20080129

WiFi in the TF

Ok, forget completely about xsupplicant - it's horribly written software. I had to correct several sections of code just so it would compile, and then I later realized that it was truncating the ESSID string to an improper length.

I managed to get WPA-EAP / EAP-TLS working with wpa_supplicant, and it wasn't so hard after all.

Requirements:

You should have been given 4 files from the TF administrator - Root.der, Client.der, Server.der, and xyz.p12, where xyz is your username. You should also know your passphrase.

You should have wpa_supplicant installed (it should pull in OpenSSL as a requirement). If you don't have wpa_supplicant installed, then do 'emerge -av1 wpa_supplicant'.

Important: Do not install wpa_supplicant with the gnutls USE flag; gnutls has a broken implementation of eap-tls right now, resulting in errors such as 
  • "Failed to read client cert/key in PEM format: Base64 unexpected header error" 
  • "Failed to read client cert/key in DER format: ASN1 parser: Error in TAG." 
If you have wpa_supplicant installed with the gnutls USE flag, then simply run  'USE=-gnutls emerge -av1 wpa_supplicant' as root, or better yet, add 'net-wireless/wpa_supplicant -gnutls' to your /etc/portage/package.use file.

Steps:

1) Switch to the root user. Copy all 4 files to /etc/wpa_supplicant.

sudo -s
mkdir -p /etc/wpa_supplicant # should be created by wpa_supplicant
cp Root.der Client.der Server.der xyz.p12 /etc/wpa_supplicant


2) According to 'man wpa_supplicant',

"Wpa_supplicant supports X.509 certificates in PEM and DER formats. User certificate and private key can be included in the same file. If the user certificate and private key is received in PKCS#12/PFX format, they need to be converted to suitable PEM/DER format."

cd /etc/wpa_supplicant
for i in Root Server Client; do 
    openssl x509 -inform DER -in ${i}.der -out ${i}.pem
done
openssl pkcs12 -in xyz.p12 -out xyz.pem -clcerts
# we do not want anyone reading / modifying the keys aside from root
chmod u+rw,go-rwx {Root,Server,Client}.{der,pem} xyz.{p12,pem}

When converting your public / private key from pkcs12 format above, it will ask you for an 'Import Password', which is null. Simply hit enter. Next it will ask you for your PEM passphrase, which is the one you should already be familiar with.

3) From 'man wpa_supplicant.conf', append the following to /etc/wpa_supplicant/wpa_supplicant.conf :

# Technische Fakultaet
network={
     ssid="TFconnect"
     key_mgmt=IEEE8021X
     eap=TLS
     identity="xyz"
     ca_cert="/etc/wpa_supplicant/Root.der"

     ca_path="/etc/wpa_supplicant/"
     private_key="/etc/wpa_supplicant/xyz.pem"
     client_cert="/etc/wpa_supplicant/xyz.pem"
     private_key_passwd="your secret passphrase"
     eapol_flags=3
}


4) Now use your common method of starting wpa_supplicant. I assume your wireless device is called wlan0, but sometimes it's simply called eth1. For Gentoo, I do

cd /etc/init.d
ln -sf net.lo net.wlan0


5) The -D argument can vary. Mine is wext, but yours could be madwifi or madwifi-ng. Add something like the following to /etc/conf.d/net, if you don't already have a configuration for wpa_supplicant.

modules_wlan0=( "wpa_supplicant" "dhcpcd" )
wpa_supplicant_wlan0=( "-D wext -c /etc/wpa_supplicant/wpa_supplicant.conf" )


6) Lastly, run

/etc/init.d/net.wlan0 restart

No comments: