WPA enterprise and default parameters on Linux

Alessandro Sivieri alessandro.sivieri at gmail.com
Wed Nov 18 13:35:32 EST 2009


2009/11/18 Dan Williams <dcbw at redhat.com>

> Can you post your wpa_supplicant configuration?  Are you using TLS or
> TTLS?
>
> If you configure wpa_supplicant correctly, the provider's certificate is
> also checked.  That's the "ca_cert" option.  If the certificate that the
> provider sends is not signed by your trusted Certificate Authority then
> the connection is denied by wpa_supplicant.  If you do not specify the
> ca_cert option in the configuration, then your connection is insecure
> and could be hijacked.
>
> There's also the "subject_match" and "altsubject_match" configuration
> options, which can further increase security by ensuring that the
> provider's certificate matches a few basic criteria that you specify.
>
>
Yes, here it is:

--->0-----------------------------------
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="internet"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
anonymous_identity="SOMEUNIQUEID"
ca_cert="/etc/certificati/somefile.cer"
private_key="/etc/certificati/somefile.p12"
private_key_passwd="CERTPASSWD"
phase2="auth=MSCHAPV2"
}

-- 
Sivieri Alessandro
alessandro.sivieri at gmail.com
http://www.chimera-bellerofonte.eu/
http://www.poul.org/