[tech] Secure wireless

David Adam zanchey at ucc.gu.uwa.edu.au
Mon Apr 12 18:44:19 WST 2010


On Sun, 11 Apr 2010, David Adam wrote:
> WPA2-Enterprise uses PEAPv0/MS-CHAPv2, which is a complex way of saying 
> 'there's an SSL-based tunnel wrapping the password exchange'. That tunnel 
> is currently set up to use the secure.ucc.asn.au certificates, although 
> switching back to the UCC CA self-signed certificates is straightforward. 
> 
> I'm curious how much effect the actual certificate has on the user 
> experience. The iPhone asks you to confirm the certificate regardless of 
> whether it is signed by a trusted CA or not, but I didn't have a chance to 
> test any other devices. If people with Mac OS and Windows laptops could 
> try it out and let me know how they go I would appreciate it - in 
> particular, whether there is a prompt to accept the certificate and if it 
> provides any useful information in working out whether to trust the 
> connection.

[MRD] suggested that the certificate confirmation prompt might be from the 
hostname of the RADIUS server (currently mussel) not matching the name on 
the cert (secure.ucc). I'm not sure about this; my understanding of the 
WPA2 protocol doesn't extend to how the client knows what authentication 
server is being used. Next time I'm in the clubroom, hopefully with a more 
useful device than the iPhone, I might try changing that around.

In any case, apparently[1] a stock SSL certificate will not work on 
Windows XP without a specific extension. If someone with a Windows 
wireless client could test it out and let me know I would appreciate it, 
although I'll try and bring my laptop in.

David Adam

[1]: http://www.smallnetbuilder.com/wireless/wireless-howto/30213-how-to-setting-up-freeradius-for-wpa-a-wpa2-enterprise-part-2?start=1
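
Added example, not part of the original message: a wpa_supplicant network block for the PEAPv0/MS-CHAPv2 setup described above, showing the client-side settings that decide whether the server certificate is checked at all. During EAP the supplicant only sees the certificate presented inside the tunnel, not the RADIUS server's hostname, so the name check compares the certificate against a name configured on the client. The SSID, identity, password and CA file path are placeholders; secure.ucc.asn.au is the certificate name mentioned in the message.

```conf
# Weak variant (shown commented out): with no ca_cert/ca_path,
# wpa_supplicant does not verify the server certificate, so any access
# point advertising the same SSID can terminate the PEAP tunnel and
# receive the MS-CHAPv2 exchange.
#
# network={
#     ssid="EXAMPLE-SSID"
#     key_mgmt=WPA-EAP
#     eap=PEAP
#     phase2="auth=MSCHAPV2"
#     identity="username"
#     password="CHANGE_ME"
# }

# Pinned variant: the chain must lead to the named CA *and* the
# certificate must carry the expected server name.
network={
    ssid="EXAMPLE-SSID"                  # placeholder SSID
    key_mgmt=WPA-EAP                     # WPA2-Enterprise (802.1X)
    eap=PEAP
    phase1="peapver=0"                   # PEAPv0, as in the message
    phase2="auth=MSCHAPV2"               # inner method inside the TLS tunnel
    identity="username"                  # placeholder
    password="CHANGE_ME"                 # placeholder

    # Trust anchor: the CA that issued the RADIUS server's certificate
    # (a public CA or the site's own CA). Placeholder path.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"

    # Expected name in the certificate's dNSName (or CN if no SAN).
    # This is matched against the certificate, not the server's hostname.
    domain_match="secure.ucc.asn.au"
}
```

With a public CA as the trust anchor, the name match is what stops a certificate issued to some other site by the same CA from being accepted.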

