Debian WPA/WPA2 – PEAP + EAP TLS

This page explains how to configure a Debian client to connect to networks protected by IronWifi, using either PEAP (username and password) or EAP-TLS (client certificate).

Certificates and parameters needed to complete the connection:

password – the password for the client certificate bundle (*.p12), provided by the console together with the bundle,
certification authority (CA) – ironwifi.crt, downloaded from the account section of the console,
private key – *.pem, exported from XCA (unencrypted, see step 4),
client certificate – *.crt, exported from XCA (see step 5),
client certificate bundle – *.p12, downloaded from the console; it is imported into XCA only so that the key and certificate can be re-exported in the formats wpa_supplicant expects

1. Download the CA certificate and the client certificate bundle from the console (referred to below as the CA/CLIENT CERTIFICATES).

2. Install XCA, a GUI tool for managing certificates and keys.


apt-get install xca

3. Import the client certificate bundle (*.p12) into XCA through the GUI (create a local XCA database to store the certificates before importing); this is referred to below as the PUBLIC CERTIFICATE.

4. Export the private key from XCA with the parameters NO PASSWORD CHANGE and PEM FORMAT (the default: an unencrypted private key in text form). The exported file holds the key in clear text, so keep it where only root can read it (wpa_supplicant runs as root), for example with chmod 600.

5. Export your own public client certificate from XCA with the parameters PUBLIC OWN CERTIFICATE and PEM – CRT FORMAT (the default: PEM text format with headers).

6. Remove the default network manager (be sure you have already downloaded all certificates and have an Ethernet connection available in case of problems).


apt-get purge network-manager network-manager-gnome

7. Install the WiCD network manager (it handles both Ethernet and Wi-Fi devices). WiCD is Python 2 software and was dropped from the Debian archive after buster, so these steps apply to releases that still carry it.


apt-get install wicd wicd-cli wicd-curses wicd-daemon wicd-gtk

8. Copy the default encryption templates, edit the copies as shown below, add the new template names to the active list (WiCD must be restarted to pick up template changes) and reboot. Note that the templates below set no ca_cert, so wpa_supplicant does not verify the RADIUS server's certificate before sending the MSCHAPv2 credentials; if you want that check, add a ca_cert line pointing at ironwifi.crt from step 1 to the network block, together with a matching require field in the header.


cd /etc/wicd/encryption/templates
cp wpa-peap wpa-peap-nodomain
cp wpa2-peap wpa2-peap-nodomain

nano /etc/wicd/encryption/templates/wpa-peap-nodomain

name = WPA1-PEAP with CCMP/MSCHAPV2 NO DOMAIN
author = atiketemola
version = 1
require identity *Username password *Password
protected password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
proto=WPA
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
identity="$_IDENTITY"
password="$_PASSWORD"
phase2="auth=MSCHAPv2"
}

nano /etc/wicd/encryption/templates/wpa2-peap-nodomain

name = WPA2-PEAP with CCMP/MSCHAPV2 NO DOMAIN
author = atiketemola
version = 1
require identity *Username password *Password
protected password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
identity="$_IDENTITY"
password="$_PASSWORD"
phase2="auth=MSCHAPv2"
}

nano /etc/wicd/encryption/templates/active

wpa
wpa-peap
wpa-peap-nodomain
wpa-psk
wpa-psk-hex
wpa2-leap
wpa2-peap
wpa2-peap-nodomain
wep-hex
wep-passphrase
wep-shared
leap
ttls
eap
peap
peap-tkip
eap-tls
psu

reboot

9. Configure the network in WiCD with the following settings.

> WPA/WPA2 PEAP >
profile: WPA2-PEAP with CCMP/MSCHAPV2 NO DOMAIN
username: your IronWifi username
password: your IronWifi password

> EAP TLS >
profile: EAP-TLS
identity: your IronWifi username
private key: /path/testxx_key.pem (exported in step 4)
private key password: password
CA cert: /path/ironwifi.crt
Client cert: /path/testxx.crt (exported in step 5)

At this point you should be able to reach the access point's network and the internet, unless the network also uses a captive portal that requires an extra step in the browser.
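The template format used in step 8 (a header of key = value lines and require/protected field declarations, a ----- separator, then a wpa_supplicant network block with $_FIELD placeholders) is easy to get subtly wrong, and the PEAP templates above do not make wpa_supplicant verify the RADIUS server. The following Python script is an added example written for this page, not code from wicd or IronWifi: it parses a template, substitutes the fields the way wicd does, audits the rendered block for a missing ca_cert (and for proto=WPA), and produces a variant of the template with a required CA certificate field. The embedded template is the WPA2-PEAP NO DOMAIN one from step 8; the SSID, username, password and certificate path are made-up sample values, and the field label Path_to_CA_Cert is an assumption.

```python
"""Render and audit wicd encryption templates like the NO DOMAIN ones in step 8.

Added example for this page, not code from wicd or IronWifi.  The template text
is the WPA2-PEAP NO DOMAIN template above; any SSID, username, password or
certificate path passed to these functions is sample input.
"""
import re

SEPARATOR = "-----"                            # header / wpa_supplicant body divider
PLACEHOLDER = re.compile(r"\$_([A-Z0-9_]+)")   # $_IDENTITY, $_PASSWORD, $_ESSID ...

WPA2_PEAP_NODOMAIN = """\
name = WPA2-PEAP with CCMP/MSCHAPV2 NO DOMAIN
author = atiketemola
version = 1
require identity *Username password *Password
protected password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
identity="$_IDENTITY"
password="$_PASSWORD"
phase2="auth=MSCHAPv2"
}
"""


def parse_template(text):
    """Return (metadata dict, required field names, wpa_supplicant body).
    require/optional/protected lines hold name/*Label pairs; only names matter here."""
    head, sep, body = text.partition(SEPARATOR + "\n")
    if not sep:
        raise ValueError("template has no ----- separator line")
    meta, required = {}, []
    for line in filter(None, map(str.strip, head.splitlines())):
        kind, _, rest = line.partition(" ")
        if kind in ("require", "optional", "protected"):
            names = rest.split()[0::2]         # every other token is a field name
            if kind == "require":
                required.extend(names)
        else:
            key, _, value = line.partition("=")
            meta[key.strip()] = value.strip()
    return meta, required, body


def missing_fields(text, **fields):
    """Required fields the caller supplied no value for."""
    return [n for n in parse_template(text)[1] if n not in fields]


def render(text, essid, **fields):
    """Fill in $_FIELD placeholders as wicd does before handing the block to
    wpa_supplicant ($_ESSID comes from the scan, the rest from the profile)."""
    missing = missing_fields(text, **fields)
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    values = {n.upper(): v for n, v in fields.items()}
    values["ESSID"] = essid

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError("no value for placeholder $_" + name)
        return values[name]

    return PLACEHOLDER.sub(substitute, parse_template(text)[2])


def audit(rendered):
    """Findings for a rendered network block that weaken EAP security."""
    settings = {}
    for line in rendered.splitlines():
        key, eq, value = line.strip().partition("=")
        if eq and key != "network":            # skip the 'network={' opener
            settings[key] = value.strip('"')
    findings = []
    if "eap" in settings and "ca_cert" not in settings:
        # Without ca_cert wpa_supplicant accepts any server certificate, so a
        # rogue AP can terminate the PEAP tunnel and collect the MSCHAPv2 exchange.
        findings.append("eap=%s without ca_cert: server certificate not verified"
                        % settings["eap"])
    if settings.get("proto") == "WPA":
        findings.append("proto=WPA selects WPA1; use proto=RSN for WPA2")
    return findings


def add_ca_cert(text):
    """Template variant with a required CA certificate field (label assumed)
    wired into the network block, so the supplicant verifies the server first."""
    head, sep, body = text.partition(SEPARATOR + "\n")
    head = head.replace("require ", "require ca_cert *Path_to_CA_Cert ", 1)
    return head + sep + body.replace("\n}", '\nca_cert="$_CA_CERT"\n}', 1)
```

Calling render(WPA2_PEAP_NODOMAIN, "IronWifi-Test", identity="alice", password="s3cret") and passing the result to audit() reports the missing ca_cert; rendering add_ca_cert(WPA2_PEAP_NODOMAIN) with ca_cert="/etc/wicd/certs/ironwifi.crt" supplied yields a block that audits clean, and the unrendered output of add_ca_cert can be saved into the templates directory as a third NO DOMAIN variant and listed in the active file.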