WPA enterprise and default parameters on Linux
Dan Williams
dcbw
Wed Nov 18 10:52:01 PST 2009
On Wed, 2009-11-18 at 19:35 +0100, Alessandro Sivieri wrote:
> 2009/11/18 Dan Williams <dcbw at redhat.com>
> Can you post your wpa_supplicant configuration? Are you using TLS or TTLS?
>
> If you configure wpa_supplicant correctly, the provider's certificate is also checked. That's the "ca_cert" option. If the certificate that the provider sends is not signed by your trusted Certificate Authority then the connection is denied by wpa_supplicant. If you do not specify the ca_cert option in the configuration, then your connection is insecure and could be hijacked.
>
> There's also the "subject_match" and "altsubject_match" configuration options, which can further increase security by ensuring that the provider's certificate matches a few basic criteria that you specify.
>
> Yes, here it is:
>
> --->0-----------------------------------
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> ap_scan=1
> network={
> ssid="internet"
> proto=WPA
> key_mgmt=WPA-EAP
> auth_alg=OPEN
> pairwise=TKIP
> eap=TLS
> anonymous_identity="SOMEUNIQUEID"
> ca_cert="/etc/certificati/somefile.cer"
> private_key="/etc/certificati/somefile.p12"
> private_key_passwd="CERTPASSWD"
> phase2="auth=MSCHAPV2"
> }
Ok, so you *are* checking the provider's certificate using the CA certificate "somefile.cer". If you want to tighten the check you can use subject_match to ensure that the provider's certificate matches some known attributes.

But providing a CA certificate is the most important thing, which you are doing.

(side note: phase2 and anonymous_identity are useless because TLS doesn't use phase2 at all and those two parameters are phase2 parameters)
Dan
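As an added illustration of the checks discussed in this thread (not code from hostap or from either poster), the small Python audit below parses wpa_supplicant network blocks and flags a missing ca_cert, the absence of subject_match/altsubject_match, and phase2-only parameters left in an EAP-TLS block. The embedded configuration is constructed to mirror the shape of the one quoted above, with placeholder paths and password.

```python
import re

# Constructed sample config: two network blocks, the first shaped like the
# one in the thread, the second a PEAP block that omits ca_cert entirely.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
    ssid="internet"
    key_mgmt=WPA-EAP
    eap=TLS
    anonymous_identity="SOMEUNIQUEID"
    ca_cert="/etc/certificati/somefile.cer"
    private_key="/etc/certificati/somefile.p12"
    private_key_passwd="CERTPASSWD"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="guest"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(text):
    """Return one dict (key -> unquoted value) per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and padding
            if "=" in line:
                key, val = line.split("=", 1)
                params[key.strip()] = val.strip().strip('"')
        nets.append(params)
    return nets

def audit(net):
    """Findings for one network block, following the advice in the thread."""
    findings = []
    if "WPA-EAP" in net.get("key_mgmt", "") and not net.get("ca_cert"):
        findings.append("no ca_cert: server certificate is not verified, connection can be hijacked")
    if net.get("ca_cert") and not (net.get("subject_match") or net.get("altsubject_match")):
        findings.append("consider subject_match/altsubject_match to tighten the certificate check")
    if net.get("eap", "").upper() == "TLS":
        for key in ("phase2", "anonymous_identity"):
            if key in net:
                findings.append(f"{key} is a phase2 parameter and is ignored by EAP-TLS")
    return findings

def audit_conf(text):
    """Map each ssid to its list of findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}
```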