
Hi,

I'm attempting to connect my linux laptop to my government school's wifi network via wpa_supplicant.

Firstly, I've been given some instructions for network-manager, which are as follows:

  open network manager (probably top right) and manually add a new wireless network
  use eduSTAR as the SSID
  Security: WPA & WPA2 enterprise - (WPA2)
  Authentication: TLS
  Identity: host/8808-DDLINUX.services.education.vic.gov.au
  user certificate: point to extracted folder: computers.crt
  CA Certificate: point to the extracted folder: cacert.pem
  Private key: point to the extracted folder: key.pem
  Password: password

Next I've looked through some example wpasupplicant config files and also consulted man wpa_supplicant.conf, and developed the following:

  network={
    ssid="example wpa2-eap network"
    key_mgmt=WPA-EAP
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.prv"
    private_key_passwd="PKCS#12 passphrase"
  }

Next I modify this file for my school's network according to the instructions I got at the top.

  network={
    ssid="eduSTAR"
    key_mgmt=WPA-EAP
    proto=WPA2
    # pairwise=CCMP
    # group=CCMP
    eap=TLS
    identity="host/8808-DDLINUX.services.education.vic.gov.au"
    ca_cert="/path/to/cacert.pem"
    client_cert="/path/to/computers.crt"
    private_key="/path/to/key.pem"
    private_key_passwd="password"
  }

I'm suspecting this probably won't work though, since it's usually the case :)

So some questions:

1) How do I make this configuration file accurately reflect the configuration for this network, according to the instructions for network-manager?

2) Do I need those lines which I commented out in my final configuration file, which has been modified to reflect the information my school provided me (my last paste)?

3) The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?

4) The same is true for client_cert: the original config specifies a "pem" file while my school says to use the "crt" file. Which makes me a bit confused about what to do for 3 and 4.

So does anyone have any ideas how to make this network configuration likely work? I haven't tested it yet, but I thought I'd try and get it as perfect as I could first before testing, since I don't really know what I'm doing :)

Thanks very much for any help.

Dan

Daniel Dalton wrote:
I'm attempting to connect my linux laptop to my government school's wifi network via wpa_supplicant.
Headless wifi/DHCP client using WPA2-PSK (or WPA-PSK):

1. apt-get install wpasupplicant

2. make /etc/network/interfaces look something like this::

     auto lo
     iface lo inet loopback

     #auto eth0
     iface eth0 inet dhcp

     auto wlan0
     iface wlan0 inet manual
       wpa-roam /etc/wpa_supplicant.conf
       wpa-roam-default-iface wlan0-default

     iface wlan0-default inet dhcp

3. make /etc/wpa_supplicant.conf look something like this::

     network={
       ssid="foo"
       psk="UNPRINTABLE"
     }

4. as the PSK is clear text, be sure to::

     chown root: /etc/wpa_supplicant.conf
     chmod 600 /etc/wpa_supplicant.conf

   You may also wish to use wpa_passphrase(8) to hash the SSID and PSK together, making it harder (but not impossible) to convert it back into plain text.

See /usr/share/doc/wpasupplicant/README.Debian.gz for more info.

To debug, try::

     ip link set wlan0 up
     wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
     # wpa_supplicant will run in foreground.  Once it indicates that
     # it's up, open a second shell and try to talk to the DHCP server
     # over wlan0:
     dhclient -v wlan0

--
http://cyber.com.au/~twb/doc/wifi.txt

Ah, sorry, in my last reply I didn't read far enough down to see you were using EAP-TLS.

Daniel Dalton wrote:
Firstly, I've been given some instructions for network-manager, which are as follows:
Hang on, are you using NM, or not? IME NM just makes things more difficult.
use eduSTAR as the SSID
Security: WPA & WPA2 enterprise - (WPA2)
Authentication: TLS
Identity: host/8808-DDLINUX.services.education.vic.gov.au
user certificate: point to extracted folder: computers.crt
CA Certificate: point to the extracted folder: cacert.pem
Private key: point to the extracted folder: key.pem
Password: password
Yep, OK, this is the original EAP method TLS, where both sides have a private key and a cert (signed public key), and they validate one another by checking the certs against a trusted CA. IME EAP-TLS doesn't work with Xbox 360s, HP MFDs nor (without a lot of grief) iphones and n900s. Despite being required for WiFi Alliance enterprise certification. Grr!

Incidentally, if they GAVE you the private key your client will be using, rather than you generating it yourself, that's a bit of a security fail :-/ Really, you should be generating a private key and a CSR, sending them the CSR to sign, and getting the cert back from them; i.e. they never know your private key.
  network={
    ssid="eduSTAR"
    key_mgmt=WPA-EAP
    proto=WPA2
    # pairwise=CCMP
    # group=CCMP
    eap=TLS
    identity="host/8808-DDLINUX.services.education.vic.gov.au"
    ca_cert="/path/to/cacert.pem"
    client_cert="/path/to/computers.crt"
    private_key="/path/to/key.pem"
    private_key_passwd="password"
  }
This is what I was using:

  network={
    ssid="cyber"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="twb@cyber.com.au"
    ca_cert="/etc/ssl/certs/cyber.pem"
    client_cert="/etc/wpa_supplicant/dali.crt"
    private_key="/etc/wpa_supplicant/dali.pem"
  }

The identity corresponds to the email address in the client's cert. That host/... thing looks a little strange.
1) How do I make this configuration file accurately reflect the configuration for this network, according to the instructions for network-manager?
Looks OK to me.
2. Do I need those lines which I commented out in my final configuration file which has been modified to reflect the information my school provided me (my last paste)
I don't remember, but I had them uncommented, and I tend to leave stuff out unless absolutely necessary, so my guess is they are needed.
3. The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?
PEM refers to the ascii armour encoding of the file. prv is presumably because it's a private key. IIRC wpa_supplicant doesn't care what extensions you use (for any of these files). Other software does care because the programmers were silly.
4. The same is true for client_cert, the original config specifies a "pem" file while my school says to use the "crt" file. Which makes me a bit confused about what to do for 3 and 4.
As for (3).

On Mon, Mar 12, 2012 at 01:36:36PM +1100, Trent W. Buck wrote:
Ah, sorry, in my last reply I didn't read far enough down to see you were using EAP-TLS.
No worries, thanks for your detailed response. I've just made a few more queries below...
Hang on, are you using NM, or not? IME NM just makes things more difficult.
No, just wpasupplicant.
Incidentally, if they GAVE you the private key your client will be using, rather than you generating it yourself, that's a bit of a security fail :-/ Really, you should be generating a private key and a CSR, sending them the CSR to sign, and getting the cert back from them; i.e. they never know your private key.
Makes sense. I really don't know what the process involves with generating the various keys? I was assuming the tech department would tell me that, but maybe not...?
This is what I was using:
  network={
    ssid="cyber"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="twb@cyber.com.au"
    ca_cert="/etc/ssl/certs/cyber.pem"
    client_cert="/etc/wpa_supplicant/dali.crt"
    private_key="/etc/wpa_supplicant/dali.pem"
  }
Ok, so it's just the same thing besides the identity, certs and ssid?
The identity corresponds to the email address in the client's cert. That host/... thing looks a little strange.
It does. I suppose I can just try both.
1) How do I make this configuration file accurately reflect the configuration for this network, according to the instructions for network-manager?
Looks OK to me.
Good :)
2. Do I need those lines which I commented out in my final configuration file which has been modified to reflect the information my school provided me (my last paste)
I don't remember, but I had them uncommented, and I tend to leave stuff out unless absolutely necessary, so my guess is they are needed.
I shall keep them in that case:)
3. The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?
PEM refers to the ascii armour encoding of the file. prv is presumably because it's a private key. IIRC wpa_supplicant doesn't care what extensions you use (for any of these files). Other software does care because the programmers were silly.
Fair enough, so ultimately they are the same file type, just different extension?

Thanks for your help. I've got a bit more to play with now, so I'll give it a go tomorrow or the day after and report back.

Dan

Daniel Dalton wrote:
Incidentally, if the GAVE you the private key your client will be using, rather than you generating it yourself, that's a bit of a security fail :-/ Really, you should be generating a private key and a CSR, sending them the CSR to sign, and getting the cert back from them; i.e. they never know your private key.
Makes sense. I really don't know what the process involves with generating the various keys? I was assuming the tech department would tell me that, but maybe not...?
IME at such sites there is a black box that is "the management server" or whatever, and it has a java web UI that spits out a zip file with a given user's cert and key, the cacert, &c. This is an unfortunate (but unsurprising) trade-off of security for convenience (i.e. "can be administered by unskilled labour").
This is what I was using:
  network={
    ssid="cyber"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="twb@cyber.com.au"
    ca_cert="/etc/ssl/certs/cyber.pem"
    client_cert="/etc/wpa_supplicant/dali.crt"
    private_key="/etc/wpa_supplicant/dali.pem"
  }
Ok, so it's just the same thing besides the identity, certs and ssid?
AFAICT that is correct.
The identity corresponds to the email address in the client's cert. That host/... thing looks a little strange.
It does. I suppose I can just try both.
You probably want to use gnutls's certtool program (or openssl's ssl program) to inspect the cert and see what X.509 attributes are in it. Then just copy the appropriate one from there.
3. The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?
PEM refers to the ascii armour encoding of the file. prv is presumably because it's a private key. IIRC wpa_supplicant doesn't care what extensions you use (for any of these files). Other software does care because the programmers were silly.
Fair enough, so ultimately they are the same file type, just different extension?
Yes. PEM is similar to base64 or uuencoding, it just describes how to asciify binary data. Such files usually have a line at the top saying something like "I'm an RSA key" or "I'm a TLS cert" as well. I don't think that line has any actual effect, it's just there for humans.
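The extension question (3 and 4 above) and the PEM armour explanation, as an added example that is not part of the thread: a small Python check that tells certificate files from private-key files by the label on their BEGIN line rather than by their extension, and flags a private_key setting that points at one of the certificate files. The /path/to/ file names, the placeholder file contents and the function names are constructed for this example.

```python
import base64
import re

# PEM armour is "-----BEGIN <LABEL>-----" / "-----END <LABEL>-----" around base64 DER;
# the extension (.pem, .crt, .prv, .key) carries no information, the label does.
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
                       r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def parse_pem(text):
    """Return [(label, der_bytes), ...] for every well-formed PEM block in text."""
    return [(m.group("label"), base64.b64decode("".join(m.group("body").split()), validate=True))
            for m in PEM_BLOCK.finditer(text)]

def audit_eap_tls(conf, files):
    """Check the ca_cert/client_cert/private_key lines of one network={} block.
    files maps each referenced path to its text (stands in for the disk). [] means OK."""
    settings = dict(re.findall(r'^\s*(ca_cert|client_cert|private_key)="([^"]*)"', conf, re.M))
    findings, labels = [], {}
    for key in ("ca_cert", "client_cert", "private_key"):
        path = settings.get(key)
        if path is None:
            findings.append(f"{key} is not set")
        elif path not in files:
            findings.append(f"{key}: {path} not found")
        elif not parse_pem(files[path]):
            findings.append(f"{key}: {path} contains no PEM block")
        else:
            labels[key] = {label for label, _ in parse_pem(files[path])}
    for key, wanted in (("ca_cert", CERT_LABELS), ("client_cert", CERT_LABELS),
                        ("private_key", KEY_LABELS)):
        if key in labels and not labels[key] & wanted:
            findings.append(f"{key}: {settings[key]} holds {sorted(labels[key])}, wrong object type")
    if "private_key" in settings and settings["private_key"] in (settings.get("ca_cert"), settings.get("client_cert")):
        findings.append("private_key points at a certificate file (ca_cert or client_cert)")
    return findings

# Constructed sample files: the base64 bodies are placeholders, not real keys or certs.
_BODY = base64.b64encode(b"placeholder DER, not a real object").decode()
SAMPLE_FILES = {
    "/path/to/cacert.pem": f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n",
    "/path/to/computers.crt": f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n",
    "/path/to/key.pem": f"-----BEGIN RSA PRIVATE KEY-----\n{_BODY}\n-----END RSA PRIVATE KEY-----\n",
}
GOOD_CONF = ('network={\n ca_cert="/path/to/cacert.pem"\n client_cert="/path/to/computers.crt"\n'
             ' private_key="/path/to/key.pem"\n}')
# Same block with private_key mistakenly pointing at the CA certificate.
MIXED_UP_CONF = GOOD_CONF.replace("/path/to/key.pem", "/path/to/cacert.pem")
```

audit_eap_tls(GOOD_CONF, SAMPLE_FILES) returns an empty list, while the mixed-up block yields two findings, both about private_key: its file holds a CERTIFICATE rather than a key, and it is the same file as ca_cert.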

Hi,

Thanks Trent for your help with this. I was successful connecting to my school's network with my original config, including the confusing identity stuff; apparently it's just generally used for the macs as well. The only thing that needed to occur was the pairwise and group fields needed to be commented or removed. So the config looks something like this:

  network={
    ssid="eduSTAR"
    key_mgmt=WPA-EAP
    proto=WPA2
    eap=TLS
    identity="host/8808-DDLINUX.services.education.vic.gov.au"
    ca_cert="/path/to/cacert.pem"
    client_cert="/path/to/computers.crt"
    private_key="/path/to/key.pem"
    private_key_passwd="password"
  }

Thanks very much,
Dan