
Supplicant configuration

Linux

  1. Copy the ca.ca pem file generated during certificate generation onto the computer.
  2. Select the network's SSID from the list in Network Manager.
  3. When asked, enter the following information, then press connect:
    CA certificate: Browse and select the ca.ca pem file
    Identity: the username 
    Password: the password
    Inner authentication: MSCHAPv2 (not "MSCHAPv2 (not EAP)")
    Leave all other fields as they are

Android

  1. Copy the ca.ca pem file generated during certificate generation onto the phone.
  2. Open the “Settings” app, go to “Wi-Fi” → “Advanced settings” → “Install certificates”.
  3. Select the ca.ca pem file.
  4. Assign it a name of choice.
  5. Under “Certificate use” select “WiFi”.
  6. Once again, open the “Settings” app, go to “Wi-Fi”, and select the network's SSID from the list.
  7. When asked, enter the following information, then press connect:
    CA certificate: Select the earlier chosen name when installing the ca.ca pem file
    Identity: the username 
    Password: the password
    Leave all other fields as they are

...

Linux and Android supplicants require the ca.ca pem file generated during certificate generation to be installed in order to verify the RADIUS server's identity. If the identity presented by the RADIUS server changes at any point, the supplicant fails to connect and prompts the user for network credentials again. It is possible to connect without installing the ca.ca pem file, but one then has to select "No CA certificate required" or "Do not validate". In that case the supplicant sends credentials to any RADIUS server for that SSID without verifying its identity. To avoid sending the real user name in the unencrypted outer tunnel, specify a different value (normally 'anonymous') in the "Anonymous identity" field.
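The two settings described above can be checked in saved Linux profiles. The following is an added example, not part of the original page: it audits NetworkManager keyfile-format profiles for a missing CA certificate and for a real user name exposed in the outer tunnel. The profile contents (SSID, user name, certificate path) are constructed, and the function and finding names are hypothetical.

```python
import configparser

# Constructed NetworkManager keyfile profiles; SSID, user and path are made up.
VALIDATED = """
[wifi]
ssid=example-ssid
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
eap=peap;
identity=alice
anonymous-identity=anonymous
ca-cert=/etc/ssl/certs/example-radius-ca.pem
phase2-auth=mschapv2
"""
UNVALIDATED = """
[wifi]
ssid=example-ssid
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
"""

MESSAGES = {
    "no-ca": "server certificate not validated; credentials go to any RADIUS server",
    "outer-identity": "real user name is sent in the unencrypted outer tunnel",
}

def audit_profile(text):
    """Return the finding codes for one keyfile profile (empty list = clean)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return []  # not an 802.1X profile
    dot1x = cp["802-1x"]
    findings = []
    # No CA file and no system trust store: the server identity is not verified.
    if not dot1x.get("ca-cert") and not dot1x.getboolean("system-ca-certs", fallback=False):
        findings.append("no-ca")
    # Empty anonymous identity, or one equal to the real identity, leaks the user name.
    anon = dot1x.get("anonymous-identity", "")
    if not anon or anon == dot1x.get("identity", ""):
        findings.append("outer-identity")
    return findings

if __name__ == "__main__":
    for name, text in (("validated", VALIDATED), ("unvalidated", UNVALIDATED)):
        for code in audit_profile(text):
            print(f"{name}: {code}: {MESSAGES[code]}")
```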

On Mac OS, iPhone and Windows 10 supplicants, the server certificate's details are presented when connecting to the SSID for the first time, and the user is asked whether to trust the server. If the identity presented by the RADIUS server changes at any point, the user is shown a prompt that, sadly, contains no reasonable warning and looks identical to the one displayed when connecting for the first time, so the user is extremely likely to press Trust/Connect once again (on Windows 10, the message also advises the user to connect if they are in a location where said SSID is expected to be present). On Windows 10, if the user does press Connect again, the supplicant stores both identities and from then on connects without further warning to any server presenting any of those identities; on Mac OS and iPhone this has not been tested.

On Mac OS and Windows 10 it is also possible to copy the ca.ca pem file and install it; on iPhone this did not seem to have any effect. Installing the file avoids the prompt on first connect and protects against a rogue RADIUS server intercepting the connection at that time, when it would otherwise still be impossible to verify the server's authenticity.

On Mac OS and iPhone it seems to be possible, but greatly complicated, to configure the supplicant not to send the real user name in the unencrypted outer tunnel: it involves installing software from the App Store and using it to create a configuration profile, which then needs to be saved to a file, copied and imported onto the supplicant device. On Windows 10 this is somewhat easier. '@@@' to verify.