Difference between revisions of "Network/802.1X client settings"
From SHA2017 Wiki
< Network
(→Android) |
Projectgus (talk | contribs) (→Jolla/connman: Add a more secure config for connman v1.34 or newer) |
||
| (8 intermediate revisions by 3 users not shown) | |||
| Line 2: | Line 2: | ||
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here: | You can use our Android App to configure the correct WiFi settings on your Android device. Download it here: | ||
| − | |||
| − | |||
* From Google Playstore: [https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup] | * From Google Playstore: [https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup] | ||
| − | |||
== Network Manager == | == Network Manager == | ||
| Line 54: | Line 51: | ||
dns-search= | dns-search= | ||
method=auto | method=auto | ||
| + | |||
| + | == Network Manager (via command line)== | ||
| + | first find the name of the wifi interface. here it is wlp2s0 | ||
| + | |||
| + | command: | ||
| + | nmcli dev status | grep wifi | ||
| + | |||
| + | output: | ||
| + | wlp2s0 wifi disconnected -- | ||
| + | |||
| + | copy the following command in the command line. Replace wlp2s0 with the name of your wifi interface | ||
| + | |||
| + | command: | ||
| + | nmcli connection add \ | ||
| + | type wifi ifname wlp2s0 ssid "SHA2017-legacy" -- \ | ||
| + | wifi-sec.auth-alg open \ | ||
| + | wifi-sec.key-mgmt wpa-eap \ | ||
| + | 802-1x.altsubject-matches "DNS:radius.sha2017.org" \ | ||
| + | 802-1x.ca-cert /etc/ssl/certs/DST_Root_CA_X3.pem \ | ||
| + | 802-1x.eap ttls \ | ||
| + | 802-1x.identity "SHA2017" \ | ||
| + | 802-1x.password "SHA2017" \ | ||
| + | 802-1x.phase2-altsubject-matches "" \ | ||
| + | 802-1x.phase2-auth pap | ||
== WICD == | == WICD == | ||
| Line 92: | Line 113: | ||
Identity=edward | Identity=edward | ||
Passphrase=snowden | Passphrase=snowden | ||
| + | |||
| + | '''Better connman config'''. (Requires connman 1.34 or newer, but verifies the CA & certificate domain to avoid rogue APs.) | ||
| + | |||
| + | /var/lib/connman/SHA2017wifi.config : | ||
| + | |||
| + | [service_SHA2017] | ||
| + | Type=wifi | ||
| + | Name=SHA2017 | ||
| + | EAP=ttls | ||
| + | Phase2=PAP | ||
| + | Identity=edward | ||
| + | Passphrase=snowden | ||
| + | CACertFile=/etc/ssl/certs/DST_Root_CA_X3.pem | ||
| + | DomainMatch=radius.sha2017.org | ||
== wpa_supplicant.conf == | == wpa_supplicant.conf == | ||
| Line 104: | Line 139: | ||
# ca path on debian 7.x, modify accordingly | # ca path on debian 7.x, modify accordingly | ||
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem" | ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem" | ||
| + | # ca path on FreeBSD (install ca_root-nss package) | ||
| + | #/usr/local/share/certs/ca-root-nss.crt | ||
altsubject_match="DNS:radius.sha2017.org" | altsubject_match="DNS:radius.sha2017.org" | ||
phase2="auth=PAP" | phase2="auth=PAP" | ||
| Line 146: | Line 183: | ||
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS: | You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS: | ||
| − | |||
* [[https://eventinfra.org/sha2017/sha2017.mobileconfig SHA2017]] (5GHz only) | * [[https://eventinfra.org/sha2017/sha2017.mobileconfig SHA2017]] (5GHz only) | ||
* [[https://eventinfra.org/sha2017/sha2017-legacy.mobileconfig SHA2017-legacy]] (2.4GHz only) | * [[https://eventinfra.org/sha2017/sha2017-legacy.mobileconfig SHA2017-legacy]] (2.4GHz only) | ||
| − | |||
| − | |||
| − | |||
== Windows == | == Windows == | ||
Import one of these profiles for the correct WiFi-settings for Windows | Import one of these profiles for the correct WiFi-settings for Windows | ||
| − | |||
* [[https://eventinfra.org/sha2017/SHA2017.xml SHA2017]] (5GHz only) | * [[https://eventinfra.org/sha2017/SHA2017.xml SHA2017]] (5GHz only) | ||
| − | * [[https://eventinfra.org/sha2017/SHA2017-legacy.xml SHA2017-legacy | + | * [[https://eventinfra.org/sha2017/SHA2017-legacy.xml SHA2017-legacy]] (2.4GHz only) |
| − | |||
| − | |||
| − | |||
To import and connect follow these steps: | To import and connect follow these steps: | ||
# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml | # Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml | ||
| − | # Connect to the SHA2017 or SHA2017-legacy network; use " | + | # Connect to the SHA2017 or SHA2017-legacy network; use "sha2017/sha2017" as the username/password when prompted. |
Latest revision as of 12:02, 5 August 2017
Contents
Android
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:
- From Google Playstore: [1]
Network Manager
You can use the following config file:
Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.
