WPA enterprise and default parameters on Linux

Dan Williams dcbw at redhat.com
Wed Nov 18 13:00:34 EST 2009


On Wed, 2009-11-18 at 18:22 +0100, Alessandro Sivieri wrote:
> Hi all,
> 
> 
> I have found this mailing list on the WPA Supplicant application Web
> page, and I'm writing here to solve a doubt: I use for work a wireless
> connection, which is configured to use WPA Enterprise (with WPA-EAP);
> to use it, I have downloaded the certificate from my provider's Web
> page, associated to my ID, and everything is working fine.
> I have a doubt about the authentication phase: when I connect to the
> network, the provider checks if my key (that is associated to the
> certificate that I have downloaded, I suppose) corresponds to the
> identity ID that I provide, but does the client (so my computer in
> this case) check if the authenticator certificate is correct? I mean,
> is it possible for someone to provide a fake access point, configured
> to accept any user that tries to connect to it?

Can you post your wpa_supplicant configuration?  Are you using TLS or
TTLS?

If you configure wpa_supplicant correctly, the provider's certificate is
also checked.  That's the "ca_cert" option.  If the certificate that the
provider sends is not signed by your trusted Certificate Authority then
the connection is denied by wpa_supplicant.  If you do not specify the
ca_cert option in the configuration, then your connection is insecure
and could be hijacked.

There's also the "subject_match" and "altsubject_match" configuration
options, which can further increase security by ensuring that the
provider's certificate matches a few basic criteria that you specify.

Dan

> 
> I have asked some people, but everyone seems to have a different
> opinion on this: some say that the client must be configured to check
> if the access point is a "real" one, thus checking the public provider
> certificate, while others say that it is an authenticator option,
> independent of what the client does; I thought that you may know
> better than others the protocol implementations.
> Thank you for your help.
> 
> 
> Cheers,
> Alessandro
> 
> -- 
> Sivieri Alessandro
> alessandro.sivieri at gmail.com
> http://www.chimera-bellerofonte.eu/
> http://www.poul.org/
> 
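As an added illustration of the point in Dan's reply (not code from the thread or from wpa_supplicant itself): a small checker that parses network blocks from a wpa_supplicant.conf and flags WPA-EAP networks that omit ca_cert, or that pin a CA but no subject_match/altsubject_match. The sample configuration, SSIDs, identity and certificate path are constructed; the first block is the insecure case, the second the hardened one.

```python
import re

# Constructed sample wpa_supplicant.conf: the first network block omits ca_cert
# (the insecure case in the reply), the second pins the CA and the server's subject.
SAMPLE_CONF = """
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
}

network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    subject_match="/CN=radius.example.com"
    altsubject_match="DNS:radius.example.com"
}
"""

# One network={ ... } block per match; wpa_supplicant network blocks do not nest.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(conf):
    """Return a list of dicts, one per network block (option name -> unquoted value)."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(conf):
    """Map ssid -> list of findings for WPA-EAP networks; an empty list means no findings."""
    report = {}
    for net in parse_networks(conf):
        if "WPA-EAP" not in net.get("key_mgmt", "").split():
            continue  # not an EAP network, so server certificate checks do not apply
        findings = []
        if not net.get("ca_cert"):
            findings.append("no ca_cert: the authenticator's certificate is never validated")
        if not (net.get("subject_match") or net.get("altsubject_match")):
            findings.append("no subject_match/altsubject_match: any certificate from the CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report
```

Running audit(SAMPLE_CONF) reports two findings for "corp-weak" and none for "corp-hardened".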
