Difference between revisions of "Network/802.1X client settings"

From Electromagnetic Field 2022
Jump to navigation Jump to search
(Created page with "TODO, import from: https://events.ccc.de/congress/2019/wiki/index.php/Static:Network/802.1X_client_settings")
 
Line 1: Line 1:
TODO, import from: https://events.ccc.de/congress/2019/wiki/index.php/Static:Network/802.1X_client_settings
+
== Android ==
 +
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:
 +
 
 +
* From Google Playstore: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup
 +
* Source-code: https://github.com/EventInfra/wifisetup
 +
 
 +
== Linux, etc. ==
 +
=== Network Manager ===
 +
You can use the following config file:
 +
 
 +
Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.
 +
 
 +
/etc/NetworkManager/system-connections/emfcamp:
 +
 
 +
Hint: chmod 600 this file to make the connection work.
 +
 
 +
<pre>[connection]
 +
id=emfcamp
 +
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
 +
type=wifi
 +
permissions=
 +
secondaries=
 +
 
 +
[wifi]
 +
mac-address=42:23:42:23:42:23 <- !! Please change this !!
 +
mac-address-blacklist=
 +
mode=infrastructure
 +
seen-bssids=
 +
ssid=emfcamp
 +
 
 +
[wifi-security]
 +
auth-alg=open
 +
group=
 +
key-mgmt=wpa-eap
 +
pairwise=
 +
proto=
 +
 
 +
[802-1x]
 +
altsubject-matches=DNS:radius.emf.camp
 +
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
 +
eap=ttls;
 +
identity=emfcamp
 +
password=emfcamp
 +
phase2-altsubject-matches=
 +
phase2-auth=pap
 +
 
 +
[ipv4]
 +
dns-search=
 +
method=auto
 +
 
 +
[ipv6]
 +
dns-search=
 +
method=auto</pre>
 +
 
 +
=== WiCD ===
 +
You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):
 +
 
 +
<pre>
 +
name = EAP-TTLS emfcamp
 +
author = Felicitus
 +
require identity *Identity password *password
 +
-----
 +
ctrl_interface=/var/run/wpa_supplicant
 +
network={
 +
  ssid="emfcamp"
 +
  scan_ssid=$_SCAN
 +
  identity="edward"
 +
  password="snowden"
 +
  proto=WPA2
 +
  key_mgmt=WPA-EAP
 +
  group=CCMP
 +
  pairwise=CCMP
 +
  eap=TTLS
 +
  ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
 +
  altsubject_match="DNS:radius.emf.camp"
 +
  anonymous_identity="$_ANONYMOUS_IDENTITY"
 +
  phase2="auth=PAP"
 +
  #priority=2
 +
}
 +
</pre>
 +
Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS emfcamp) and enter a random username/password.
 +
 
 +
=== Jolla/connman ===
 +
/var/lib/connman/emfcampwifi.config :
 +
 
 +
<pre>
 +
[service_emfcamp]
 +
Type=wifi
 +
Name=emfcamp-legacy
 +
EAP=ttls
 +
Phase2=PAP
 +
Identity=edward
 +
Passphrase=snowden
 +
WPA_SUPPLICANT.CONF
 +
/etc/wpa_supplicant/wpa_supplicant.conf :
 +
 
 +
network={
 +
ssid="emfcamp"
 +
key_mgmt=WPA-EAP
 +
eap=TTLS
 +
identity="edward"
 +
password="snowden"
 +
# ca path on debian 7.x, modify accordingly
 +
ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
 +
altsubject_match="DNS:radius.emf.camp"
 +
phase2="auth=PAP"
 +
}
 +
</pre>
 +
 
 +
=== Interfaces ===
 +
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:
 +
 
 +
<pre>
 +
iface wlan0 inet dhcp
 +
wpa-ssid emfcamp
 +
wpa-identity edward
 +
wpa-password snowden
 +
wpa-proto WPA2
 +
wpa-key_mgmt WPA-EAP
 +
wpa-group CCMP
 +
wpa-pairwise CCMP
 +
wpa-eap TTLS
 +
wpa-phase2 "auth=PAP"
 +
wpa-ca_cert "/etc/ssl/certs/ISRG_Root_X1.pem"
 +
wpa-altsubject_match DNS:radius.emf.camp
 +
</pre>
 +
 
