Yeah, Gareth's immediate response was "hand them an Ubuntu disk".<div><br></div><div>He did suggest using a W2 supplicant called "Secure W2", but there's actually not a free version of that. The only other solution, if you're running AD, is to use a weak version of 1x, which isn't such a good idea.</div>
<div><br></div><div>Apparently it's caused a number of headaches for Eduroam, and other places have just bought site licences for Secure W2 :(</div><div><br></div><div>- MRD</div><div><br><div class="gmail_quote">On Tue, Apr 13, 2010 at 1:46 PM, Matt Didcoe <span dir="ltr"><<a href="mailto:mattman@ucc.gu.uwa.edu.au">mattman@ucc.gu.uwa.edu.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Frames and TPG had a play on a Windows XP laptop earlier (version unknown) and it seems to suggest that it cannot find a certificate.<div>
<br></div><div>Think we'll need to get a new CSR generated for <a href="http://mussel.ucc.gu.uwa.edu.au" target="_blank">mussel.ucc.gu.uwa.edu.au</a> with the XP Extensions (outlined here -> <a href="http://www.linuxjournal.com/article/8095?page=0,1" target="_blank">http://www.linuxjournal.com/article/8095?page=0,1</a>)</div>
<div><span style="font-family:Arial, sans-serif;font-size:13px"><br></span></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div><span style="font-family:Arial, sans-serif;font-size:13px">[ xpclient_ext ]</span></div><div><span style="font-family:Arial, sans-serif;font-size:13px">extendedKeyUsage = 1.3.6.1.5.5.7.3.2</span></div>
<div><span style="font-family:Arial, sans-serif;font-size:13px"><p>[ xpserver_ext ]<br>extendedKeyUsage = 1.3.6.1.5.5.7.3.1</p></span></div></blockquote><div>Going to drop a line to Gareth at ITS and see if they know much about this given the work that's been going on with Eduroam (though I think AARNet may have handled more of the setup there).</div>
<div><br></div><div>Matt</div><div><br></div><div>--<br clear="all">Matt Didcoe [MRD]</div><div>President / Wheel member</div><div>University Computer Club</div><div><a href="mailto:mattdidcoe@ucc.gu.uwa.edu.au" target="_blank">mattdidcoe@ucc.gu.uwa.edu.au</a><div>
<div></div><div class="h5"><br>
<br><br><div class="gmail_quote">On Mon, Apr 12, 2010 at 11:43 PM, Patrick Coleman <span dir="ltr"><<a href="mailto:blinken@gmail.com" target="_blank">blinken@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Mon, Apr 12, 2010 at 6:44 PM, David Adam <<a href="mailto:zanchey@ucc.gu.uwa.edu.au" target="_blank">zanchey@ucc.gu.uwa.edu.au</a>> wrote:<br>
><br>
> [MRD] suggested that the certificate confirmation prompt might be from the<br>
> hostname of the RADIUS server (currently mussel) not matching the name on<br>
> the cert (secure.ucc). I'm not sure about this; my understanding of the<br>
> WPA2 protocol doesn't extend to how the client knows what authentication<br>
> server is being used. Next time I'm in the clubroom, hopefully with a more<br>
> useful device than the iPhone, I might try changing that around.<br>
<br>
</div>From my (limited) knowledge, the TLS tunnel is established back to the<br>
RADIUS server, so it's likely. FreeRADIUS is pretty verbose in debug<br>
mode, perhaps it'll tell you? (PEAP/MS-CHAPv2 is MS-CHAPv2 inside EAP<br>
inside TLS inside EAP inside RADIUS, proving that when one standard<br>
isn't secure enough you should add another four layers).<br>
<div><br>
> In any case, apparently[1] a stock SSL certificate will not work on<br>
> Windows XP without a specific extension. If someone with a Windows<br>
> wireless client could test it out and let me know I would appreciate it,<br>
> although I'll try and bring my laptop in.<br>
<br>
</div>Whoever does this, make sure you're running SP3 or I promise you will<br>
actually go insane.<br>
<br>
-Patrick<br>
<font color="#888888"><br>
--<br>
<a href="http://www.labyrinthdata.net.au" target="_blank">http://www.labyrinthdata.net.au</a> - WA Backup, Web and VPS Hosting<br>
</font></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
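<div>Added example, not written by anyone in the thread: it builds throwaway self-signed certificates from the two extension sections quoted above and checks which of them carry the server-authentication EKU (1.3.6.1.5.5.7.3.1) that the thread says Windows XP wants on the RADIUS server certificate. The subject name radius.example.org, the file names and the helpers make_cert and has_eku are assumptions made for illustration.</div>

```shell
#!/bin/sh
# Added example: constructed test certificates, not the club's real ones.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Minimal OpenSSL config carrying the two sections quoted in the thread.
# radius.example.org is a placeholder subject name.
cat > "$workdir/xpext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = radius.example.org
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# make_cert NAME [SECTION]: self-signed throwaway cert; when SECTION is
# given, that extension section is applied to the certificate.
make_cert() {
  name=$1; section=${2:-}
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$workdir/xpext.cnf" ${section:+-extensions "$section"} \
    -keyout "$workdir/$name.key" -out "$workdir/$name.pem" 2>/dev/null
}

# has_eku CERT PURPOSE: succeeds if the certificate's text dump lists
# PURPOSE, using the name OpenSSL prints for that key-usage OID.
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

make_cert plain                 # "stock" certificate, no EKU extension
make_cert server xpserver_ext   # serverAuth, 1.3.6.1.5.5.7.3.1
make_cert client xpclient_ext   # clientAuth, 1.3.6.1.5.5.7.3.2

for c in plain server client; do
  if has_eku "$workdir/$c.pem" "TLS Web Server Authentication"; then
    echo "$c.pem: serverAuth EKU present"
  else
    echo "$c.pem: serverAuth EKU missing"
  fi
done
```

<div>The same has_eku check can be pointed at the PEM file the RADIUS server is actually configured to present, before any XP client is brought in to test.</div>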