Difference between revisions of "Network/802.1X client settings"
< Network
Jump to navigation
Jump to search
(Add image for Android instructions) |
|||
| (11 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
== Android == | == Android == | ||
| + | === App === | ||
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here: | You can use our Android App to configure the correct WiFi settings on your Android device. Download it here: | ||
* From Google Playstore: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup | * From Google Playstore: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup | ||
* Source-code: https://github.com/EventInfra/wifisetup | * Source-code: https://github.com/EventInfra/wifisetup | ||
| + | * APK download: https://eventinfra.org/emfcamp/app-release.apk | ||
| + | |||
| + | [[File:Connecting-to-emfcamp-on-android.png|right|thumb|frame|150px|Connecting on Android]] | ||
| + | === Manually === | ||
| + | If you don't want to use the app, download the [https://letsencrypt.org/certs/isrgrootx1.pem ISRG Root X1], and [https://support.google.com/pixelphone/answer/2844832 install it] into your device's '''Wi-Fi certificate''' store, giving it any name you like. Then connect to the '''emfcamp''' network using the following information: | ||
| + | |||
| + | {|padding | ||
| + | | EAP method || TTLS ''(not TLS)'' | ||
| + | |- | ||
| + | | style="padding-right: 1em" | Phase 2 authentication || PAP | ||
| + | |- | ||
| + | | CA certificate || ''(whatever name you gave the ISRG Root X1)'' | ||
| + | |- | ||
| + | | Domain || radius.emf.camp | ||
| + | |- | ||
| + | | Identity || emf | ||
| + | |- | ||
| + | | Password || emf | ||
| + | |} | ||
| + | |||
| + | It's fine to leave '''Online Certificate status''' as "Do not validate", and leave the '''Anonymous identity''' blank. | ||
== Linux, etc. == | == Linux, etc. == | ||
| Line 40: | Line 62: | ||
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem | ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem | ||
eap=ttls; | eap=ttls; | ||
| − | identity= | + | identity=emf |
| − | password= | + | password=emf |
phase2-altsubject-matches= | phase2-altsubject-matches= | ||
phase2-auth=pap | phase2-auth=pap | ||
| Line 65: | Line 87: | ||
ssid="emfcamp" | ssid="emfcamp" | ||
scan_ssid=$_SCAN | scan_ssid=$_SCAN | ||
| − | identity=" | + | identity="emf" |
| − | password=" | + | password="emf" |
proto=WPA2 | proto=WPA2 | ||
key_mgmt=WPA-EAP | key_mgmt=WPA-EAP | ||
| Line 90: | Line 112: | ||
EAP=ttls | EAP=ttls | ||
Phase2=PAP | Phase2=PAP | ||
| − | Identity= | + | Identity=emf |
| − | Passphrase= | + | Passphrase=emf |
| − | + | </pre> | |
| − | /etc/wpa_supplicant/wpa_supplicant.conf : | + | |
| + | |||
| + | === wpa_supplicant === | ||
| + | This is the default option on Raspberry Pi OS. Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the network: | ||
network={ | network={ | ||
| Line 99: | Line 124: | ||
key_mgmt=WPA-EAP | key_mgmt=WPA-EAP | ||
eap=TTLS | eap=TTLS | ||
| − | identity=" | + | identity="emf" |
| − | password=" | + | password="emf" |
| − | # ca path on debian 7.x, modify accordingly | + | # ca path on debian 7.x and raspberry pi OS, modify accordingly |
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem" | ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem" | ||
altsubject_match="DNS:radius.emf.camp" | altsubject_match="DNS:radius.emf.camp" | ||
| Line 114: | Line 139: | ||
iface wlan0 inet dhcp | iface wlan0 inet dhcp | ||
wpa-ssid emfcamp | wpa-ssid emfcamp | ||
| − | wpa-identity | + | wpa-identity emf |
| − | wpa-password | + | wpa-password emf |
wpa-proto WPA2 | wpa-proto WPA2 | ||
wpa-key_mgmt WPA-EAP | wpa-key_mgmt WPA-EAP | ||
| Line 139: | Line 164: | ||
'key_mgmt=WPA-EAP' | 'key_mgmt=WPA-EAP' | ||
'eap=TTLS' | 'eap=TTLS' | ||
| − | 'identity=" | + | 'identity="emf"' |
| − | 'password=" | + | 'password="emf"' |
'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"' | 'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"' | ||
'altsubject_match="DNS:radius.emf.camp"' | 'altsubject_match="DNS:radius.emf.camp"' | ||
| Line 153: | Line 178: | ||
EAP-PEAP-ServerDomainMask=radius.emf.camp | EAP-PEAP-ServerDomainMask=radius.emf.camp | ||
EAP-PEAP-Phase2-Method=MSCHAPV2 | EAP-PEAP-Phase2-Method=MSCHAPV2 | ||
| − | EAP-PEAP-Phase2-Identity= | + | EAP-PEAP-Phase2-Identity=emf |
| − | EAP-PEAP-Phase2-Password= | + | EAP-PEAP-Phase2-Password=emf |
[Settings] | [Settings] | ||
AutoConnect=true</pre> | AutoConnect=true</pre> | ||
| + | |||
| + | == Apple MacOS/iOS == | ||
| + | You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS: | ||
| + | |||
| + | * [https://eventinfra.org/emfcamp/emfcamp-2022.mobileconfig emfcamp] (2.4GHz+5GHz, emf user) | ||
