[tech] Secure wireless
Patrick Coleman
blinken at gmail.com
Fri Jul 16 12:24:48 WST 2010
On Tue, Apr 13, 2010 at 10:10 PM, David Adam <zanchey at ucc.gu.uwa.edu.au> wrote:
> On Mon, 12 Apr 2010, Patrick Coleman wrote:
>>
>> From my (limited) knowledge, the TLS tunnel is established back to the
>> RADIUS server, so it's likely. Freeradius is pretty verbose in debug
>> mode, perhaps it'll tell you? (PEAP/MS-CHAPv2 is MS-CHAPv2 inside EAP
>> inside TLS inside EAP inside RADIUS, proving that when one standard
>> isn't secure enough you should add another four layers).
>
> I think you mean PEAPv0/MS-CHAPv2 :-P
>
> http://support.microsoft.com/kb/814394 suggests that "the Subject line of
> the server certificate [must] match the name that is configured on the
> client for the connection", which I assume means the SSID, and "the
> Subject Alternative Name (SubjectAltName) extension [must] contain the
> server's FQDN". I still haven't worked out how the client could possibly
> verify the FQDN as the EAP-over-LAN (EAPOL) connection isn't IP-based.
>
> Anyway, I will poke it a bit when I have some time.
Sorry, just saw this. Our CA here has the following:
    Issuer: C=AU, ST=Western Australia, L=Claremont, O=Christ Church Grammar School/emailAddress=linuxadmin at ccgs.wa.edu.au, CN=CCGS Certificate Authority
    Validity
        Not Before: Sep 15 07:57:21 2009 GMT
        Not After : Sep 13 07:57:21 2019 GMT
    Subject: C=AU, ST=Western Australia, L=Claremont, O=Christ Church Grammar School/emailAddress=linuxadmin at ccgs.wa.edu.au, CN=CCGS Certificate Authority
and our server certificate has the following:
    Issuer: C=AU, ST=Western Australia, L=Claremont, O=Christ Church Grammar School/emailAddress=linuxadmin at ccgs.wa.edu.au, CN=CCGS Certificate Authority
    Validity
        Not Before: Sep 15 07:57:55 2009 GMT
        Not After : Sep 13 07:57:55 2019 GMT
    Subject: C=AU, ST=Western Australia, O=Christ Church Grammar School, CN=CCGS RADIUS Server Certificate/emailAddress=linuxadmin at ccgs.wa.edu.au
This "just works" with freeradius bound to our domain; here's our XP
config procedure:

Click Properties on the Authentication tab, and complete the dialog:
  - Tick 'Validate server certificate'
  - Detick 'Connect to these servers:'
  - Under 'Trusted Root Certification Authorities', scroll down to 'CCGS Certificate Authority' and tick the box next to it.
  - Tick 'Do not prompt user to authorize new servers or trusted certification authorities'
  - Under 'Select Authentication Method:' select 'Secured password (EAP-MSCHAP v2)'.
  - Click Configure... and tick 'Automatically use my Windows logon name and password (and domain if any)'
  - Tick 'Enable Fast Reconnect'
  - Detick 'Enable Quarantine checks'
  - Detick 'Disconnect if server does not present cryptobinding TLV', because I have NFI what this means.
In any case, sounds like you got it working. Congrats :)
>> Whoever does this, make sure you're running SP3 or I promise you will
>> actually go insane.
>
> Useful advice, but any more details?
SP3 made a lot of changes to 802.1x, and despite spending quite a lot
of time on it I was unable to make anything older than this work.
Cheers,
Patrick
--
http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting
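Added example (not part of the thread above, and not FreeRADIUS or Windows code): a small model of the two checks a PEAP supplicant performs on the RADIUS server certificate discussed in this message, namely that the certificate's Issuer equals the Subject of the trusted CA, and that its Subject CN (or a SAN DNS name) appears in the client's "Connect to these servers" list. The DN strings are copied from the openssl output quoted above; the function names, the `allowed_names` parameter and the simplified name-matching rule are this example's own assumptions. It uses the same DN format openssl prints (comma-separated RDNs, with `/emailAddress=` glued onto the preceding value), which is why the parser splits on both separators.

```python
"""Model of the server-certificate checks a PEAP supplicant makes.

Example code added for illustration; it assumes openssl's one-line DN
format and a simplified version of Windows' 'Connect to these servers'
name matching (CN or SAN DNS name must be in the configured list).
"""
import re

# DN strings as printed by `openssl x509 -text` in the thread (copied verbatim,
# including the archive's "name at domain" rendering of the e-mail address).
CA_SUBJECT = ("C=AU, ST=Western Australia, L=Claremont, O=Christ Church Grammar School"
              "/emailAddress=linuxadmin at ccgs.wa.edu.au, CN=CCGS Certificate Authority")
SERVER_ISSUER = CA_SUBJECT
SERVER_SUBJECT = ("C=AU, ST=Western Australia, O=Christ Church Grammar School, "
                  "CN=CCGS RADIUS Server Certificate/emailAddress=linuxadmin at ccgs.wa.edu.au")

# openssl separates RDNs with ", " but joins some attributes (emailAddress)
# onto the previous value with "/"; split on "/" only when an attr= follows.
_DN_SPLIT = re.compile(r", |/(?=[A-Za-z]+=)")


def parse_dn(dn):
    """Parse an openssl one-line DN into an ordered list of (attr, value)."""
    pairs = []
    for part in _DN_SPLIT.split(dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def dn_values(pairs, attr):
    """All values of one attribute type in a parsed DN (a DN may repeat an attr)."""
    return [v for a, v in pairs if a == attr]


def issued_by(server_issuer, ca_subject):
    """Chain check: the server cert's Issuer must equal the CA's Subject,
    attribute for attribute and in the same order (the supplicant would also
    verify the signature; that part is outside this model)."""
    return parse_dn(server_issuer) == parse_dn(ca_subject)


def server_name_ok(server_subject, allowed_names, san_dns=()):
    """'Connect to these servers' check. An empty allowed list reproduces the
    deticked configuration in the thread: any name is accepted as long as the
    certificate chains to the ticked CA."""
    if not allowed_names:
        return True
    names = set(dn_values(parse_dn(server_subject), "CN")) | set(san_dns)
    return any(n in names for n in allowed_names)


def supplicant_accepts(server_subject, server_issuer, ca_subject,
                       allowed_names=(), san_dns=()):
    """True if both checks pass; this is what 'Validate server certificate'
    plus the server-name list amount to."""
    return (issued_by(server_issuer, ca_subject)
            and server_name_ok(server_subject, allowed_names, san_dns))


if __name__ == "__main__":
    print("CN of server cert:", dn_values(parse_dn(SERVER_SUBJECT), "CN"))
    print("deticked list, CCGS CA:", supplicant_accepts(SERVER_SUBJECT, SERVER_ISSUER, CA_SUBJECT))
    print("named server only:", supplicant_accepts(SERVER_SUBJECT, SERVER_ISSUER, CA_SUBJECT,
                                                   ["CCGS RADIUS Server Certificate"]))
    print("wrong name:", supplicant_accepts(SERVER_SUBJECT, SERVER_ISSUER, CA_SUBJECT,
                                            ["radius.example.invalid"]))
```

The practical point the model makes visible: with 'Connect to these servers' deticked, the only thing standing between the client and a rogue access point is the CA trust tick, so every certificate that CA has ever issued (not just the RADIUS server's) will satisfy the supplicant. Filling in the server name narrows acceptance to the certificate whose CN actually reads "CCGS RADIUS Server Certificate", which is the configuration the Microsoft KB quoted earlier in the thread is describing.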