Re: WPA/WPA2 Enterprise details
On Mon, 2015-09-14 at 15:02 +0200, Jirka Klimes wrote:
> On Mon, 14 Sep 2015 13:23:14 +0200
> Jan Grulich wrote:
>
> > On Monday 14 of September 2015 12:51:01 Jirka Klimes wrote:
> > > On Mon, 14 Sep 2015 10:36:59 +0200
> > >
> > > Jan Grulich wrote:
> > > > Hi,
> > > >
> > > > I'm trying to improve our WPA/WPA2 Enterprise support in KDE and I
> > > > have a few questions regarding the 802-11x security setting.
> > > >
> > > > 1) When should phase2-foo properties be used instead of just foo
> > > > properties (e.g. phase2-private-key/private-key)? In the
> > > > implementation of gnome-applet I see they are used when the phase2
> > > > property is set to true, but it's always set to false as I can
> > > > see.
> > >
> > > phase2-foo properties are used for EAP methods that have 2 phases.
> > > In the first phase a tunnel is established, and then, in phase 2,
> > > the authentication is done inside the tunnel using the inner method
> > > that uses the phase2 properties.
> > > NM uses that for PEAP, TTLS and FAST EAP methods for which you can
> > > specify inner methods.
> > >
> > > I am not aware of the gnome-shell applet implementation. You can look at
> > > the nm-applet/nm-connection-editor code here:
> > > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method.c
> > > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method-peap.c
> >
> > I actually meant nm-applet and not gnome-applet.
> >
> > I see only the phase2_auth property used in PEAP, FAST PEAP and TTLS, but
> > in TLS there are other phase2-foo properties used only when
> > parent->phase2 is true. I just don't understand why this property is
> > always set to false in
> > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c [1]
> > by passing false as the third parameter to eap_method_tls_new (line 428).
> >
> > Is there any place where this property gets changed?
> >
> As I said, phase 2 is only used for some of the methods that have
> an inner authentication. Those are PEAP, TTLS and FAST.
> TLS if used by itself does not have phase 2, so the phase2 properties
> are not used.
> I think that the phase2 parameter in eap_method_tls_new() is there
> just for the case EAP-TLS is used as an inner authentication method.
> However, nm-connection-editor does not support this configuration. And
> I am not sure if it is a common setup.

Yeah, I don't think we had an actual case of TTLS+TLS before. There is a
valid reason for doing this (in plain one-phase EAP-TLS the identity is
transmitted in the clear; using TTLS+TLS fixes that) but most locations
seem to use PEAP or TTLS+(something else) since certificates are fairly
difficult to administer at scale. Could be added though.

Dan

> http://www.opus1.com/www/whitepapers/8021xinnerauthmethods.pdf
>
> Jirka
>
> > > > 2) Are subjectMatch/altSubjectMatch properties still valid and
> > > > used? I don't see this implemented in gnome-applet, but we had
> > > > this implemented in the old KDE networkmanagement applet. I'm
> > > > asking because we got a bug report about missing implementation
> > > > of these properties for the new applet and I would like to be
> > > > sure how this should be implemented.
> > >
> > > https://developer.gnome.org/NetworkManager/1.0/ref-settings.html
> > >
> > > Yes, the properties are valid and used for matching the
> > > certificates. They are passed to wpa_supplicant, which performs the
> > > certificate matching.
> > > http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/supplicant-manager/nm-supplicant-config.c#n971
> > >
> > > It seems that nm-connection-editor/nm-applet did not handle the
> > > properties. But they can be set via nmcli.
> > >
> > > Jirka
> >
> > Regards,
> > Jan
> >
> > [1]
> > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: WPA/WPA2 Enterprise details
On Mon, 14 Sep 2015 13:23:14 +0200
Jan Grulich wrote:

> On Monday 14 of September 2015 12:51:01 Jirka Klimes wrote:
> > On Mon, 14 Sep 2015 10:36:59 +0200
> >
> > Jan Grulich wrote:
> > > Hi,
> > >
> > > I'm trying to improve our WPA/WPA2 Enterprise support in KDE and I
> > > have a few questions regarding the 802-11x security setting.
> > >
> > > 1) When should phase2-foo properties be used instead of just foo
> > > properties (e.g. phase2-private-key/private-key)? In the
> > > implementation of gnome-applet I see they are used when the phase2
> > > property is set to true, but it's always set to false as I can
> > > see.
> >
> > phase2-foo properties are used for EAP methods that have 2 phases.
> > In the first phase a tunnel is established, and then, in phase 2,
> > the authentication is done inside the tunnel using the inner method
> > that uses the phase2 properties.
> > NM uses that for PEAP, TTLS and FAST EAP methods for which you can
> > specify inner methods.
> >
> > I am not aware of the gnome-shell applet implementation. You can look at
> > the nm-applet/nm-connection-editor code here:
> > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method.c
> > https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method-peap.c
>
> I actually meant nm-applet and not gnome-applet.
>
> I see only the phase2_auth property used in PEAP, FAST PEAP and TTLS, but
> in TLS there are other phase2-foo properties used only when
> parent->phase2 is true. I just don't understand why this property is
> always set to false in
> https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c [1]
> by passing false as the third parameter to eap_method_tls_new (line 428).
>
> Is there any place where this property gets changed?
>

As I said, phase 2 is only used for some of the methods that have an
inner authentication. Those are PEAP, TTLS and FAST.
TLS if used by itself does not have phase 2, so the phase2 properties
are not used.
I think that the phase2 parameter in eap_method_tls_new() is there
just for the case EAP-TLS is used as an inner authentication method.
However, nm-connection-editor does not support this configuration. And
I am not sure if it is a common setup.

http://www.opus1.com/www/whitepapers/8021xinnerauthmethods.pdf

Jirka

> > > 2) Are subjectMatch/altSubjectMatch properties still valid and
> > > used? I don't see this implemented in gnome-applet, but we had
> > > this implemented in the old KDE networkmanagement applet. I'm
> > > asking because we got a bug report about missing implementation
> > > of these properties for the new applet and I would like to be
> > > sure how this should be implemented.
> >
> > https://developer.gnome.org/NetworkManager/1.0/ref-settings.html
> >
> > Yes, the properties are valid and used for matching the
> > certificates. They are passed to wpa_supplicant, which performs the
> > certificate matching.
> > http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/supplicant-manager/nm-supplicant-config.c#n971
> >
> > It seems that nm-connection-editor/nm-applet did not handle the
> > properties. But they can be set via nmcli.
> >
> > Jirka
>
> Regards,
> Jan
>
> [1]
> https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c
Re: WPA/WPA2 Enterprise details
On Monday 14 of September 2015 12:51:01 Jirka Klimes wrote:
> On Mon, 14 Sep 2015 10:36:59 +0200
>
> Jan Grulich wrote:
> > Hi,
> >
> > I'm trying to improve our WPA/WPA2 Enterprise support in KDE and I
> > have a few questions regarding the 802-11x security setting.
> >
> > 1) When should phase2-foo properties be used instead of just foo
> > properties (e.g. phase2-private-key/private-key)? In the implementation
> > of gnome-applet I see they are used when the phase2 property is set to
> > true, but it's always set to false as I can see.
>
> phase2-foo properties are used for EAP methods that have 2 phases. In
> the first phase a tunnel is established, and then, in phase 2, the
> authentication is done inside the tunnel using the inner method that
> uses the phase2 properties.
> NM uses that for PEAP, TTLS and FAST EAP methods for which you can
> specify inner methods.
>
> I am not aware of the gnome-shell applet implementation. You can look at
> the nm-applet/nm-connection-editor code here:
> https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method.c
> https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method-peap.c

I actually meant nm-applet and not gnome-applet.

I see only the phase2_auth property used in PEAP, FAST PEAP and TTLS, but
in TLS there are other phase2-foo properties used only when
parent->phase2 is true. I just don't understand why this property is
always set to false in
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c [1]
by passing false as the third parameter to eap_method_tls_new (line 428).

Is there any place where this property gets changed?

> > 2) Are subjectMatch/altSubjectMatch properties still valid and used?
> > I don't see this implemented in gnome-applet, but we had this
> > implemented in the old KDE networkmanagement applet. I'm asking
> > because we got a bug report about missing implementation of these
> > properties for the new applet and I would like to be sure how this
> > should be implemented.
>
> https://developer.gnome.org/NetworkManager/1.0/ref-settings.html
>
> Yes, the properties are valid and used for matching the certificates.
> They are passed to wpa_supplicant, which performs the certificate
> matching.
> http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/supplicant-manager/nm-supplicant-config.c#n971
>
> It seems that nm-connection-editor/nm-applet did not handle the
> properties. But they can be set via nmcli.
>
> Jirka

Regards,
Jan

[1] https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/wireless-security.c
Re: WPA/WPA2 Enterprise details
On Mon, 14 Sep 2015 10:36:59 +0200
Jan Grulich wrote:

> Hi,
>
> I'm trying to improve our WPA/WPA2 Enterprise support in KDE and I
> have a few questions regarding the 802-11x security setting.
>
> 1) When should phase2-foo properties be used instead of just foo
> properties (e.g. phase2-private-key/private-key)? In the implementation
> of gnome-applet I see they are used when the phase2 property is set to
> true, but it's always set to false as I can see.
>

phase2-foo properties are used for EAP methods that have 2 phases. In
the first phase a tunnel is established, and then, in phase 2, the
authentication is done inside the tunnel using the inner method that
uses the phase2 properties.
NM uses that for PEAP, TTLS and FAST EAP methods for which you can
specify inner methods.

I am not aware of the gnome-shell applet implementation. You can look at
the nm-applet/nm-connection-editor code here:
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method.c
https://git.gnome.org/browse/network-manager-applet/tree/src/wireless-security/eap-method-peap.c

> 2) Are subjectMatch/altSubjectMatch properties still valid and used?
> I don't see this implemented in gnome-applet, but we had this
> implemented in the old KDE networkmanagement applet. I'm asking
> because we got a bug report about missing implementation of these
> properties for the new applet and I would like to be sure how this
> should be implemented.
>

https://developer.gnome.org/NetworkManager/1.0/ref-settings.html

Yes, the properties are valid and used for matching the certificates.
They are passed to wpa_supplicant, which performs the certificate
matching.
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/supplicant-manager/nm-supplicant-config.c#n971

It seems that nm-connection-editor/nm-applet did not handle the
properties. But they can be set via nmcli.

Jirka
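The two rules this thread settles, that phase2-* properties only matter for the tunneled methods (PEAP, TTLS, FAST) while plain EAP-TLS has no phase 2, and that subject-match/altsubject-match are handed to wpa_supplicant for certificate matching, written out as an added Python example. This is not NetworkManager's code: the property-to-key mapping and the sample settings are my own construction, and the wpa_supplicant key names are assumed from wpa_supplicant.conf.

```python
# Added illustration, not NetworkManager's own code: map the NM 802-1x properties from
# the thread onto the wpa_supplicant keys they feed (real translation: nm-supplicant-config.c).
TUNNELED = {"peap", "ttls", "fast"}   # methods with an inner (phase 2) authentication

# outer (phase 1) parameters: NM property -> wpa_supplicant key
OUTER = {"identity": "identity", "anonymous-identity": "anonymous_identity",
         "ca-cert": "ca_cert", "client-cert": "client_cert",
         "private-key": "private_key", "subject-match": "subject_match",
         "altsubject-match": "altsubject_match"}
# the same parameters for an EAP-TLS run inside the tunnel (phase2-* -> *2)
INNER = {"phase2-ca-cert": "ca_cert2", "phase2-client-cert": "client_cert2",
         "phase2-private-key": "private_key2",
         "phase2-subject-match": "subject_match2",
         "phase2-altsubject-match": "altsubject_match2"}

# constructed sample: PEAP/MSCHAPv2 pinned to the corporate CA and the RADIUS name
SAMPLE = {"eap": ["peap"], "identity": "alice", "ca-cert": "/etc/pki/corp-ca.pem",
          "altsubject-match": ["DNS:radius.example.org"], "phase2-auth": "mschapv2"}

# NM altsubject-match is a list; wpa_supplicant wants a ';'-separated string
_val = lambda v: ";".join(v) if isinstance(v, list) else v


def to_supplicant(s):
    """Return (network_block, warnings) for an NM 802-1x settings dict."""
    eap = s["eap"][0].lower()
    block, warn = {"eap": eap.upper()}, []
    for nm_key, wpa_key in OUTER.items():
        if nm_key in s:
            block[wpa_key] = _val(s[nm_key])
    if eap in TUNNELED:
        # phase2-auth -> auth=X (PEAP or non-EAP inner), phase2-autheap -> autheap=X
        inner = s.get("phase2-auth") or s.get("phase2-autheap") or ""
        if inner:
            kind = "auth" if "phase2-auth" in s else "autheap"
            block["phase2"] = "%s=%s" % (kind, inner.upper())
        if inner.lower() == "tls":           # inner EAP-TLS: phase2-* keys apply
            for nm_key, wpa_key in INNER.items():
                if nm_key in s:
                    block[wpa_key] = _val(s[nm_key])
    else:
        # plain EAP-TLS has no phase 2, so phase2-* properties are simply ignored
        ignored = sorted(k for k in s if k.startswith("phase2-"))
        if ignored:
            warn.append("ignored for %s: %s" % (eap.upper(), ", ".join(ignored)))
    # no ca-cert: server cert unverified; ca-cert alone: any cert from that CA passes
    if "ca_cert" not in block:
        warn.append("no ca-cert: server certificate will not be verified")
    elif not {"subject_match", "altsubject_match"} & set(block):
        warn.append("ca-cert without subject-match/altsubject-match")
    return block, warn
```

The warnings are the checks a client applet should surface: a connection without ca-cert, or with ca-cert but no subject match, will accept any RADIUS server certificate (or any one from that CA).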