUS server name, so it is somewhat insecure. I'd like to provide
> a workaround using wpa_supplicant.conf (which, it seems, has such a
> capability) that works along with NetworkManager (in fact I have the
> maybe wrong impression that it is not aware of wpa_supplicant.conf),
> but I don't understand how modern distros like Fedora or Ubuntu make
> those pieces of software interact with each other.
>
> How can I make things work?
>
> Thanks in advance
>
>
> --
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin -

It does have the ability to validate that the cert used by the RADIUS
server was issued by a Certificate Authority you trust, so that helps
ensure that you don't send your credentials to any rogue AP.

NetworkManager calls wpa_supplicant over D-Bus, so in theory any
feature wpa_supplicant supports, NetworkManager can support (it does
not have the ability to interact with a local wpa_supplicant.conf).
The question is likely the benefit of the addition. I personally
don't see much benefit to this: if someone wants to spoof your
connection and all you are relying on is the RADIUS server name to
validate the wireless network, then as an attacker I am going to
connect to that AP and see what that RADIUS server calls itself when
it passes me its public key. Then just mimic it so that your clients
will connect to me... Unless I am missing something?

To secure your Wireless network always use a certificate signed by a
trusted authority and ensure that all clients validate that before
sending their credentials.
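
The two server checks this thread discusses, CA validation and RADIUS server name matching, as a small audit over a wpa_supplicant.conf (an added example, not part of the original messages or of either project's code). The sample config, its SSIDs, CA path and server name are constructed, and `parse_networks` and `audit` are hypothetical helper names; `ca_cert`, `subject_match`, `altsubject_match`, `domain_match` and `domain_suffix_match` are wpa_supplicant network options, the last two only in releases newer than this thread.

```python
import re
# Constructed sample config: SSIDs, CA path and server name are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-ca.pem"
    altsubject_match="DNS:radius.example.org"
}
'''
# wpa_supplicant options that constrain the name in the server certificate.
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_match", "domain_suffix_match")

def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in re.findall(r"^[ \t]*network=\{(.*?)^[ \t]*\}", text, re.S | re.M):
        lines = [l.strip() for l in body.splitlines()]
        pairs = [l.split("=", 1) for l in lines if "=" in l and not l.startswith("#")]
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map SSID -> missing server checks, for 802.1X (WPA-EAP) networks only."""
    report = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks have no RADIUS server to validate
        missing = [] if "ca_cert" in net else ["ca_cert"]
        if not any(opt in net for opt in NAME_CHECKS):
            missing.append("server-name match")
        report[net.get("ssid", "?")] = missing
    return report

if __name__ == "__main__":
    for ssid, missing in audit(SAMPLE_CONF).items():
        print(ssid, "OK" if not missing else "missing: " + ", ".join(missing))
```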

