Re: WPA/WPA2 Enterprise details



On Mon, 14 Sep 2015 13:23:14 +0200
Jan Grulich <jgrulich redhat com> wrote:

On Monday 14 of September 2015 12:51:01 Jirka Klimes wrote:
On Mon, 14 Sep 2015 10:36:59 +0200

Jan Grulich <jgrulich redhat com> wrote:
Hi,

I'm trying to improve our WPA/WPA2 Enterprise support in KDE and I
have a few questions regarding the 802-11x security setting.

1) When should phase2-foo properties be used instead of just foo
properties (e.g. phase2-private-key/private-key)? In the
implementation of gnome-applet I see they are used when phase2
property is set to true, but it's always set to false as I can
see.

phase2-foo properties are used for EAP methods that have 2 phases.
In the first phase a tunnel is established, and then, in phase 2,
the authentication is done inside the tunnel using the inner method
that uses the phase2 properties.
NM uses that for PEAP, TTLS and FAST EAP methods for which you can
specify inner methods.

I am not aware of gnome-shell applet implementation. You can look at
nm-applet/nm-connection-editor code here:
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method.c
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method-peap.c

I actually meant nm-applet and not gnome-applet.

I see only phase2_auth property used in PEAP, FAST PEAP and TTLS, but
in TLS there are other phase2-foo properties used only when
parent->phase2 is true. I just don't understand why this property is
always set to false in
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c[1]
by passing false as third parameter to eap_method_tls_new (line 428).

Is there any place where this property gets changed?

As I said, phase 2 is only used for some of the methods, those that have
an inner authentication. Those are PEAP, TTLS and FAST.
TLS, if used by itself, does not have phase 2, so the phase2 properties
are not used.
I think that the phase2 parameter in the eap_method_tls_new() is there
just for the case EAP-TLS is used as an inner authentication method.
However, nm-connection-editor does not support this configuration. And
I am not sure if it is a common setup.

http://www.opus1.com/www/whitepapers/8021xinnerauthmethods.pdf

Jirka

2) Are subjectMatch/altSubjectMatch properties still valid and
used? I don't see this implemented in gnome-applet, but we had
this implemented in the old KDE networkmanagement applet. I'm
asking because we got a bug report about missing implementation
of these properties for the new applet and I would like to be
sure how this should be implemented.

https://developer.gnome.org/NetworkManager/1.0/ref-settings.html

Yes, the properties are valid and used for matching the
certificates. They are passed to wpa_supplicant that performs the
certificates matching.
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/supplicant-manager/nm-supplicant-config.c#n971

It seems that nm-connection-editor/nm-applet did not handle the
properties. But they can be set via nmcli.

Jirka


Regards,
Jan


--------
[1]
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c
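As an added illustration (not code from this thread, nm-applet or NetworkManager), a small Python lint that applies the rules Jirka describes: phase2-* properties only matter for PEAP/TTLS/FAST, and subject-match/altsubject-match only anchor to something trustworthy when ca-cert is set. The property names are NetworkManager's 802-1x keys; the sample values, the ';' list separator and the lint_8021x function are assumptions made for this example.

```python
from typing import Dict, List

# EAP methods with a second (inner) phase, as described in the thread.
TUNNELED_EAP = {"peap", "ttls", "fast"}
# NetworkManager 802-1x properties that only apply inside the phase-1 tunnel.
PHASE2_KEYS = ("phase2-auth", "phase2-autheap", "phase2-ca-cert",
               "phase2-client-cert", "phase2-private-key",
               "phase2-subject-match", "phase2-altsubject-match")
# wpa_supplicant altSubjectName entry types accepted by altsubject_match.
ALT_SUBJECT_TYPES = ("DNS:", "EMAIL:", "URI:")


def lint_8021x(cfg: Dict[str, str]) -> List[str]:
    """Return findings for a dict of 802-1x property -> value.

    List-valued properties (altsubject-match) are modelled here as a
    ';'-separated string; that representation is an assumption of this example.
    """
    findings: List[str] = []
    eap = cfg.get("eap", "")
    phase2_used = [k for k in PHASE2_KEYS if k in cfg]
    if eap in TUNNELED_EAP and not ({"phase2-auth", "phase2-autheap"} & cfg.keys()):
        findings.append(f"{eap}: no inner method (phase2-auth/phase2-autheap) set")
    if eap not in TUNNELED_EAP and phase2_used:
        findings.append(f"{eap}: phase2-* properties are ignored outside "
                        f"PEAP/TTLS/FAST: {phase2_used}")
    if "ca-cert" not in cfg:
        # Without a CA, the server certificate is not verified, so a
        # subject-match substring check is not anchored to any trust root.
        findings.append("no ca-cert: server certificate is not verified, "
                        "subject-match/altsubject-match cannot be relied upon")
    for key in ("altsubject-match", "phase2-altsubject-match"):
        for entry in filter(None, cfg.get(key, "").split(";")):
            if not entry.startswith(ALT_SUBJECT_TYPES):
                findings.append(f"{key}: '{entry}' must start with DNS:, EMAIL: or URI:")
    return findings


# Constructed sample profiles (hostnames and paths are placeholders).
GOOD_PEAP = {"eap": "peap", "identity": "user", "phase2-auth": "mschapv2",
             "ca-cert": "file:///etc/pki/example-ca.pem",
             "subject-match": "/CN=radius.example.org",
             "altsubject-match": "DNS:radius.example.org"}
TLS_WITH_PHASE2 = {"eap": "tls", "identity": "user",
                   "ca-cert": "file:///etc/pki/example-ca.pem",
                   "client-cert": "file:///etc/pki/user.pem",
                   "private-key": "file:///etc/pki/user.key",
                   "phase2-private-key": "file:///etc/pki/user.key"}
WEAK_TTLS = {"eap": "ttls", "identity": "user", "phase2-auth": "pap",
             "altsubject-match": "radius.example.org"}

if __name__ == "__main__":
    for name, cfg in [("peap", GOOD_PEAP), ("tls", TLS_WITH_PHASE2), ("ttls", WEAK_TTLS)]:
        print(name, lint_8021x(cfg) or "ok")
```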

