jump to navigation

Post-it: PROXIMUS_AUTO_FON and TelenetWifree (Belgium) from GNU/Linux (or Windows 7) 2015-04-14

Posted by claudio in Uncategorized.
Tags: , , , , , ,


Update 20160818: added Proximus RADIUS server.

The Belgian ISPs Proximus and Telenet both provide access to a network of hotspots. A nice recent addition is the use of alternative ssids for “automatic” connections instead of a captive portal where you login through a webpage. Sadly, their support pages provide next to no information to make a safe connection to these hotspots.

Proximus is a terrible offender. According to their support page on a PC only Windows 8.1 is supported. Linux, OSX *and* Windows 8 (!) or 7 users are kindly encouraged to use the open wifi connection and login through the captive portal. Oh, and no certification information is given for Windows 8.1 either. That’s pretty silly, as they use EAP-TTLS. Here is the setup to connect from whatever OS you use (terminology from gnome-network-manager):

Security: WPA2 Enterprise
Authentication: Tunneled TLS (TTLS)
Anonymous identity: what_ever_you_wish_here@proximusfon.be
Certificate: GlobalSign Root CA (in Debian/Ubuntu in /usr/share/ca-certificates/mozilla/)
Inner Authentication: MSCHAPv2
Usename: your_fon_username_here@proximusfon.be
Password: your_password_here
RADIUS server certificate (optional): radius.isp.belgacom.be

Telenet’s support page is slightly better (not a fake Windows 8.1 restriction), but pretty useless as well with no certificate information whatsoever. Here is the information needed to use TelenetWifree using PEAP:

SSID: TelenetWifree
Security: WPA2 Enterprise
Authentication: Protected EAP (PEAP)
Anonymous identity:what_ever_you_wish_here@telenet.be
Certificate: GlobalSign Root CA (in Debian/Ubuntu in /usr/share/ca-certificates/mozilla/)
Inner Authentication: MSCHAPv2
Usename: your_fon_username_here@telenet.be
Password: your_password_here
RADIUS server certificate (optional): authentic.telenet.be

If you’re interested, screenshots of the relevant parts of the wireshark trace are attached here:

proximus_rootca telenet_rootca