Wi-Fi (simple)
Connect to: GPN
No password needed!
We offer WPA3 based opportunistic encryption on this SSID.
Wi-Fi (advanced)
Credentials (Default: Protected from outside connections)
- SSID: GPN
- Mode: WPA2-Enterprise / WPA3-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
- (But not TTLS/MASCHAPv2)
- TTLS/PAP or PEAP/MSCHAPv2
- Username and Passwort
- for PEAP/MSCHAPv2:
- Username/Identity:
gpn - Password:
gpn - Domain:
radius.noc.gulas.ch - CA certificate:
Use system certificateNote: For Google Pixel 6 (Pro) with Android 12
- Username/Identity:
- for TTLS/PAP
- Domain: radius.noc.gulas.ch
- Everything else: <anything you like - we don't care>
- for PEAP/MSCHAPv2:
If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.
Credentials (Incoming connections from the event only)
- SSID: GPN
- Mode: WPA2-Enterprise / WPA3-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
- (But not TTLS/MASCHAPv2)
- TTLS/PAP or PEAP/MSCHAPv2
- Username and Passwort
- for PEAP/MSCHAPv2:
- Username/Identity:
tbd. - Password:
tbd. - Domain:
radius.noc.gulas.ch - CA certificate:
Use system certificateNote: For Google Pixel 6 (Pro) with Android 12
- Username/Identity:
- for TTLS/PAP
- Domain: radius.noc.gulas.ch
- Everything else: <anything you like - we don't care>
- for PEAP/MSCHAPv2:
If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.
Credentials (not firewalled)
- SSID: GPN
- Mode: WPA2-Enterprise / WPA3-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
- (But not TTLS/MASCHAPv2)
- TTLS/PAP or PEAP/MSCHAPv2
- Username and Passwort
- for PEAP/MSCHAPv2:
- Username/Identity:
tbd. - Password:
tbd. - Domain:
radius.noc.gulas.ch - CA certificate:
Use system certificateNote: For Google Pixel 6 (Pro) with Android 12
- Username/Identity:
- for TTLS/PAP
- Domain: radius.noc.gulas.ch
- Everything else: <anything you like - we don't care>
- for PEAP/MSCHAPv2:
If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.
wpa_supplicant.conf
network={
ssid="GPN"
key_mgmt=WPA-EAP
eap=TTLS
identity="wiki"
password="binzufauldaspwzuaendern"
# ca path on debian 11.x, modify accordingly
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
altsubject_match="DNS:radius.noc.gulas.ch"
phase2="auth=PAP"
}
iwd
Create a file under /var/lib/iwd/GPN.8021x with the following:
[Security] EAP-Method=TTLS EAP-Identity=open@identity.com #EAP-TTLS-CACert=/certs/ca-cert.pem EAP-TTLS-Phase2-Method=Tunneled-PAP EAP-TTLS-Phase2-Identity=wiki EAP-TTLS-Phase2-Password=binzufauldaspwzuaendern #EAP-TTLS-ServerDomainMask=*.domain.com [Settings] AutoConnect=true
netctl
Description='GPN secure WPA2 802.1X config'
Interface=wlp4s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=GPN
WPAConfigSection=(
'ssid="GPN"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="wiki"'
'password="binzufauldaspwzuaendern"'
'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
'altsubject_match="DNS:radius.noc.gulas.ch"'
'phase2="auth=PAP"'
)
Network manager (text file)
Create a file /etc/NetworkManager/system-connections/GPN21.nmconnection with the following:
[connection] id=GPN uuid=7aeae233-1a07-440a-aaf2-e9a4720bb4b6 type=wifi autoconnect=false [wifi] mode=infrastructure ssid=GPN [wifi-security] key-mgmt=wpa-eap [802-1x] ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem domain-suffix-match=radius.noc.gulas.ch eap=ttls; identity=gpn password=gpn phase2-auth=pap [ipv4] method=auto [ipv6] addr-gen-mode=stable-privacy method=auto [proxy]
Make sure non-root users do not have read/write permissions for this file - Network Manager will ignore configuration files with incorrect permissions set. Then, reload the connections and start the service:
sudo nmcli connection reload nmcli c up GPN
NetworkManager (GUI nm-connection-editor)
Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem