2016-10-19

merge #Supported clients with #Usage, rename to #Configuration


Revision as of 12:37, 19 October 2016

(8 intermediate revisions by the same user not shown)

Line 12:

Line 12:

The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Since each user has a dynamic and unique encryption key, it also helps to prevent user-to-user snooping on the wireless network, and improves encryption strength.

The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Since each user has a dynamic and unique encryption key, it also helps to prevent user-to-user snooping on the wireless network, and improves encryption strength.



==
Supported clients
==

+

==
Configuration
==



{{Note|[[NetworkManager]] can generate WPA2 Enterprise profiles with [[NetworkManager#Front-ends|graphical front ends]]. ''nmcli'' and ''nmtui'' do not support this, but may use existing profiles.}}

+

This section describes the configuration of
[[List of applications#Network managers|
network clients
]] to connect to a wireless access point with WPA2 Enterprise mode. See [[Software access point#RADIUS]] for information on setting up an access point itself.



+



See
[[List of applications#Network managers
]] for an overview.

+



+



=== wpa_supplicant ===

+



+



[[WPA supplicant#Advanced usage
|
WPA supplicant
]]
can be configured directly and used in combination with a dhcp client or with systemd. See the examples in {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} for configuring the connection details.

+



+



Once the connection configuration is complete, you can use the dhcp client to test them. For example:

+



+



# dhcpcd ''interface''

+



+



will automatically invoke WPA supplicant to establish the connection before proceeding to acquire an IP address.

+



+



== Usage ==

+



+



This section describes the configuration of the alternative available network clients
to connect to a wireless access point with WPA2 Enterprise mode. See [[Software access point#RADIUS]] for information on setting up an access point itself.

+

Enterprise mode requires a more complex client configuration, whereas Personal mode only requires entering a passphrase when prompted. Clients likely need to install the server’s CA certificate (plus per-user certificates if using EAP-TLS), and then manually configure the wireless security and 802.1X authentication settings.

Enterprise mode requires a more complex client configuration, whereas Personal mode only requires entering a passphrase when prompted. Clients likely need to install the server’s CA certificate (plus per-user certificates if using EAP-TLS), and then manually configure the wireless security and 802.1X authentication settings.
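Review bot: the merged intro (the '+ This section describes the configuration of [[List of applications#Network managers|network clients]] ...' line) leaves the context line below it hedging that clients 'likely need to install the server's CA certificate'. Every client subsection this diff adds or keeps (wpa_supplicant, netctl with its ca_cert tip, Wicd with its subject match) relies on that certificate plus the expected server name to verify the RADIUS server that [[Software access point#RADIUS]] describes, so consider stating it unconditionally here, for example 'Clients must install the CA certificate that signed the authentication server's certificate and configure the expected server name (plus per-user certificates if using EAP-TLS)'.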

Line 46:

Line 30:

* When storing connection profiles unencrypted, restrict read access to the root account by specifying {{ic|chmod 600 ''profile''}} as root.

* When storing connection profiles unencrypted, restrict read access to the root account by specifying {{ic|chmod 600 ''profile''}} as root.

}}

}}

+

{{Tip|Configuration for [[NetworkManager]] and [[#wpa_supplicant]] can be generated with the [https://cat.eduroam.org/ eduroam Configuration Assistant Tool].}}

{{Tip|Configuration for [[NetworkManager]] and [[#wpa_supplicant]] can be generated with the [https://cat.eduroam.org/ eduroam Configuration Assistant Tool].}}



===
= connman =
===

+

===
wpa_supplicant
===



[[connman]] needs a separate configuration file before [[Connman#Wi-Fi|connecting]] to the network. For examples and explanations on different settings, see
the
{{man|5|connman-service.config|url=}}
[[man page]]
.

+

[[WPA supplicant#Advanced usage|WPA supplicant]] can be configured directly and used in combination with a dhcp client or with systemd. See the examples in {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} for configuring the connection details.

+

+

Once the connection configuration is complete, you can use the dhcp client to test them. For example:

+

+

# dhcpcd ''interface''

+

+

will automatically invoke WPA supplicant to establish the connection before proceeding to acquire an IP address.

+

+

=== NetworkManager ===

+

+

[[NetworkManager]] can generate WPA2 Enterprise profiles with [[NetworkManager#Front-ends|graphical front ends]]. ''nmcli'' and ''nmtui'' do not support this, but may use existing profiles.

+

+

=== connman ===

+

+

[[connman]] needs a separate configuration file before [[Connman#Wi-Fi|connecting]] to the network. For examples and explanations on different settings, see {{man|5|connman-service.config|url=}}.

{{Note|

{{Note|
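Review bot: the new '=== wpa_supplicant ===' subsection only says to 'See the examples in /etc/wpa_supplicant/wpa_supplicant.conf' and then test with '# dhcpcd interface'; unlike the netctl tip elsewhere in this diff ('ca_cert="/path/to/special/certificate.cer"' in WPAConfigSection) and the Wicd subject match, nothing here tells the reader that the server certificate must be checked, so consider adding one sentence naming the CA certificate and server-name settings the copied example must carry. Minor: 'you can use the dhcp client to test them' has no plural antecedent (the configuration is singular), and the sentence is cut in two by the command line, so 'For example: # dhcpcd interface will automatically invoke ...' reads as a run-on; rephrase as 'Running # dhcpcd interface will automatically invoke ...'.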

Line 59:

Line 58:

[[Restart]] {{ic|wpa_supplicant.service}} and {{ic|connman.service}} to connect to the new network.

[[Restart]] {{ic|wpa_supplicant.service}} and {{ic|connman.service}} to connect to the new network.



===
= Wicd =
===

+

===
netctl
===



See
[
https://gist.githubusercontent.com/anonymous/0fa3b2c2b2a34c68a6f1/raw/9b8fdb7301182d18b6cd5068a7dbdfc57e5ba430/gistfile1.txt
]
for an example of a
''
'TTLS'
'' profile.
To activate the profile, run:

+

[
[netctl]
]
supports
''
wpa_supplicant
''
configuration through blocks included with {{ic|1=WPAConfigSection=}}. See {{man|5|netctl.
profile
|url=}} for details
.



# echo ttls-80211 >> /etc/wicd/encryption/templates/active

+

{{Warning|Special quoting rules apply: see the {{ic|''SPECIAL QUOTING RULES''}} section in {{man|5|netctl.profile|url=}}.}}



Open ''wicd'', choose ''TTLS for Wireless'' and enter the appropriate settings. The format of the subject match should
be
similar to
{{ic|1=
/CN
=
server.example
.
com
}}.

+

{{Tip|Custom certificates can
be
specified by adding the line
{{ic|1=
'ca_cert
=
"/path/to/special/certificate
.
cer"'}} in {{ic|WPAConfigSection
}}.
}}



===
= netctl =
===

+

===
Wicd
===



The {{AUR|netctl-eduroam}} package provides a template for easy configuration. Once installed, copy the template from {{ic|
/
etc
/
netctl
/
examples
/
eduroam}} to {{ic|
/
etc
/
netctl
/
eduroam}} and modify it according to your credentials
.

+

See [https:
//
gist.githubusercontent.com
/
anonymous
/
0fa3b2c2b2a34c68a6f1
/
raw
/
9b8fdb7301182d18b6cd5068a7dbdfc57e5ba430
/
gistfile1
.
txt] for an example of a '''TTLS''' profile. To activate the profile, run:



Alternatively, adapt an example configuration from [https://gist.githubusercontent.com/anonymous/ed16e3b191cf627814b3/raw/d476e0dddbc8920b855702737ff69c287e620c7b/eduroam
-
netctl] (plain) or [https:
//
gist.githubusercontent.com
/
anonymous
/
3fd8f8808a22b3a96feb
/
raw/d9537016a8c9852561630e676c4cbf98553a1a48/eduroam-ttls-netctl] (TTLS and certified universities).

+

# echo ttls
-
80211 >>
/
etc
/
wicd
/
encryption
/
templates
/
active



{{Tip|

+

Open
''
wicd
''
, choose
''
TTLS for Wireless
''
and enter the appropriate settings
.
The format of the subject match should
be
similar to
{{ic|1=
/CN
=
server.example
.
com
}}.



* To prevent storing your password as plaintext, you can generate a password hash with {{ic|$ echo -n
''
yourpassword
''
<nowiki>| iconv -t utf16le | openssl md4</nowiki>}}. Store the hashed password as {{ic|1=
'
password=hash:
''
yourhash
'
''}}
.
This password hash is only available for MSCHAPV2 or MSCHAP, when using PAP use a plaintext password.

+



* Custom certificates can
be
specified by adding the line
{{ic|1=
'ca_cert
=
"/path/to/special/certificate
.
cer"'}} in {{ic|WPAConfigSection
}}.

+



}}

+

== Troubleshooting ==

== Troubleshooting ==
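Review bot: this hunk removes the netctl tip bullet that told readers to store 'password=hash:yourhash' (the 'echo -n yourpassword | iconv -t utf16le | openssl md4' recipe, MSCHAPV2/MSCHAP only) together with the note that PAP requires a plaintext password, and no replacement is visible in the diff; if it was moved into the shared note whose tail ('* When storing connection profiles unencrypted ... chmod 600 profile' and the closing '}}') appears in the Line 30 context, say so in the edit summary, otherwise restore it. Either way the retained 'chmod 600 profile' advice remains the control that matters, since the stored MSCHAPv2 hash is all a client needs to authenticate and should be protected like the password itself. Also, the netctl subsection drops its two anonymous gists and the {{AUR|netctl-eduroam}} template, but the new Wicd subsection still points at an anonymous raw gist for the TTLS profile; consider inlining the relevant profile lines so the example does not depend on an unversioned external file.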
