
On Mon, Mar 12, 2012 at 01:36:36PM +1100, Trent W. Buck wrote:
Ah, sorry, in my last reply I didn't read far enough down to see you were using EAP-TLS.
No worries, thanks for your detailed response. I've just made a few more queries below...
Hang on, are you using NM, or not? IME NM just makes things more difficult.
No, just wpasupplicant.
Incidentally, if they GAVE you the private key your client will be using, rather than you generating it yourself, that's a bit of a security fail :-/ Really, you should be generating a private key and a CSR, sending them the CSR to sign, and getting the cert back from them; i.e. they never know your private key.
Makes sense. I really don't know what the process involves with generating the various keys? I was assuming the tech department would tell me that, but maybe not...?
This is what I was using:
    network={
        ssid="cyber"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="twb@cyber.com.au"
        ca_cert="/etc/ssl/certs/cyber.pem"
        client_cert="/etc/wpa_supplicant/dali.crt"
        private_key="/etc/wpa_supplicant/dali.pem"
    }
Ok, so it's just the same thing besides the identity, certs and ssid?
The identity corresponds to the email address in the client's cert. That host/... thing looks a little strange.
It does. I suppose I can just try both.
1) How do I make this configuration file accurately reflect the configuration for this network, according to the instructions for network-manager?
Looks OK to me.
Good:)
2. Do I need those lines which I commented out in my final configuration file which has been modified to reflect the information my school provided me (my last paste)?
I don't remember, but I had them uncommented, and I tend to leave stuff out unless absolutely necessary, so my guess is they are needed.
I shall keep them in that case:)
3. The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?
PEM refers to the ascii armour encoding of the file. prv is presumably because it's a private key. IIRC wpa_supplicant doesn't care what extensions you use (for any of these files). Other software does care because the programmers were silly.
Fair enough, so ultimately they are the same file type, just different extension?

Thanks for your help. I've got a bit more to play with now so I'll give it a go tomorrow or the day after and report back.

Dan
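
The key-and-CSR process asked about above, as an added example that is not part of the original thread: the private key is generated on the client, only the CSR goes to whoever signs it, and the returned certificate is checked against the key before it is referenced in wpa_supplicant.conf. The file names, the example.org identity and the subject layout are assumptions; the signing party may require different subject fields.

```shell
#!/usr/bin/env bash
# Added example: file names and identity are constructed placeholders.

# make_key_and_csr DIR IDENTITY
# Creates DIR/client.key (never leaves this machine) and DIR/client.csr
# (the only file sent to the signing party).
make_key_and_csr() {
    local dir=$1 identity=$2
    (
        umask 077   # key file is created readable by its owner only
        # -nodes leaves the key unencrypted on disk, so the file mode matters.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/client.key" -out "$dir/client.csr" \
            -subj "/CN=$identity/emailAddress=$identity" 2>/dev/null
    )
}

# pubkey_of TYPE FILE: print the PEM public key inside a key, csr or cert.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_keypair TYPE FILE KEYFILE
# Succeeds only if FILE (csr or cert) carries the public half of KEYFILE.
# An unreadable or empty input counts as a mismatch.
same_keypair() {
    local a b
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of key "$3") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: run this script with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_key_and_csr "$d" "user@example.org" &&
        same_keypair csr "$d/client.csr" "$d/client.key" &&
        echo "send $d/client.csr for signing; keep $d/client.key private"
fi
```

Once the signed certificate comes back, `same_keypair cert <returned cert> client.key` confirms it belongs to the locally generated key before the two paths go into `client_cert` and `private_key`.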