So this is what I have so far:
network={
	disabled=0          # change to 1 to disable
	mode=0              # infrastructure mode
	ssid="umd-secure"
	scan_ssid=1         # scan for hidden APs
	key_mgmt=WPA-EAP
	proto=WPA2
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TTLS
	identity="bhackett"
	password="myverysecretpassword"
	anonymous_identity="anonymous"
	ca_cert="/etc/thawte_server_roots/ThawtePremiumServerCA.cer"
	subject_match="wireless.umd.edu"
	phase2="auth=PAP"
}
I downloaded the certs from Thawte.
At this point I get connected and the authentication seems to work, but I never
get a DHCP lease for some reason.
Any ideas?
~bernie
---- Original message ----
>Date: Thu, 7 Dec 2006 18:02:32 -0500
>From: Karl Reuss <[EMAIL PROTECTED]>
>Subject: Re: [UM-LINUX] umd-secure
>To: [email protected]
>
>Bernie Hackett wrote:
>> Anybody figure out how to get this working with wpa_supplicant? The OIT
>> page says you have to verify the server name but there doesn't appear to be an
>> option for that in wpa_supplicant.conf.
>>
>> I'm so close....
>
>
>The 'verify server name' stuff is part of WPA's mutual authentication.
>You actually don't need it to connect, but it's a darn good idea.
>TTLS does a certificate exchange, and you should get a cert signed
>by the Thawte Premium Server CA with a CN of 'wireless.umd.edu'.
>If you don't, you might be connected to a badguy AP who could steal
>your passwd.
>
>So how does this translate into wpa_supplicant? From my quick read
>of the man page it looks like this is the 'subject_match' parameter.
>Most supplicants I've seen just check the CN in the subject, but
>it looks like wpa_supplicant lets you check the whole thing, or
>just part of it. The subject of our cert, as returned by openssl, is:
>
> Subject: C=US, ST=Maryland, L=College Park, O=University of
> Maryland-College Park, OU=OIT, CN=wireless.umd.edu
>
>so I would guess you want something like:
>
> subject_match="CN=wireless.umd.edu$".
>
>Not sure about the $, but to be 100% safe you need to make sure someone
>doesn't give you a CN of wireless.umd.edu.badguy.com.
>
>Let me know if you get it to work!
>
>-Karl
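As an added illustration (not code from the thread or from wpa_supplicant), the following Python compares a subject_match-style substring check with an exact CN comparison, run on the subject Karl quoted and on a constructed look-alike of the kind he warns about. It assumes subject_match is a plain substring test on the printed subject, as the wpa_supplicant.conf documentation describes, so a trailing $ is treated as a literal character rather than a regex anchor.

```python
# Added example: substring matching vs. exact CN matching on a server
# certificate subject. Assumes subject_match semantics are a plain
# substring test (no regular expressions).

# Subject of the legitimate server certificate, as quoted in the thread.
LEGIT_SUBJECT = ("C=US, ST=Maryland, L=College Park, O=University of "
                 "Maryland-College Park, OU=OIT, CN=wireless.umd.edu")

# Constructed look-alike subject (not a real certificate).
LOOKALIKE_SUBJECT = ("C=US, ST=Maryland, L=College Park, O=Constructed Example, "
                     "OU=Wireless, CN=wireless.umd.edu.badguy.com")


def substring_match(subject: str, pattern: str) -> bool:
    """Plain substring test, the behaviour assumed for subject_match."""
    return pattern in subject


def parse_subject(subject: str) -> dict:
    """Split an OpenSSL-style 'K=V, K=V' subject line into attribute -> value.

    Sufficient for the subjects above; a real check should take the CN from
    the parsed certificate rather than from a printed string.
    """
    fields = {}
    for part in subject.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def cn_matches(subject: str, expected_cn: str) -> bool:
    """Accept only when the CN attribute equals expected_cn exactly."""
    return parse_subject(subject).get("CN") == expected_cn


def evaluate(subject: str, expected_cn: str = "wireless.umd.edu") -> dict:
    """Report how each candidate check judges the given subject."""
    return {
        "substring_cn_only": substring_match(subject, expected_cn),
        "substring_with_attr": substring_match(subject, "CN=" + expected_cn),
        "substring_with_dollar": substring_match(subject, "CN=" + expected_cn + "$"),
        "exact_cn": cn_matches(subject, expected_cn),
    }


if __name__ == "__main__":
    for name, subj in (("legit", LEGIT_SUBJECT), ("look-alike", LOOKALIKE_SUBJECT)):
        print(name, evaluate(subj))
```

Only the exact CN comparison rejects the look-alike; both substring forms accept it, and the form with a literal $ matches neither certificate.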