GPN22:NOC: Difference between revisions

From the wiki of Entropia e.V., CCC Karlsruhe
(add apple profiles)
(feat(collocation): added end-time)
 
(13 intermediate revisions by 6 users not shown)
Line 10: Line 10:
|'''Security'''
|'''Security'''
|-
|-
|GPN-open
|GPN-Open
|
|
|WPA3 OWE/WPA2 open
|WPA3 OWE/WPA2 open
|-
|GPN-PSK
|IoT-at-GPN22
|WPA3 SAE/WPA2 PSK
|-
|-
|GPN
|GPN
|gpn/gpn or see below
|gpn/gpn
|WPA3/WPA2 enterprise
|WPA3/WPA2 enterprise
|}
|}
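Review bot: The new GPN-PSK row publishes the passphrase IoT-at-GPN22 without saying what that means for the WPA2 PSK half of "WPA3 SAE/WPA2 PSK": with a shared, public passphrase, WPA2-PSK gives clients no confidentiality from one another, while SAE still negotiates per-session keys. If GPN-PSK is meant for devices that cannot do WPA-Enterprise, as the passphrase suggests, a short remark next to the table saying so and pointing everyone else to GPN would cover it. Separately, the GPN row drops "or see below" from "gpn/gpn", which was the pointer from this table to the other credential modes; consider keeping it.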
Line 24: Line 28:


<div class="header-link">
<div class="header-link">
<div class="header-link__button">[tel:6620 📞 6620]</div>
<div class="header-link__button">[tel:6620 DECT: 6620]</div>
<div class="header-link__button">[[GPN22:Map|Übersichtskarte]]</div>
<div class="header-link__button">[[GPN22:Map|Map]]</div>
<div class="header-link__button">[https://social.gulas.ch/@noc Fediverse]</div>
<div class="header-link__button">[https://social.gulas.ch/@noc Fediverse]</div>
<div class="header-link__button">[mailto:noc@gulas.ch E-Mail]
<div class="header-link__button">[mailto:noc@gulas.ch E-mail]
</div>
</div>
</div>
</div>
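Review bot: The E-mail button is still the only header-link__button whose closing </div> sits on the following line instead of on the same line as the link. Since that line is being touched anyway (E-Mail to E-mail), close it inline like the tel:, Map and Fediverse buttons so the block stays uniform and an unbalanced div is easier to spot.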
Line 55: Line 59:


==== Configuration on Apple Devices ====
==== Configuration on Apple Devices ====
Of course you can configure the WiFi youself, but for the ease of use we offer signed profiles for the different modes:
You can configure the WiFi yourself, or use our provided signed profiles for the different modes:


* [https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%Isolated%20WiFi-Signed.mobileconfig Normal, protected]
* [https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20Isolated%20WiFi-Signed.mobileconfig Normal, protected]
* [https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20Event%20inbound%20only%20WiFi-Signed.mobileconfig Event inbound only]
* [https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20Event%20inbound%20only%20WiFi-Signed.mobileconfig Event inbound only]
* [https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20inbound%20open%20WiFi-Signed.mobileconfig Yolo-Mode]
* [https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20inbound%20open%20WiFi-Signed.mobileconfig Yolo-Mode]
If you don't use the profiles, you must click trust on the certificate for <code>radius.noc.gulas.ch</code>.


==== Configuration on most systems ====
==== Configuration on most systems ====
*for PEAP/MSCHAPv2 and most others:
*Username/Identity: see above
**Username/Identity: see above
*Password: see above
**Password: see above
*(only on MacOS) Identity: none
**Domain: <code>radius.noc.gulas.ch</code>
*Domain: <code>radius.noc.gulas.ch</code>
**CA certificate: <code>Use system certificate</code> or <code>Use system certificate</code> (on modern Android Devices)
*CA certificate: <code>Use system certificate</code> or Trust on first use (on modern Android Devices)
***Otherwise use the [https://letsencrypt.org/certs/isrgrootx1.pem ISRG Root X1] from [https://letsencrypt.org/certificates/ Let's Encrypt].  
**Otherwise use the [https://letsencrypt.org/certs/isrgrootx1.pem ISRG Root X1] from [https://letsencrypt.org/certificates/ Let's Encrypt].
*for TTLS/PAP
 
**Domain: <code>radius.noc.gulas.ch</code>
 
**Everything else: <anything you like - we don't care>. If you don't use the above credentials, you will be put in the protected pool.
If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.noc.gulas.ch</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].
If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.noc.gulas.ch</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].<div class="home-card home-card--col2">
 
=== Colocation ===
You can find example configs on [[GPN22:NOC/Wireless]]
Like the years before we are, once more, providing a colocation at GPN22.
 
=== GPN-Open WPA3 OWE ===
WPA3 [https://en.wikipedia.org/wiki/Opportunistic_Wireless_Encryption Opportunistic Wireless Encryption] will use an individualized encryption after joining the GPN-Open network.
 
==== Android ====
After connecting you will see "enhanced open" as connection type.
 
==== Linux NetworkManger (nm) ====
GUI on some systems has issues connecting. Connecting via CLI works: <code>nmcli device wifi connect GPN-Open</code>


In case of problems, find us at the NOC desk or call DECT 6620.  
=== Wireless FAQ ===
 
==== iwd does not configure the default route ====
iwd together with <code>EnableNetworkConfiguration=true</code> has been reported to not configure the routes received via DHCP. Workaround: Use an other DHCP Client.


==== Location ====
===Colocation===
This year it is in the Pförtnerhäuschen, which is the locked space that housed the yolocolo back at GPN19.
Like the years before we are providing a colocation at GPN22.


This location has limited cooling and power budget and cannot accommodate for power hungry devices.
In case of problems, find us at the NOC desk or call DECT 6620.  


We will try to provide the colocation as best effort. Normal GPN-Network has priority.
We will try to provide the colocation as best effort. Normal GPN-Network has priority.
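Review bot: In the "Configuration on most systems" list, the CA certificate bullet now offers "Trust on first use (on modern Android Devices)" as an equal alternative to "Use system certificate", but trust on first use pins whatever certificate the first connection presents and so skips the check the paragraph below asks for (CN radius.noc.gulas.ch issued by Let's Encrypt). Suggest listing the system certificate store together with the Domain value first and marking trust on first use as a fallback. The rewrite also drops the separate PEAP/MSCHAPv2 and TTLS/PAP groups and the sentence saying that other credentials land in the protected pool; if that behaviour still applies it is worth keeping. Two typos in the added text: "NetworkManger" and "an other".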
Line 86: Line 102:
You should be able to use the colocation starting Thursday afternoon.
You should be able to use the colocation starting Thursday afternoon.


We close the colocation on Sunday (Timestamp will be added soon), please fetch your devices before then!
We close the colocation on Sunday 12:00 PM , please fetch your devices before then!
 
==== Location====
This year it is in the Pförtnerhäuschen, which is the locked space that housed the YoloColo back at GPN19.
 
This location has limited cooling and power budget and cannot accommodate for power hungry devices.


==== Basic Rules and policy ====
====Basic Rules and Policy ====


* be excellent to each other!
*Be excellent to each other!
* we reserve the right to disconnect your server
* we reserve the right to disconnect your server
* access is only allowed in the presence of NOC staff
* access is only allowed in the presence of NOC staff
* devices must be labeled with an email-address and a DECT-Number (if you have one). Any other information is voluntary
*devices must be labeled with an e-mail-address and a DECT-Number (if you have one)
* prepare your server before placing it in colocation. We can only grant access to the colocation in exceptional cases outside of placing and picking up
* prepare your server before placing it in colocation. Outside of placing and picking up, we can only grant access to the colocation in exceptional cases


==== How to connect ====
==== How to connect====


* bring you own SFP(+) transceivers and cables (we do not have any cables or transceivers for the colocation)
*bring you own SFP(+) transceivers and cables (we do not have any cables or transceivers for the colocation)
* add a label with your email(must) / dect(should) on any devices in the colocation
* add a label with your e-mail(must) / DECT(should) on any devices in the colocation
* talk to noc
*talk to NOC
** you will receive a clothespin with an ip-address (v4 and v6)
**you will receive a clothespin with an IP-address (v4 and v6)
** noc will provide access to the colocation
**NOC will provide access to the colocation
** noc will verify the label with the dect-number on the server
**NOC will verify the label with the DECT-number on the server
** exchange PSK with noc (you will need your dect or PSK to retrieve your server)
** exchange PSK with NOC (you will need your DECT or PSK to retrieve your server)


==== How to retrieve your server ====
==== How to retrieve your server====


* shutdown your server remotely (minimize time spent in colocation)
*shutdown your server remotely (minimize time spent in colocation)
* talk to noc
* talk to NOC
** is your server powered off?
** is your server powered off?
** noc will provide access to the colocation
** NOC will provide access to the colocation
** verify yourself with DECT or PSK
**verify yourself with DECT or PSK
** collect your server
**collect your server
 
==== Pixelflut ====
Pixelflut is not hosted by NOC. Some people create a completely separated and isolated network with no access to the GPN-Network.
 
You will find a dedicated switch for Pixelflut on the YoloColo. Having two network-cards is recommended.
You can find more information here: [[GPN22:Pixelflut]]


==== Connection/Uplink ====
====Connection/Uplink====
YoloColo is connected with 100G to our core.
YoloColo is connected with 100G to our core.


Your server can connect with 10G to our YoloColo-Switch.  
Your server can connect with 10G to our YoloColo-Switch.  


==== Addressing ====
====Addressing====
IP addressing is static only. We use "Laundry Clip DHCP": Get your laundry clip at the NOC Desk and attach it to your network cable. Please bring back the laundry clips after the event.
IP addressing is static only. We use "Laundry Clip DHCP": Get your laundry clip at the NOC Desk and attach it to your network cable. Please bring back the laundry clips after the event.


Configure your network interfaces like this (X is your laundry clip number):
Configure your network interfaces like shown below (X is your laundry clip number).
 
====== IPv4======
Address: 151.216.65.X/24
 
Gateway: 151.216.65.1
 
======IPv6======
Address: 2a0e:c5c1:0:10c9::X/64


===== IPv4 =====
Gateway: 2a0e:c5c1:0:10c9::1
Address: (will be added soon)


Gateway: (will be added soon)
=== Metrics ===
If you're interested in some metrics about the NOC operations, visit our [https://grafana.noc.gulas.ch/public-dashboards/c6c9dd754f4e455196faeae9b9a3039d?orgId=1&refresh=1m publish dashboard].


===== IPv6 =====
=== Pixelflut ===
Address: (will be added soon)/64
Pixelflut is not hosted by NOC. Some people create a completely separated and isolated network with no access to the GPN-Network.


Gateway: (will be added soon)
You will find a dedicated switch for Pixelflut in the YoloColo. Having two network-cards is recommended.
</div>
You can find more information here: [[GPN22:Pixelflut]]


<templatestyles src="Vorlage:Main_Page/header/styles.css" /><noinclude><templatestyles src="Vorlage:Main_Page/shared/styles.css" /></noinclude>
<templatestyles src="Vorlage:Main_Page/header/styles.css" /><noinclude><templatestyles src="Vorlage:Main_Page/shared/styles.css" /></noinclude>
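Review bot: The new closing time "Sunday 12:00 PM , please fetch your devices" is ambiguous between noon and midnight for many readers and has a stray space before the comma; write it as 12:00 (noon) or in 24-hour form. In the Addressing section the new "====== IPv4======" and "======IPv6======" headings jump from level 4 to level 6, where the old revision used level 5. "bring you own" in the How to connect list and "publish dashboard" in the Metrics section (the link target is public-dashboards) look like typos.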

Latest revision as of 1 June 2024, 12:16

Wireless

You can find the WiFi credentials below

SSID     | Authentication | Security
GPN-Open |                | WPA3 OWE/WPA2 open
GPN-PSK  | IoT-at-GPN22   | WPA3 SAE/WPA2 PSK
GPN      | gpn/gpn        | WPA3/WPA2 enterprise

WPA-Enterprise

WiFi-Credentials

Username           | Password           | Mode
gpn                | gpn                | Default. Protected; no inbound connections allowed
event-inbound-only | event-inbound-only | Inbound connections only allowed from the Event Network
yolo               | yolo               | Yolo-Mode; Inbound allowed from anywhere

Configuration on Apple Devices

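You can configure the WiFi yourself, or use our provided signed profiles for the different modes:

  • Normal, protected: https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20Isolated%20WiFi-Signed.mobileconfig
  • Event inbound only: https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20Event%20inbound%20only%20WiFi-Signed.mobileconfig
  • Yolo-Mode: https://cloud.entropia.de/s/s2K2DMf3N7jCzp9/download?path=%2F&files=GPN%20-%20inbound%20open%20WiFi-Signed.mobileconfig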

If you don't use the profiles, you must click trust on the certificate for radius.noc.gulas.ch.

Configuration on most systems

  • Username/Identity: see above
  • Password: see above
  • (only on macOS) Identity: none
  • Domain: radius.noc.gulas.ch
  • CA certificate: Use system certificate or Trust on first use (on modern Android Devices)
    • Otherwise use the ISRG Root X1 from Let's Encrypt: https://letsencrypt.org/certs/isrgrootx1.pem


If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.

You can find example configs on GPN22:NOC/Wireless
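
A wpa_supplicant network block for the GPN SSID that performs the certificate check described above, next to the same block without it. This is an added example, not the NOC's own config: the SSID, credentials and server name are the ones given on this page, and the CA file path is an assumption.

```conf
# Added example for wpa_supplicant.conf (not taken from GPN22:NOC/Wireless).
# SSID, identity/password and server name come from this page.
# Assumption: ISRG Root X1 is stored at the path used in ca_cert below.

# Unchecked variant, shown commented out for comparison.
# Without ca_cert and a server-name match the client accepts whatever
# certificate the RADIUS server presents, so it cannot tell the NOC's
# server from any other one.
#network={
#    ssid="GPN"
#    key_mgmt=WPA-EAP
#    eap=PEAP
#    phase2="auth=MSCHAPV2"
#    identity="gpn"
#    password="gpn"
#}

# Checked variant: the server certificate must chain to ISRG Root X1
# (Let's Encrypt) and must be issued for radius.noc.gulas.ch.
network={
    ssid="GPN"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Use event-inbound-only or yolo here to select one of the other modes.
    identity="gpn"
    password="gpn"
    # Trust anchor for the RADIUS server certificate.
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    # Full-name match against the certificate's DNS name.
    domain_match="radius.noc.gulas.ch"
}
```

With the checked block, the connection fails instead of authenticating when the server certificate does not match, which is the behaviour you want on a network whose credentials are public.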

GPN-Open WPA3 OWE

WPA3 Opportunistic Wireless Encryption (OWE) encrypts each client's connection with its own key after it joins the GPN-Open network.

Android

After connecting you will see "enhanced open" as connection type.

Linux NetworkManager (nm)

The GUI on some systems has issues connecting. Connecting via the CLI works: nmcli device wifi connect GPN-Open

Wireless FAQ

iwd does not configure the default route

iwd together with EnableNetworkConfiguration=true has been reported to not configure the routes received via DHCP. Workaround: Use another DHCP client.

Colocation

Like the years before we are providing a colocation at GPN22.

In case of problems, find us at the NOC desk or call DECT 6620.

We will try to provide the colocation as best effort. Normal GPN-Network has priority.

You should be able to use the colocation starting Thursday afternoon.

We close the colocation on Sunday at 12:00 PM; please fetch your devices before then!

Location

This year it is in the Pförtnerhäuschen, which is the locked space that housed the YoloColo back at GPN19.

This location has a limited cooling and power budget and cannot accommodate power-hungry devices.

Basic Rules and Policy

  • Be excellent to each other!
  • we reserve the right to disconnect your server
  • access is only allowed in the presence of NOC staff
  • devices must be labeled with an e-mail-address and a DECT-Number (if you have one)
  • prepare your server before placing it in colocation. Outside of placing and picking up, we can only grant access to the colocation in exceptional cases

How to connect

  • bring your own SFP(+) transceivers and cables (we do not have any cables or transceivers for the colocation)
  • add a label with your e-mail (must) / DECT (should) on any devices in the colocation
  • talk to NOC
    • you will receive a clothespin with an IP-address (v4 and v6)
    • NOC will provide access to the colocation
    • NOC will verify the label with the DECT-number on the server
    • exchange PSK with NOC (you will need your DECT or PSK to retrieve your server)

How to retrieve your server

  • shut down your server remotely (minimize time spent in colocation)
  • talk to NOC
    • is your server powered off?
    • NOC will provide access to the colocation
    • verify yourself with DECT or PSK
    • collect your server

Connection/Uplink

YoloColo is connected with 100G to our core.

Your server can connect with 10G to our YoloColo-Switch.

Addressing

IP addressing is static only. We use "Laundry Clip DHCP": Get your laundry clip at the NOC Desk and attach it to your network cable. Please bring back the laundry clips after the event.

Configure your network interfaces as shown below (X is your laundry clip number).

IPv4

Address: 151.216.65.X/24

Gateway: 151.216.65.1

IPv6

Address: 2a0e:c5c1:0:10c9::X/64

Gateway: 2a0e:c5c1:0:10c9::1

Metrics

If you're interested in some metrics about the NOC operations, visit our public dashboard.

Pixelflut

Pixelflut is not hosted by NOC. Some people create a completely separated and isolated network with no access to the GPN-Network.

You will find a dedicated switch for Pixelflut in the YoloColo. Having two network-cards is recommended. You can find more information here: GPN22:Pixelflut