Ebbe / Iliwi

Connect your Neo
GNU General Public License v3.0

Be able to connect to WPA-enterprise networks #4

Open Ebbe opened 14 years ago

Ebbe commented 14 years ago

From mail correspondence:

On Mon, Apr 26, 2010 at 07:01:03PM +0100, Ben Thompson wrote:

On Mon, Apr 26, 2010 at 07:26:48PM +0200, Esben Damgaard wrote:

Ben Thompson wrote:

Hi

Does/will it support WPA-Enterprise?

Currently it does not, but it could be added. If you can show me the output of 'iwlist scan' (from the Neo) near a wpa-enterprise network and tell me what information is needed to log in, maybe I can make it.

Hi

There are a few different ways to do it because although you can get connected with just a username and password, there are also optional parameters for wpa_supplicant which force it not just to connect but also verify the identity of the network. I have my own ideas about how this should work, but probably the most basic way would be to also have an option to select a certificate from /etc/ssl/certs. Please let me know if you want my input and I will give you all the help I can.

    eth0      Scan completed :
              Cell 01 - Address: 00:1A:1E:E2:44:C0
                        ESSID:"eduroam"
                        Mode:Master
                        Frequency:2.422 GHz (Channel 3)
                        Quality=51/94  Signal level=-44 dBm  Noise level=-95 dBm
                        Encryption key:on
                        Extra:bcn_int=100
                        Extra:wpa_ie=dd160050f20101000050f20201000050f20201000050f201

Hi

Further to my previous email, could I make the following suggestions on how to implement WPA-Enterprise in a simple way :-

GUI Requirements :-

  1. User scans for networks and selects an SSID shown as WPA-Enterprise.
  2. Setup screen is shown with three mandatory fields:
     a) Username - text entry from keyboard
     b) Password - text entry from keyboard
     c) Server Certificate - drop down list which selects .pem or .der files from ~/.wifi_certs/ and /etc/ssl/certs/ and also includes an option labelled "Send my password to anyone (insecure!)"

WPA Supplicant config :-

If the user selects "Send my password to anyone (insecure!)", wpa_supplicant config is as follows :-

  network={
    ssid=<selected SSID>
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=PEAP
    identity=<entered username>
    password=<entered password>
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
  }

If the user selects a cert from /etc/ssl/certs, wpa_supplicant config is as follows :-

  network={
    ssid=<selected SSID>
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=PEAP TTLS
    ca_cert="<path to user selected cert>"
    identity=<entered username>
    password=<entered password>
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
  }

I think this would work for 99% of the networks out there. If anyone needs to use a self-signed cert they can put it in ~/wifi_certs. Other protocols such as TTLS or TLS could be added later as could things like CN check if they are deemed necessary.

Ben

bt4 commented 14 years ago

Just spotted a typo in last wpa_supplicant section where "eap=PEAP TTLS" should be "eap=PEAP".
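
An added example, not code from this thread or from Iliwi: one way a front end could turn the proposed setup fields into the network block, using eap=PEAP as corrected above. It assumes wpa_supplicant's documented unquoted hex-string form for ssid and password, so a scanned SSID or a typed password cannot break out of its config line; `build_network` and the helper names are hypothetical.

```python
import os

# Directories the proposal lets the user pick a server certificate from.
CERT_DIRS = ("/etc/ssl/certs",
             os.path.abspath(os.path.expanduser("~/.wifi_certs")))

def _hex(value):
    """Unquoted hex form, so no byte of the value is parsed as config syntax."""
    return value.encode("utf-8").hex()

def _quoted(value):
    """Quoted form; refuse characters that could end the string or the line."""
    if '"' in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("unsafe character in %r" % value)
    return '"%s"' % value

def _checked_cert(path):
    """Accept only .pem/.der files that sit inside one of CERT_DIRS."""
    full = os.path.normpath(os.path.abspath(path))
    inside = any(os.path.commonpath([full, d]) == d for d in CERT_DIRS)
    if not inside or not full.endswith((".pem", ".der")):
        raise ValueError("certificate not allowed: %r" % path)
    return full

def build_network(ssid, username, password, ca_cert=None,
                  allow_unverified=False):
    """Return a network block; ca_cert is left out only on explicit opt-in
    (the "Send my password to anyone (insecure!)" choice in the proposal)."""
    if ca_cert is None and not allow_unverified:
        raise ValueError("no server certificate selected")
    lines = [
        "ssid=" + _hex(ssid),          # the SSID comes from an untrusted scan
        "scan_ssid=1",
        "key_mgmt=WPA-EAP",
        "pairwise=CCMP TKIP",
        "group=CCMP TKIP",
        "eap=PEAP",
    ]
    if ca_cert is not None:
        lines.append("ca_cert=" + _quoted(_checked_cert(ca_cert)))
    lines += [
        "identity=" + _quoted(username),
        "password=" + _hex(password),
        'phase1="peaplabel=0"',
        'phase2="auth=MSCHAPV2"',
    ]
    return "network={\n" + "".join("    %s\n" % l for l in lines) + "}\n"
```
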