Re: WPA Enterprise (EAP-TLS) system connection

2008-12-18 Thread John S. Skogtvedt
John S. Skogtvedt wrote:
> Dan Williams wrote:
>> Once you have a connection set up in the connection editor, and you have
>> the keyfile plugin enabled, you should be able to check the "make
>> available to all users" checkbox, hit apply, and it'll be a keyfile.
>>
>> It's quite likely you'll want to be using the final 0.7 NetworkManager
>> release, as a lot of the effort in November went into making this sort
>> of thing actually work, but the Ubuntu snapshots are from mid October.
>>
>> Dan
>>
> 
> Thanks, once I've been able to test the final 0.7 version I'll get back
> to you on the other questions (if still applicable).
> 
> (The Debian experimental package I tested is 0.7.0~svn4191-1 and is from
> Oct 18.)
> 
> John.


I finally got around to doing more testing today, this time using
version 0.7.0-1 from http://debs.michaelbiebl.de/network-manager/.

Settings used in nm-connection-editor:
SSID: dd-wrt
Wireless security:
Security: WPA and WPA2 enterprise
Authentication: TLS
Identity: omni
User Certificate: client_cert.pem
CA Certificate: cacert.pem
Private Key: client_key.pem
Private Key Password: (the correct password)

If the "Available to all users" option is _not_ selected,
network-manager connects without problems. But if it is selected, I get
the message "network disconnected".
The created keyfile looks like this:
"""
[802-11-wireless-security]
key-mgmt=wpa-eap
wep-tx-keyidx=0

[connection]
id=dd-wrt
uuid=bdc78c4d-bae8-4b6a-a287-6271cf208307
type=802-11-wireless
autoconnect=true
timestamp=0

[802-11-wireless]
ssid=100;100;45;119;114;116;
mode=infrastructure
channel=0
rate=0
tx-power=0
mtu=0
security=802-11-wireless-security

[ipv4]
method=auto
ignore-auto-routes=false
ignore-auto-dns=false

[802-1x]
eap=tls;
identity=omni
ca-cert=...
client-cert=...
system-ca-certs=false
"""

As you can see, the private key is not saved.

In syslog, I get the following messages:
"""
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) starting connection 'dd-wrt'
Dec 18 14:22:15 omni NetworkManager:   (wlan0): device state change: 3 -> 4
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) Stage 1 of 5 (Device Prepare) scheduled...
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) Stage 1 of 5 (Device Prepare) started...
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) Stage 2 of 5 (Device Configure) scheduled...
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) Stage 1 of 5 (Device Prepare) complete.
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) Stage 2 of 5 (Device Configure) starting...
Dec 18 14:22:15 omni NetworkManager:   (wlan0): device state change: 4 ->5
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0/wireless): access point 'dd-wrt' has security, but secrets are required.
Dec 18 14:22:15 omni NetworkManager:   (wlan0): device state change: 5 ->6
Dec 18 14:22:15 omni NetworkManager:   Activation (wlan0) Stage 2 of 5 (Device Configure) complete.
Dec 18 14:22:15 omni nm-system-settings: add_secrets: unhandled secret private-key type GArray_guchar_
Dec 18 14:22:15 omni nm-system-settings: add_secrets: unhandled secret phase2-private-key type GArray_guchar_
"""

Hope this helps,

John.
___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
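
An added example, not part of the original post or of NetworkManager: a small check that parses a keyfile like the one shown above and reports an EAP-TLS profile whose `[802-1x]` section carries no `private-key`, the condition behind the "secrets are required" log line. The function names `audit_keyfile` and `decode_byte_list` are hypothetical, and the sample is a constructed, trimmed copy of the posted keyfile.

```python
import configparser

# Constructed sample, trimmed from the keyfile shown in the post above.
SAMPLE_KEYFILE = """\
[802-11-wireless-security]
key-mgmt=wpa-eap

[802-11-wireless]
ssid=100;100;45;119;114;116;
security=802-11-wireless-security

[802-1x]
eap=tls;
identity=omni
ca-cert=...
client-cert=...
"""

def decode_byte_list(value):
    """Decode the 'n;n;n;' byte-list form used for ssid in the keyfile."""
    return bytes(int(p) for p in value.split(";") if p.strip()).decode("utf-8", "replace")

def audit_keyfile(text):
    """Return (ssid, findings) for one keyfile's contents."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    ssid = None
    if cfg.has_option("802-11-wireless", "ssid"):
        ssid = decode_byte_list(cfg.get("802-11-wireless", "ssid"))
    findings = []
    key_mgmt = cfg.get("802-11-wireless-security", "key-mgmt", fallback="")
    if key_mgmt == "wpa-eap" and not cfg.has_section("802-1x"):
        findings.append("key-mgmt=wpa-eap but no [802-1x] section")
    if cfg.has_section("802-1x"):
        methods = [m for m in cfg.get("802-1x", "eap", fallback="").split(";") if m]
        if "tls" in methods:
            # EAP-TLS needs both the client certificate and its private key.
            for key in ("client-cert", "private-key"):
                if not cfg.get("802-1x", key, fallback="").strip():
                    findings.append(f"eap=tls but {key} is missing from [802-1x]")
    return ssid, findings

if __name__ == "__main__":
    ssid, findings = audit_keyfile(SAMPLE_KEYFILE)
    print(f"SSID: {ssid}")
    for finding in findings:
        print("FINDING:", finding)
```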


Re: WPA Enterprise (EAP-TLS) system connection

2008-12-04 Thread John S. Skogtvedt
Dan Williams wrote:
> Once you have a connection set up in the connection editor, and you have
> the keyfile plugin enabled, you should be able to check the "make
> available to all users" checkbox, hit apply, and it'll be a keyfile.
> 
> It's quite likely you'll want to be using the final 0.7 NetworkManager
> release, as a lot of the effort in November went into making this sort
> of thing actually work, but the Ubuntu snapshots are from mid October.
> 
> Dan
> 

Thanks, once I've been able to test the final 0.7 version I'll get back
to you on the other questions (if still applicable).

(The Debian experimental package I tested is 0.7.0~svn4191-1 and is from
Oct 18.)

John.


WPA Enterprise (EAP-TLS) system connection

2008-12-03 Thread John S. Skogtvedt
Hello,

currently it doesn't seem possible to use either EAP-TLS or other WPA
Enterprise system connections.
(I'm using network-manager 0.7 packages from Debian Experimental.)

The connection editor doesn't allow adding an EAP-TLS connection
("Invalid connection: NMSetting8021x / client-cert invalid: 2").

I've also tried manually putting together a keyfile to put in
/etc/NetworkManager/system-connections, modeling it on the settings
visible in GConf and a (working) existing WPA-PSK keyfile. I used a
decrypted client certificate, but got an error message about missing
secrets.
This was 2 months ago, and I've since lost the keyfile. If need be I can
recreate the keyfile and do more tests.


Has anyone gotten this to work? Or can anyone offer advice on what
changes might be necessary to get it to work?


It's a very useful feature for cases where one needs to have a network
connection at the login screen, either for authentication or mounting
remote directories.


Thanks,

John.