| + | |||
| + | == Windows == | ||
| + | Import one of these profiles for the correct WiFi-settings for Windows: | ||
| + | |||
| + | * [https://eventinfra.org/emfcamp/emfcamp-2022.xml emfcamp] (2.4GHz+5GHz) | ||
| + | |||
| + | To import and connect follow these steps: | ||
| + | |||
| + | # Open a command prompt and execute: netsh wlan add profile filename=emfcamp-2022.xml | ||
| + | # Connect to the emfcamp network; use "emf/emf" as the username/password when prompted. Alternatively, use "outboundonly/outboundonly" as the username/password to enable inbound traffic firewalling. | ||
Latest revision as of 09:29, 1 June 2022
Android
App
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:
- From Google Playstore: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup
- Source-code: https://github.com/EventInfra/wifisetup
- APK download: https://eventinfra.org/emfcamp/app-release.apk
Manually
If you don't want to use the app, download the ISRG Root X1, and install it into your device's Wi-Fi certificate store, giving it any name you like. Then connect to the emfcamp network using the following information:
| EAP method | TTLS (not TLS) |
| Phase 2 authentication | PAP |
| CA certificate | (whatever name you gave the ISRG Root X1) |
| Domain | radius.emf.camp |
| Identity | emf |
| Password | emf |
It's fine to leave Online Certificate status as "Do not validate", and leave the Anonymous identity blank.
Linux, etc.
Network Manager
You can use the following config file:
Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.
/etc/NetworkManager/system-connections/emfcamp:
Hint: chmod 600 this file to make the connection work.
[connection] id=emfcamp uuid=c80101e2-7b99-4511-846b-2388eb86a5ad type=wifi permissions= secondaries= [wifi] mac-address=42:23:42:23:42:23 <- !! Please change this !! mac-address-blacklist= mode=infrastructure seen-bssids= ssid=emfcamp [wifi-security] auth-alg=open group= key-mgmt=wpa-eap pairwise= proto= [802-1x] altsubject-matches=DNS:radius.emf.camp ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem eap=ttls; identity=emf password=emf phase2-altsubject-matches= phase2-auth=pap [ipv4] dns-search= method=auto [ipv6] dns-search= method=auto
WiCD
You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):
name = EAP-TTLS emfcamp
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="emfcamp"
scan_ssid=$_SCAN
identity="emf"
password="emf"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
altsubject_match="DNS:radius.emf.camp"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}
Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS emfcamp) and enter a random username/password.
Jolla/connman
/var/lib/connman/emfcampwifi.config :
[service_emfcamp] Type=wifi Name=emfcamp-legacy EAP=ttls Phase2=PAP Identity=emf Passphrase=emf
wpa_supplicant
This is the default option on Raspberry Pi OS. Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the network:
network={
ssid="emfcamp"
key_mgmt=WPA-EAP
eap=TTLS
identity="emf"
password="emf"
# ca path on debian 7.x and raspberry pi OS, modify accordingly
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
altsubject_match="DNS:radius.emf.camp"
phase2="auth=PAP"
}
Interfaces
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:
iface wlan0 inet dhcp wpa-ssid emfcamp wpa-identity emf wpa-password emf wpa-proto WPA2 wpa-key_mgmt WPA-EAP wpa-group CCMP wpa-pairwise CCMP wpa-eap TTLS wpa-phase2 "auth=PAP" wpa-ca_cert "/etc/ssl/certs/ISRG_Root_X1.pem" wpa-altsubject_match DNS:radius.emf.camp
Netctl
Description='emfcamp secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=emfcamp
WPAConfigSection=(
'ssid="emfcamp"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="emf"'
'password="emf"'
'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
'altsubject_match="DNS:radius.emf.camp"'
'phase2="auth=PAP"'
)
IWD
[Security] EAP-Method=PEAP EAP-Identity=anonymous@emfcamp EAP-PEAP-CACert=/etc/ssl/certs/ISRG_Root_X1.pem EAP-PEAP-ServerDomainMask=radius.emf.camp EAP-PEAP-Phase2-Method=MSCHAPV2 EAP-PEAP-Phase2-Identity=emf EAP-PEAP-Phase2-Password=emf [Settings] AutoConnect=true
Apple MacOS/iOS
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:
- emfcamp (2.4GHz+5GHz, emf user)
Windows
Import one of these profiles for the correct WiFi-settings for Windows:
- emfcamp (2.4GHz+5GHz)
To import and connect follow these steps:
- Open a command prompt and execute: netsh wlan add profile filename=emfcamp-2022.xml
- Connect to the emfcamp network; use "emf/emf" as the username/password when prompted. Alternatively, use "outboundonly/outboundonly" as the username/password to enable inbound traffic firewalling.