
Supplicants

The aim of this section is only to give a deeper understanding of supplicants. For actual configuration, you should use eduroam CAT. The section describes the configuration of the following supplicants:

  • MacOS X Supplicant for MacOS 10.5.
  • wpa_supplicant for Linux.
  • Intel PROSet/Wireless

These supplicants are either Open Source or integrated into the operating system, so there are no
licence fees to consider. The main difference between them is the degree to which they can be
preconfigured. Note that wpa_supplicant, being open source, can be used on either Unix or Windows
platforms.

C.1 MacOS 10.5

These instructions are valid for Mac OS X 10.5 (Leopard) update 4. Please note that previous updates of
Leopard had a different user interface. Future updates could also change this interface, in which case the
instructions in this document may no longer be accurate. Mac OS X versions 10.7 and above are supported by eduroam CAT.

     1. Open Network Preferences. This can be accessed either from the System Preferences panel or the
         menu bar:

     2. If required, create a new Location for roaming purposes. You can create different locations for ease of
         use (such as Home or Work). In this example, the Location University-roaming is used. Just the
         wireless interface (also known as AirPort in Mac OS X) exists for this location:

     3. Click on Advanced to open the Advanced Options panel for the AirPort interface. Of the tabs
         available on this panel, the following will be used to configure eduroam:

         ○ 802.1X. This tab is for configuring 802.1X access profiles. Please note that these profiles can be used
                  for several Locations.
         ○ AirPort. This tab will display when the interface is On or a network has been manually configured. It
                  displays the identifier for the different networks and the security being used when connecting to them
                  (note that several security modes with the same identifier could be configured, for instance for WPA
                  and WPA2).

     4. Click on 802.1X to create an 802.1X User Profile. The 802.1X tab screen appears.
     5. In the Profiles panel, click the plus (+) symbol and select Add User Profile:

         Note: The commonest requirement is to create a user profile. However, you can also create a profile for
         authenticating users to the system, or a common profile for all the users.

     6. A User profile example dialogue appears. The minimum information you must enter for a user profile is:
         ○ Username and password (the actual username and password of the user).
         ○ The default wireless network identifier to join using this profile.
         ○ The authentication method to be used. This can be one of (most commonly):
                  — TTLS, which supports four inner authentication methods: MSCHAP, MSCHAPv2, CHAP, and
                       PAP. You can also provide an inner identity (optional, but recommended for eduroam). The
                       example below uses the prefix anonymous. However, just the postfix with the @ symbol and
                       the user home institution realm is acceptable.

                 — TLS. This method allows us to authenticate using a user certificate. The certificate must be
                      installed in the user's keychain (via the KeyChain Access application) for this option to be
                      activated. After activating the check box, a dialogue for selecting the appropriate certificate is
                      shown. In this example we use a certificate signed by the CA Cert Signing Authority:

                 — PEAP. This authentication method also offers the possibility for entering the outer identity:

     7. Select the AirPort tab and use the plus (+) icon to add the eduroam network using the previously
         created 802.1X profile. The following dialogue appears:

     8. Click on the Security box to display the following:

     9. In most cases select either WPA Enterprise or WPA2 Enterprise.

         Note: By selecting the 802.1X profile created previously (field 802.1X), the fields containing user
         credentials are automatically populated with the values entered earlier.

    10. Activate the AirPort interface.
    11. Apply the changes made in the previous steps and activate the network, either from the Network
          Preferences panel or the menu bar.

Assuming the configuration was successful, you will see something like the following:

While connecting to the server, it's possible that a certificate warning could appear. This happens when:

  • The certificate presented by the RADIUS server being contacted is valid but not signed by any of the
    Certification Authorities recognised by your computer. To prevent this, any new Certification Authority
    should be added using the KeyChain Access tool. If you are confident that you are talking to the right
    server, and that the certificate presented by the server contains the full certification path, you can trust
    this certificate (additional checks can be carried out by expanding the certificate information if
    necessary).
  • The certificate presented by the RADIUS server is invalid or self-signed. In this case do not trust the
    certificate.

C.3 iPhone

The preferred way to generate configuration profiles for iPhone, iPad and Mac OS X is eduroam CAT. The remainder of this section is only relevant if you do not want to use eduroam CAT for this purpose.

The iPhone Configuration Utility allows you to set up your iPhone to access eduroam. This tool helps you
create a wireless configuration profile (.mobileprofile file extension). There are versions for Windows and Mac
OS X.

You can also download profiles sent to your iPhone.

C.3.1 Using the configuration utility

To configure your iPhone for eduroam:

     1. Start the iPhone Configuration utility.
     2. Select the Passcode tab and select Allow simple value:

     3. Select the General tab and enter Identity details for this profile:
         ○ Name: Enter eduroam.
         ○ Identifier: Enter eduroam.
         ○ Organisation: Enter the name of your organisation.
         ○ Description: Enter a description for this profile.

     4. Click the Wi-Fi tab.

     5. Click Configure to enter connection and authorisation information as follows:
         ○ Service Set Identifier (SSID): Enter eduroam.
         ○ Security Type: Select WPA/WPA2 Enterprise.
     6. Under Enterprise Settings click Protocols and under Accepted EAP Types select TTLS:

     7. Under Enterprise Settings click Authentication and enter authentication details:
         ○ Username: Enter your email address.
         ○ Inner Authentication: Select PAP.
         ○ Outer Identity: Enter the identity to be used for external identification (e.g.
                anonymous@myuniversity.eu).

     8. Click the Credentials tab and enter the Credential Name to be used.

     9. Click the Wi-Fi tab and under Enterprise Settings click Trust to enter trust details:
         ○ Trusted Server Certificate Names: Enter the names expected from the Authentication server.

C.3.2 Downloading a profile

You can receive a profile on your iPhone. An example is shown below:

Opening the attachment to the message displays a dialogue such as:

Note: In this example the profile has not been signed. However, the profile contains a valid TTLS+PAP
configuration and the right certificates for recognising the organisation's RADIUS server certificate.

If you decide to install this profile, you will be connected to eduroam:

C.2 wpa_supplicant

wpa_supplicant (http://hostap.epitest.fi/wpa_supplicant/) is an open source 802.1X supplicant for Linux, BSD
and MS Windows. This section describes its use on the Linux platform. wpa_supplicant is available for most
modern Linux distributions and seems to be the focal point of 802.1X development on the *nix platform.

The eduroam CAT Linux installers configure wpa_supplicant, and if it is front-ended with NetworkManager they do so in a comfortable, UI-friendly way. The remainder of this section is only relevant if you do not want to use eduroam CAT for this purpose.

It is out of scope of this cookbook to describe how wpa_supplicant can be compiled from source or what
options need to be enabled in the Linux kernel to make eduroam authentication work. Modern Linux
distributions with a standard kernel, wireless tools and wpa_supplicant should work "out of the box".

Using the technical information below it is possible to implement eduroam support so that it will be seamlessly
integrated with the OS. This is, however, very distribution specific and therefore out-of-scope for this document.

It is assumed that the user has a working wireless card (this can be verified by using the iwconfig command).

wpa_supplicant is responsible for the (layer 2) authentication of the user, and must be followed by some means
of setting up the (layer 3) IP connection by using a DHCP-client. Wpa_supplicant typically runs in the
background to control the connection, take care of re-authentications, manage roaming between access points,
and so on. It is started with the command:

wpa_supplicant -i interface -c configuration_file -D driver -B

Where:

  • interface is the system name for the wireless interface (like eth1, ath0, wlan0, etc.).
  • configuration_file is the location of the file (described later on).
  • driver is one of: wext, ipw, madwifi and ndiswrapper (described below).
  • -B option means 'run in the background'.

The driver setting depends on the particular card used.
The wext driver currently supports most existing cards (Atheros chipset based cards being an exception;
madwifi should be used there). Hence, the wext setting should be tested first.

The configuration file depends on the EAP type of choice. Example configurations (which can be downloaded
from http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip) are provided for EAP-TTLS,
EAP-PEAP and EAP-TLS. Each of the examples contains two, nearly identical, network blocks; the only
difference is that one is for WPA and the second for dynamic WEP.

Note: In principle, one block with 'key_mgmt=WPA-EAP IEEE8021X' should be sufficient, but under certain
conditions this may fail. Using two separate blocks always seems to work correctly.

The ca_cert setting points to the certificate file of the CA which has issued the certificate for the RADIUS
server. This file should contain the certificates for the whole certification chain, up to the root. All certificates and
keys should be in PEM format.

The EAP-TTLS file is shown below for reference:

# EAP-TTLS configuration
# Socket directory used by wpa_cli to talk to the running wpa_supplicant
ctrl_interface=/var/run/wpa_supplicant

# Block 1: WPA/WPA2 with EAP key management
network={
           ssid="eduroam"
           key_mgmt=WPA-EAP
           # PEM file with the CA chain that issued the RADIUS server certificate
           ca_cert="/etc/eduroam/ca.cer"
           # Used as both outer and inner identity here (see note below)
           identity="user@your.domain"
           eap=TTLS
           password="xxxx"
           # Inner (phase 2) authentication inside the TLS tunnel
           phase2="auth=PAP"
}
# Block 2: the same settings for dynamic WEP (plain IEEE 802.1X key management)
network={
           ssid="eduroam"
           key_mgmt=IEEE8021X
           ca_cert="/etc/eduroam/ca.cer"
           identity="user@your.domain"
           eap=TTLS
           password="xxxx"
           phase2="auth=PAP"
}

Note: this example will set the outer identity to be the same as the real, inner identity of the user. It is possible
to set the outer identity to a different name (for instance to an opaque id), but for simplicity this is not shown
here.

Also, most wpa_supplicant builds will accept the user key and certificate (for EAP-TLS) in one PFX (p12) file. If that is used,
private_key should point to this file and client_cert should be commented out.

Download the script (contained in http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip) to
enable you to start and stop the eduroam connection. Note that this script needs to be configured by assigning
correct values to the variables in the configuration section. The script kills possible wpa_supplicant processes
and DHCP clients for the particular interface. Then it starts wpa_supplicant and monitors its state with
wpa_cli. If no authentication takes place during the REAUTH_TIMEOUT period, wpa_supplicant is restarted.
After authentication, the DHCP client is started.
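The start/stop sequence described above, as an added shell example that is not the cookbook's script: it clears stale wpa_supplicant and DHCP client processes, starts wpa_supplicant, polls wpa_cli until the EAP exchange has succeeded (restarting the supplicant after REAUTH_TIMEOUT), and only then starts the DHCP client. The interface, driver, configuration path and DHCP client name are assumed placeholders for the script's configuration section.

```shell
#!/bin/sh
# Added example, not the cookbook's script. Assumed placeholders: the interface,
# driver, config path and DHCP client below; adjust them for your system.
IFACE="${IFACE:-wlan0}"
DRIVER="${DRIVER:-wext}"
CONF="${CONF:-/etc/eduroam/wpa_supplicant.conf}"
DHCP_CLIENT="${DHCP_CLIENT:-dhclient}"
REAUTH_TIMEOUT="${REAUTH_TIMEOUT:-30}"   # seconds to wait for EAP success

# Reads a 'wpa_cli status' dump on stdin; succeeds only when the association
# is complete AND the EAP exchange reported success (layer 2 is really up).
auth_completed() {
    awk '/^wpa_state=COMPLETED$/ {a=1} /^EAP state=SUCCESS$/ {b=1}
         END {exit !(a && b)}'
}

# Kill any wpa_supplicant and DHCP client bound to this interface.
stop_eduroam() {
    pkill -f "wpa_supplicant.*-i *$IFACE" 2>/dev/null || true
    pkill -f "$DHCP_CLIENT.*$IFACE" 2>/dev/null || true
}

start_supplicant() {
    wpa_supplicant -i "$IFACE" -c "$CONF" -D "$DRIVER" -B
}

start_eduroam() {
    stop_eduroam
    start_supplicant
    waited=0
    # Poll wpa_cli; restart wpa_supplicant if EAP has not succeeded in time.
    while ! wpa_cli -i "$IFACE" status | auth_completed; do
        sleep 1
        waited=$((waited + 1))
        if [ "$waited" -ge "$REAUTH_TIMEOUT" ]; then
            echo "no authentication after ${REAUTH_TIMEOUT}s, restarting" >&2
            pkill -f "wpa_supplicant.*-i *$IFACE" 2>/dev/null || true
            start_supplicant
            waited=0
        fi
    done
    # Layer 2 authenticated; now obtain an IP address (layer 3).
    "$DHCP_CLIENT" "$IFACE"
}

case "${1:-}" in
    start) start_eduroam ;;
    stop)  stop_eduroam ;;
esac
```

Run it as root with the argument start or stop; with no argument it only defines the functions.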

Note: This script has to be run with administrator rights. This can be avoided by creating wrappers, which can
then be connected to panel buttons so that the network can be started and stopped with a mouse click after
providing the administrator's password. To enable this, the following package can be downloaded and used:

http://eduroam.pl/Files/prepare_eduroam_config.tgz.

This utility allows campus administrators to create a configuration script that can be distributed to the users.
The script contains all necessary certificates, scans the system for the needed tools and creates configuration
files, certificate files, sets up the main starting script and wrappers. A full description is beyond the scope of this
document, but can be found in the documentation of the package.

C.3 Intel PROSet/Wireless supplicant

This supplicant (shipped with Intel Centrino chipsets) makes it very easy for an administrator to prepare and
distribute a pre-configured supplicant configuration.

C.3.1 Preparing the profile as an administrator

As an IdP administrator, first create a configuration for yourself in the supplicant. It is suggested that you use a
proper anonymous outer identity of "@realm" (your realm, with nothing left of the @ sign) as the "Roaming
Identity". Now, verify that the settings are correct by connecting to eduroam.

Then, in the main window of the supplicant, click on "Profiles...". In the Profiles window, select the newly
created eduroam entry and then press the "Export" button. You will be prompted for the destination folder of the
profile. The filename in this folder will be the name of the profile as it is shown in the Profiles window.

Note that the exported profile will be exported without your username and password, but with the anonymous
identity preserved, i.e. your own credentials are automatically safe from inadvertent leakage.

Distribute the generated file to your users.

C.3.2 Installing the profile as a user

A simple double-click will install the profile on the user's supplicant. When the user tries to connect for the first
time, he will be prompted for his own username and password.

Note that there will be no visual feedback at all after double-clicking on the profile file. A user might be tempted
to think that nothing happened and try to import the profile twice. In this case, an error message about the
duplicate profile will be displayed. We suggest educating users accordingly.
