Network/802.1X client settings

From 33C3_Public_Wiki

Windows / netsh profile

The profile XML linked in this article doesn't seem to conform to the XML schema. Here's a version I was able to use; please take a look at this and update the original file, if necessary.

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>33C3</name>
  <SSIDConfig>
    <SSID>
      <hex>33334333</hex>
      <name>33C3</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames>radius.c3noc.net</ServerNames>
                    <TrustedRootCA>da c9 02 4f 54 d8 f6 df 94 93 5f b1 73 26 38 ca 6a d7 7c 13</TrustedRootCA>
                  </ServerValidation>
                  <FastReconnect>true</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <UseWinLogonCredentials>false</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
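
The settings in that profile that decide whether the client will talk to a rogue RADIUS server are the ones under ServerValidation and PeapExtensions. The script below is an added example for this talk page, not part of the posted profile or of anything Microsoft ships: it parses a trimmed copy of the profile with the Python standard library and reports which of those settings are in the safe state. The function names, the trimmed sample profile and the reading of each setting (PerformServerValidation must be true, ServerNames and a TrustedRootCA thumbprint must be present, DisableUserPromptForServerValidation=false means the user is prompted and can click through, RequireCryptoBinding=false means cryptobinding is optional) are this example's assumptions, not statements from the page.

```python
"""Check the server-validation settings in a Windows WLAN profile (PEAP-MSCHAPv2).

Added example for this talk page; it is not part of the profile posted above.
It parses the profile XML with the standard library and reports which of the
settings that decide whether a rogue RADIUS server would be accepted are safe.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the PEAP part of the profile (taken from the profile above).
NS = {
    "peap1": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample: the PEAP part of the profile posted above, with the
# SSID and authEncryption wrappers trimmed to what the checks need.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>33C3</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                  <ServerNames>radius.c3noc.net</ServerNames>
                  <TrustedRootCA>
                    da c9 02 4f 54 d8 f6 df 94 93 5f b1 73 26 38 ca 6a d7 7c 13
                  </TrustedRootCA>
                </ServerValidation>
                <RequireCryptoBinding>false</RequireCryptoBinding>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def _text(root, path):
    """Stripped text of the first element matching path, or None if absent/empty."""
    el = root.find(path, NS)
    return None if el is None or el.text is None else el.text.strip()


def _is_true(value):
    return value is not None and value.lower() == "true"


def _is_sha1_thumbprint(value):
    """Accept one SHA-1 thumbprint written as 40 hex digits, with or without spaces.

    Assumption of this example: the profile pins exactly one root CA.
    """
    if value is None:
        return False
    digits = "".join(value.split())
    return len(digits) == 40 and all(c in "0123456789abcdefABCDEF" for c in digits)


def check_profile(xml_text):
    """Return {check name: True if the setting is in the safe state}."""
    root = ET.fromstring(xml_text)
    sv = ".//peap1:ServerValidation/"
    return {
        # the client validates the RADIUS server certificate at all
        "perform_server_validation": _is_true(
            _text(root, ".//peap1:PeapExtensions/peap2:PerformServerValidation")),
        # the certificate must be issued for this RADIUS host name
        "server_names": bool(_text(root, sv + "peap1:ServerNames")),
        # pinned to one root CA thumbprint rather than any installed root
        "trusted_root_ca": _is_sha1_thumbprint(_text(root, sv + "peap1:TrustedRootCA")),
        # with "false" Windows prompts the user on failure instead of refusing
        "no_user_prompt_on_failure": _is_true(
            _text(root, sv + "peap1:DisableUserPromptForServerValidation")),
        # cryptobinding ties the inner MSCHAPv2 exchange to the outer TLS tunnel
        "require_crypto_binding": _is_true(_text(root, ".//peap1:RequireCryptoBinding")),
    }


def weak_settings(xml_text):
    """Sorted names of the checks that are not in the safe state."""
    return sorted(name for name, ok in check_profile(xml_text).items() if not ok)


if __name__ == "__main__":
    for name, ok in check_profile(SAMPLE_PROFILE).items():
        print(f"{'ok  ' if ok else 'WEAK'} {name}")
```

Run against the profile above it flags only the two informational items (user prompt allowed, cryptobinding optional); blank out ServerNames or set PerformServerValidation to false and the corresponding check turns red, which is the kind of edit worth catching when a profile is copied between machines.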

WPA Supplicant / netctl: Hash Verification

Instead of specifying a CA certificate, the SHA256 hash of the server certificate can be used directly:

ca_cert="hash://server/sha256/4f96e5ad0bd120b7d95fc0eb0e63683db22b58f7cbb4fef29a5a798dec350374"

The SHA256 hash can be generated like this:

openssl x509 -in 33c3.pem -outform der | sha256sum

Quote: "Alternatively, this can be used to only perform matching of the server certificate (SHA-256 hash of the DER encoded X.509 certificate). In this case, the possible CA certificates in the server certificate chain are ignored and only the server certificate is verified."

Source: https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf (CTRL+F for "ca_cert")
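
To make the pinning mechanism concrete, here is an added example (not from wpa_supplicant or the wiki author) that reproduces in Python what the openssl | sha256sum pipeline above produces, and then performs the matching step the quoted text describes: the SHA-256 of the DER certificate the server presents is compared with the pinned digest, and the CA chain plays no part. The function names and the tiny DER blob used as a stand-in certificate are constructed for this example; the pin format hash://server/sha256/<64 hex digits> is the one on the page.

```python
"""Build and check a wpa_supplicant hash:// server-certificate pin.

Added example for this talk page (not from wpa_supplicant or the wiki author).
pin_for_pem() does what `openssl x509 -outform der | sha256sum` does for the
ca_cert="hash://server/sha256/..." form; server_cert_matches() is the check
the supplicant performs with that form: pin against the presented server
certificate only, no CA involved.
"""
import base64
import hashlib
import hmac
import re

PIN_PREFIX = "hash://server/sha256/"

# Constructed sample: a tiny DER blob standing in for a certificate. The hash
# check does not care what the bytes encode, only that they are identical.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def pin_for_der(der):
    """The ca_cert value for a DER certificate, like the openssl | sha256sum pipeline."""
    return PIN_PREFIX + hashlib.sha256(der).hexdigest()


def pin_for_pem(pem_text):
    """Same, starting from the PEM file you would pass to openssl x509 -in."""
    return pin_for_der(pem_to_der(pem_text))


def parse_pin(ca_cert_value):
    """Return the 32-byte digest from a hash://server/sha256/<hex> value."""
    if not ca_cert_value.startswith(PIN_PREFIX):
        raise ValueError("not a hash://server/sha256/ pin")
    digest_hex = ca_cert_value[len(PIN_PREFIX):]
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest_hex):
        raise ValueError("digest must be 64 hex digits")
    return bytes.fromhex(digest_hex)


def is_valid_pin(ca_cert_value):
    """True if the value is a well-formed pin (prefix plus 64 hex digits)."""
    try:
        parse_pin(ca_cert_value)
        return True
    except ValueError:
        return False


def server_cert_matches(presented_der, ca_cert_value):
    """Supplicant-side check: the presented server certificate must hash to the pin."""
    expected = parse_pin(ca_cert_value)
    return hmac.compare_digest(hashlib.sha256(presented_der).digest(), expected)


if __name__ == "__main__":
    pin = pin_for_pem(SAMPLE_PEM)
    print('ca_cert="%s"' % pin)
    print("match:   ", server_cert_matches(SAMPLE_DER, pin))
    print("tampered:", server_cert_matches(SAMPLE_DER + b"\x00", pin))
```

Because only the server certificate is hashed, the pin has to be regenerated whenever the RADIUS server's certificate is renewed, which is the operational trade-off for not trusting a CA; a pin that stops matching after a renewal and a pin that stops matching because a different server answered look identical to the client.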

/etc/wpa_supplicant.conf for FreeBSD

See also: man wpa_supplicant.conf
network={
	ssid="33C3"
### the default for proto is "WPA RSN"; for WPA2 (aka RSN) only:
### (the proto value is a bare keyword in wpa_supplicant.conf, not a quoted string)
	proto=RSN
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="edward"
	password="snowden"
	ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
### (example from https://events.ccc.de/congress/2016/wiki/Static:Network/802.1X_client_settings#wpa_supplicant.conf )
### altsubject_match is checked against the certificate's subjectAltName entries,
### which is where a "DNS:<host>" value lives; subject_match only matches a
### substring of the subject DN, so a "DNS:..." value would never match there.
	altsubject_match="DNS:radius.c3noc.net"
### alternate (if needed 'for EAP inner Phase 2')
#	altsubject_match2="DNS:radius.c3noc.net"
	phase2="auth=PAP"
}

btw: does anyone know a man page where altsubject_match is described? (My quick search was only successful at a German wiki page about Ubuntu (article WLAN/wpa_supplicant/wpa_supplicant.conf.examples/).)

--Vater (talk) 04:31, 22 December 2016 (CET)

Network Manager Config Does Nothing

I created the file as described (and changed the MAC) and restarted NM, and then... nothing changed. When trying to connect to 33C3, I still got prompted to enter the security settings manually.

Someone then pointed me to Network. The instructions there work. -- Brightbyte (talk) 16:45, 27 December 2016 (CET)