Reply
Thread Tools
Posts: 2,154 | Thanked: 8,464 times | Joined on May 2010
#21
Originally Posted by Malakai View Post
Should I understand that in my case (EAP-GTC) even if using a certificate the user and pass are sent in plain text? Or that only in the case of PEAP, TLS and TTLS the user and pass are encrypted so the necessity to use a certificate with EAP-GTC is mandatory to have the user and pass encrypted, otherwise the user and password are sent unencrypted?
You are not using EAP-GTC! Also this method is not supported by Maemo.

You are using EAP-PEAP/EAP-GTC. It means that there are two layers. First is EAP-PEAP which create encrypted TLS tunnel in which is send EAP-GTC.

Username (alias identity) is send unencrypted plain-text in EAP-PEAP and this can be sniffed. But password (together with username) is send in EAP-GTC. It is plain-text too, but in second layer, now encrypted with TLS in tunnel (from EAP-PEAP). And in case that TLS is secure, then password is send securely (in encrypted tunnel).
 

The Following 3 Users Say Thank You to pali For This Useful Post:
Posts: 175 | Thanked: 210 times | Joined on Mar 2013
#22
So today I had access to one of my ISP wifi hotspots and tried the command :

Code:
$ gconftool -s -t boolean /system/osso/connectivity/IAP/<UUID>/EAP_disable_certificate_check true
but without any success... the message still pops-up with the "Done" button.

So I was thinking that maybe I had to get the certificate on the N900, and I was asking myself how to do that. From what I got to read on the web about the way EAP-PEAP/EAP-GTC is working and guessing that my ISP is using RADIUS to authenticate the users, am I right by telling that the certificate in question is on the RADIUS server, as the encryption should be between my N900 and that server?
Could I use wireshark to get more info about this during the connection to the access point? (I don't know if wireshark exists on the N900). Are there any other methods for me to find the server and the address where I could get that certificate?

Oh, and my ISP won't give me more info, as for them it is working (I can connect and I have access to the Internet), so it's my problem if I have a pop-up on the N900.
 

The Following User Says Thank You to Malakai For This Useful Post:
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#23
Originally Posted by Malakai View Post
So I was thinking that maybe I had to get the certificate on the N900, and I was asking myself how to do that. From what I got to read on the web about the way EAP-PEAP/EAP-GTC is working and guessing that my ISP is using RADIUS to authenticate the users, am I right by telling that the certificate in question is on the RADIUS server, as the encryption should be between my N900 and that server?
Yes, although you actually only need the CA cert.
Could I use wireshark to get more info about this during the connection to the access point? (I don't know if wireshark exists on the N900).
Yes, we have wireshark on N900 & it can do what you want. I'm not home tonight so can't help you there. But you can find the info on Internet easily. Just pray they have 'proper' certificate with complete chain of trust.
....

Oh, and my ISP won't give me more info, as for them it is working (I can connect and I have access to the Internet), so it's my problem if I have a pop-up on the N900.
TBH, that pop-up is not an error .. it's just a warning, so you don't really need to worry about it so much. At least you know you're connecting to the right AP
 

The Following User Says Thank You to sicelo For This Useful Post:
Posts: 175 | Thanked: 210 times | Joined on Mar 2013
#24
Originally Posted by sicelo View Post
TBH, that pop-up is not an error .. it's just a warning, so you don't really need to worry about it so much. At least you know you're connecting to the right AP
True, but I generally want to set up things properly and for now with the pop-up it just "feels dirty". Until I will have the time and the opportunity to dive into this I will have to live with it, I guess.
 
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#25
you can capture the whole wifi session by first doing an `ifconfig wlan0 up` so that wireshark/dumpcap/tcpdump (depending which you like to use) can find the interface.

connect to your network, and you can then analyze the pcap file on computer (more convenient than on N900 )

https://www.wireshark.org/lists/wire.../msg00080.html has the info you need in order to extract the certificate. i could successfully get my organization's CA cert this way. As mentioned earlier, this solution may possibly not work if the certificates passed down by your network are not properly formatted from Maemo's cert manager point of view.
 

The Following 2 Users Say Thank You to sicelo For This Useful Post:
Posts: 2,154 | Thanked: 8,464 times | Joined on May 2010
#26
Finally autoconnect to WPA-EAP networks is working! It has some requirements: all passwords must be set in gconf, all certificates must be encrypted with default password (in certificate dialog = remove password) and all certificates must be valid... basically everything so it will work without any user interaction.

Update is in cssu-devel, see more:
http://talk.maemo.org/showthread.php...02#post1502802
 

The Following 4 Users Say Thank You to pali For This Useful Post:
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#27
Will test it on my Freeradius setup
after work
WPA-EAP at work has the problem reported in my first post here, so can't do.
 
Community Council | Posts: 685 | Thanked: 1,235 times | Joined on Sep 2010 @ Mbabane
#28
Ah, it's already trying to connect to work network (unsuccessfully of course).

Thanks a mil pali for this one.
 
Reply

Tags
maemo 5, wpa-eap, wpa2-eap


 
Forum Jump


All times are GMT. The time now is 20:19.