Old 02-25-2007, 07:01 AM   #1
kramed
Member
 
Registered: Feb 2007
Location: Peterborough, Ontario, Canada
Distribution: Fedora 8
Posts: 36

Rep: Reputation: 15
WPA2, EAP-MSCHAP v2, credentials, and Trusted Root Certification Authority


Hi there,

My wireless is working at home, but I am trying to get my IPW2200 working with wpa_supplicant at my University. They use WPA2 with EAP-MSCHAP v2 authentication, but the part that has me stumped is validating the server certificate "Equifax Secure Global e-Business CA-1" at server cantillion.trentu.ca. I have consulted every example that I could find, but I am uncertain that my configuration will work for tomorrow. The commented lines below are the ones I am unsure whether I need. I also have no idea how to authenticate at the above-mentioned server. If I recall correctly, when setting up my Thinkpad T43 in Windows the server certificate did not matter. That leads me to another question: my /etc/cert folder does not exist; are these certificates generated or downloaded? Thanks for any tips or advice in advance.

Code:
network={
	ssid="Airtrent"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user"
	password="pass"
	phase1="peaplabel=0"
	phase2="auth=MSCHAPV2"
#	ca_cert="/etc/cert/ca.pem"
#	client_cert="/etc/cert/user.pem"
#	private_key="/etc/cert/user.prv"
#	private_key_passwd="password"
}
 
Old 02-26-2007, 04:26 PM   #2
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

Rep: Reputation: 141Reputation: 141
Have you read the configuration page at: http://hostap.epitest.fi/wpa_supplicant/

They have an MSCHAPV2 example wpa_supplicant.conf file:
Code:
ctrl_interface=/var/run/wpa_supplicant

network={
	ssid="example 802.1x network"
	key_mgmt=IEEE8021X
	eap=PEAP
	phase2="auth=MSCHAPV2"
	identity="user name"
	password="password"
	ca_cert="/etc/cert/ca.pem"
}
"That leads me to another question: my /etc/cert folder does not exist; are these certificates generated or downloaded?"

"Well, there's your problem Harry!"

There really should be enough information linked out of this page to get you going. After all, it is the trentu configuration page: http://www.trentu.ca/admin/it/airtrent/

They have both a video tutorial and PDF help.
 
Old 03-07-2007, 08:16 AM   #3
kaafree
LQ Newbie
 
Registered: Dec 2005
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by Quakeboy02
"Well, there's your problem Harry!"

There really should be enough information linked out of this page to get you going. After all, it is the trentu configuration page: http://www.trentu.ca/admin/it/airtrent/

They have both a video tutorial and PDF help.
That is the MAIN problem, man! The link you gave has ABSOLUTELY no information on Linux configuration, only for Mac and Windows.

I have a similar problem in the office. And because of that I am also very much interested in advice on certificates (from an external authority).
 
Old 03-07-2007, 08:27 AM   #4
inspiron_Droid
Member
 
Registered: Dec 2006
Distribution: Debian (Wheeze)
Posts: 391

Rep: Reputation: Disabled
Your best bet is to consult the university's technology department, as they might have restrictions in place that prohibit non-Windows clients from accessing their wireless and/or wired networks.
 
Old 03-14-2007, 12:59 PM   #5
BTreeHugger
LQ Newbie
 
Registered: Mar 2007
Posts: 1

Rep: Reputation: 0
AirTrent

In Trent's case, the certificate is an Equifax one. You can usually download certs off the cert authorities' site, but in this case Gentoo already has it if you install the openssl package (which you'll probably need to be able to authenticate with wpa_supplicant anyway). Just pop the following into wpa_supplicant's config file:

Code:
eapol_version=1
network={
        ssid="AirTrent"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="your Trent login name"
        password="your normal password"
        ca_cert="/etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
}
According to the Trent documentation, you will have to change your password, probably at a library terminal or another lab. Don't ask me why. Also, this will require at least a good 10-20 seconds to authenticate, so if you are limiting the time that wpa_supplicant gets to authenticate, it will likely fail. Just let wpa_supplicant background (Gentoo default, not sure about other distros).
 
Old 04-03-2007, 09:39 PM   #6
rwhiteside81
LQ Newbie
 
Registered: Apr 2007
Posts: 2

Rep: Reputation: 0
You know we use WPA2 not WPA for AirTrent

that may help you
 
Old 04-04-2007, 08:04 PM   #7
kramed
Member
 
Registered: Feb 2007
Location: Peterborough, Ontario, Canada
Distribution: Fedora 8
Posts: 36

Original Poster
Rep: Reputation: 15
So I should have reported my results. This thread won't die; it seems I get an email every 2 days from it...

So I got my wireless working the Monday after I made this post. I am planning on doing a small how to and sending it to IT. Here is my /etc/wpa_supplicant.conf with of course my other access points and passwords removed.

Code:
ctrl_interface=/var/run/wpa_supplicant
update_config=0

network={
	ssid="AirTrent"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="TRENT_USER_NAME"
	password="PASSWORD"
	phase1="peaplabel=0"
	phase2="auth=MSCHAPV2"
}
wpa_supplicant is smart enough to provide the correct certificate and it can easily distinguish between wpa and wpa2. No problems.

Also, for others it may or may not be of some interest: I put together a small script that I run only when I need to connect with wireless on my laptop. I like fast boot-up times, so I don't have networking enabled on boot on my notebook; I enable either wireless or Ethernet manually depending on where I am. Edit and use to your own liking; I think I just took the default Slackware rc.wireless and made it fit for me.

My wireless device is eth1 in this case and my wpa_supplicant driver is wext. ./rc.wifi start brings wifi up, rc.wifi stop takes it down...

Code:
#!/bin/sh
#
# /etc/rc.d/rc.wifi
#
# Start/stop/restart wpa_supplicant.
#
#

wireless_start() {
  # Only start if the tools and the config file are present.
  if [ -x /sbin/ifconfig -a -x /usr/sbin/wpa_supplicant -a -r /etc/wpa_supplicant.conf ]; then
    echo "Starting Wireless.."
    /sbin/iwconfig eth1 txpower on
    /sbin/ifconfig eth1 up
    # -B runs wpa_supplicant in the background.
    /usr/sbin/wpa_supplicant -Dwext -ieth1 -c/etc/wpa_supplicant.conf -B
    sleep 2
    /sbin/dhcpcd eth1
  fi
}

wireless_stop() {
  echo "Shutting down Wireless.."
  /sbin/iwconfig eth1 txpower off
  /usr/sbin/wpa_cli terminate
  /sbin/ifconfig eth1 down
  /bin/killall dhcpcd
}

wireless_restart() {
  wireless_stop
  sleep 2
  wireless_start
}

case "$1" in
'start')
  wireless_start
  ;;
'stop')
  wireless_stop
  ;;
'restart')
  wireless_restart
  ;;
*)
  wireless_start
esac
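Added example (not part of kramed's post or any other post in this thread): wpa_supplicant does not verify the server certificate for a PEAP network block that has neither `ca_cert` nor `ca_path`, so the configurations in this thread differ in whether the authentication server is validated before the MSCHAPv2 exchange. The Python check below flags such blocks, and blocks that set a CA but no server name check; the function names `parse_networks` and `audit` are hypothetical and the sample input is constructed from the configurations posted above.

```python
TLS_BASED = {"PEAP", "TTLS", "TLS"}   # EAP methods in which the server presents a certificate
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_match", "domain_suffix_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # a commented-out ca_cert counts as absent
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text):
    """Return (ssid, finding) pairs for blocks with weak server validation."""
    findings = []
    for net in parse_networks(text):
        if not set(net.get("eap", "").upper().split()) & TLS_BASED:
            continue                   # PSK or non-TLS block: nothing to check here
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((ssid, "no ca_cert/ca_path: server certificate is not verified"))
        elif not any(k in net for k in NAME_CHECKS):
            findings.append((ssid, "CA set, but no server name check"))
    return findings

# Constructed sample, modelled on the configurations posted in this thread.
SAMPLE = """
network={
	ssid="AirTrent"
	eap=PEAP
#	ca_cert="/etc/cert/ca.pem"
}
network={
	ssid="AirTrent-with-CA"
	eap=PEAP
	ca_cert="/etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem"
}
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

With a public CA such as the one named in this thread, the second finding matters because any server holding a certificate from that CA passes the chain check unless one of the name-matching options is also set.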
 
Old 04-04-2007, 11:22 PM   #8
rwhiteside81
LQ Newbie
 
Registered: Apr 2007
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by BTreeHugger
According to the Trent documentation, you will have to change your password, probably at a library terminal or another lab. Don't ask me why. Also, this will require at least a good 10-20 seconds to authenticate, so if you are limiting the time that wpa_supplicant gets to authenticate, it will likely fail. Just let wpa_supplicant background (Gentoo default, not sure about other distros).
You need to change your password so the server that processes AirTrent login requests has your user name and password synced with it. If you have already changed your password to use WebStatisca you should be fine and not have to change your password, as it uses the same database as AirTrent for logins.
 
  