/etc/NetworkManager/system-connections/SHA2017:
[connection] id=SHA2017 uuid=c80101e2-7b99-4511-846b-2388eb86a5ad type=wifi permissions= secondaries= [wifi] mac-address=42:23:42:23:42:23 <- !! Please change this !! mac-address-blacklist= mode=infrastructure seen-bssids= ssid=SHA2017 [wifi-security] auth-alg=open group= key-mgmt=wpa-eap pairwise= proto= [802-1x] altsubject-matches=DNS:radius.sha2017.org ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem eap=ttls; identity=SHA2017 password=SHA2017 phase2-altsubject-matches= phase2-auth=pap [ipv4] dns-search= method=auto [ipv6] dns-search= method=auto
Network Manager (via command line)
first find the name of the wifi interface. here it is wlp2s0
command:
nmcli dev status | grep wifi
output:
wlp2s0 wifi disconnected --
copy the following command in the command line. Replace wlp2s0 with the name of your wifi interface
command:
nmcli connection add \ type wifi ifname wlp2s0 ssid "SHA2017-legacy" -- \ wifi-sec.auth-alg open \ wifi-sec.key-mgmt wpa-eap \ 802-1x.altsubject-matches "DNS:radius.sha2017.org" \ 802-1x.ca-cert /etc/ssl/certs/DST_Root_CA_X3.pem \ 802-1x.eap ttls \ 802-1x.identity "SHA2017" \ 802-1x.password "SHA2017" \ 802-1x.phase2-altsubject-matches "" \ 802-1x.phase2-auth pap
WICD
You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):
name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}
Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.
Jolla/connman
/var/lib/connman/SHA2017wifi.config :
[service_SHA2017] Type=wifi Name=SHA2017-legacy EAP=ttls Phase2=PAP Identity=edward Passphrase=snowden
Better connman config. (Requires connman 1.34 or newer, but verifies the CA & certificate domain to avoid rogue APs.)
/var/lib/connman/SHA2017wifi.config :
[service_SHA2017] Type=wifi Name=SHA2017 EAP=ttls Phase2=PAP Identity=edward Passphrase=snowden CACertFile=/etc/ssl/certs/DST_Root_CA_X3.pem DomainMatch=radius.sha2017.org
wpa_supplicant.conf
/etc/wpa_supplicant/wpa_supplicant.conf :
network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
# ca path on FreeBSD (install ca_root-nss package)
#/usr/local/share/certs/ca-root-nss.crt
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}
interfaces
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:
iface wlan0 inet dhcp wpa-ssid SHA2017 wpa-identity edward wpa-password snowden wpa-proto WPA2 wpa-key_mgmt WPA-EAP wpa-group CCMP wpa-pairwise CCMP wpa-eap TTLS wpa-phase2 "auth=PAP" wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem" wpa-altsubject_match DNS:radius.sha2017.org
netctl
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)
Apple MacOS / iOS
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:
- [SHA2017] (5GHz only)
- [SHA2017-legacy] (2.4GHz only)
Windows
Import one of these profiles for the correct WiFi-settings for Windows
- [SHA2017] (5GHz only)
- [SHA2017-legacy] (2.4GHz only)
To import and connect follow these steps:
- Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
- Connect to the SHA2017 or SHA2017-legacy network; use "sha2017/sha2017" as the username/password when prompted.
