GPN22:NOC/Wireless

aus dem Wiki des Entropia e.V., CCC Karlsruhe

Wi-Fi (simple)

Connect to: GPN

No password needed!

We offer WPA3 based opportunistic encryption on this SSID.

Wi-Fi (advanced)

Credentials (Default: Protected from outside connections)

  • SSID: GPN
  • Mode: WPA2-Enterprise / WPA3-Enterprise
    • TTLS/PAP or PEAP/MSCHAPv2
      • (But not TTLS/MASCHAPv2)
  • Username and Passwort
    • for PEAP/MSCHAPv2:
      • Username/Identity: gpn
      • Password: gpn
      • Domain: radius.noc.gulas.ch
      • CA certificate: Use system certificate Note: For Google Pixel 6 (Pro) with Android 12
    • for TTLS/PAP
      • Domain: radius.noc.gulas.ch
      • Everything else: <anything you like - we don't care>

If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.

Credentials (Incoming connections from the event only)

  • SSID: GPN
  • Mode: WPA2-Enterprise / WPA3-Enterprise
    • TTLS/PAP or PEAP/MSCHAPv2
      • (But not TTLS/MASCHAPv2)
  • Username and Passwort
    • for PEAP/MSCHAPv2:
      • Username/Identity: tbd.
      • Password: tbd.
      • Domain: radius.noc.gulas.ch
      • CA certificate: Use system certificate Note: For Google Pixel 6 (Pro) with Android 12
    • for TTLS/PAP
      • Domain: radius.noc.gulas.ch
      • Everything else: <anything you like - we don't care>

If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.

Credentials (not firewalled)

  • SSID: GPN
  • Mode: WPA2-Enterprise / WPA3-Enterprise
    • TTLS/PAP or PEAP/MSCHAPv2
      • (But not TTLS/MASCHAPv2)
  • Username and Passwort
    • for PEAP/MSCHAPv2:
      • Username/Identity: tbd.
      • Password: tbd.
      • Domain: radius.noc.gulas.ch
      • CA certificate: Use system certificate Note: For Google Pixel 6 (Pro) with Android 12
    • for TTLS/PAP
      • Domain: radius.noc.gulas.ch
      • Everything else: <anything you like - we don't care>

If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.noc.gulas.ch is issued by Let's Encrypt.

wpa_supplicant.conf

network={
    ssid="GPN"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="wiki"
    password="binzufauldaspwzuaendern"
    # ca path on debian 11.x, modify accordingly
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    altsubject_match="DNS:radius.noc.gulas.ch"
    phase2="auth=PAP"
}

iwd

Create a file under /var/lib/iwd/GPN.8021x with the following:

[Security]
  EAP-Method=TTLS
  EAP-Identity=open@identity.com
  #EAP-TTLS-CACert=/certs/ca-cert.pem
  EAP-TTLS-Phase2-Method=Tunneled-PAP
  EAP-TTLS-Phase2-Identity=wiki
  EAP-TTLS-Phase2-Password=binzufauldaspwzuaendern
  #EAP-TTLS-ServerDomainMask=*.domain.com

[Settings]
  AutoConnect=true
 

netctl

Description='GPN secure WPA2 802.1X config'
Interface=wlp4s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=GPN
WPAConfigSection=(
    'ssid="GPN"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="wiki"'
    'password="binzufauldaspwzuaendern"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.noc.gulas.ch"'
    'phase2="auth=PAP"'
)

Network manager (text file)

Create a file /etc/NetworkManager/system-connections/GPN.nmconnection with the following:

[connection]
id=GPN
uuid=7aeae233-1a07-440a-aaf2-e9a4720bb4b6
type=wifi
autoconnect=false

[wifi]
mode=infrastructure
ssid=GPN

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
domain-suffix-match=radius.noc.gulas.ch
eap=ttls;
identity=gpn
password=gpn
phase2-auth=pap

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Make sure non-root users do not have read/write permissions for this file - Network Manager will ignore configuration files with incorrect permissions set. Then, reload the connections and start the service:

sudo nmcli connection reload
nmcli c up GPN

NetworkManager (GUI nm-connection-editor)

Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem