PEAP? WPA2 enterprise?

Discussion in 'Networking' started by rgarg, Aug 9, 2008.

  1. rgarg

    MTC

    Can somebody tell me how I can get the network manager to use *.crt certificates? My school has a network that uses only *.crt.
     
    MTC, Sep 4, 2008
    #21
  2. rgarg

    2manydjs

    2manydjs, Sep 10, 2008
    #22
  3. rgarg

    Dros

    Hi,

    I have the strange problem that I can see all the settings and principally know what to choose, but my OK button is greyed out. I use WPA-EAP with TLS, and I need to enter *.der as user key and cert and a *.pem as CA. No problem so far, everything is filled out and I can't press OK. What's wrong?

    I made the upgrade to the new nm-applet. Homeconnection to WPA-Personal works.

    Any ideas? What could be wrong?

    TIA
    Alex
     
    Dros, Sep 15, 2008
    #23
  4. rgarg

    Dros

    Hi,

    for all TLS EAP people around: I found not the solution but an explanation. TLS-EAP won't work with the provided applet, it's a known bug and a future version will fix it. Now we need a wizard who makes us a new fc8 compatible rpm with a new version.

    cu
    Dros
     
    Dros, Sep 19, 2008
    #24
  5. rgarg

    huizing

    My University of Leeuwarden does also only support WPA2 enterprise. I am a Linux-newbie, and found IMSancho's script particularly helpful. Thanks for all the work!
     
    huizing, Sep 19, 2008
    #25
  6. rgarg

    yodersj

    What version is needed? Can you also provide a link to the post or thread that discusses this, please? I'll have no way of testing the EAP-TLS, but do have an interest in making an rpm for the new version if it supports PEAP-GTC. Of course I'd make the rpm available for download.
     
    yodersj, Sep 22, 2008
    #26
  7. rgarg

    Dros

    Hi,

    it's a bit difficult to dig into this bug. Have a look here:

    http://ubuntuforums.org/archive/index.php/t-797059.html

    More recent than that one:

    http://www.asoftsite.org/s9y/archives/145-NetworkManager-0.7-is-back-New-PPA.html

    and the bug:

    https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/245184

    You can easily check, if this bug is gone. It's a gui problem, if you enter a few valid certs you should be able to click "ok", the button shouldn't be greyed out. After my research the newer versions of NM will do the job.

    cu
    Alex
     
    Dros, Sep 22, 2008
    #27
  8. rgarg

    yodersj

    Dros, I think I've figured it out for your situation. If you can stop nm-applet and then run it again from the terminal then you would probably see, right after picking a certificate file, an error like:
    Code:
    ** (nm-applet:3991): WARNING **: Error: couldn't verify certificate: 3 Couldn't decode certificate: -12285
    I hesitate to ask you to stop and restart nm-applet because I'm not sure if it would cause some of the gnome-keyring issues others have reported. However, I can tell you what happened with my tests and how I "fixed" it and you might be able to do something similar.

    Before we get too into it, are you using separate files for "User Certificate" and "Private Key"? It is expecting the user public certificate file for "User Certificate" and the user private key file for "Private Key". If that is all sorted and you are still having an issue, then continue onward.

    For testing what I did was set up a quick Certificate Authority (CA) using openssl. I needed a public root certificate, a user public certificate, and a user private key in order to test with approximately the same items you have. I won't go into the details here as it doesn't really apply. Long story short, the user public .pem file I generated couldn't even be selected for the "User Certificate". However I could select the public root certificate for "CA Certificate" and the private user certificate for "Private Key". Yet when I did so I received the above error.

    Not being a genius for making certificates and not finding a specific answer to what format nm-applet actually wanted I finally found this page:
    https://wiki.thayer.dartmouth.edu/display/linux/Connecting to Dartmouth Secure
    If you are able to get the certificate for your wireless as a PKCS12 (it will have a .p12 extension) certificate then just follow their steps for "Convert PKI certificates to PEM format" under the Fedora section. The first and third "openssl" command in their steps will ask for a "PEM pass phrase" and I set them both the same. Then I used that same password in the "Private Key Password" box. Once it was typed in correctly the "Connect" button was then clickable.

    If you can't get your wireless certificate in a PKCS12 format, let me know and I'll try to help you make one out of the files you have. Combining my non-working files into PKCS12 format and then following their steps worked for me.
     
    yodersj, Sep 23, 2008
    #28
  9. rgarg

    Dros

    **WORKING** PEAP? WPA2 enterprise?

    Hi yodersj,

    thanks for your help. Because I use TinyCA for our university CA-structure, I can create almost any kind of certs, so I reproduced your tests and it works!

    You have to use PEMs for cert, key and CA. The key PEM must have a password (I normally use PEMs without a password, because we use a per machine authentication, not per user). I tested with DER and P12, as other users have suggested, but it didn't work. You need 3 PEMs, and the personal-key-PEM must have a password to make it work. Then you get the Connect Button ungreyed. The password of the PEM is stored in the keymanager and was still there after reboot.

    Thanks yodersj you made my day and I owe you a beer. :)

    I furthermore found out, that the wizard of the VPN connections has the same problem. Normally we use for OpenVPN Roadwarriors a P12 cert, which doesn't work in this case. The P12 has to be split in different PEMs and then even OpenVPN works.

    It's a bit tricky and buggy with nm-applet. I normally use Debian and had never such problems.

    cu
    Dros
     
    Dros, Sep 23, 2008
    #29
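
Added example, not part of any post in this thread: a Python pre-flight check for the file layout Dros reports as working above (three PEM files, with a pass phrase on the private key). It also shows how an encrypted PEM key is told apart from a plain one or from a DER/PKCS#12 file. The function names and sample blobs are constructed for illustration, and the rule it checks is this thread's finding, not documented nm-applet behaviour.

```python
import re

# PEM armour: "-----BEGIN <label>-----" ... "-----END <label>-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify(data: bytes) -> str:
    """Return a coarse type for one credential file's raw bytes."""
    m = PEM_BLOCK.search(data)
    if m is None:
        # DER certificates/keys and PKCS#12 bundles are binary ASN.1 and
        # start with a SEQUENCE tag (0x30); they carry no PEM armour.
        return "binary-asn1" if data[:1] == b"\x30" else "unknown"
    label, body = m.group(1), m.group(2)
    if label == b"CERTIFICATE":
        return "pem-cert"
    if label == b"ENCRYPTED PRIVATE KEY":      # PKCS#8, encrypted
        return "pem-key-encrypted"
    if label.endswith(b"PRIVATE KEY"):
        # Traditional OpenSSL keys flag encryption in a Proc-Type header.
        if b"Proc-Type: 4,ENCRYPTED" in body:
            return "pem-key-encrypted"
        return "pem-key-plain"
    return "unknown"

def preflight(ca: bytes, cert: bytes, key: bytes) -> list:
    """List the ways the three files miss the layout reported in the thread."""
    problems = []
    for name, blob in (("CA certificate", ca), ("user certificate", cert)):
        kind = classify(blob)
        if kind != "pem-cert":
            problems.append(f"{name}: expected PEM certificate, got {kind}")
    kind = classify(key)
    if kind == "pem-key-plain":
        problems.append("private key: PEM but has no pass phrase")
    elif kind != "pem-key-encrypted":
        problems.append(f"private key: expected encrypted PEM key, got {kind}")
    return problems

# Constructed samples: armour and headers are real, the bodies are filler.
CERT = b"-----BEGIN CERTIFICATE-----\nTUlJQ2ZpbGxlcg==\n-----END CERTIFICATE-----\n"
KEY_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\nTUlJRWZpbGxlcg==\n"
             b"-----END RSA PRIVATE KEY-----\n")
KEY_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           b"ZmlsbGVy\n-----END RSA PRIVATE KEY-----\n")
DER_BLOB = b"\x30\x82\x01\x0a" + b"\x00" * 8   # stands in for a .der or .p12 file
```

An empty list from `preflight()` means all three files match the layout; each string otherwise names the file that would need converting or re-encrypting.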
  10. rgarg

    whalertly

    i followed this and it keeps telling me that it can not find that folder
     
    whalertly, Sep 24, 2008
    #30
  11. rgarg

    IMSancho

    Does it say which folder? Are you getting that error at the first or second step? What directory did you download the archive to? Can you change to that directory and do an 'ls -al' to check the file size and permissions?
     
    IMSancho, Sep 24, 2008
    #31
  12. rgarg

    whalertly

    i followed the steps one by one, it couldn't download one folder (couldn't find it) then couldn't install the other things
    i lost my manager then (no more internet)

    using a diff. computer i downloaded the folders, USBsticked it to downloads, and tried to follow your steps, could not find the folder for tar gvf command

    i then tried to extract it myself and run the script manually, that resulted in 'permission not granted'
     
    whalertly, Sep 24, 2008
    #32
  13. rgarg

    JaegerWulf

    Hello,

    First off, thanks for the script. I was able to update my Network Manager.

    I have a couple of problems though:
    First, I was able to connect to my home wireless network just fine, but it will not save the key. Every time that I start up my computer, I have to reenter the key. I even tried to Edit the connection, and it will not remember the key. Is this normal?

    Second, I am attempting to connect to my TTU (Texas Tech University) wireless. It requires IEEE 802.1x. This updated version of Network Manager has Dynamic WEP (802.1x) but not IEEE 802.1x. Any idea on how to add that wireless security protocol?

    Lastly, whenever my aspire goes to standby, the Network Manager icon disappears. When I go into my Setting tab and click on Network Center, nothing comes up. I have to restart the computer to get the icon to come back (yay for flashbacks to Windows!)

    Thanks for any help that can be given.

    Edit: I noticed earlier that you could choose WPA Enterprise as the Wireless Security protocol. I do not have that listed as an option (even after updating the software via the script given here). These are my Wireless Security options: WEP 128-bit Passphrase, WEP 40/128-bit Hexadecimal, WEP 40/128-bit ASCII, LEAP, Dynamic WEP (802.1x). Any idea on how to get WPA on there?

    Second Edit: Alright, I was able to get WPA and WPA2 Enterprise to pop up by selecting Connect to Other Wireless Network. Long story, I'm trying to follow the directions here: http://narnia.cs.ttu.edu/drupal/node/147/ and I'm not having much success, as the two Network Managers don't seem to be exactly the same.
     
    JaegerWulf, Sep 24, 2008
    #33
  14. rgarg

    IMSancho

    I'm not sure what you mean by 'downloaded folders'. There is just 1 file to download, here, which is then unpacked and the install script run. Make sure you are saving the file to a folder you have permissions for, like /home/user/Downloads, and you shouldn't get any permission problems. You don't need to specify the path to the tar command, /bin is already in your 'PATH' environment variable.

    JaegerWulf, try reading through this thread to fix up your disappearing WPA key.

    For your university's settings I would suggest WPA Enterprise, PEAP, no anon identity, no CA cert, PEAP version 0 and MSCHAPv2 (as well as your user credentials of course). Try to connect a few times with that and if it doesn't work try PEAP version 1. As for not coming back up after suspend, I haven't come across that myself so I'm not sure on that one, try searching around the forums a bit though as I think it was mentioned on here at some time.
     
    IMSancho, Sep 24, 2008
    #34
  15. rgarg

    whalertly

    it is not finding the last file
     
    whalertly, Sep 25, 2008
    #35
  16. rgarg

    IMSancho

    So you extracted the archive, ran the script, and it can't find the vpnc package? Did that file extract from the archive properly? It should be around 111KB in size. It would be a lot easier to figure out what's going wrong if you could copy and paste the results of running the script into a post here.

    Oh and JaegerWulf, I just had a better read of the guides on your Uni's site and it seems they are actually using WEP :shock: So your security type should actually be Dynamic WEP (802.1x), not WPA/WPA2 Enterprise.
     
    IMSancho, Sep 25, 2008
    #36
  17. rgarg

    JaegerWulf

    IMSancho, that's fine. I've tried to connect to it via every possible combination and it just isn't working. I tried Dynamic WEP with every possible combination of options (even tried every possible combination of security protocols with every possible combination of options), just doesn't work. I even tried to install Wicd over the network manager (both old and this recently updated one). Doesn't work. Hell! To punch the nail in the coffin, I took to my friend who uses Linux frequently and has been for years (grad student, works in the university EE department). We spent hours on it, and could not get it to work.

    I've followed guides, gone through these forums, had your help (and that got me the closest to success, thanks :) ), but it won't work. I'm going to see if I can't exchange this computer in for the XP version. The computer and the system are perfect. But if the software or OS (Linux based) don't work (or takes too much effort, i.e. 10 hours of dedicated work over the last four days, to work), then there is no point. I'm not a technotard by any means (neither is my Electrical Engineer friend for that matter), so it shouldn't be this difficult. I'm also not out to prove myself or use this system beyond what a UMPC / netbook is good for (i.e. word processing and wifi internet), so I'll deal with spyware and a bulky OS that is usable.

    Not dogging Linux or the people that use it. You guys have been great and I'm sure it's a great OS for its purposes, I just had to write out my capitulation (I'm about as angry as can be. It's going to cost me about 40 dollars to ship and replace this thing... I'm also angry at having to live where I do... I'm more angry at myself for not just spending 20 dollars extra at the time to get XP and thinking that I could take on the challenge of using Linux).

    Alright, thanks again for your help. This update got me so close. The Acer Aspire One is the perfect machine for me, just gotta get XP.

    Cheers all.
     
    JaegerWulf, Sep 25, 2008
    #37
  18. rgarg

    whalertly

    I was talking about your original post with the wget# and all of that

    as for the package, none of them were found once extracted... i am no longer trying as 14 hours of this and i am tired of restoring, just going to call and bug the shit out of acer
     
    whalertly, Sep 25, 2008
    #38
  19. rgarg

    saymyname

    i applied the script and now no wifi icon and no network center and i cannot connect to wifi :cry: :cry: :cry: :cry:
     
    saymyname, Sep 25, 2008
    #39
  20. rgarg

    scottro

    Good luck. More and more, one is getting the feeling that Acer could care less. They seem to have pretty much ignored all the primary complaints about the machine save for the short battery life--though, with their as yet to be released (save, apparently, for one Canadian distributor) 6 cell, it seems as if they're ignoring that too.
     
    scottro, Sep 25, 2008
    #40