 +
=== Netctl ===
 +
 
 +
<pre>Description='emfcamp secure WPA2 802.1X config'
 +
Interface=wls1
 +
Connection=wireless
 +
Security=wpa-configsection
 +
IP=dhcp
 +
ESSID=emfcamp
 +
WPAConfigSection=(
 +
    'ssid="emfcamp"'
 +
    'proto=RSN WPA'
 +
    'key_mgmt=WPA-EAP'
 +
    'eap=TTLS'
 +
    'identity="edward"'
 +
    'password="snowden"'
 +
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
 +
    'altsubject_match="DNS:radius.emf.camp"'
 +
    'phase2="auth=PAP"'
 +
)</pre>
 +
 
 +
=== IWD ===
 +
<pre>[Security]
 +
EAP-Method=PEAP
 +
EAP-Identity=anonymous@emfcamp
 +
EAP-PEAP-CACert=/etc/ssl/certs/ISRG_Root_X1.pem
 +
EAP-PEAP-ServerDomainMask=radius.emf.camp
 +
EAP-PEAP-Phase2-Method=MSCHAPV2
 +
EAP-PEAP-Phase2-Identity=emfcamp
 +
EAP-PEAP-Phase2-Password=emfcamp
 +
 
 +
[Settings]
 +
AutoConnect=true</pre>

Revision as of 09:06, 24 May 2022

Android

You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

Linux, etc.

Network Manager

You can use the following config file:

Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.

/etc/NetworkManager/system-connections/emfcamp:

Hint: chmod 600 this file to make the connection work.

[connection]
id=emfcamp
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=emfcamp

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.emf.camp
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
eap=ttls;
identity=emfcamp
password=emfcamp
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

WiCD

You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):

 name = EAP-TTLS emfcamp
 author = Felicitus
 require identity *Identity password *password
 -----
 ctrl_interface=/var/run/wpa_supplicant
 network={
  ssid="emfcamp"
  scan_ssid=$_SCAN
  identity="edward"
  password="snowden"
  proto=WPA2
  key_mgmt=WPA-EAP
  group=CCMP
  pairwise=CCMP
  eap=TTLS
  ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
  altsubject_match="DNS:radius.emf.camp"
  anonymous_identity="$_ANONYMOUS_IDENTITY"
  phase2="auth=PAP"
  #priority=2
 }

Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS emfcamp) and enter a random username/password.

Jolla/connman

/var/lib/connman/emfcampwifi.config :

 [service_emfcamp]
 Type=wifi
 Name=emfcamp-legacy
 EAP=ttls
 Phase2=PAP
 Identity=edward
 Passphrase=snowden
WPA_SUPPLICANT.CONF
/etc/wpa_supplicant/wpa_supplicant.conf :

 network={
 	ssid="emfcamp"
 	key_mgmt=WPA-EAP
 	eap=TTLS
 	identity="edward"
 	password="snowden"
 	# ca path on debian 7.x, modify accordingly
 	ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
 	altsubject_match="DNS:radius.emf.camp"
 	phase2="auth=PAP"
 }

Interfaces

As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

 iface wlan0 inet dhcp
 	wpa-ssid emfcamp
 	wpa-identity edward
 	wpa-password snowden
 	wpa-proto WPA2
 	wpa-key_mgmt WPA-EAP
 	wpa-group CCMP
 	wpa-pairwise CCMP
 	wpa-eap TTLS
 	wpa-phase2 "auth=PAP"
 	wpa-ca_cert "/etc/ssl/certs/ISRG_Root_X1.pem"
 	wpa-altsubject_match DNS:radius.emf.camp

Netctl

Description='emfcamp secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=emfcamp
WPAConfigSection=(
    'ssid="emfcamp"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="edward"'
    'password="snowden"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.emf.camp"'
    'phase2="auth=PAP"'
)

IWD

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@emfcamp
EAP-PEAP-CACert=/etc/ssl/certs/ISRG_Root_X1.pem
EAP-PEAP-ServerDomainMask=radius.emf.camp
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=emfcamp
EAP-PEAP-Phase2-Password=emfcamp

[Settings]
AutoConnect=true