On Mon, 2015-09-14 at 15:02 +0200, Jirka Klimes wrote:
> On Mon, 14 Sep 2015 13:23:14 +0200
> Jan Grulich <jgrul...@redhat.com> wrote:
>
> > On Monday 14 of September 2015 12:51:01 Jirka Klimes wrote:
> > > On Mon, 14 Sep 2015 10:36:59 +0200
> > > Jan Grulich <jgrul...@redhat.com> wrote:
> > > > Hi,
> > > >
> > > > I'm trying to improve our WPA/WPA2 Enterprise support in KDE and I
> > > > have a few questions regarding the 802-1x security setting.
> > > >
> > > > 1) When should phase2-foo properties be used instead of just foo
> > > > properties (e.g. phase2-private-key/private-key)? In the
> > > > implementation of gnome-applet I see they are used when the phase2
> > > > property is set to true, but it's always set to false as far as I
> > > > can see.
> > >
> > > phase2-foo properties are used for EAP methods that have 2 phases.
> > > In the first phase a tunnel is established, and then, in phase 2,
> > > the authentication is done inside the tunnel using the inner method
> > > that uses the phase2 properties.
> > > NM uses that for the PEAP, TTLS and FAST EAP methods, for which you
> > > can specify inner methods.
> > >
> > > I am not aware of the gnome-shell applet implementation. You can look
> > > at the nm-applet/nm-connection-editor code here:
> > > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method.c
> > > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method-peap.c
> >
> > I actually meant nm-applet and not gnome-applet.
> >
> > I see only the phase2_auth property used in PEAP, FAST PEAP and TTLS,
> > but in TLS there are other phase2-foo properties used only when
> > parent->phase2 is true. I just don't understand why this property is
> > always set to false in
> > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c [1]
> > by passing false as the third parameter to eap_method_tls_new (line 428).
> >
> > Is there any place where this property gets changed?
>
> As I said, phase 2 is only used for some of the methods, those that
> have an inner authentication. Those are PEAP, TTLS and FAST.
> TLS, if used by itself, does not have phase 2, so the phase2 properties
> are not used.
> I think that the phase2 parameter in eap_method_tls_new() is there
> just for the case where EAP-TLS is used as an inner authentication
> method. However, nm-connection-editor does not support this
> configuration. And I am not sure if it is a common setup.
Yeah, I don't think we had an actual case of TTLS+TLS before. There is a
valid reason for doing this (in plain one-phase EAP-TLS the identity is
transmitted in the clear; using TTLS+TLS fixes that), but most locations
seem to use PEAP or TTLS+(something else), since certificates are fairly
difficult to administer at scale. Could be added though.

Dan

> http://www.opus1.com/www/whitepapers/8021xinnerauthmethods.pdf
>
> Jirka
>
> > > > 2) Are the subjectMatch/altSubjectMatch properties still valid and
> > > > used? I don't see this implemented in gnome-applet, but we had
> > > > this implemented in the old KDE networkmanagement applet. I'm
> > > > asking because we got a bug report about the missing implementation
> > > > of these properties for the new applet and I would like to be
> > > > sure how this should be implemented.
> > >
> > > https://developer.gnome.org/NetworkManager/1.0/ref-settings.html
> > >
> > > Yes, the properties are valid and used for matching the
> > > certificates. They are passed to wpa_supplicant, which performs the
> > > certificate matching.
> > > http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/supplicant-manager/nm-supplicant-config.c#n971
> > >
> > > It seems that nm-connection-editor/nm-applet did not handle the
> > > properties. But they can be set via nmcli.
> > >
> > > Jirka
> >
> > Regards,
> > Jan
> >
> > --------
> > [1]
> > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c
> _______________________________________________
> networkmanager-list mailing list
> networkmanager-list@gnome.org
> https://mail.gnome.org/mailman/listinfo/networkmanager-list
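As an added example, not code from the thread, from nm-applet or from NetworkManager: a small Python check that applies the rules stated above (phase2-* only for the tunnelled PEAP/TTLS/FAST methods, never for one-phase TLS; subject-match/altsubject-matches as the certificate pin handed to wpa_supplicant) to an 802-1x setting and renders it as nmcli arguments. The property names are NetworkManager's real 802-1x names; the check logic, finding texts and the two sample settings are constructed, and the nmcli rendering assumes its comma-separated syntax for multi-value properties.

```python
# Outer EAP methods that set up a TLS tunnel and run an inner method in it;
# only these use the phase2-* properties (one-phase TLS has no phase 2).
TUNNELLED = {"peap", "ttls", "fast"}
PHASE2_PROPS = {"phase2-auth", "phase2-autheap", "phase2-ca-cert",
                "phase2-subject-match", "phase2-altsubject-matches",
                "phase2-client-cert", "phase2-private-key"}


def check_8021x(setting):
    """Return a list of findings; an empty list means the setting is consistent."""
    findings = []
    eap = setting.get("eap", [])
    has_phase2 = any(m in TUNNELLED for m in eap)
    phase2_set = sorted(p for p in PHASE2_PROPS if setting.get(p))
    if phase2_set and not has_phase2:
        findings.append(f"{phase2_set} set but {eap} has no phase 2")
    if has_phase2 and not (setting.get("phase2-auth") or setting.get("phase2-autheap")):
        findings.append("tunnelled method needs an inner method (phase2-auth/phase2-autheap)")
    if "tls" in eap and not (setting.get("client-cert") and setting.get("private-key")):
        findings.append("eap-tls needs client-cert and private-key")
    # Server-side checks: without a CA and a subject match the tunnel endpoint
    # is not pinned, so any server with a certificate from that CA is accepted.
    if not setting.get("ca-cert"):
        findings.append("no ca-cert: server certificate is not verified")
    if not (setting.get("subject-match") or setting.get("altsubject-matches")):
        findings.append("no subject-match/altsubject-matches: any cert from the CA is accepted")
    return findings


def to_nmcli_args(setting):
    """Render '802-1x.<prop> <value>' pairs for 'nmcli connection add/modify'.
    Assumes nmcli's comma-separated syntax for multi-value properties."""
    args = []
    for prop, value in setting.items():
        args += [f"802-1x.{prop}", ",".join(value) if isinstance(value, list) else value]
    return args


# Constructed sample: TTLS with PAP inside, RADIUS server pinned by SAN match.
GOOD_TTLS = {"eap": ["ttls"], "anonymous-identity": "anonymous@example.org",
             "identity": "jan", "ca-cert": "/etc/ssl/certs/corp-ca.pem",
             "altsubject-matches": ["DNS:radius.example.org"], "phase2-auth": "pap"}
# Constructed sample: the case from the thread, a phase2 property on plain TLS.
BAD_TLS = {"eap": ["tls"], "identity": "jan", "client-cert": "/etc/pki/jan.crt",
           "private-key": "/etc/pki/jan.key", "phase2-private-key": "/etc/pki/jan.key"}
```

Run `check_8021x` on each sample to see which one passes, then feed `to_nmcli_args(GOOD_TTLS)` to `nmcli connection add type wifi ...` together with the wifi and wifi-security properties for the network.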