Linux – Setting up connection to WPA2 Enterprise (PEAP/MSCHAPv2) with two-level certificate

Tags: authentication, linux, security, wifi, wpa2-eap

For a long time, I have been able to use NetworkManager + wpa_supplicant as configured in Debian 7 to connect to a secure wireless network at work (which is WPA2 Enterprise, with PEAP + MSCHAPv2 authentication).

Recently I have wanted to increase the security of the connection by incorporating the server's certificate into my NetworkManager connection setting. I received two PEM keys from the network administrator:

  • radius1.pem — the RADIUS certificate
  • globalsign_intermediary.pem — the intermediary certificate

The RADIUS cert depends on the intermediary cert for its authenticity; and the intermediary cert depends on the ultimate root CA from GlobalSign.

Here's my goal: I want to have my laptop check the authenticity of the wifi access point whenever I connect to the wifi network. How do I put these certs in the connection setting (the /etc/NetworkManager/system-connections/THE-AP-NAME file) so that I can accomplish this goal? To be specific: which file should be listed where (e.g., in what config file), and what additional steps are needed to get the server certificate(s) verified? I am asking this here since all that I found elsewhere is a one-step certificate check, in which the certificate probably depends on a well-established root CA rather than an intermediary CA like in my case.

Currently this is the content of my connection setting file (XXXX and YYYY denote obscured info):

[ipv6]
method=ignore

[connection]
id=XXXXXXXXX
uuid=XXXXXXXXX
type=802-11-wireless
timestamp=1436377448

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-11-wireless]
ssid=XXXXXXXXX
mode=infrastructure
seen-bssids=XXXXXXXXX
security=802-11-wireless-security

[802-1x]
eap=peap;
identity=XXXXXXXXX
password=YYYYYYYYY
ca-cert=/etc/NetworkManager/certs/work/globalsign_intermediary.pem
phase2-auth=mschapv2

[ipv4]
method=auto

As you can see, I was using the intermediary cert file. But this was not right. Neither was it right to use only the RADIUS cert file. In either case, I got the following error in syslog:

Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul  8 12:02:37 wirawan1 kernel: [3880972.051159] wlan0: Limiting TX power to 20 (20 - 0) dBm as advertised by xx:xx:xx:xx:xx
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2' err='unable to get local issuer certificate'
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jul  8 12:02:37 wirawan1 wpa_supplicant[3638]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul  8 12:02:38 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jul  8 12:02:40 wirawan1 wpa_supplicant[3638]: wlan0: Authentication with xx:xx:xx:xx:xx timed out.

Apparently the trust chain cannot be established.

The hardware is (lspci):

03:00.0 Network controller: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection

It uses the iwlwifi+iwldvm driver. The kernel version is 3.12.9-1~bpo70+1 (2014-02-07), from the Debian backports package linux-image-3.12-0.bpo.1-amd64.

I am not new to Linux, but I really don't know how to deal with X.509 and/or SSL/TLS security in Linux, so please answer with step-by-step instructions. Googling around to find the answer to this problem has left me frustrated. The wpa_supplicant documentation is very terse in discussing the use of certificates in conjunction with WPA2 Enterprise. And NetworkManager's documentation is even poorer.

Best Answer

I ended up talking to the organization's IT and resolved the issue easily. My mistake consisted of several missteps:

  • including the wrong certificate
  • not including the right root certificate
  • not ordering the certificates in the right order

The "CA certificate" file needs to be a single text file (PEM format) containing a list of certificates, chained in order of trust (the least trusted first, the most trusted last). The RADIUS certificate does not need to be included (and should not be). The RADIUS certificate also has the shortest valid lifetime. We have to include the upstream certificates up to the root certificate in order for this approach to work. In my case, the order of trust is like this (from least to most trusted):

RADIUS cert -> intermediary cert -> root cert

Warning: Your case may be very different. The IT guy told me that my root certificate is "GlobalSign Root R1", which has the following serial number:

04:00:00:00:00:01:15:4b:5a:c3:94

I would not have been able to locate this without his help. I downloaded the root certificate from the GlobalSign website (see below), then converted the binary certificate to PEM format:

$ openssl x509 -inform der -in Root-R1.crt -out Root-R1.pem

then chained the certificates as root

# cat globalsign_intermediary.pem Root-R1.pem > /etc/NetworkManager/certs/work/all-certs.pem

and included the full path of all-certs.pem in NetworkManager's connection setting (via the GUI or by editing the text file that I listed in the question). Now, restart NetworkManager; on my Debian box that means issuing:

# service network-manager restart

Once restarted, I was able to verify the AP's authenticity as indicated in syslog:

Jul  8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul  8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul  8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
Jul  8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul  8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/XXXXXX (details removed)'
Jul  8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-MSCHAPV2: Authentication succeeded
Jul  8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Jul  8 16:03:33 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

More gory details

For those interested, the intermediate certificate has the following subject:

subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2

This "organization" CA should use the R1 key, as shown here:

https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates
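The following script is an added worked example; it is not code from the original question or answer. It reproduces the answer's procedure end to end with a throwaway, made-up PKI (an "Example Root CA", an "Example Intermediate CA" and a server cert for the invented name radius1.example.org, all generated on the fly with openssl), so it runs offline with nothing but the openssl command-line tool. It shows the failure the question hit (a ca-cert file holding only the intermediate has no trusted self-signed root to chain to), builds the intermediate+root bundle in the order the answer describes while rejecting the three missteps listed there (a non-CA cert such as the RADIUS server's own, a missing root, a wrong order), and verifies a server certificate against the bundle the way wpa_supplicant's OpenSSL backend does. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It builds a
# throwaway three-level PKI (root CA -> intermediate CA -> RADIUS server
# cert) with made-up names, then shows why a ca-cert file holding only the
# intermediate cannot be verified, how to assemble and sanity-check the
# intermediate+root bundle the answer describes, and how to verify a server
# cert against it. Requires only the openssl command-line tool.
set -eu

# Subject / issuer of a PEM cert in fixed RFC 2253 form, for string comparison.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[^=]*=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[^=]*=//'; }

# build_ca_bundle OUT CERT... : write CERTs to OUT, least trusted first
# (intermediate) and root last, as the answer describes. Before writing,
# refuse anything that is not a CA cert (the RADIUS server's own cert does
# not belong here), any pair whose issuer/subject do not link, and a last
# cert that is not self-signed. Each of the answer's three missteps fails
# here instead of at the access point.
build_ca_bundle() {
  out="$1"; shift
  prev=""
  for cert in "$@"; do
    if ! openssl x509 -noout -text -in "$cert" | grep -q 'CA:TRUE'; then
      echo "$cert is not a CA certificate" >&2; return 1
    fi
    if [ -n "$prev" ]; then
      want=$(cert_issuer "$prev"); got=$(cert_subject "$cert")
      if [ "$want" != "$got" ]; then
        echo "chain break: $prev was issued by '$want' but $cert is '$got'" >&2
        return 1
      fi
    fi
    prev="$cert"
  done
  if [ "$(cert_issuer "$prev")" != "$(cert_subject "$prev")" ]; then
    echo "last cert $prev is not a self-signed root" >&2; return 1
  fi
  cat "$@" > "$out"
}

# verify_server_cert BUNDLE SERVER_CERT [HOSTNAME] : the same X.509 path
# validation wpa_supplicant's OpenSSL backend performs against ca-cert.
# Success is detected from the ": OK" line because old openssl releases
# exit 0 even when verification fails. With HOSTNAME the cert must also be
# issued for that name: trusting a public root alone accepts every server
# cert that root ever signed, not just your RADIUS server's.
verify_server_cert() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  printf '%s\n' "$out"
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# make_test_pki DIR : generate root.pem, inter.pem and radius.pem (with
# keys) in DIR using a minimal self-contained openssl config (made-up names).
make_test_pki() {
  d="$1"; cnf="$d/openssl.cnf"
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius1.example.org
EOF
  for n in root inter radius; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done
  openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 30 -key "$d/root.key" \
    -subj "/C=XX/O=Example/CN=Example Root CA" -out "$d/root.pem"
  openssl req -new -config "$cnf" -key "$d/inter.key" \
    -subj "/C=XX/O=Example/CN=Example Intermediate CA" -out "$d/inter.csr"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -extfile "$cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  openssl req -new -config "$cnf" -key "$d/radius.key" \
    -subj "/C=XX/O=Example/CN=radius1.example.org" -out "$d/radius.csr"
  openssl x509 -req -in "$d/radius.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -set_serial 3 \
    -days 30 -extfile "$cnf" -extensions v3_server -out "$d/radius.pem" 2>/dev/null
}

demo() {
  w=$(mktemp -d)
  make_test_pki "$w"
  echo "== ca-cert = intermediate only (the question's setup): no trusted root"
  verify_server_cert "$w/inter.pem" "$w/radius.pem" || true
  echo "== ca-cert = intermediate + root bundle (the answer's fix), plus name check"
  build_ca_bundle "$w/all-certs.pem" "$w/inter.pem" "$w/root.pem"
  verify_server_cert "$w/all-certs.pem" "$w/radius.pem" radius1.example.org
  rm -rf "$w"
}
demo
```

With real files, run build_ca_bundle with your administrator's intermediate and the downloaded root, then verify_server_cert with the bundle and the radius1.pem you were given before pointing ca-cert= in the [802-1x] section at the bundle; if openssl cannot build the chain, neither will wpa_supplicant. The hostname argument stands in for a check the answer's configuration does not make: with a public root such as GlobalSign's as ca-cert, any server certificate that root has ever issued to anyone would pass. NetworkManager's [802-1x] section accepts subject-match= (and, in newer releases, domain-suffix-match=) to pin the accepted server certificate name, and wpa_supplicant has the equivalent domain_suffix_match option.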