WPA enterprise and default parameters on Linux

Dan Williams dcbw at redhat.com
Wed Nov 18 13:52:01 EST 2009


On Wed, 2009-11-18 at 19:35 +0100, Alessandro Sivieri wrote:
> 2009/11/18 Dan Williams <dcbw at redhat.com>
>         Can you post your wpa_supplicant configuration?  Are you using
>         TLS or TTLS?
>         
>         If you configure wpa_supplicant correctly, the provider's
>         certificate is also checked.  That's the "ca_cert" option.  If the
>         certificate that the provider sends is not signed by your trusted
>         Certificate Authority then the connection is denied by
>         wpa_supplicant.  If you do not specify the ca_cert option in the
>         configuration, then your connection is insecure and could be
>         hijacked.
>         
>         There's also the "subject_match" and "altsubject_match"
>         configuration options, which can further increase security by
>         ensuring that the provider's certificate matches a few basic
>         criteria that you specify.
>         
> 
> 
> Yes, here it is:
> 
> 
> --->0-----------------------------------
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> ap_scan=1
> network={
> ssid="internet"
> proto=WPA
> key_mgmt=WPA-EAP
> auth_alg=OPEN
> pairwise=TKIP
> eap=TLS
> anonymous_identity="SOMEUNIQUEID"
> ca_cert="/etc/certificati/somefile.cer"
> private_key="/etc/certificati/somefile.p12"
> private_key_passwd="CERTPASSWD"
> phase2="auth=MSCHAPV2"
> } 

Ok, so you *are* checking the provider's certificate using the CA
certificate "somefile.cer".  If you want to tighten the check you can
use subject_match to ensure that the provider's certificate matches some
known attributes.

But providing a CA certificate is the most important thing, which you
are doing.

(side note: phase2 and anonymous_identity are useless because TLS
doesn't use phase2 at all and those two parameters are phase2
parameters)

Dan
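
The checks Dan describes (a ca_cert is mandatory for WPA-EAP, subject_match/altsubject_match tighten it, and phase2/anonymous_identity do nothing for eap=TLS) can be audited against a wpa_supplicant.conf mechanically. This is an added example, not code from the thread or from wpa_supplicant; the embedded configuration is constructed from the block posted above plus a second, deliberately weak TTLS network with no ca_cert.

```python
"""Audit wpa_supplicant.conf network blocks for server-certificate checks."""
import re

# Constructed sample: the poster's EAP-TLS block plus a TTLS block lacking ca_cert.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
ssid="internet"
key_mgmt=WPA-EAP
eap=TLS
anonymous_identity="SOMEUNIQUEID"
ca_cert="/etc/certificati/somefile.cer"
private_key="/etc/certificati/somefile.p12"
phase2="auth=MSCHAPV2"
}
network={
ssid="guest-eap"
key_mgmt=WPA-EAP
eap=TTLS
identity="user"
phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf):
    """Return one dict per network={...} block, with quoted values unquoted."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, val = line.partition("=")  # split on the first '=' only
            net[key.strip()] = val.strip().strip('"')
        networks.append(net)
    return networks

def audit(net):
    """Findings for a WPA-EAP network; an empty list means nothing to flag."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK/open networks have no server certificate to check
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not verified, connection can be hijacked")
    elif not any(k in net for k in ("subject_match", "altsubject_match")):
        findings.append("ca_cert set but no subject_match/altsubject_match: any certificate from that CA is accepted")
    if net.get("eap") == "TLS":
        for k in ("phase2", "anonymous_identity"):
            if k in net:  # phase2-only parameters, unused for eap=TLS as the reply above notes
                findings.append(f"{k} is ignored with eap=TLS")
    return findings

def audit_conf(conf):
    """Map each ssid to its list of findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(conf)}
```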
