[tech] Secure wireless
David Adam
zanchey at ucc.gu.uwa.edu.au
Tue Apr 13 22:10:56 WST 2010
On Mon, 12 Apr 2010, Patrick Coleman wrote:
> On Mon, Apr 12, 2010 at 6:44 PM, David Adam <zanchey at ucc.gu.uwa.edu.au> wrote:
> > [MRD] suggested that the certificate confirmation prompt might be from the
> > hostname of the RADIUS server (currently mussel) not matching the name on
> > the cert (secure.ucc). I'm not sure about this; my understanding of the
> > WPA2 protocol doesn't extend to how the client knows what authentication
> > server is being used. Next time I'm in the clubroom, hopefully with a more
> > useful device than the iPhone, I might try changing that around.
>
> From my (limited) knowledge, the TLS tunnel is established back to the
> RADIUS server, so it's likely. Freeradius is pretty verbose in debug
> mode, perhaps it'll tell you? (PEAP/MS-CHAPv2 is MS-CHAPv2 inside EAP
> inside TLS inside EAP inside RADIUS, proving that when one standard
> isn't secure enough you should add another four layers).
I think you mean PEAPv0/MS-CHAPv2 :-P
http://support.microsoft.com/kb/814394 suggests that "the Subject line of
the server certificate [must] match the name that is configured on the
client for the connection", which I assume means the SSID, and "the
Subject Alternative Name (SubjectAltName) extension [must] contain the
server's FQDN". I still haven't worked out how the client could possibly
verify the FQDN as the EAP-over-LAN (EAPOL) connection isn't IP-based.
Anyway, I will poke it a bit when I have some time.
> > In any case, apparently[1] a stock SSL certificate will not work on
> > Windows XP without a specific extension. If someone with a Windows
> > wireless client could test it out and let me know I would appreciate it,
> > although I'll try and bring my laptop in.
>
> Whoever does this, make sure you're running SP3 or I promise you will
> actually go insane.
Useful advice, but any more details?
[DAA]
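Added example (editor's, not from the thread, FreeRADIUS or any supplicant): the checks a PEAP client applies to the server certificate it sees inside the TLS tunnel, run over constructed sample certificates. The client has no IP or DNS view of the RADIUS server over EAPOL, so it does not compare the certificate against the server's hostname at all; it compares against a name configured on the client (wpa_supplicant's domain_suffix_match, or the "Connect to these servers" list in the Windows PEAP properties), which is why a cert for secure.ucc is fine even though the server is called mussel. The "specific extension" Windows XP wants is, on my reading of KB 814394, the Server Authentication extended key usage (1.3.6.1.5.5.7.3.1); the simplified certificate dicts and names below are constructed for the example, not real UCC certificates.

```python
"""Approximate the server-certificate checks a PEAP supplicant performs.

Editor's added example, not code from the thread, FreeRADIUS or
wpa_supplicant. Certificates are represented as simplified constructed
dicts so the script runs offline; a real client would additionally
verify the chain against its configured CA.
"""

# id-kp-serverAuth: the EKU Windows PEAP clients require on the server cert
# (my reading of KB 814394; constructed constant name).
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"

# Constructed sample certificates, not real UCC certificates.
# A cert issued for the RADIUS server with SAN and the serverAuth EKU:
SAMPLE_CERT = {
    "subject_cn": "secure.ucc",
    "san_dns": ["secure.ucc"],
    "eku": [SERVER_AUTH_EKU],
}
# A "stock" web-style cert with no SAN and no EKU, as a Windows XP client
# would reject it:
LEGACY_CERT = {
    "subject_cn": "secure.ucc",
    "san_dns": [],
    "eku": [],
}


def suffix_match(name, expected):
    """wpa_supplicant domain_suffix_match semantics: the certificate name is
    either equal to the configured value or ends with it on a label
    boundary (so 'evilucc' does not match a configured 'ucc')."""
    name, expected = name.lower(), expected.lower()
    return name == expected or name.endswith("." + expected)


def check_server_cert(cert, expected_name, require_server_auth=True):
    """Return a list of problems; an empty list means the supplicant would
    accept the certificate (chain validation aside).

    expected_name is the name configured on the client. Note that nothing
    here looks at the RADIUS server's actual hostname: over EAPOL the
    client never learns it.
    """
    problems = []

    # SAN dNSName entries win; fall back to the subject CN only when the
    # certificate carries no SAN at all.
    candidates = cert["san_dns"] or ([cert["subject_cn"]] if cert["subject_cn"] else [])
    if not any(suffix_match(n, expected_name) for n in candidates):
        problems.append(
            "name mismatch: certificate names %r do not match configured %r"
            % (candidates, expected_name)
        )

    # Windows clients insist on the Server Authentication EKU.
    if require_server_auth and SERVER_AUTH_EKU not in cert["eku"]:
        problems.append("missing Server Authentication EKU (%s)" % SERVER_AUTH_EKU)

    return problems


if __name__ == "__main__":
    # Server is called mussel, cert says secure.ucc: fine if the client
    # is configured to expect secure.ucc, a mismatch prompt otherwise.
    print("expect secure.ucc:", check_server_cert(SAMPLE_CERT, "secure.ucc"))
    print("expect mussel:    ", check_server_cert(SAMPLE_CERT, "mussel"))
    print("legacy cert on XP:", check_server_cert(LEGACY_CERT, "secure.ucc"))
```

The practical consequence for the clubroom setup: tell the clients what name to expect (and which CA to trust) rather than renaming the server; the prompt goes away when the configured name, not the RADIUS host's DNS name, matches the certificate.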