You can check what the access point is broadcasting in its beacons by doing this (you'll need the wireless-tools package):
$ sudo iwlist wlan0 scanning
The output varies by device, and will display every SSID the interface can see. My WPA2 access point gives this (from iwlist's very verbose output):
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
You can also interrogate wpa_supplicant directly, which might be more what you're after:
$ sudo wpa_cli status
Selected interface 'wlan0'
bssid=c8:d7:19:01:02:03
ssid=whatever-SSID-you-are-using
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP <-- cipher
key_mgmt=WPA2-PSK <-- key mode
wpa_state=COMPLETED
ip_address=10.20.30.4
address=88:53:2e:01:02:03
I ended up talking to the organization's IT and resolved the issue easily.
My mistake consisted of several missteps:
- including the wrong certificate
- not including the right root certificate
- not ordering the certificates in the right order
The "CA certificate" file needs to be a single text file (PEM format)
containing a list of certificates, chained in order of trust (the least
trusted first, the most trusted last).
The RADIUS certificate does not need to be included (and should not be).
The RADIUS certificate also has the shortest valid lifetime.
We have to include the upstream certificates up to the root certificate in order for this approach to work.
In my case, the order of trust is like this (from least to most trusted):
RADIUS cert -> intermediary cert -> root cert
Warning: Your case may be very different.
The IT guy told me that my root certificate is "GlobalSign Root R1", which has the following serial number:
04:00:00:00:00:01:15:4b:5a:c3:94
I would not have been able to locate this without his help.
I downloaded the root certificate from the GlobalSign website (see below),
then converted the binary certificate to PEM format:
$ openssl x509 -inform der -in Root-R1.crt -out Root-R1.pem
then chained the certificates (as root):
# cat globalsign_intermediary.pem Root-R1.pem > /etc/NetworkManager/certs/work/all-certs.pem
and included the full path of all-certs.pem in NetworkManager's connection setting (via the GUI or by editing the text file that I listed in the question).
Now, restart NetworkManager -- on my Debian box that means issuing:
# service networkmanager restart
Once restarted, I was able to verify the AP's authenticity as indicated in syslog:
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/XXXXXX (details removed)'
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-MSCHAPV2: Authentication succeeded
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
More gory details
For the interested ones, the intermediate certificate has the following subject:
subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
This "organization" CA should use the R1 key, as shown here:
https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates
Best Answer
You could use Wireshark to dump the handshake, then convert the binary data to PEM with openssl, as suggested by @grawity in a similar question at superuser: