Authentication configuration

Dan, Dermot, thanks for your answers and sorry for the delay in answering you.

Indeed, finding a way to use "only" EAP-MSCHAPv2 as my CPEs do would be just fine for me.

I do not have a site certificate on the lab since I did not expect Intel cards to be so demanding on this point. Do you think this is a firmware feature, or do I have a chance to bypass it at the driver level?

@Dermot:
- In Linux there are a couple of certs: cacert.pem, supplicant_cert.pem. Isn't cacert.pem the root certificate you mention?
- The configuration files are WiMAX_DEF.bin and WiMAX_DB.bin. Actually modifying the DB seems to be sufficient to configure the stack. I could modify it so that TTLS is used (but it fails due to an invalid server certificate, apparently).
- I do not get why using TTLS would obviate the need for a server certificate. In my understanding, with TTLS there is an authentication of the server made by the device. Am I wrong?

Regards
Eric

----- Original Message -----
From: "Dermot Williams" <Dermot.Williams at imaginegroup.ie>
To: "Dan Williams" <dcbw at redhat.com>, reric1 at free.fr
Cc: wimax at linuxwimax.org
Sent: Friday, 2 March 2012 11:33:18
Subject: RE: Authentication configuration


> -----Original Message-----
> From: wimax-bounces at linuxwimax.org [mailto:wimax-bounces at linuxwimax.org] On Behalf Of Dan Williams
> Sent: 01 March 2012 15:20
> To: reric1 at free.fr
> Cc: wimax at linuxwimax.org
> Subject: Re: Authentication configuration
> 
> On Thu, 2012-03-01 at 01:18 +0100, reric1 at free.fr wrote:
> > Hi,
> >
> > we're making trials of various authentication levels on our WiMAX
> > infrastructure. With the CPEs we have, it's possible just to
> > authenticate the client on the AAA using a user/passwd. Is it possible
> > to have the same very basic level with the Linux WiMAX stack and an Intel
> > 6250? If yes, what should the authentication section of the .bin file
> > look like?
> >
> > In case we want to implement EAP-TLS or EAP-TTLS, what certificate
> > should we install on the AAA (FreeRADIUS) with respect to those present
> > on the Linux WiMAX client side (cacert.pem ...)? On this client what
> > should be the configuration (DEVICE, CA...) of the CERT section of the
> > EAP node?
>
> Everything I've heard about the Intel cards indicates they require EAP
> authentication.  What EAP *methods* they support is something Inaky
> would have to say, but I've only heard of people using EAP-TLS and
> EAP-TTLS in deployments so far.  I assume if you're using user/pass only
> you'd be using EAP-MD5 or EAP-MSCHAPV2?
> 

[Dermot Williams] As far as I know, they only support EAP-TLS, at least
on Windows. You'll also need to get a server certificate that's been
signed by Verisign/Symantec, who are the acting CA for the WiMAX Forum.
They're not cheap either since you need to sign up for their Enterprise
MPKI service as well.

Now, that mightn't apply to Linux - it's a while since I've played with
the stack on Linux. It might be possible to edit the entries for your
NSP in the two XML files (one of which is WiMax_def.xml, I can't
remember the other) on the client so that they use EAP-TTLS instead.
That *should* obviate the need for a server certificate but you'll still
need a copy of the WiMAX Forum's root CA cert for devices.

Dermot

