[tech] Secure wireless

Matt Didcoe mattman at ucc.gu.uwa.edu.au
Tue Apr 13 13:46:46 WST 2010


Frames and TPG had a play on a Windows XP laptop earlier (version unknown)
and it seems to suggest that it cannot find a certificate.

Think we'll need to get a new CSR generated for
mussel.ucc.gu.uwa.edu.au with the XP Extensions (outlined here ->
http://www.linuxjournal.com/article/8095?page=0,1)

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Going to drop a line to Gareth at ITS and see if they know much about this
given the work that's been going on with Eduroam (though I think AARNet may
have handled more of the setup there).

Matt

--
Matt Didcoe [MRD]
President / Wheel member
University Computer Club
mattdidcoe at ucc.gu.uwa.edu.au


On Mon, Apr 12, 2010 at 11:43 PM, Patrick Coleman <blinken at gmail.com> wrote:

> On Mon, Apr 12, 2010 at 6:44 PM, David Adam <zanchey at ucc.gu.uwa.edu.au> wrote:
> >
> > [MRD] suggested that the certificate confirmation prompt might be from
> > the hostname of the RADIUS server (currently mussel) not matching the
> > name on the cert (secure.ucc). I'm not sure about this; my understanding
> > of the WPA2 protocol doesn't extend to how the client knows what
> > authentication server is being used. Next time I'm in the clubroom,
> > hopefully with a more useful device than the iPhone, I might try
> > changing that around.
>
> From my (limited) knowledge, the TLS tunnel is established back to the
> RADIUS server, so it's likely. Freeradius is pretty verbose in debug
> mode, perhaps it'll tell you? (PEAP/MS-CHAPv2 is MS-CHAPv2 inside EAP
> inside TLS inside EAP inside RADIUS, proving that when one standard
> isn't secure enough you should add another four layers).
>
> > In any case, apparently[1] a stock SSL certificate will not work on
> > Windows XP without a specific extension. If someone with a Windows
> > wireless client could test it out and let me know I would appreciate it,
> > although I'll try and bring my laptop in.
>
> Whoever does this, make sure you're running SP3 or I promise you will
> actually go insane.
>
> -Patrick
>
> --
> http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting
>
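
The following is an added example, not part of the original messages: one way to request the server-authentication EKU from the `[ xpserver_ext ]` section above in a CSR for mussel.ucc.gu.uwa.edu.au and confirm it is present before sending it off. The file names, function names, 2048-bit RSA key and CN-only subject are assumptions.

```shell
#!/bin/sh
# Added example (constructed): request the serverAuth EKU in a CSR, then verify it.
# File names, function names and the CN-only subject are assumptions.

make_csr() {
    # $1 = working directory, $2 = common name for the RADIUS server certificate
    dir=$1
    cn=$2
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = xpserver_ext

[ dn ]
CN = $cn

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # Keep the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -out "$dir/server.csr"
}

csr_has_server_eku() {
    # $1 = CSR file. Succeeds only if it requests id-kp-serverAuth,
    # which openssl prints as "TLS Web Server Authentication".
    openssl req -in "$1" -noout -text |
        grep "TLS Web Server Authentication" >/dev/null
}

work=$(mktemp -d)
if make_csr "$work" mussel.ucc.gu.uwa.edu.au && csr_has_server_eku "$work/server.csr"; then
    echo "CSR in $work requests the serverAuth EKU"
else
    echo "CSR is missing the serverAuth EKU" >&2
fi
```

An extension in a CSR is only a request: the CA has to copy or apply it when signing, so run the same check on the issued certificate with `openssl x509 -in <cert> -noout -text`.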