Wi-Fi (simple)
Connect to: GPN
No password needed!
We offer WPA3 based opportunistic encryption on this SSID.
Wi-Fi (advanced)
Credentials (Default: Protected from outside connections)
- SSID: GPN
- Mode: WPA2-Enterprise / WPA3-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
- (But not TTLS/MASCHAPv2)
- TTLS/PAP or PEAP/MSCHAPv2
- Username and Passwort
- for PEAP/MSCHAPv2:
- Username/Identity:
gpn
- Password:
gpn
- Domain:
radius.noc.gulas.ch
- CA certificate:
Use system certificate
Note: For Google Pixel 6 (Pro) with Android 12
- Username/Identity:
- for TTLS/PAP
- Domain: radius.noc.gulas.ch
- Everything else: <anything you like - we don't care>
- for PEAP/MSCHAPv2:
If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch
is issued by Let's Encrypt.
Credentials (Incoming connections from the event only)
- SSID: GPN
- Mode: WPA2-Enterprise / WPA3-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
- (But not TTLS/MASCHAPv2)
- TTLS/PAP or PEAP/MSCHAPv2
- Username and Passwort
- for PEAP/MSCHAPv2:
- Username/Identity:
tbd.
- Password:
tbd.
- Domain:
radius.noc.gulas.ch
- CA certificate:
Use system certificate
Note: For Google Pixel 6 (Pro) with Android 12
- Username/Identity:
- for TTLS/PAP
- Domain: radius.noc.gulas.ch
- Everything else: <anything you like - we don't care>
- for PEAP/MSCHAPv2:
If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch
is issued by Let's Encrypt.
Credentials (not firewalled)
- SSID: GPN
- Mode: WPA2-Enterprise / WPA3-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
- (But not TTLS/MASCHAPv2)
- TTLS/PAP or PEAP/MSCHAPv2
- Username and Passwort
- for PEAP/MSCHAPv2:
- Username/Identity:
tbd.
- Password:
tbd.
- Domain:
radius.noc.gulas.ch
- CA certificate:
Use system certificate
Note: For Google Pixel 6 (Pro) with Android 12
- Username/Identity:
- for TTLS/PAP
- Domain: radius.noc.gulas.ch
- Everything else: <anything you like - we don't care>
- for PEAP/MSCHAPv2:
If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch
is issued by Let's Encrypt.
wpa_supplicant.conf
network={ ssid="GPN" key_mgmt=WPA-EAP eap=TTLS identity="wiki" password="binzufauldaspwzuaendern" # ca path on debian 11.x, modify accordingly ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem" altsubject_match="DNS:radius.noc.gulas.ch" phase2="auth=PAP" }
iwd
Create a file under /var/lib/iwd/GPN.8021x
with the following:
[Security] EAP-Method=TTLS EAP-Identity=open@identity.com #EAP-TTLS-CACert=/certs/ca-cert.pem EAP-TTLS-Phase2-Method=Tunneled-PAP EAP-TTLS-Phase2-Identity=wiki EAP-TTLS-Phase2-Password=binzufauldaspwzuaendern #EAP-TTLS-ServerDomainMask=*.domain.com [Settings] AutoConnect=true
netctl
Description='GPN secure WPA2 802.1X config' Interface=wlp4s0 Connection=wireless Security=wpa-configsection IP=dhcp ESSID=GPN WPAConfigSection=( 'ssid="GPN"' 'proto=RSN WPA' 'key_mgmt=WPA-EAP' 'eap=TTLS' 'identity="wiki"' 'password="binzufauldaspwzuaendern"' 'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"' 'altsubject_match="DNS:radius.noc.gulas.ch"' 'phase2="auth=PAP"' )
Network manager (text file)
Create a file /etc/NetworkManager/system-connections/GPN.nmconnection
with the following:
[connection] id=GPN uuid=7aeae233-1a07-440a-aaf2-e9a4720bb4b6 type=wifi autoconnect=false [wifi] mode=infrastructure ssid=GPN [wifi-security] key-mgmt=wpa-eap [802-1x] ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem domain-suffix-match=radius.noc.gulas.ch eap=ttls; identity=gpn password=gpn phase2-auth=pap [ipv4] method=auto [ipv6] addr-gen-mode=stable-privacy method=auto [proxy]
Make sure non-root users do not have read/write permissions for this file - Network Manager will ignore configuration files with incorrect permissions set. Then, reload the connections and start the service:
sudo nmcli connection reload nmcli c up GPN
NetworkManager (GUI nm-connection-editor)
Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem