NetworkManager and wpa_supplicant (it was Re: EAP-TTLS +PAP tuning)

Dan Williams dcbw
Mon Jan 5 12:25:57 PST 2009


On Thu, 2009-01-01 at 22:04 -0200, Sergio Belkin wrote:
> 2008/5/7 Sergio Belkin <sebelk at gmail.com>:
> > 2008/5/7 Jouni Malinen <j at w1.fi>:
> >> On Tue, May 06, 2008 at 10:56:54AM -0300, Sergio Belkin wrote:
> >>
> >>  > I have a freeradius server that is working well in the university. We use
> >>  > the EAP-TTLS and PAP protocols.
> >>
> >>
> >>  > the nm-applet for setting the connection up. But I'd want to find a
> >>  > way to automate it, so that it finds the TTLS certificate and verifies
> >>  > the server name (I didn't see this feature in Linux). Could you help
> >>  > me to do this with wpa_supplicant? (What tools/apps and config file
> >>  > should I look at?)
> >>
> >>  Is your server certificate signed by one of the common CAs (i.e.,
> >>  something that is included in trusted CA lists)
> >
> > Yes it is
> >
> >>  or is this an in-house
> >>  self-signed CA (if yes, how is the CA certificate distributed to
> >>  clients?)?
> >
> > In Windows, it's bundled with SecureW2 (a customized installation
> > includes CA certificate),
> >
> >>
> >>  wpa_supplicant can be configured to trust a set of CA certificates,
> >>  e.g., using a single PEM file with multiple files or using ca_path
> >>  parameter to point to a directory of trusted CA certificates. For
> >>  example, ca_path="/etc/ssl/certs" would do this on a Gentoo system (that
> >>  directory of CA certificates may differ in other distros). subject_match
> >>  and altsubject_match parameters can be used to configure requirements
> >>  for the authentication server certificate, e.g.,
> >>  altsubject_match="DNS:as.example.com".
> >
> > Thanks Jouni, I think that's what I'm looking for!
> >
> > Greets.
> > --
> > --
> > Open Kairos http://www.openkairos.com
> > Watch More TV http://sebelk.blogspot.com
> > Sergio Belkin -
> >
> 
> Hi,
> I come back because I still have a big doubt. I want to connect to a
> wireless network using either WPA(2) Enterprise TTLS/PAP or WPA(2)
> Enterprise PEAP/MSCHAPv2. I could connect using NetworkManager. But
> AFAIK NetworkManager lacks the capability to check the RADIUS server name,
> so it is somewhat insecure. I'd like to provide a workaround using
> wpa_supplicant (which, it seems, has such a capability) that works along
> with NetworkManager (in fact I have the, maybe wrong, impression that
> it is not aware of wpa_supplicant.conf), but I don't understand how
> modern distros like Fedora or Ubuntu make those pieces of software
> interact with each other.

Or we could just update NetworkManager to handle this...  Do you know
whether you need "subject_match" or "altsubject_match"?

Dan
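As an added illustration (not part of the thread, and not a configuration shipped by wpa_supplicant or NetworkManager), here is a wpa_supplicant.conf that applies Jouni's advice above for both of Sergio's cases, with the unverified variant shown beside the hardened ones. The SSID "campus", the identities and password, the CA bundle path /etc/ssl/certs/campus-ca.pem and the second server name as2.example.com are assumed placeholders; as.example.com is the name Jouni used. The "CA bundle" is one PEM file holding the concatenated CA certificates.

```conf
# Added example, not from the original thread. Placeholder values:
# SSID "campus", user@example.com, /etc/ssl/certs/campus-ca.pem, as2.example.com.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# WEAK (kept disabled so it is never selected): no ca_cert/ca_path and no
# subject_match/altsubject_match. wpa_supplicant then accepts any server
# certificate, so a rogue AP running its own RADIUS can terminate the TTLS
# tunnel and read the PAP password that the client sends inside it.
network={
	ssid="campus"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	password="secret"
	phase2="auth=PAP"
	disabled=1
}

# HARDENED: EAP-TTLS/PAP. Only the in-house CA in the bundle is trusted, and
# the server certificate must carry one of the listed SAN entries. Each
# altsubject_match entry is TYPE:VALUE (TYPE is EMAIL, DNS or URI), entries are
# separated by ';', and a match requires the whole value to be equal.
# The outer identity is anonymised so the real username is not sent in clear.
network={
	ssid="campus"
	proto=RSN
	key_mgmt=WPA-EAP
	eap=TTLS
	anonymous_identity="anonymous@example.com"
	identity="user@example.com"
	password="secret"
	phase2="auth=PAP"
	ca_cert="/etc/ssl/certs/campus-ca.pem"
	altsubject_match="DNS:as.example.com;DNS:as2.example.com"
	priority=10
}

# HARDENED: PEAP/MSCHAPv2 against the same server, using the distro CA
# directory instead of a single file (the directory must contain OpenSSL
# hash-named links, as produced by c_rehash). subject_match is a *substring*
# test against "/C=.../CN=..." of the server certificate subject, so
# "/CN=as.example.com" would also accept "/CN=as.example.com.attacker.test";
# altsubject_match is added as the exact check. With a public CA directory
# the name match is what stops any other CA-issued certificate from passing.
network={
	ssid="campus"
	proto=RSN
	key_mgmt=WPA-EAP
	eap=PEAP
	anonymous_identity="anonymous@example.com"
	identity="user@example.com"
	password="secret"
	phase2="auth=MSCHAPV2"
	ca_path="/etc/ssl/certs"
	subject_match="/CN=as.example.com"
	altsubject_match="DNS:as.example.com"
	priority=5
}
```

To test a block without NetworkManager in the way, stop it and run wpa_supplicant directly against this file (for example `wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -d`); a certificate that fails the CA or name check shows up in the debug output as a TLS alert and the EAP exchange fails before any password is sent. Later NetworkManager releases expose the same check as the 802-1x `altsubject-matches` property, which nm-connection-editor and `nmcli` can set, so the wpa_supplicant.conf workaround is only needed on versions without it.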





More information about the Hostap mailing list