BUG: Saved SSID's dosent accept ca_cert, auth and anonymous_identity

akaiser · 2019-11-01T13:50:13.613Z

Hello,

i added to my /etc/config/ssids to a network
option ca_cert ‘/etc/luci-uploads/cbid.wireless.sta.ca_cert’
option auth ‘EAP-MSCHAPV2’
option anonymous_identity ‘PRIVAT’
but when i click connect its not loading this into the /etc/config/wireless
Someone got a fix or can this be fixed pls? Its very important for networks like eduroam or in generall wpa2 enterprise

I use the GL Mifi 4g Smart Router

robotluo · 2019-11-04T07:27:10.602Z

Repeater’s support for EAP is not yet complete. You can configure EAP in luci.

akaiser · 2019-11-04T07:45:50.213Z

i know, i’m already connected to the network, but i have to change it everytime… to fix this would be a job of 10 minutes, thats why i just reported it as bug

robotluo · 2019-11-04T07:47:40.635Z

Thanks for sharing, we will support this feature in the future.

sfx2000 · 2019-11-05T06:33:36.904Z

akaiser:

to fix this would be a job of 10 minutes, thats why i just reported it as bug

Not a 10 minute job actually…

Need to consider the security impact of authenticating on the one side as a trusted client to a WPA2-Enterprise network and not having control of the other side - the SSID there could be open, or another SSID with their own credentials.

akaiser · 2019-11-05T08:14:52.016Z

I talk about connecting to a wpa 2 enterprise network, not creating to one and for this we just need the Anonymous identity, ca cert check and auth type selection

sfx2000 · 2019-11-09T04:34:40.631Z

That’s my point…

If one is on a WPA2-Enterprise network, they’re likely also using 802.1x for port based security on the LAN side.

So connecting to a network like this, there are going to be counter-measures to ensure that devices attached maintain the line of trust.

Without sounding arrogant - are you trying to do something with Eduroam in a campus dorm?

It’s an honest question, as there are devices out there that do not support WPA2-Enterprise properly, nor do they support 802.1x port based access, so folks try hard to work around a platform that is designed to enforce rules for access.

That’s why I said - it’s not a 10-minute fix

akaiser · 2019-11-09T09:43:35.351Z

I just wanna try to connect more then one device via my eduroam account, because normally it just allow one active session. With the NAT from the Mifi it would work. But i have to set the cert, anonymous identity all the time new, then it works.
Then the mifi is doing directly vpn to my home and i have everywhere on the campus my „home wifi“

sfx2000 · 2019-11-09T23:52:16.255Z

Hehe - Eduroam is what it is - just know that it’s constantly evolving over time, and there’s a lot of switches that the campus admin can do - some are more aggressive than others.

Consider the challenge here…

< campus network > — eduroam 802.1x — < client station >

Trust is established here for campus resources and all is good here, as there is end-to-end security from the network to the authenticated device

now consider the following

< campus network> — eduroam 802.1x — < client repeater with not 802.1x > — < other devices either on WPA(2) or open >

See the problem - the chain of trust is now broken, as the repeater can and will allow access to resources that should be protected, and the campus network admin cannot control the WLAN access for the repeater, so it’s treated as a rogue AP.

Rogue AP’s are never a good thing on a campus or enterprise network, and I’ve seen some that will aggressively de-auth the rogue AP if they see it’s attached to the secure network (yes, it’s easy to tell actually based on the framing).

With the MiFi - if you’re attached only to the 3G/4G network from your wireless carrier, you shouldn’t have a problem, other than cost/performance associated with the wireless service provider.

I’ve seen some campuses that deploy Guest WLAN access, some via a Captive Portal, and attaching there shouldn’t be a problem, other than timed access (many are 60 mins, some up to once a day, some don’t care - all depends on the network admin and the access profiles they create)

Hope this helps.

Johnex · 2019-11-10T12:26:46.979Z

Just do add, my university did packet sniffing too, and would instantly ban your account if you for example downloaded a torrent file on the network, even if it was a “legal” one from say downloading Ubuntu.

They also blocked some services.