merge #Supported clients with #Usage, rename to #Configuration
Revision as of 12:37, 19 October 2016
(8 intermediate revisions by the same user not shown)
Line 12:
Line 12:
The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Since each user has a dynamic and unique encryption key, it also helps to prevent user-to-user snooping on the wireless network, and improves encryption strength.
The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Since each user has a dynamic and unique encryption key, it also helps to prevent user-to-user snooping on the wireless network, and improves encryption strength.
−
==
Supported clients
==
+
==
Configuration
==
−
{{Note|[[NetworkManager]] can generate WPA2 Enterprise profiles with [[NetworkManager#Front-ends|graphical front ends]]. ''nmcli'' and ''nmtui'' do not support this, but may use existing profiles.}}
+
This section describes the configuration of
[[List of applications#Network managers|
network clients
]] to connect to a wireless access point with WPA2 Enterprise mode. See [[Software access point#RADIUS]] for information on setting up an access point itself.
−
+
−
See
[[List of applications#Network managers
]] for an overview.
+
−
+
−
=== wpa_supplicant ===
+
−
+
−
[[WPA supplicant#Advanced usage
|
WPA supplicant
]]
can be configured directly and used in combination with a dhcp client or with systemd. See the examples in {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} for configuring the connection details.
+
−
+
−
Once the connection configuration is complete, you can use the dhcp client to test them. For example:
+
−
+
−
# dhcpcd ''interface''
+
−
+
−
will automatically invoke WPA supplicant to establish the connection before proceeding to acquire an IP address.
+
−
+
−
== Usage ==
+
−
+
−
This section describes the configuration of the alternative available network clients
to connect to a wireless access point with WPA2 Enterprise mode. See [[Software access point#RADIUS]] for information on setting up an access point itself.
+
Enterprise mode requires a more complex client configuration, whereas Personal mode only requires entering a passphrase when prompted. Clients likely need to install the server’s CA certificate (plus per-user certificates if using EAP-TLS), and then manually configure the wireless security and 802.1X authentication settings.
Enterprise mode requires a more complex client configuration, whereas Personal mode only requires entering a passphrase when prompted. Clients likely need to install the server’s CA certificate (plus per-user certificates if using EAP-TLS), and then manually configure the wireless security and 802.1X authentication settings.
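Review bot: the new Configuration intro ("This section describes the configuration of network clients ...") should say why the CA certificate named in the following paragraph is needed, not only that clients "likely need to install" it: the server's CA certificate, together with a subject match such as the /CN=server.example.com example used later in the Wicd section, is what lets the client verify it is talking to the real authentication server before it presents credentials, so a reader who skips that step ends up with a connection in which the server is never verified. Suggest one sentence there, e.g. "Install the server's CA certificate and configure a subject match for the server name; without them the client cannot verify the authentication server." Separately, "dhcpcd interface ... will automatically invoke WPA supplicant" states no precondition; if that depends on a dhcpcd hook being enabled, name it, because the sentence is carried over unchanged into the relocated wpa_supplicant subsection.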
Line 46:
Line 30:
* When storing connection profiles unencrypted, restrict read access to the root account by specifying {{ic|chmod 600 ''profile''}} as root.
* When storing connection profiles unencrypted, restrict read access to the root account by specifying {{ic|chmod 600 ''profile''}} as root.
}}
}}
+
{{Tip|Configuration for [[NetworkManager]] and [[#wpa_supplicant]] can be generated with the [https://cat.eduroam.org/ eduroam Configuration Assistant Tool].}}
{{Tip|Configuration for [[NetworkManager]] and [[#wpa_supplicant]] can be generated with the [https://cat.eduroam.org/ eduroam Configuration Assistant Tool].}}
−
===
= connman =
===
+
===
wpa_supplicant
===
−
[[connman]] needs a separate configuration file before [[Connman#Wi-Fi|connecting]] to the network. For examples and explanations on different settings, see
the
{{man|5|connman-service.config|url=}}
[[man page]]
.
+
[[WPA supplicant#Advanced usage|WPA supplicant]] can be configured directly and used in combination with a dhcp client or with systemd. See the examples in {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} for configuring the connection details.
+
+
Once the connection configuration is complete, you can use the dhcp client to test them. For example:
+
+
# dhcpcd ''interface''
+
+
will automatically invoke WPA supplicant to establish the connection before proceeding to acquire an IP address.
+
+
=== NetworkManager ===
+
+
[[NetworkManager]] can generate WPA2 Enterprise profiles with [[NetworkManager#Front-ends|graphical front ends]]. ''nmcli'' and ''nmtui'' do not support this, but may use existing profiles.
+
+
=== connman ===
+
+
[[connman]] needs a separate configuration file before [[Connman#Wi-Fi|connecting]] to the network. For examples and explanations on different settings, see {{man|5|connman-service.config|url=}}.
{{Note|
{{Note|
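Review bot: the relocated wpa_supplicant subsection sends readers to the examples in /etc/wpa_supplicant/wpa_supplicant.conf but names none of the options that matter for Enterprise mode, while the netctl Tip further down shows ca_cert inside WPAConfigSection, which is the same wpa_supplicant option; suggest stating here that the network block needs ca_cert (and a subject_match for the server name) so that the wpa_supplicant, netctl and Wicd sections agree on what has to be configured. Also, the NetworkManager subsection now presents "nmcli and nmtui do not support this, but may use existing profiles" as its only guidance, without a source; either cite where that limitation is documented or narrow it to what was actually tested.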
Line 59:
Line 58:
[[Restart]] {{ic|wpa_supplicant.service}} and {{ic|connman.service}} to connect to the new network.
[[Restart]] {{ic|wpa_supplicant.service}} and {{ic|connman.service}} to connect to the new network.
−
===
= Wicd =
===
+
===
netctl
===
−
See
[
https://gist.githubusercontent.com/anonymous/0fa3b2c2b2a34c68a6f1/raw/9b8fdb7301182d18b6cd5068a7dbdfc57e5ba430/gistfile1.txt
]
for an example of a
''
'TTLS'
'' profile.
To activate the profile, run:
+
[
[netctl]
]
supports
''
wpa_supplicant
''
configuration through blocks included with {{ic|1=WPAConfigSection=}}. See {{man|5|netctl.
profile
|url=}} for details
.
−
# echo ttls-80211 >> /etc/wicd/encryption/templates/active
+
{{Warning|Special quoting rules apply: see the {{ic|''SPECIAL QUOTING RULES''}} section in {{man|5|netctl.profile|url=}}.}}
−
Open ''wicd'', choose ''TTLS for Wireless'' and enter the appropriate settings. The format of the subject match should
be
similar to
{{ic|1=
/CN
=
server.example
.
com
}}.
+
{{Tip|Custom certificates can
be
specified by adding the line
{{ic|1=
'ca_cert
=
"/path/to/special/certificate
.
cer"'}} in {{ic|WPAConfigSection
}}.
}}
−
===
= netctl =
===
+
===
Wicd
===
−
The {{AUR|netctl-eduroam}} package provides a template for easy configuration. Once installed, copy the template from {{ic|
/
etc
/
netctl
/
examples
/
eduroam}} to {{ic|
/
etc
/
netctl
/
eduroam}} and modify it according to your credentials
.
+
See [https:
//
gist.githubusercontent.com
/
anonymous
/
0fa3b2c2b2a34c68a6f1
/
raw
/
9b8fdb7301182d18b6cd5068a7dbdfc57e5ba430
/
gistfile1
.
txt] for an example of a '''TTLS''' profile. To activate the profile, run:
−
Alternatively, adapt an example configuration from [https://gist.githubusercontent.com/anonymous/ed16e3b191cf627814b3/raw/d476e0dddbc8920b855702737ff69c287e620c7b/eduroam
-
netctl] (plain) or [https:
//
gist.githubusercontent.com
/
anonymous
/
3fd8f8808a22b3a96feb
/
raw/d9537016a8c9852561630e676c4cbf98553a1a48/eduroam-ttls-netctl] (TTLS and certified universities).
+
# echo ttls
-
80211 >>
/
etc
/
wicd
/
encryption
/
templates
/
active
−
{{Tip|
+
Open
''
wicd
''
, choose
''
TTLS for Wireless
''
and enter the appropriate settings
.
The format of the subject match should
be
similar to
{{ic|1=
/CN
=
server.example
.
com
}}.
−
* To prevent storing your password as plaintext, you can generate a password hash with {{ic|$ echo -n
''
yourpassword
''
<nowiki>| iconv -t utf16le | openssl md4</nowiki>}}. Store the hashed password as {{ic|1=
'
password=hash:
''
yourhash
'
''}}
.
This password hash is only available for MSCHAPV2 or MSCHAP, when using PAP use a plaintext password.
+
−
* Custom certificates can
be
specified by adding the line
{{ic|1=
'ca_cert
=
"/path/to/special/certificate
.
cer"'}} in {{ic|WPAConfigSection
}}.
+
−
}}
+
== Troubleshooting ==
== Troubleshooting ==
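Review bot: this hunk drops the netctl password-hash Tip (echo -n yourpassword | iconv -t utf16le | openssl md4, stored as password=hash:yourhash, MSCHAPV2/MSCHAP only) together with the netctl-eduroam package reference and the two example-profile links, and nothing in the added netctl text replaces them; the hash Tip is the page's only guidance on not keeping the Enterprise password in plaintext, so unless the removal is intentional it should be restored under the new netctl heading. If it is restored, two caveats belong beside it: the MD4 hash is accepted in place of the password for MSCHAPv2, so the chmod 600 advice in the earlier Note applies to the profile just as it does to a plaintext one, and typing echo -n yourpassword on an interactive shell records the password in the shell history, so the hash should be generated from a prompt or a file rather than from a command-line argument.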