Bernie Hackett wrote:
> Anybody figure out how to get this working with wpa_supplicant? The OIT page
> says you have verify the server name but there doesn't appear to be an option
> for that in wpa_supplicant.conf.
> I'm so close....
The 'verify server name' stuff is part of WPA's mutual authentication.
You actually don't need it to connect, but it's a darn good idea.
TTLS does a certificate exchange, and you should get a cert signed
by the Thawte Premium Server CA with a CN of 'wireless.umd.edu'.
If you don't, you might be connected to a badguy AP who could steal
your passwd.
So how does this translate into wpa_supplicant? From my quick read
of the man page it looks like this is the 'subject_match' parameter.
Most supplicants I've seen just check the CN in the subject, but
it looks like wpa_supplicant lets you check the whole thing, or
just part of it. The subject of our cert, as returned by openssl, is:
Subject: C=US, ST=Maryland, L=College Park, O=University of
Maryland-College Park, OU=OIT, CN=wireless.umd.edu
so I would guess you want something like:
subject_match="CN=wireless.umd.edu$".
Not sure about the $, but to be 100% safe you need to make sure someone
doesn't give you a CN of wireless.umd.edu.badguy.com.
Let me know if you get it to work!
-Karl
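The point Karl raises about wireless.umd.edu.badguy.com is worth seeing concretely. The wpa_supplicant.conf documentation describes subject_match as a substring to be matched against the server certificate's subject, so it has no anchors, and a value ending in "$" would only match a subject that literally contains a "$". The script below is an added example written for this thread, not code from the list or from wpa_supplicant: it parses the subject string quoted above, compares a plain substring check against an exact CN comparison, and uses a constructed rogue subject (the badguy name is taken from Karl's message; the rest of the rogue DN is made up). Current wpa_supplicant releases also offer altsubject_match (exact match on a subjectAltName such as DNS:wireless.umd.edu) and domain_suffix_match for exactly this purpose; the exact-CN check here stands in for those.

```python
"""Added example: why a substring match on the server cert subject is not enough.

The real subject is the one quoted in the thread (openssl -text formatting).
ROGUE_SUBJECT is constructed for illustration only.
"""

REAL_SUBJECT = (
    "Subject: C=US, ST=Maryland, L=College Park, "
    "O=University of Maryland-College Park, OU=OIT, CN=wireless.umd.edu"
)
# Constructed: what a hostile AP's certificate subject might look like.
ROGUE_SUBJECT = (
    "Subject: C=XX, O=Example Rogue Org, CN=wireless.umd.edu.badguy.com"
)


def parse_subject(subject: str) -> dict:
    """Split a subject DN into its RDN components.

    Accepts both the comma-separated form printed by `openssl x509 -text`
    and the slash-separated "oneline" form ("/C=US/ST=.../CN=...") that
    wpa_supplicant logs. Returns a dict keyed by attribute type (C, ST, CN...).
    """
    s = subject.strip()
    if s.startswith("Subject:"):
        s = s[len("Subject:"):].strip()
    parts = s[1:].split("/") if s.startswith("/") else s.split(",")
    rdns = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        rdns[key.strip()] = value.strip()
    return rdns


def substring_subject_match(subject: str, pattern: str) -> bool:
    """Models wpa_supplicant's subject_match: a plain substring test.

    There is no regex processing, so "$" is not an end-of-string anchor.
    """
    return pattern in subject


def exact_cn_match(subject: str, expected_cn: str) -> bool:
    """Compare the CN component only, and require equality (case-insensitive
    per DNS conventions) rather than a substring hit."""
    cn = parse_subject(subject).get("CN", "")
    return cn.lower() == expected_cn.lower()


def evaluate(subject: str, expected_cn: str) -> dict:
    """Run both checks against one subject and report the outcomes."""
    return {
        "substring": substring_subject_match(subject, "CN=" + expected_cn),
        "substring_with_dollar": substring_subject_match(subject, "CN=" + expected_cn + "$"),
        "exact_cn": exact_cn_match(subject, expected_cn),
    }


if __name__ == "__main__":
    for label, subj in (("real", REAL_SUBJECT), ("rogue", ROGUE_SUBJECT)):
        print(label, evaluate(subj, "wireless.umd.edu"))
```

Running it shows the substring check accepting both the real and the rogue subject (and the "$" variant accepting neither), while the exact CN comparison accepts only the real one; that is the behaviour you want from altsubject_match or domain_suffix_match in a production config.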