Network

From 31C3_Public_Wiki

Must the username for encrypted wifi be unique? What happens when e.g. 'guest/guest' is being used by several people at the same time? Eri! (talk) 05:56, 25 November 2014 (CET)

No, it doesn't have to be unique. The username/password is not used for encryption. Each association will have its own session-key which is derived within the 802.1X authentication-process. AK47 (talk) 17:43, 30 November 2014 (CET)

netctl

Please add netctl copy-pasta config, follow example on https://wiki.archlinux.org/index.php/WPA2_Enterprise#netctl

Did all the work for you, just use https://gist.github.com/yuvadm/be36026d1b684cbd32f7 Yuvadm (talk) 01:16, 23 December 2014 (CET)
Please add certificate-checking to your config! You should check for both the CA and the subject! --AK47 (talk) 19:53, 23 December 2014 (CET)
AFAIU netctl will check the certs using the installed CA certs in the given path. Of course, I can't test this until I reach CCH ;) If anyone on the NOC team can provide an updated config I'll gladly update it! Yuvadm (talk) 20:38, 23 December 2014 (CET)
OK I updated the expected config. AK47, could you test this please at the venue? Yuvadm (talk) 20:43, 23 December 2014 (CET)
I have added the config to the wiki, but I haven't found anyone yet using netctl, I will keep looking/asking :-) --AK47 (talk) 02:13, 24 December 2014 (CET)

wicd / wpa_supplicant

Looks like newer versions of wpa_supplicant won't work with the provided wicd configuration, as it expects the scan_ssid option without quotes.

/etc/wicd/encryption/templates/eap-ttls-31c3:

name = EAP-TTLS 31c3
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
 ssid="$_ESSID"
 scan_ssid=$_SCAN
 identity="$_IDENTITY"
 password="$_PASSWORD"
 proto=WPA2
 key_mgmt=WPA-EAP
 group=CCMP
 pairwise=CCMP
 eap=TTLS
 phase2="auth=PAP"
 ca_cert="hash://server/sha256/7bebf5b3c81287546adb1be6a0cae9c6b8b80c03b26a92de41a61c44e88cd5ff"
}

Also, the SHA-256 hash of the RADIUS certificate is included for stricter certificate verification; it is computed using:

openssl x509 -in radius.c3noc.net.pem -outform der | sha256sum
I can confirm that removing the double quotes around `$_SCAN` results in a working configuration while authentication failed with the original one.
Also the line `anonymous_identity=[…]` is ignored by a current wicd (according to its log). Changing the variable name from `$_ANONYMOUS_IDENTITY` to `$_IDENTITY` works, though, because the former isn't defined.
Last but not least, the configuration file content is presented in the wiki with leading spaces which, when copy-pasted, results in an invalid config file. Please adjust the page source to a single leading space instead of two to avoid this effect.
Please update the actual page with this information so other people don't have to waste precious hours. TIA.
--Y0Gi (talk) 22:44, 27 December 2014 (CET)
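Added example (not from the wiki page, the NOC or any poster above): the `ca_cert="hash://server/sha256/..."` pin in the config is the SHA-256 of the server certificate's DER encoding, which is why the `openssl x509 ... -outform der | sha256sum` step converts the PEM first. This code derives such a pin from a PEM file, checks a presented certificate against it, and shows that hashing the PEM text itself gives a different, wrong value. The PEM body is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in: these bytes play the role of a certificate's DER encoding.
# They are NOT a real certificate; the hashing logic does not care about the content.
CONSTRUCTED_DER = b"constructed DER stand-in for radius.c3noc.net (not a real certificate)"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

PIN_PREFIX = "hash://server/sha256/"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (what `openssl x509 -outform der` emits)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def server_pin(pem_text: str) -> str:
    """Build the hash://server/sha256/<hex> value for wpa_supplicant's ca_cert option."""
    return PIN_PREFIX + hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def pin_matches(pinned: str, presented_pem: str) -> bool:
    """True if the certificate presented by the RADIUS server matches the pinned hash.
    Malformed pins (wrong scheme, non-hex, wrong length) are rejected outright."""
    if not pinned.startswith(PIN_PREFIX):
        return False
    expected = pinned[len(PIN_PREFIX):].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        return False
    actual = hashlib.sha256(pem_to_der(presented_pem)).hexdigest()
    return hmac.compare_digest(expected, actual)


def pem_text_hash(pem_text: str) -> str:
    """The common mistake: sha256sum over the PEM file itself. This never equals the DER hash."""
    return hashlib.sha256(pem_text.encode()).hexdigest()


if __name__ == "__main__":
    pin = server_pin(CONSTRUCTED_PEM)
    print('ca_cert="%s"' % pin)
    print("server cert matches pin:", pin_matches(pin, CONSTRUCTED_PEM))
    print("PEM-text hash would mismatch:", pem_text_hash(CONSTRUCTED_PEM) != pin[len(PIN_PREFIX):])
```

Run it against the real `radius.c3noc.net.pem` by passing the file's contents to `server_pin` to reproduce the value shown in the config above.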

certificate file extension

If you have trouble connecting with the certificate set up, try changing the file extension to ".pem". Works for NetworkManager.

Where to find the CA?

Can't edit the page so adding this here (someone please move it to the page)

  • Under Debian, you will find the CA files NetworkManager is asking about in /etc/ssl/certs/StartCom_Certification_Authority.pem
  • Or save the certificate here from Network/RADIUS certificate as ".pem" to use it in NetworkManager