
Monday, 15 June 2009

How to configure Ubuntu 8.10 / 9.04 for 802.1x WPA TKIP environment


The IIUM wireless environment implements WPA authentication and TKIP encryption. Overall it uses the 802.1x authentication method, deploying protected EAP (PEAP) with EAP token. The user database is stored in a RADIUS server, using FreeRADIUS running on the FreeBSD platform.

One of my users said that before upgrading to Ubuntu 8.10, he was using Ubuntu Hardy Heron 8.04. The previous Ubuntu was running well. Once he upgraded to Ubuntu 8.10, he could not connect to our secure wireless environment anymore.

Hmmmmm... other users with other standard OSes, e.g. Windows XP, Mac OS and Windows Vista, don't have any problem, so I suspect something in the WPA configuration in Ubuntu 8.10 needs to change drastically. It seems it doesn't work well in a secured wireless environment.

We have tried it and yes, it does not work with the IIUM wireless campus. I tried to switch to Fedora 10, but the result was still the same. Then we tried to migrate to Knoppix, my best Linux distro ever, but it still did not work, and it got worse when Knoppix could not detect the Intel PRO/Wireless 3945ABG device. We don't want to use ndiswrapper since it could eventually corrupt my entire OS. FYI, SUSE Linux works smoothly with IIUM wireless.

When Ubuntu came out with the new releases, 9.04 and 9.10 alpha, my friend was excited because the new release might help students who really like Ubuntu (I don't know why; Ubuntu still looks like nothing to me) to have a great bond with it, but the result was still disappointing. The main issue is that since the 8.10 release, Ubuntu has come with a standard Network Manager that does not support PEAP/TKIP, the main authentication for the IIUM wireless connection. So the best solution is to switch to Wicd, the open source, GNOME-independent network manager.

1. Get Wicd either by installing it from the terminal with the command sudo apt-get install wicd, or from Synaptic Package Manager for those who don't want to play around with the terminal.

Using the command:

sudo apt-get install wicd

Or using Synaptic Package Manager.

2. Go to /etc/wicd/encryption/templates/peap-tkip to customize the settings. Please note that Ubuntu disables the root password by default, so you cannot simply open the file from the file browser. You can either open the file using the command sudo /etc/wicd/…../peap-tkip at the terminal, or type “sudo passwd root” at the terminal to enable your root password. Please also note that the file is located in the root folder, not the home folder.

Change this:

name = PEAP with TKIP
author = Fralaltro
version = 1
require identity *Identity password *Password ca_cert *Path_to_CA_Cert
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
scan_ssid=$_SCAN
proto=WPA
key_mgmt=WPA-EAP
pairwise=TKIP
group=TKIP
eap=PEAP
identity="$_IDENTITY"
password="$_PASSWORD"
ca_cert="$_CA_CERT"
phase1="peaplabel=0"
phase2="auth=MSHAPV2"
}

to become this:

name = PEAP with TKIP
author = Fralaltro
version = 1
require identity *Identity password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
scan_ssid=$_SCAN
proto=WPA
key_mgmt=WPA-EAP
pairwise=TKIP
group=TKIP
eap=PEAP
identity="$_IDENTITY"
password="$_PASSWORD"
phase1="peaplabel=0"
phase2="auth=EAP Token"
}

3. After that, go to Applications > Internet > Wicd Network Manager. Select iium community and click on Advanced Setting. Tick Use Encryption and select PEAP with TKIP.

Then just type your username and password… and that's it, it works.
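As an added example (not part of the original post and not Wicd's own code), this Python script parses the two templates shown in step 2 and reports what the edit changes for a defender: with ca_cert removed, wpa_supplicant no longer verifies the RADIUS server certificate, and both versions offer only TKIP. The finding names and function names are assumptions made for this illustration.

```python
import re

# "Before" template, copied from the post as sample input.
BEFORE = """name = PEAP with TKIP
author = Fralaltro
version = 1
require identity *Identity password *Password ca_cert *Path_to_CA_Cert
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
scan_ssid=$_SCAN
proto=WPA
key_mgmt=WPA-EAP
pairwise=TKIP
group=TKIP
eap=PEAP
identity="$_IDENTITY"
password="$_PASSWORD"
ca_cert="$_CA_CERT"
phase1="peaplabel=0"
phase2="auth=MSHAPV2"
}
"""
# "After" template: the three edits the post makes to the file above.
AFTER = (BEFORE.replace(" ca_cert *Path_to_CA_Cert", "")
         .replace('ca_cert="$_CA_CERT"\n', "")
         .replace("auth=MSHAPV2", "auth=EAP Token"))

FINDINGS = {  # hypothetical finding ids used by this example
    "no-ca-cert": "server certificate is not verified (no ca_cert/ca_path)",
    "tkip-only": "only TKIP offered; AES (CCMP) is stronger if supported",
}

def parse_template(text):
    """Return (required_fields, settings) for a Wicd encryption template."""
    head, _, body = text.partition("-----")
    # 'require' holds <variable> <*GUI label> pairs; keep the variable names
    req = re.search(r"^require (.*)$", head, re.M)
    required = req.group(1).split()[::2] if req else []
    block = re.search(r"network=\{(.*?)\}", body, re.S)
    settings = {}
    for line in (block.group(1) if block else "").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key] = value.strip('"')
    return required, settings

def audit(text):
    """Return the sorted finding ids that apply to one template."""
    _, s = parse_template(text)
    found = set()
    has_ca = s.keys() & {"ca_cert", "ca_path"}
    if s.get("key_mgmt") == "WPA-EAP" and not has_ca:
        found.add("no-ca-cert")
    if {s.get("pairwise"), s.get("group")} == {"TKIP"}:
        found.add("tkip-only")
    return sorted(found)

def introduced(before, after):
    """Findings present after an edit that were not there before it."""
    return sorted(set(audit(after)) - set(audit(before)))

if __name__ == "__main__":
    for fid in audit(AFTER):
        print(f"[{fid}] {FINDINGS[fid]}")
    print("introduced by the edit:", introduced(BEFORE, AFTER))
```

Pointing ca_cert at the campus CA certificate instead of deleting the line would clear the first finding.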

Source: Solutions Architect


Sunday, 19 April 2009

Securing Wireless Network

A wireless local area network (WLAN) is better protected with Wi-Fi Protected Access (WPA) than with Wired Equivalent Privacy (WEP).

Currently, ITD has to admit that IIUM users face some potential difficulties in using WPA, which include:

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 2 and later. PDA and smartphone operating systems running on Windows Mobile and Symbian do not support WPA yet. The only operating system that really supports a secured wireless environment is MacOS for iPhone and iPod. Those who want to connect through the SSID iium-gadget must comply with the WPA requirement.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates. Again, this is a common problem with low-end Microsoft products.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure…, otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list. 

5. Click the Settings… button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. 

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA. 

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.

Configuring Pocket PC 2003/PDA/Smart Phone for WPA
WPA was not supported natively in Pocket PC 2003 using Windows Mobile and Symbian at the time of writing; however, this may be implemented in the future. Support for WPA on other types of Pocket PC available from other vendors such as Mac OS (iPhone and iPod),

Original Post : ERM Blog
