mjhjmtu

For a long time, I have been able to use NetworkManager + wpa_supplicant as configured in Debian 7 to connect to a secure wireless at work (which is WPA2 Enterprise, with PEAP + MSCHAPv2 authentication).

Recently I want to increase the security of the connection by incorporating the server's certificate into my Network Manager connection setting. I received two PEM keys from the network administrator:

• radius1.pem -- the RADIUS certificate


• globalsign_intermediary.pem -- the intermediary certificate

The RADIUS cert depends on the intermediary cert for its authenticity; and the intermediary cert depends on the ultimate root CA from GlobalSign.

Here's my goal: I want to have my laptop check the authenticity of the wifi access point whenever I connect to the wifi network. How do I put these certs in the connection setting (/etc/NetworkManager/system-connections/THE-AP-NAME file) so that I can accomplish this goal? To be specific: which file should be listed where (e.g., what config file), and what additional steps are needed to get the server certificate(s) verified? I am asking this here since all that I found elsewhere are 1-step certificate check, in which the certificate probably depends on a well-established root CA rather than an intermediary CA like in my case.

Currently this is the content of my connection setting file (XXXX and YYYY denoted obscured info):

[ipv6]
method=ignore

[connection]
id=XXXXXXXXX
uuid=XXXXXXXXX
type=802-11-wireless
timestamp=1436377448

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-11-wireless]
ssid=XXXXXXXXX
mode=infrastructure
seen-bssids=XXXXXXXXX
security=802-11-wireless-security

[802-1x]
eap=peap;
identity=XXXXXXXXX
password=YYYYYYYYY
ca-cert=/etc/NetworkManager/certs/work/globalsign_intermediary.pem
phase2-auth=mschapv2

[ipv4]
method=auto

As you see, I was using the intermediary cert file. But this was not right. Neither was it right to use only the RADIUS cert file. In either case, I got the following error in syslog:

Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul 8 12:02:37 wirawan1 kernel: [3880972.051159] wlan0: Limiting TX power to 20 (20 - 0) dBm as advertised by xx:xx:xx:xx:xx
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2' err='unable to get local issuer certificate'
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jul 8 12:02:37 wirawan1 wpa_supplicant[3638]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 8 12:02:38 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jul 8 12:02:40 wirawan1 wpa_supplicant[3638]: wlan0: Authentication with xx:xx:xx:xx:xx timed out.

Apparently the trust chain cannot be established.

The hardware is (lspci):

03:00.0 Network controller: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection

It uses iwlwifi+iwldvm driver. Kernel version 3.12.9-1~bpo70+1 (2014-02-07), from debian backport package linux-image-3.12-0.bpo.1-amd64.

I am not new to Linux, but really don't know how to deal with x509 and/or SSL/TLS security in Linux, so please answer with step-by-step instruction. Googling around to find the answer to this problem has left me frustrated. The WPA supplicant documentation is very terse in discussing the use certificates in the conjunction with WPA2 Enterprise. And the NetworkManager has even poorer documentation.

I ended up talking to the organization's IT and resolved the issue easily.
My mistake consists of several missteps:

• including the wrong certificate


• not including the right root certificate


• not ordering the certificates in the right order

The "CA certificate" file needs to be a single text file (PEM format)
containing a list of certificates, chained in order of trust (the least
trusted first, the most trusted last).
The RADIUS certificate does not need to be included (and should not be).
The RADIUS certificate also has the shortest valid lifetime.
We have to include the upstream certificates until the root
certificate in order for this approach to work.
In my case, the order of trust is like this (from least to most trusted):

RADIUS cert -> intermediary cert -> root cert

Warning: Your case may be very different.
The IT guy told me that my root certificate is "GlobalSign
Root R1", which has the following serial number:

04:00:00:00:00:01:15:4b:5a:c3:94

I would not have been able to locate this without his help.
I downloaded the root certificate from the GlobalSign website (see below),
then converted the binary certificate to PEM format:

$ openssl x509 -inform der -in Root-R1.crt -out Root-R1.pem

then chained the certificates as root

# cat globalsign_intermediary.pem Root-R1.pem > /etc/NetworkManager/certs/work/all-certs.pem

and included the full path of all-certs.pem in the NetworkManager's
connection setting (via the GUI or editing the text file that I listed in
the question).
Now, restart NetworkManager -- in my debian box it means issuing:

# service networkmanager restart

Once restarted, I was able to verify the AP's authenticity as indicated in syslog:

Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/XXXXXX (details removed)'
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-MSCHAPV2: Authentication succeeded
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

There you go. Hope this answer can help some else. It took me much sweat
to figure this out.

Wirawan

More gory details

For the interested ones, the intermediate certificate has the following subject:

subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2

This "organization" CA should use the R1 key, as shown here:

https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates