On Thu, 2011-05-05 at 11:29 +0300, batcilla itself wrote:
> 2011/5/5 Iñaky Pérez-González <inaky at linux.intel.com>:
> > On Fri, 2011-04-29 at 10:11 +0300, batcilla itself wrote:
> > ...
> >>
> >> The intel WiMAX hw doesn't work without client authentication. It cannot
> >> be disabled, so that's probably it.
> >>
> >> Then, how does it work with Freshtel/Ukraine?
> >> They use a captive portal for authorizing users and unrestricted entry
> >> and access to their web, for at least ImPAD 0410 hardware, which has
> >> an Intel 6250 inside. It is working from Windows 7 32 bit with the Intel
> >> driver (may be customized for Freshtel/Ukraine).
> >> AFAIK they do not use EAP-TLS with device certificates; for USB sticks
> >> they use EAP-TTLS/MSCHAPv2, so there is a need to enter realm and
> >> password.
> >> But for Intel hardware there is nothing to enter and the network
> >> connects. Internet service is allowed after authentication over the
> >> captive portal.
> >> I have this hardware in my possession, but have problems with Linux on
> >> it, because it is a tablet and recent Linux distros have no driver for
> >> the touchscreen.
> >
> > The communication is still encrypted with TLS.
> >
> > The system (card and base station) establish a crypted pipe, using as
> > TLS id the MAC at freshtel.com.ua (where MAC is the MAC address of the
> > card). Because the card has a certificate signed by the WiMAX Forum
> > which validates the MAC address, the basestation can assume that your
> > card is a 'legal' card and a crypted link is established.
> >
> > Now, you use the captive portal to actually get service, but that's a
> > business level decision on doing it like that. Once you swipe your card
> > in the portal, your MAC address is probably associated to your account
> > and given straight access next time you connect ... until your
> > subscription runs out, and then you are sent to the portal again :)
>
> I see your point, but the encrypted tunnel is usually built between the AAA
> server (the ASNGW may have an internal or external one; some BSes may have
> it integrated, maybe in the same rack unit) and the CPE, not between the BS
> and the CPE.
> In this scenario mac at freshtel.com.ua is the OuterNAI (anonymous id), which
> allows access to the network, but not to the service. At the same time the
> USB stick uses EAP-TTLS/MSCHAPv2 to bypass the captive portal, because the
> InnerNAI/password are the same as for the captive portal. E.g. in that
> scenario does the BS use 2 types of authorization at the same time?

Those are details I am not aware of -- all I am saying is that Intel
devices won't connect to a basestation without a crypto link with the
proper certificate exchange and verification.

> Is it possible to use the Intel driver with EAP-TTLS/MSCHAPv2?

It is, yes. Reports of success have been heard in the UQ network in
Japan, which is to the best of my knowledge, TTLS/CHAP2.