networkconfigurationsettings

Differences

This shows you the differences between two versions of the page.

networkconfigurationsettings [2021/01/26 10:26]
Andrew Zaborowski [802.1x (WPA/WPA2 Enterprise) settings]
networkconfigurationsettings [2021/05/25 23:45] (current)
Andrew Zaborowski Warn about anonymous vs. secure identity in TTLS/PEAP.
Line 48: Line 48:
 | ''​EAP-Password-Hash'' ​                                | //16-byte hexstring// ​                                                                                                    | An alternative way to specify the MsCHAPv2 password as an MD4 hash, see RFC 2433                                                                                                                                                                                                                  | | ''​EAP-Password-Hash'' ​                                | //16-byte hexstring// ​                                                                                                    | An alternative way to specify the MsCHAPv2 password as an MD4 hash, see RFC 2433                                                                                                                                                                                                                  |
 |  Applies to: **EAP-TLS**,​ **EAP-TTLS**,​ **EAP-PEAP** ​                                                                                                                                                                                                                                                                                                                                                                                                                               ||| |  Applies to: **EAP-TLS**,​ **EAP-TTLS**,​ **EAP-PEAP** ​                                                                                                                                                                                                                                                                                                                                                                                                                               |||
-| ''​EAP-Identity'' ​                                     | //​text// ​                                                                                                                 | EAP identity/​username string transmitted in plaintext. ​ No default, if not provided IWD will request a username at connection time.  See [[https://​tools.ietf.org/​html/​rfc5216#​section-5.2|RFC 5216 Section 5.2]] for requirements on peer identity with regards to client certificate contents. ​ |+| ''​EAP-Identity'' ​                                     | //​text// ​                                                                                                                 | EAP identity/​username string transmitted in plaintext. ​ No default, if not provided IWD will request a username at connection time.  See [[https://​tools.ietf.org/​html/​rfc5216#​section-5.2|RFC 5216 Section 5.2]] for requirements on peer identity with regards to client certificate contents. //Note:// when adapting wpa_supplicant configurations,​ you may need to explicitly copy the value of the //secure// identity here if required by a poorly configured WPA-Enterprise network -- wpa_supplicant silently falls back to the value of ''​identity''​ for ''​anonymous_identity'',​ an undocumented feature/bug.  ​IWD doesn'​t do that to avoid exposing the value in plaintext, the user needs to explicitly set it. |
 | ''​EAP-TLS-CACert'',​\\ ''​EAP-TTLS-CACert'',​\\ ''​EAP-PEAP-CACert''​ | //file path// or //embedded pem// | Path to a PEM-formatted X.509 root certificate list to use for trust verification,​ both for the server'​s certificate chain and the chain specified with ''​ClientCert''​ (if any).  IWD will require that the root in the verified certificate chains is trusted by at least one CA in the list.  If not provided IWD will have no way to authenticate the server -- discouraged. (optional) | | ''​EAP-TLS-CACert'',​\\ ''​EAP-TTLS-CACert'',​\\ ''​EAP-PEAP-CACert''​ | //file path// or //embedded pem// | Path to a PEM-formatted X.509 root certificate list to use for trust verification,​ both for the server'​s certificate chain and the chain specified with ''​ClientCert''​ (if any).  IWD will require that the root in the verified certificate chains is trusted by at least one CA in the list.  If not provided IWD will have no way to authenticate the server -- discouraged. (optional) |
 | ''​EAP-TLS-ClientCert'',​ | //file path// or //embedded pem// | Path to the client X.509 certificate or certificate chain to send on server request. ​ For some networks this is mandatory, for others optional. ​ Supported formats include PEM, DER and PKCS#12. | | ''​EAP-TLS-ClientCert'',​ | //file path// or //embedded pem// | Path to the client X.509 certificate or certificate chain to send on server request. ​ For some networks this is mandatory, for others optional. ​ Supported formats include PEM, DER and PKCS#12. |
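Review bot: In the //Note:// added to the ''EAP-Identity'' row, "the //secure// identity" is not tied to a concrete key on either side, so a reader migrating a configuration cannot tell which value to copy. The sentence only names wpa_supplicant's ''identity'' and ''anonymous_identity'' afterwards, in the explanation of the fallback. Suggest stating directly that the value to copy is wpa_supplicant's ''identity'' and that it goes into ''EAP-Identity'' only when ''anonymous_identity'' was unset in the original configuration. The row sits under "Applies to: **EAP-TLS**, **EAP-TTLS**, **EAP-PEAP**", while the revision summary scopes the warning to TTLS/PEAP, so the note should say it concerns the tunnelled methods. It would also help to spell out the trade-off the last sentence implies: copying the value here means the real username is sent in plaintext, as the row's first sentence says of this field, so it should be done only when the network rejects an anonymous value. Minor: "feature/bug" and the comma splice in "IWD doesn't do that to avoid exposing the value in plaintext, the user needs to explicitly set it" could be tightened into two sentences.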
networkconfigurationsettings.txt · Last modified: 2021/05/25 23:45 by Andrew Zaborowski