I want to note down my successful implementation of wireless at my office using Suse 11.1 x86, with two SSIDs, one for Guest using WPA Personal - Pre-Shared Key and one using WPA Enterprise - Certificate based authentication. Partly to help any future users to avoid the problems I had, and partly as a guide to myself for the next time I need it. This won’t be an in-depth step by step, but an overview of how I did it. If others have questions, feel free to ask.
Description of Task:
Our work network secures LAN access with 802.1x machine based authentication using Windows 2008 Server NPS services as a radius server. We use the same server with similar authentication means to authenticate internal WiFi users to our corporate LAN. Each PC in our network gets issued a certificate by Windows Certificate Services.
Though I have my Linux laptop joined to the Windows AD Domain, it does not participate in Group Policy and therefore had no way to get a certificate for WiFi and LAN authentication.
Environment:
Cisco Aironet 1200 APs
MS AD Domain with MS Certificate Services
MS NPS on W2K8 (formerly IAS)
Gateway M460 laptop with builtin Wireless Intel PRO/Wireless 2200BG
Windows Certificate Services
We installed an offline/online PKI based on Microsoft whitepapers starting from Public Key Infrastructure for Windows Server 2003
Network Protection Services
We installed NPS (also called NAP, and other things) using 802.1x certificate based authentication using Microsoft whitepapers starting from 802.1X Authenticated Wired Access
Wifi Configuration
Our access points are configured with two SSIDs, one for internal LAN access and one for Guest access. Both are set to require WPA, using TKIP. For the LAN SSID, we configured open auth using EAP, for the Guests, we configured open auth using a pre-shared key.
Both Wifi SSIDs were verified working using Windows XP Pro.
Laptop Configuration Internal LAN
Installing the certificate
This was the hard part for me. First, I tried to generate a key and a CSR using the OpenSSL command line, then imported the CSR to the Windows certificate server. I found that the template wasn’t listed in the CSR. I found help online and ran the CSR through a CAPolicy.inf file to modify the CSR to conform to Windows standards, but it was all a pain in the butt. And, it’s not necessary. In my PKI and NPS setup, I allow users to request and be issued certs, not just machines. All I had to do was use a person cert for the authentication.
I requested and got a person cert using a Windows XP machine or the server itself. I could have done it using the browser, but I didn’t. I also exported all of the certs in the certification path.
Once I got the server, I used openssl to export the user public cert, and the private key into separate files. Then, I took the CA certs and concatenated them into a single file.
My laptop is configured to use NetworkManager. I clicked on the icon and selected to connect to a hidden wireless network. In the dialog, I gave the SSID name of my internal network and selected WPA-Enterprise. In the dialog box, I set:
Authentication: TLS
Identity: DOMAIN\username for the user I requested the cert as
User Cert: I specified the public cert for the user
CA Cert: I specified the concatenated file of CA Root certs
Private Key: I specified the file with the user cert private key
Key Password: I specified the password for the private key file
After doing all this, my laptop connected to the Wifi internal LAN.
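The export-and-split step above (user cert, private key and concatenated CA chain out of a Windows PKCS#12 export, in a format the NetworkManager TLS dialog will accept) as an added example; this is my script, not the original poster's, and the file names, the import password and the throwaway demo CA it builds so it can run offline are all assumptions made for the example:

```shell
#!/bin/sh
# Added example, not from the original post. Turns a PKCS#12 (.pfx/.p12) export
# of a Windows-issued user certificate into the three PEM files NetworkManager's
# WPA-Enterprise / TLS dialog asks for: user cert, private key (still passphrase
# protected), and one file holding the whole CA chain. Names are assumptions.
set -eu

# Keep only the PEM blocks; drop the "Bag Attributes" lines that
# `openssl pkcs12` prints, which some EAP supplicants refuse to parse.
pem_only() {
  sed -n '/^-----BEGIN/,/^-----END/p'
}

# split_p12 BUNDLE.p12 IMPORT-PASSWORD OUTDIR
# Runs in a subshell so the restrictive umask does not leak to the caller;
# the private key is therefore never world-readable, not even briefly.
split_p12() (
  p12=$1; pass=$2; out=$3
  umask 077
  mkdir -p "$out"
  tmp=$(mktemp)
  # Client (user) certificate only: no keys, no CA certs
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$tmp"
  pem_only < "$tmp" > "$out/user-cert.pem"
  # Private key, re-wrapped as an encrypted PKCS#8 PEM under the same passphrase
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -passout "pass:$pass" -out "$tmp"
  pem_only < "$tmp" > "$out/user-key.pem"
  # Every CA certificate in the bundle (root plus any issuing CA), concatenated
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$tmp"
  pem_only < "$tmp" > "$out/ca-chain.pem"
  rm -f "$tmp"
)

# key_matches_cert CERT KEY PASSPHRASE: the key's public half must equal the cert's
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -passin "pass:$3" -pubout)" ]
}

# chain_verifies CA-CHAIN CERT: the user cert must chain to a CA in the file
chain_verifies() {
  openssl verify -CAfile "$1" "$2" > /dev/null 2>&1
}

# ca_count FILE: number of certificates in the concatenated chain file
ca_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# make_demo_p12 DIR PASSWORD: constructed stand-in for the Windows export
# (a throwaway root CA and one user cert it signed), so the script runs offline.
make_demo_p12() {
  d=$1; pass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/user.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
    -certfile "$d/ca.crt" -passout "pass:$pass" -out "$d/user.p12"
}

WORK=$(mktemp -d)
make_demo_p12 "$WORK" 'demo-import-pass'                      # constructed input
split_p12 "$WORK/user.p12" 'demo-import-pass' "$WORK/nm"
# Sanity checks before pointing NetworkManager at the files
key_matches_cert "$WORK/nm/user-cert.pem" "$WORK/nm/user-key.pem" 'demo-import-pass' \
  || { echo "private key does not belong to user cert" >&2; exit 1; }
chain_verifies "$WORK/nm/ca-chain.pem" "$WORK/nm/user-cert.pem" \
  || { echo "user cert does not chain to the CA file" >&2; exit 1; }
echo "PEM files ready in $WORK/nm ($(ca_count "$WORK/nm/ca-chain.pem") CA cert(s))"
```

Point the dialog's User Cert, Private Key and CA Cert fields at the three files and give the import password as the Key Password. Two caveats: a PKCS#12 exported by older Windows versions is RC2-encrypted, and OpenSSL 3 only reads it if you add `-legacy` to the `openssl pkcs12` commands; and the CA file has to contain the complete certification path (root plus every intermediate), which is why the export above should include all certs in the path. On a current NetworkManager the same fields are the nmcli properties 802-1x.eap (tls), 802-1x.identity, 802-1x.client-cert, 802-1x.ca-cert, 802-1x.private-key and 802-1x.private-key-password.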
Trouble
I had some trouble getting the certs to show up in the dialog box. Apparently they have to be a certain format. For the CA Root certs, I used the base 64 encoding.
Keeps trying to connect auto as WPA Personal. For some reason, it now tries to connect automatically asking for a preshared key. It didn’t use to. I’ll have to mess around and try to figure out why.
Laptop Configuration Guest SSID
This worked just as a normal setup worked. I chose in NetworkManager to connect to a hidden SSID (ours is hidden) and for security, I selected WPA - Personal. It asked for a password and away I went.
I realize this is pretty bare bones, and if I get the chance, I’ll add step by step, but it worked pretty easily for me, once I got the cert issue straightened out.