Dear all,

I'm on Ubuntu with NM v0.9.8.8, and am trying to connect to a university wireless network that uses PEAP MSCHAPv2 for authentication.

The instructions on their website are only for Windows and Mac, but they suggest that the certificate for authentication is "pushed" from the server side to the client, and that users need to click on "OK" (Windows) or to accept the server.

On Ubuntu, I'm provided a choice between "Ignore" and "Choose CA Certificate". If I click on "Ignore", it connects fine. If I choose "Choose CA Certificate", nothing happens.

Using Wireshark, with the "eap" display filter, I checked out the packets being exchanged. It seemed that the university is using a certificate from GlobalSign (whose root certs are pre-installed in Ubuntu).

I don't have access to the university's certificate itself, since I can't seem to figure out which IP address and port to point "openssl s_client -connect" at. (I've tried the DHCP server's IP address, the gateway's IP address, with the following ports: 1645, 1646, 443, and in each case I received a "connect:errno=111".)

If I go to Edit Connections > YaleSecure > Wi-Fi Security > CA certificate, and choose a certificate at random from /usr/share/ca-certificates/mozilla/, interesting things happen.

A. With a GlobalSign cert selected in the "CA certificate" field.
   The connection succeeds.

B. With any other cert selected in the "CA certificate" field.
   B1. With "Ask for this password each time" checked
       B1a. After having disconnected from a successful connection, changed the cert in the "Wi-Fi Security" tab, and reconnected.
            The connection succeeds.
       B1b. After having disconnected from a successful connection AND having disabled & re-enabled networking via the nm-applet AND changed the cert in the "Wi-Fi Security" tab, and reconnected.
            The connection fails. ("Unknown CA" in the Wireshark logs)
   B2. Having unchecked "Ask for this password each time"
       The connection succeeds.

C. With no cert selected in the "CA certificate" field.
   C1. The connection succeeds iff I enter the right password and click on "Ignore".
   C2. The connection doesn't do anything if I click on "Choose CA certificate". It doesn't provide me a file selection window. It just remains on the same "Wi-Fi Network Authentication Required" dialogue box.

It seems there is some kind of caching going on in situation B1, and in situation B2 the certs just aren't being compared at all. Isn't this a security bug? And C2 seems to be a UI bug.

If having the Wireshark dumps from each of these four situations would help, I'd be glad to provide them.

Please CC me in any response to this mail, as I'm set not to receive updates from the mailing list itself.

NM version:

$ apt-cache policy network-manager
network-manager:
  Installed: 0.9.8.8-0ubuntu1
  Candidate: 0.9.8.8-0ubuntu1
  Version table:
 *** 0.9.8.8-0ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy network-manager-gnome
network-manager-gnome:
  Installed: 0.9.8.4-1ubuntu2
  Candidate: 0.9.8.4-1ubuntu2
  Version table:
 *** 0.9.8.4-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy network-manager-pptp
network-manager-pptp:
  Installed: 0.9.8.2-1ubuntu2
  Candidate: 0.9.8.2-1ubuntu2
  Version table:
 *** 0.9.8.2-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

Regards,
Pranesh

-- 
Pranesh Prakash
Access to Knowledge Fellow, Information Society Project, Yale Law School
M: +1 520 314 7147 | W: http://yaleisp.org
-------------------
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: https://twitter.com/pranesh_prakash
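
Added example (not part of the original post and not NetworkManager's own code): a small audit of a saved connection profile that flags the two configurations the report touches on, a PEAP profile with no CA at all (the "Ignore" case) and one that trusts a public CA without constraining the server name (case A). It assumes the profile is stored in NetworkManager's keyfile format with an `[802-1x]` section; which of the name-constraint keys are available depends on the NetworkManager version, and the sample profiles, paths and names are constructed.

```python
import configparser

# Constructed sample profile in NetworkManager keyfile syntax (not from the post).
# It has no ca-cert, i.e. a profile that never validates the server certificate.
SAMPLE_NO_CA = """\
[connection]
id=ExampleSecure
type=802-11-wireless

[802-1x]
eap=peap;
identity=user1
phase2-auth=mschapv2
"""
# Same profile with a CA file set; the path is a placeholder.
SAMPLE_CA_ONLY = SAMPLE_NO_CA + "ca-cert=/path/to/root-ca.pem\n"
# CA plus a server-name constraint; the value is a placeholder.
SAMPLE_CA_AND_NAME = SAMPLE_CA_ONLY + "subject-match=radius.example.edu\n"

TLS_TUNNEL_METHODS = {"peap", "ttls", "tls"}
NAME_KEYS = ("subject-match", "altsubject-matches", "domain-suffix-match")


def audit_profile(text):
    """Return finding codes for one keyfile's text; an empty list means none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return []
    sec = cp["802-1x"]
    methods = {m.strip().lower() for m in sec.get("eap", "").split(";") if m.strip()}
    if not methods & TLS_TUNNEL_METHODS:
        return []
    has_ca = any(sec.get(k, "").strip() for k in ("ca-cert", "ca-path"))
    system_ca = sec.get("system-ca-certs", "").strip().lower() == "true"
    if not has_ca and not system_ca:
        # Nothing to verify the server against: any server certificate is accepted.
        return ["no-ca"]
    if not any(sec.get(k, "").strip() for k in NAME_KEYS):
        # The chain is checked, but any certificate under that CA passes.
        return ["no-name-check"]
    return []


if __name__ == "__main__":
    for name, text in [("no CA", SAMPLE_NO_CA), ("CA only", SAMPLE_CA_ONLY),
                       ("CA + name", SAMPLE_CA_AND_NAME)]:
        print(name, "->", audit_profile(text) or "ok")
```

To check real profiles, pass the contents of each file under /etc/NetworkManager/system-connections/ to audit_profile(); reading them normally requires root.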