Network/802.1X client settings

From SHA2017 Wiki
Jump to: navigation, search

Android

You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

  • From Google Playstore: [1]

Network Manager

You can use the following config file:

Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.

/etc/NetworkManager/system-connections/SHA2017: 

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

Network Manager (via command line)

first find the name of the wifi interface. here it is wlp2s0

command: 

nmcli dev status | grep wifi

output: 

wlp2s0  wifi      disconnected  --

copy the following command in the command line. Replace wlp2s0 with the name of your wifi interface

command: 

nmcli connection add \
 type wifi ifname wlp2s0 ssid "SHA2017-legacy" -- \
 wifi-sec.auth-alg open \
 wifi-sec.key-mgmt wpa-eap \
 802-1x.altsubject-matches "DNS:radius.sha2017.org" \
 802-1x.ca-cert /etc/ssl/certs/DST_Root_CA_X3.pem \
 802-1x.eap ttls \
 802-1x.identity "SHA2017" \
 802-1x.password "SHA2017" \
 802-1x.phase2-altsubject-matches "" \
 802-1x.phase2-auth pap

WICD

You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours): 

 name = EAP-TTLS SHA2017
 author = Felicitus
 require identity *Identity password *password
 -----
 ctrl_interface=/var/run/wpa_supplicant
 network={
  ssid="SHA2017"
  scan_ssid=$_SCAN
  identity="edward"
  password="snowden"
  proto=WPA2
  key_mgmt=WPA-EAP
  group=CCMP
  pairwise=CCMP
  eap=TTLS
  ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
  altsubject_match="DNS:radius.sha2017.org"
  anonymous_identity="$_ANONYMOUS_IDENTITY"
  phase2="auth=PAP"
  #priority=2
 }

Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

Jolla/connman

/var/lib/connman/SHA2017wifi.config : 

 [service_SHA2017]
 Type=wifi
 Name=SHA2017-legacy
 EAP=ttls
 Phase2=PAP
 Identity=edward
 Passphrase=snowden

Better connman config. (Requires connman 1.34 or newer, but verifies the CA & certificate domain to avoid rogue APs.)

/var/lib/connman/SHA2017wifi.config : 

 [service_SHA2017]
 Type=wifi
 Name=SHA2017
 EAP=ttls
 Phase2=PAP
 Identity=edward
 Passphrase=snowden
 CACertFile=/etc/ssl/certs/DST_Root_CA_X3.pem
 DomainMatch=radius.sha2017.org

wpa_supplicant.conf

/etc/wpa_supplicant/wpa_supplicant.conf : 

 network={
 	ssid="SHA2017"
 	key_mgmt=WPA-EAP
 	eap=TTLS
 	identity="edward"
 	password="snowden"
 	# ca path on debian 7.x, modify accordingly
 	ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
 	# ca path on FreeBSD (install ca_root-nss package)
 	#/usr/local/share/certs/ca-root-nss.crt
 	altsubject_match="DNS:radius.sha2017.org"
 	phase2="auth=PAP"
 }

interfaces

As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces: 

 iface wlan0 inet dhcp
 	wpa-ssid SHA2017
 	wpa-identity edward
 	wpa-password snowden
 	wpa-proto WPA2
 	wpa-key_mgmt WPA-EAP
 	wpa-group CCMP
 	wpa-pairwise CCMP
 	wpa-eap TTLS
 	wpa-phase2 "auth=PAP"
 	wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
 	wpa-altsubject_match DNS:radius.sha2017.org

netctl

Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
    'ssid="SHA2017"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="edward"'
    'password="snowden"'
    'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
    'altsubject_match="DNS:radius.sha2017.org"'
    'phase2="auth=PAP"'
)

Apple MacOS / iOS

You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

Windows

Import one of these profiles for the correct WiFi-settings for Windows

To import and connect follow these steps:

  1. Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
  2. Connect to the SHA2017 or SHA2017-legacy network; use "sha2017/sha2017" as the username/password when prompted.
Retrieved from "https://wiki.sha2017.org/index.php?title=Network/802.1X_client_settings&oldid=10528"