
Ah, sorry, in my last reply I didn't read far enough down to see you were using EAP-TLS. Daniel Dalton wrote:
Firstly, I've been given some instructions for network-manager, which are as follows:
Hang on, are you using NM, or not? IME NM just makes things more difficult.
use eduSTAR as the SSID
Security: WPA & WPA2 enterprise - (WPA2)
Authentication: TLS
Identity: host/8808-DDLINUX.services.education.vic.gov.au
user certificate: point to extracted folder: computers.crt
CA Certificate: point to the extracted folder: cacert.pem
Private key: point to the extracted folder: key.pem
Password: password
Yep, OK, this is the original EAP method TLS, where both sides have a private key and a cert (signed public key), and they validate one another by checking the certs against a trusted CA. IME EAP-TLS doesn't work with Xbox 360s, HP MFDs nor (without a lot of grief) iphones and n900s. Despite being required for WiFi Alliance enterprise certification. Grr! Incidentally, if they GAVE you the private key your client will be using, rather than you generating it yourself, that's a bit of a security fail :-/ Really, you should be generating a private key and a CSR, sending them the CSR to sign, and getting the cert back from them; i.e. they never know your private key.
network={
        ssid="eduSTAR"
        key_mgmt=WPA-EAP
        proto=WPA2
        # pairwise=CCMP
        # group=CCMP
        eap=TLS
        identity="host/8808-DDLINUX.services.education.vic.gov.au"
        ca_cert="/path/to/cacert.pem"
        client_cert="/path/to/computers.crt"
        # the school's key.pem, not the CA cert
        private_key="/path/to/key.pem"
        private_key_passwd="password"
}
This is what I was using:

network={
        ssid="cyber"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="twb@cyber.com.au"
        ca_cert="/etc/ssl/certs/cyber.pem"
        client_cert="/etc/wpa_supplicant/dali.crt"
        private_key="/etc/wpa_supplicant/dali.pem"
}

The identity corresponds to the email address in the client's cert. That host/... thing looks a little strange.
1) How do I make this configuration file accurately reflect the configuration for this network, according to the instructions for network-manager?
Looks OK to me.
2. Do I need those lines which I commented out in my final configuration file which has been modified to reflect the information my school provided me (my last paste)
I don't remember, but I had them uncommented, and I tend to leave stuff out unless absolutely necessary, so my guess is they are needed.
3. The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?
PEM refers to the ascii armour encoding of the file. prv is presumably because it's a private key. IIRC wpa_supplicant doesn't care what extensions you use (for any of these files). Other software does care because the programmers were silly.
4. The same is true for client_cert, the original config specifies a "pem" file while my school says to use the "crt" file. Which makes me a bit confused about what to do for 3 and 4.
As for (3).
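Since the thread turns on which file goes in which slot (and on the fact that wpa_supplicant ignores the extension entirely), here is a small checker for a wpa_supplicant EAP-TLS network block. It is an added example for this thread, not code from either poster or from the wpa_supplicant project. It reads the PEM header of each referenced file instead of trusting ".pem"/".crt"/".prv", and flags the slip of pointing private_key at the CA certificate. The demo() function writes constructed placeholder PEM files (headers with dummy bodies, no real keys) into a temporary directory; the paths, the placeholder contents and the lint rules are all assumptions of this example.

```python
"""Sanity-check a wpa_supplicant EAP-TLS network block (added example, not project code)."""
import os
import re
import tempfile

# Keys a TLS network block must carry to authenticate at all.
REQUIRED_TLS_KEYS = ("ssid", "identity", "ca_cert", "client_cert", "private_key")

# PEM block labels each file is expected to contain; the extension is irrelevant.
EXPECTED_PEM = {
    "ca_cert": ("CERTIFICATE",),
    "client_cert": ("CERTIFICATE",),
    "private_key": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                    "ENCRYPTED PRIVATE KEY"),
}


def parse_network_block(text):
    """Return {key: value} for the first network={...} block; '#' comments are skipped."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    conf = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # a commented-out line is not a setting
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def read_text(path):
    """File contents, or None if the path cannot be read."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def lint_tls_network(conf):
    """Return a list of problem strings; an empty list means the block looks sane."""
    problems = []
    if conf.get("key_mgmt") != "WPA-EAP":
        problems.append("key_mgmt should be WPA-EAP for an enterprise network")
    if conf.get("eap") != "TLS":
        problems.append("eap should be TLS for certificate authentication")
    for key in REQUIRED_TLS_KEYS:
        if key not in conf:
            problems.append(f"missing {key}")
    # The slip discussed in the thread: the CA cert path reused as the private key.
    if conf.get("private_key") and conf.get("private_key") == conf.get("ca_cert"):
        problems.append("private_key and ca_cert point at the same file")
    for key, wanted in EXPECTED_PEM.items():
        path = conf.get(key)
        if not path:
            continue
        text = read_text(path)
        if text is None:
            problems.append(f"{key}: cannot read {path}")
            continue
        labels = set(re.findall(r"-----BEGIN ([A-Z ]+)-----", text))
        if not labels & set(wanted):
            problems.append(f"{key}: {path} contains {sorted(labels) or 'no PEM blocks'}, "
                            f"expected one of {list(wanted)}")
        elif key == "private_key":
            # Both PKCS#8 and legacy OpenSSL encrypted keys need a passphrase.
            encrypted = "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text
            if encrypted and not conf.get("private_key_passwd"):
                problems.append("private_key is encrypted but private_key_passwd is not set")
    return problems


def demo():
    """Lint the broken block (key pointing at cacert.pem) and the corrected one."""
    d = tempfile.mkdtemp()
    placeholder = {  # constructed placeholder PEM files: headers only, no real key material
        "cacert.pem": "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n",
        "computers.crt": "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n",
        "key.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: placeholder\n\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n",
    }
    for name, body in placeholder.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    template = (
        'network={\n    ssid="eduSTAR"\n    key_mgmt=WPA-EAP\n    proto=WPA2\n'
        '    # pairwise=CCMP\n    # group=CCMP\n    eap=TLS\n'
        '    identity="host/8808-DDLINUX.services.education.vic.gov.au"\n'
        '    ca_cert="%(d)s/cacert.pem"\n    client_cert="%(d)s/computers.crt"\n'
        '    private_key="%(d)s/%(key)s"\n    private_key_passwd="password"\n}\n'
    )
    broken = lint_tls_network(parse_network_block(template % {"d": d, "key": "cacert.pem"}))
    fixed = lint_tls_network(parse_network_block(template % {"d": d, "key": "key.pem"}))
    return broken, fixed


if __name__ == "__main__":
    for label, result in zip(("broken", "fixed"), demo()):
        print(label, result or "OK")
```

The point of the header check is question 3/4 above: a ".prv", ".pem" or ".crt" suffix tells you nothing, while the BEGIN line tells you exactly what the file is, which is also all wpa_supplicant looks at.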