2011/5/5 Iñaky Pérez-González <inaky at linux.intel.com>:
> On Fri, 2011-04-29 at 10:11 +0300, batcilla itself wrote:
> ...
>>
>>         The intel WiMAX hw doesn't work without client authentication.
>>         It cannot
>>         be disabled, so that's probably it.
>>
>>
>>
>> Then, how does it work with Freshtel/Ukraine?
>> They use a captive portal for authorizing users and unrestricted entry
>> and access to their web, for at least ImPAD 0410 hardware, which has
>> Intel 6250 inside. It is working from Windows 7 32 bit with the Intel
>> driver (may be customized for Freshtel/Ukraine).
>> AFAIK they do not use EAP-TLS with device certificates; for USB sticks
>> they use EAP-TTLS/MSCHAPv2, so there is a need to enter realm and
>> password.
>> But for Intel hardware there is nothing to enter and the network
>> connects. Internet service is allowed after authentication over the
>> captive portal.
>> I have this hardware in my possession, but have problems with Linux on
>> it, because it is a tablet and recent Linux distros have no driver for
>> the touchscreen.
>
> The communication is still encrypted with TLS.
>
> The system (card and base station) establish an encrypted pipe, using as
> TLS id the MAC at freshtel.com.ua (where MAC is the MAC address of the
> card). Because the card has a certificate signed by the WiMAX Forum
> which validates the MAC address, the basestation can assume that your
> card is a 'legal' card and an encrypted link is established.
>
> Now, you use the captive portal to actually get service, but that's a
> business level decision on doing it like that. Once you swipe your card
> in the portal, your MAC address is probably associated to your account
> and given straight access next time you connect ... until your
> subscription runs out, and then you are sent to the portal again :)
>

I see your point, but the encrypted tunnel is usually built between the
AAA server (the ASNGW may have an internal or external one; some BSs may
have an integrated one, maybe in the same rack unit) and the CPE, not
between the BS and the CPE.

In this scenario mac at freshtel.com.ua is the OuterNAI (anonymous id),
which allows access to the network, but not to the service. At the same
time the USB stick uses EAP-TTLS/MSCHAPv2 to bypass the captive portal,
because the InnerNAI/password are the same as for the captive portal.

I.e., in that scenario the BS uses 2 types of authorization at the same
time? Is it possible to use the Intel driver with EAP-TTLS/MSCHAPv2?

--
//batcilla