[tech] Secure wireless

Matt Didcoe mattman at ucc.gu.uwa.edu.au
Tue Apr 13 14:04:34 WST 2010


Yeah, Gareth's immediate response was "hand them an Ubuntu disk".

He did suggest using a W2 supplicant called "Secure W2", but there's
actually not a free version of that. The only other solution, if you're
running AD, is to use a weak version of 1x, which isn't such a good idea.

Apparently it's caused a number of headaches for Eduroam, and other places
have just bought site licences for Secure W2 :(

- MRD

On Tue, Apr 13, 2010 at 1:46 PM, Matt Didcoe <mattman at ucc.gu.uwa.edu.au> wrote:

> Frames and TPG had a play on a Windows XP laptop earlier (version unknown)
> and it seems to suggest that it cannot find a certificate.
>
> Think we'll need to get a new CSR generated for mussel.ucc.gu.uwa.edu.au
> with the XP Extensions (outlined here ->
> http://www.linuxjournal.com/article/8095?page=0,1)
>
> [ xpclient_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.2
>
> [ xpserver_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.1
>
> Going to drop a line to Gareth at ITS and see if they know much about this
> given the work that's been going on with Eduroam (though I think AARNet may
> have handled more of the setup there).
>
> Matt
>
> --
> Matt Didcoe [MRD]
> President / Wheel member
> University Computer Club
> mattdidcoe at ucc.gu.uwa.edu.au
>
>
>
> On Mon, Apr 12, 2010 at 11:43 PM, Patrick Coleman <blinken at gmail.com> wrote:
>
>> On Mon, Apr 12, 2010 at 6:44 PM, David Adam <zanchey at ucc.gu.uwa.edu.au>
>> wrote:
>> >
>> > [MRD] suggested that the certificate confirmation prompt might be from the
>> > hostname of the RADIUS server (currently mussel) not matching the name on
>> > the cert (secure.ucc). I'm not sure about this; my understanding of the
>> > WPA2 protocol doesn't extend to how the client knows what authentication
>> > server is being used. Next time I'm in the clubroom, hopefully with a more
>> > useful device than the iPhone, I might try changing that around.
>>
>> From my (limited) knowledge, the TLS tunnel is established back to the
>> RADIUS server, so it's likely. Freeradius is pretty verbose in debug
>> mode, perhaps it'll tell you? (PEAP/MS-CHAPv2 is MS-CHAPv2 inside EAP
>> inside TLS inside EAP inside RADIUS, proving that when one standard
>> isn't secure enough you should add another four layers).
>>
>> > In any case, apparently[1] a stock SSL certificate will not work on
>> > Windows XP without a specific extension. If someone with a Windows
>> > wireless client could test it out and let me know I would appreciate it,
>> > although I'll try and bring my laptop in.
>>
>> Whoever does this, make sure you're running SP3 or I promise you will
>> actually go insane.
>>
>> -Patrick
>>
>> --
>> http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting
>>
>
>
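
As an added example (not part of the thread, and not UCC's actual configuration), the shell functions below sign a test CSR with either of the two extension sections quoted above and print the Extended Key Usage the resulting certificate carries. The throwaway CA, the subject `radius.example.test` and all file names are constructed for the example; here the extension is applied when the CA signs the request.

```shell
#!/bin/sh
# Added example: issue a test certificate using one of the EKU sections
# quoted in the thread and report which extendedKeyUsage it ends up with.
# CA, subject names and file names are constructed for this example.

# issue_cert SECTION OUTDIR: create a throwaway CA, then sign a CSR with
# extension SECTION (xpserver_ext or xpclient_ext) -> OUTDIR/cert.pem
issue_cert() {
    section=$1
    dir=$2
    mkdir -p "$dir" || return 1
    # Extension file holding the two sections quoted in the thread.
    cat > "$dir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/cert.key" -out "$dir/cert.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/cert.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/xpextensions" -extensions "$section" \
        -out "$dir/cert.pem" 2>/dev/null
}

# eku_of CERT: print the certificate's Extended Key Usage value, or nothing
# when the extension is absent (the "stock certificate" case).
eku_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# Demo: issue a server certificate and show its EKU.
demo=$(mktemp -d)
issue_cert xpserver_ext "$demo/server" && eku_of "$demo/server/cert.pem"
rm -rf "$demo"
```

Running `eku_of` against the certificate the RADIUS server actually presents shows whether the extension made it through signing.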