GPN20:NOC: Difference between revisions

from the wiki of Entropia e.V., CCC Karlsruhe
(The page was newly created: „= Network <copied from GPN19>= Yes, we have internet. All provided networks are '''unfiltered''' and on '''public IP space''', make sure…“)


(30 intermediate revisions by 8 users not shown)
Zeile 1: Zeile 1:
= Network <copied from GPN19>=
= Buildup / Teardown =
Ja, wir haben Internet. Alle bereitgestellten Netze sind '''ungefiltert''' und auf '''öffentlichem IP-Space''', stelle sicher, dass deine Geräte up-to-date und Dienste ordentlich konfiguriert sind.
The GPN20 build up takes place on Wednesday, May, 18th and tear down starts on Sunday afternoon, May, 22nd.


Please understand that we're quite a busy folk during that time and we have a lot of stuff getting set up.
This means, we're not angry with anybody, but have a tight schedule we have to follow in order get everything done in time - especially during build up on Wednesday.
If we're very busy or too exhausted and don't find the time to answer your questions or requests, please give us some time and come back later when there is less business at the GPN NOC Desk.
= Network =
Yes, we've got internet. All provided networks are '''unfiltered''', e.g. no firewall, no NAT and use '''public IP adresses'''. Please make sure, all your devices are up-to-date and services running on your devices are configured securely. We recommend to activate a firewall.
Please bring your own network cable (3m - 5m) with you. When connecting your device to the switch, please make sure the cable does not form a tripping hazard or spans between tables.


== Wi-Fi (encrypted) ==
== Wi-Fi (encrypted) ==
Um mehr Bandbreite nutzen zu können, überlege ob du dich nicht einfach per Kabel einstecken kannst, wir haben nur begrenzte Mengen an Äther im Haus.
Please consider using a wired connecting in order to save air time. Due to a lot of (new) access points located GPN, HfG and ZKM, air time is really tight.
 
We'll also have a test stage with 6Ghz Wi-Fi somewhere in the hack center.


* SSID: GPN20
* SSID: GPN20
* Modus: WPA2-Enterprise
* Mode: WPA2-Enterprise
** TTLS/PAP or PEAP/MSCHAPv2
** TTLS/PAP or PEAP/MSCHAPv2
* Username und Passwort
*** ''(But not TTLS/MASCHAPv2)''
** bei PEAP/MSCHAPv2:
* Username and Passwort
*** Username: <code>gpn</code>
** for PEAP/MSCHAPv2:
*** Username/Identity: <code>gpn</code>
*** Password: <code>gpn</code>
*** Password: <code>gpn</code>
** auf TTLS/PAP
*** Domain: <code>gpn-noc.de</code>
*** egal
*** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
** for TTLS/PAP
*** Domain: radius.gpn-noc.de
*** Everything else: <anything you like - we don't care>


Wenn du sicherstellen willst, dass du dich mit dem unsicheren Netzwerk ''deiner'' Wahl verbindest,
You can also use the following credentials:
prüfe das Zertfikat auf CN <code>radius1.gpn-noc.de</code>, ausgestellt von [https://letsencrypt.org/certificates/ Let's Encrypt].
* SSID: GPN20
* Username: <code>protect-me</code>
* Password: <code>protect-me</code>
to have a firewall in place blocking incoming requests, only.
 
If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.gpn-noc.de</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].


=== wpa_supplicant.conf ===
=== wpa_supplicant.conf ===
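Review bot: In the new Wi-Fi list the excluded method is spelled "TTLS/MASCHAPv2"; it should read "TTLS/MSCHAPv2" to match the "PEAP/MSCHAPv2" line above it, and "Username and Passwort" should be "Username and Password". The PEAP/MSCHAPv2 entry gives Domain gpn-noc.de while the TTLS/PAP entry and the certificate check both name radius.gpn-noc.de; a short remark on why the two differ would save readers from guessing which value to enter.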
Zeile 24: Zeile 44:
     key_mgmt=WPA-EAP
     key_mgmt=WPA-EAP
     eap=TTLS
     eap=TTLS
     identity="23"
     identity="wiki"
     password="hunter"
     password="binzufauldaspwzuaendern"
     # ca path on debian 7.x, modify accordingly
     # ca path on debian 11.x, modify accordingly
     ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
     ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
     altsubject_match="DNS:radius1.gpn-noc.de"
     altsubject_match="DNS:radius.gpn-noc.de"
     phase2="auth=PAP"
     phase2="auth=PAP"
  }
  }
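Review bot: The new identity="wiki" and password lines read like required credentials, although the credential list says that for TTLS/PAP everything except the domain is "anything you like"; add a one-line comment in the block stating that any identity and password work. The ca_cert path is still tied to one distribution by the "debian 11.x" comment, so keep that comment directly above ca_cert as it is now.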
Zeile 43: Zeile 63:
     'key_mgmt=WPA-EAP'
     'key_mgmt=WPA-EAP'
     'eap=TTLS'
     'eap=TTLS'
     'identity="foo"'
     'identity="wiki"'
     'password="bar"'
     'password="binzufauldaspwzuaendern"'
     'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
     'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
     'altsubject_match="DNS:radius1.gpn-noc.de"'
     'altsubject_match="DNS:radius.gpn-noc.de"'
     'phase2="auth=PAP"'
     'phase2="auth=PAP"'
  )
  )


== Colocation <tbd> ==
=== Network manager (text file) ===
// Ja, es wird wieder eine Yolo-Colo geben.
 
// 10GbE SFP+ Ports sind verfügbar. Wir verleihen keine Transceiver, ohne Ausnahme.
Create a file <code>/etc/NetworkManager/system-connections/GPN20.nmconnection</code> with the following:
// 1GbE (1GBase-T) ist ebenfalls verfügbar.
 
// LACP kann bei bedarf und kapazität konfiguriert werden.
[connection]
//  
id=GPN20
// Wir werden dieses Jahr "klassisches Wäscheklammern DHCP" betreiben.
uuid=a60a535f-57cb-4fe8-9688-7ff9bd315311
// Das heist, du kommst zu uns ans NOC und holst dir eine Wäscheklammer mit einer IPv4 Adresse bei uns ab. Diese IP Adresse konfigurierst du statisch auf deinen Server. Die Wäscheklammer kommt mit samt dem Server in die Colo. Baust du deinen Server wieder ab, bringst du uns die Wäscheklammer zurück, damit wir wissen, dass das "lease" wieder frei ist.
type=wifi
//
autoconnect=false
// Kennzeichne deinen Server mit deinem '''Namen''', deiner '''DECT-Nummer''' und deiner '''E-Mail-Adresse''', ansonsten müssen wir ihn abstecken.
//
[wifi]
// === Standort ===
mode=infrastructure
// Die Colo wird sich dieses Jahr in einem Abgeschlossenen Raum befinden. Daher gibt es keinen 24/4 Zugang zu deinem Server, sondern nur mit jemand aus dem NOC.
ssid=GPN20
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
domain-suffix-match=radius.gpn-noc.de
eap=ttls;
identity=gpn
password=gpn
phase2-auth=pap
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]
 
Then, start the service:
 
nmcli c up GPN20
 
=== NetworkManager (GUI nm-connection-editor) ===
 
[[Datei:GPN-NM.png]]
 
Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem
 
== Colocation ==
YES, we'll have a colocation again and we can provide you with:
 
* 10GbE SFP+ ports. We do not lend transceivers. (we never have and never will - ever!!!)
* 1000Base-T (1GBE) ports / 10GBase-T is available as well.
 
Please mark your server with
* your '''nickname'''
* and your '''DECT-''' or '''cellphone-number'''
* and your '''e-mail adress''' to get in contact with you
 
Otherwise we have to disconnect your server.
 
Please see the local signs for more information.
 
In case of problems, find us at the NOC desk or call DECT 1209 or 662.
 
=== Colocation-Location ===
The colocation can be found on the 1. OG (2nd floor) between the two glass ceiling sections of the hackcenter, towards the handrail on the southern side.
 
== Pixelflut ==
* You have built your own fancy Pixelflut and want to bring it along to GPN?
* But you don't know where to place it or connect it with enough uplink?
=> Please come to the NOC Desk and ask our staff. We'll be there for you starting Thursday afternoon, e.g. after the Opening (if build up is already finished).
 
 
== Android 11 Config Screenshots ==
 
[[Datei:Gpn20-wlan-Android-11-1.png|240px|link=Datei:Gpn20-wlan-Android-11-1.png]]
 
[[Datei:Android-11-2.png|240px|link=Datei:Android-11-2.png]]
 
(Sorry, german language OS)
 
{{Navigationsleiste GPN20}}
 
[[Kategorie: GPN20]]
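Review bot: The rewritten Colocation section removes the paragraph about collecting a static IPv4 address at the NOC and no longer says how a colocated server obtains its address; add a sentence on addressing or state explicitly that the local signs cover it. In the NetworkManager section, "Then, start the service:" introduces nmcli c up GPN20, which brings up a connection profile, so "bring up the connection" would be more accurate; the keyfile also uses identity and password gpn while the wpa_supplicant and netctl examples use other values, which deserves a note that the values are interchangeable for TTLS/PAP.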

Latest revision as of 20 May 2022, 11:15

Buildup / Teardown

The GPN20 build up takes place on Wednesday, May 18th and tear down starts on Sunday afternoon, May 22nd.

Please understand that we're quite busy folk during that time and we have a lot of stuff to set up. This means we're not angry with anybody, but we have a tight schedule to follow in order to get everything done in time, especially during build up on Wednesday.

If we're very busy or too exhausted and don't find the time to answer your questions or requests, please give us some time and come back later when things are less busy at the GPN NOC Desk.

Network

Yes, we've got internet. All provided networks are unfiltered, i.e. no firewall and no NAT, and use public IP addresses. Please make sure all your devices are up-to-date and the services running on them are configured securely. We recommend activating a firewall.

Please bring your own network cable (3m - 5m) with you. When connecting your device to the switch, please make sure the cable does not form a tripping hazard or span between tables.

Wi-Fi (encrypted)

Please consider using a wired connection in order to save air time. Due to a lot of (new) access points located at GPN, HfG and ZKM, air time is really tight.

We'll also have a test stage with 6 GHz Wi-Fi somewhere in the hack center.

  • SSID: GPN20
  • Mode: WPA2-Enterprise
    • TTLS/PAP or PEAP/MSCHAPv2
      • (But not TTLS/MSCHAPv2)
  • Username and Password
    • for PEAP/MSCHAPv2:
      • Username/Identity: gpn
      • Password: gpn
      • Domain: gpn-noc.de
      • CA certificate: Use system certificate (Note: For Google Pixel 6 (Pro) with Android 12)
    • for TTLS/PAP
      • Domain: radius.gpn-noc.de
      • Everything else: <anything you like - we don't care>

To have a firewall in place that blocks incoming requests only, you can also use the following credentials:

  • SSID: GPN20
  • Username: protect-me
  • Password: protect-me

If you want to check that you really connect to the insecure network of your choice, please verify that the certificate with CN radius.gpn-noc.de is issued by Let's Encrypt.

wpa_supplicant.conf

network={
    ssid="GPN20"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="wiki"
    password="binzufauldaspwzuaendern"
    # ca path on debian 11.x, modify accordingly
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    altsubject_match="DNS:radius.gpn-noc.de"
    phase2="auth=PAP"
}
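
As an added example (not part of the wiki page or of any NOC tooling): a small Python check that parses wpa_supplicant network blocks and reports whether each one authenticates the RADIUS server the way the block above does. The server name and the allowed EAP methods are taken from this page; the rule set, the function names and the weakened second sample block are assumptions of this example.

```python
import re

# Server name and allowed methods come from the page; the checks are this example's.
EXPECTED_SERVER = "radius.gpn-noc.de"
SUFFIXES = {EXPECTED_SERVER, "gpn-noc.de"}
ALLOWED = {("TTLS", "PAP"), ("PEAP", "MSCHAPV2")}  # page: not TTLS/MSCHAPv2

def parse_network_blocks(text):
    """Return one dict (key -> unquoted value) per network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        cfg = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                cfg[key.strip()] = value.strip().strip('"')
        blocks.append(cfg)
    return blocks

def audit(cfg):
    """List reasons this block fails to authenticate the RADIUS server."""
    findings = []
    eap = cfg.get("eap", "").upper()
    inner = cfg.get("phase2", "").upper().replace("AUTH=", "")
    if (eap, inner) not in ALLOWED:  # an explicit phase2 is required here
        findings.append(f"unsupported method {eap}/{inner}")
    if not cfg.get("ca_cert"):
        findings.append("no ca_cert: any server certificate is accepted")
    sans = cfg.get("altsubject_match", "").split(";")
    if ("DNS:" + EXPECTED_SERVER not in sans
            and cfg.get("domain_suffix_match") not in SUFFIXES):
        findings.append("server name not pinned to " + EXPECTED_SERVER)
    return findings

# Constructed sample: the page's settings, then a weakened variant of them.
SAMPLE = '''
network={
    eap=TTLS
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    altsubject_match="DNS:radius.gpn-noc.de"
    phase2="auth=PAP"
}
network={
    eap=TTLS
    phase2="auth=MSCHAPV2"
}
'''
for n, cfg in enumerate(parse_network_blocks(SAMPLE), 1):
    print(n, audit(cfg) or "ok")
```

Because the credentials on this page are public, the ca_cert and server-name settings are the only thing that ties a client to the intended network, which is why the check treats their absence as a finding.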

netctl

Description='GPN20 secure WPA2 802.1X config'
Interface=wlp4s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=GPN20
WPAConfigSection=(
    'ssid="GPN20"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="wiki"'
    'password="binzufauldaspwzuaendern"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.gpn-noc.de"'
    'phase2="auth=PAP"'
)

Network manager (text file)

Create a file /etc/NetworkManager/system-connections/GPN20.nmconnection with the following:

[connection]
id=GPN20
uuid=a60a535f-57cb-4fe8-9688-7ff9bd315311
type=wifi
autoconnect=false

[wifi]
mode=infrastructure
ssid=GPN20

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
domain-suffix-match=radius.gpn-noc.de
eap=ttls;
identity=gpn
password=gpn
phase2-auth=pap

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Then bring up the connection:

nmcli c up GPN20

NetworkManager (GUI nm-connection-editor)

[Screenshot: GPN-NM.png]

Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem

Colocation

YES, we'll have a colocation again and we can provide you with:

  • 10GbE SFP+ ports. We do not lend transceivers. (we never have and never will - ever!!!)
  • 1000Base-T (1GBE) ports / 10GBase-T is available as well.

Please mark your server with

  • your nickname
  • and your DECT- or cellphone-number
  • and your e-mail address to get in contact with you

Otherwise we have to disconnect your server.

Please see the local signs for more information.

In case of problems, find us at the NOC desk or call DECT 1209 or 662.

Colocation-Location

The colocation can be found on the 1. OG (2nd floor) between the two glass ceiling sections of the hackcenter, towards the handrail on the southern side.

Pixelflut

  • You have built your own fancy Pixelflut and want to bring it along to GPN?
  • But you don't know where to place it or connect it with enough uplink?

=> Please come to the NOC Desk and ask our staff. We'll be there for you starting Thursday afternoon, i.e. after the Opening (if build up is already finished).


Android 11 Config Screenshots

[Screenshot: Gpn20-wlan-Android-11-1.png]

[Screenshot: Android-11-2.png]

(Sorry, German language OS)