GPN22:NOC/Wireless: Difference between revisions

from the wiki of Entropia e.V., CCC Karlsruhe
(Typo)
(fix networkmanager config)
 
(One intermediate revision by another user not shown)
Line 1: Line 1:
== Wi-Fi (simple) ==
for general infos see [[GPN22:NOC]]
 
Connect to: GPN
 
No password needed!
 
We offer WPA3 based opportunistic encryption on this SSID.
 
== Wi-Fi (advanced) ==
 
 
=== Credentials (Default: Protected from outside connections) ===
* SSID: GPN
* Mode: WPA2-Enterprise / WPA3-Enterprise
** TTLS/PAP or PEAP/MSCHAPv2
*** ''(But not TTLS/MASCHAPv2)''
* Username and Passwort
** for PEAP/MSCHAPv2:
*** Username/Identity: <code>gpn</code>
*** Password: <code>gpn</code>
*** Domain: <code>radius.noc.gulas.ch</code>
*** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
** for TTLS/PAP
*** Domain: radius.noc.gulas.ch
*** Everything else: <anything you like - we don't care>
 
If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.noc.gulas.ch</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].
 
=== Credentials (Incoming connections from the event only) ===
* SSID: GPN
* Mode: WPA2-Enterprise / WPA3-Enterprise
** TTLS/PAP or PEAP/MSCHAPv2
*** ''(But not TTLS/MASCHAPv2)''
* Username and Passwort
** for PEAP/MSCHAPv2:
*** Username/Identity: <code>tbd.</code>
*** Password: <code>tbd.</code>
*** Domain: <code>radius.noc.gulas.ch</code>
*** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
** for TTLS/PAP
*** Domain: radius.noc.gulas.ch
*** Everything else: <anything you like - we don't care>
 
If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.noc.gulas.ch</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].
 
=== Credentials (not firewalled) ===
* SSID: GPN
* Mode: WPA2-Enterprise / WPA3-Enterprise
** TTLS/PAP or PEAP/MSCHAPv2
*** ''(But not TTLS/MASCHAPv2)''
* Username and Passwort
** for PEAP/MSCHAPv2:
*** Username/Identity: <code>tbd.</code>
*** Password: <code>tbd.</code>
*** Domain: <code>radius.noc.gulas.ch</code>
*** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
** for TTLS/PAP
*** Domain: radius.noc.gulas.ch
*** Everything else: <anything you like - we don't care>
 
If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.noc.gulas.ch</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].


== Configuration examples ==
=== wpa_supplicant.conf ===
=== wpa_supplicant.conf ===
  network={
  network={
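Review bot: "TTLS/MASCHAPv2" in the parenthetical under the mode list should read "TTLS/MSCHAPv2", and "Username and Passwort" should read "Username and Password"; both slips are repeated in all three credential sections, so fix all three copies. The "Incoming connections from the event only" and "not firewalled" sections still carry "tbd." as username and password, so readers cannot tell whether those profiles exist yet; either fill them in or mark the sections as not yet available.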
Line 66: Line 7:
     key_mgmt=WPA-EAP
     key_mgmt=WPA-EAP
     eap=TTLS
     eap=TTLS
     identity="wiki"
     identity="gpn"
     password="binzufauldaspwzuaendern"
     password="gpn"
     # ca path on debian 11.x, modify accordingly
     # ca path on debian 11.x, modify accordingly
     ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
     ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
Line 75: Line 16:
=== iwd ===
=== iwd ===
Create a file under <code>/var/lib/iwd/GPN.8021x</code> with the following:
Create a file under <code>/var/lib/iwd/GPN.8021x</code> with the following:
  <nowiki>
   
[Security]
[Security]
  EAP-Method=TTLS
  EAP-Method=TTLS
  EAP-Identity=open@identity.com
  EAP-Identity=open@identity.com
  #EAP-TTLS-CACert=/certs/ca-cert.pem
  #EAP-TTLS-CACert=/certs/ca-cert.pem
  EAP-TTLS-Phase2-Method=Tunneled-PAP
  EAP-TTLS-Phase2-Method=Tunneled-PAP
  EAP-TTLS-Phase2-Identity=wiki
  EAP-TTLS-Phase2-Identity=gpn
  EAP-TTLS-Phase2-Password=binzufauldaspwzuaendern
  EAP-TTLS-Phase2-Password=gpn
  #EAP-TTLS-ServerDomainMask=*.domain.com
  #EAP-TTLS-ServerDomainMask=*.domain.com
 
[Settings]
[Settings]
  AutoConnect=true
  AutoConnect=true
</nowiki>
 


=== netctl ===
=== netctl ===
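Review bot: the iwd stanza leaves both EAP-TTLS-CACert and EAP-TTLS-ServerDomainMask commented out, so iwd accepts any RADIUS server certificate, which contradicts the page's own advice to verify that the certificate for radius.noc.gulas.ch chains to Let's Encrypt. The wpa_supplicant and netctl examples on this page already pin both the CA and the server name; mirror them here with EAP-TTLS-CACert=/etc/ssl/certs/ISRG_Root_X1.pem and EAP-TTLS-ServerDomainMask=radius.noc.gulas.ch.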
Line 101: Line 42:
     'key_mgmt=WPA-EAP'
     'key_mgmt=WPA-EAP'
     'eap=TTLS'
     'eap=TTLS'
     'identity="wiki"'
     'identity="gpn"'
     'password="binzufauldaspwzuaendern"'
     'password="gpn"'
     'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
     'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
     'altsubject_match="DNS:radius.noc.gulas.ch"'
     'altsubject_match="DNS:radius.noc.gulas.ch"'
Line 128: Line 69:
  ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
  ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
  domain-suffix-match=radius.noc.gulas.ch
  domain-suffix-match=radius.noc.gulas.ch
  eap=ttls;
  eap=peap;
  identity=gpn
  identity=gpn
  password=gpn
  password=gpn
  phase2-auth=pap
  phase2-auth=mschapv2
   
   
  [ipv4]
  [ipv4]
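Review bot: the NetworkManager profile switches from TTLS/PAP to PEAP/MSCHAPv2 under the summary "fix networkmanager config", but the page lists TTLS/PAP as supported and the wpa_supplicant and netctl examples still use it; a one-line note on why TTLS/PAP did not work with NetworkManager would keep readers from reverting it. The trailing semicolon in eap=peap; is NetworkManager's keyfile list syntax rather than a typo, and ca-cert plus domain-suffix-match are kept in the new version, which is correct.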

Current revision as of 30 May 2024, 19:55

For general information see GPN22:NOC

Configuration examples

wpa_supplicant.conf

network={
    ssid="GPN"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="gpn"
    password="gpn"
    # ca path on debian 11.x, modify accordingly
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    altsubject_match="DNS:radius.noc.gulas.ch"
    phase2="auth=PAP"
}

iwd

Create a file under /var/lib/iwd/GPN.8021x with the following:

[Security]
  EAP-Method=TTLS
  # outer (anonymous) identity, sent unencrypted; any value works here
  EAP-Identity=open@identity.com
  # pin the RADIUS server: same CA path as the wpa_supplicant example above
  EAP-TTLS-CACert=/etc/ssl/certs/ISRG_Root_X1.pem
  EAP-TTLS-Phase2-Method=Tunneled-PAP
  EAP-TTLS-Phase2-Identity=gpn
  EAP-TTLS-Phase2-Password=gpn
  # only accept a server certificate issued for this name
  EAP-TTLS-ServerDomainMask=radius.noc.gulas.ch

[Settings]
  AutoConnect=true
 

netctl

Description='GPN secure WPA2 802.1X config'
Interface=wlp4s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=GPN
WPAConfigSection=(
    'ssid="GPN"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="gpn"'
    'password="gpn"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.noc.gulas.ch"'
    'phase2="auth=PAP"'
)

NetworkManager (text file)

Create a file /etc/NetworkManager/system-connections/GPN.nmconnection with the following:

[connection]
id=GPN
uuid=7aeae233-1a07-440a-aaf2-e9a4720bb4b6
type=wifi
autoconnect=false

[wifi]
mode=infrastructure
ssid=GPN

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
domain-suffix-match=radius.noc.gulas.ch
eap=peap;
identity=gpn
password=gpn
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Make sure non-root users cannot read or write this file; NetworkManager ignores connection files whose permissions are too open. Then reload the connections and bring the connection up:

sudo nmcli connection reload
nmcli c up GPN

NetworkManager (GUI nm-connection-editor)

Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem
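Every profile on this page only protects against a rogue access point if it both pins a CA and checks the server name; the following added checker (not part of the wiki page) parses the wpa_supplicant/netctl, NetworkManager and iwd key formats shown above and reports which of the two checks a profile is missing. The sample stanzas and the key table are constructed from the settings used on this page.

```python
"""Lint an 802.1X Wi-Fi profile for RADIUS server pinning (added example).
Each format on the page needs a CA to chain to AND a server-name match; without
both, a rogue AP can impersonate the network using the public gpn/gpn credentials."""

EXPECTED_SERVER = "radius.noc.gulas.ch"  # CN / SAN named on the page
# Per format: CA-pinning key, then the accepted server-name keys.
REQUIRED = {
    "wpa_supplicant": ("ca_cert", ("altsubject_match", "domain_suffix_match")),
    "networkmanager": ("ca-cert", ("domain-suffix-match",)),
    "iwd": ("EAP-TTLS-CACert", ("EAP-TTLS-ServerDomainMask",)),
}

def parse_settings(text):
    """key=value lines -> dict; '#' comments and [section] headers are skipped.
    Accepts netctl's quoted 'key="value"' form and NetworkManager's 'value;' lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().strip("'")
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"').rstrip(";")
    return settings

def check_profile(fmt, text):
    """Return findings; an empty list means the RADIUS server is pinned."""
    ca_key, name_keys = REQUIRED[fmt]
    s, findings = parse_settings(text), []
    if ca_key not in s:
        findings.append(f"{ca_key} missing: server certificate not validated")
    present = [k for k in name_keys if k in s]
    if not present:
        findings.append(f"no server-name check ({'/'.join(name_keys)})")
    elif not any(EXPECTED_SERVER in s[k] for k in present):
        findings.append(f"server-name check does not name {EXPECTED_SERVER}")
    return findings

# Constructed samples: an iwd stanza with pinning commented out (the failure
# mode) and a NetworkManager [802-1x] section with both checks present.
IWD_UNPINNED = """[Security]
  EAP-Method=TTLS
  #EAP-TTLS-CACert=/certs/ca-cert.pem
  #EAP-TTLS-ServerDomainMask=*.domain.com
"""
NM_PINNED = """[802-1x]
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
domain-suffix-match=radius.noc.gulas.ch
eap=peap;
"""
```

Run `check_profile("iwd", IWD_UNPINNED)` to see both findings for the unpinned stanza, and `check_profile("networkmanager", NM_PINNED)` returns an empty list.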