Linux

Network Manager

graphical configuration

In most desktop environments you can use a graphical configuration tool that will most likely look like this:

manual

untested

Save the following content to /etc/NetworkManager/system-connections/rommel. Run chmod u=rw,g=,o= on this file to make the connection work, and check the SELinux context (NetworkManager_etc_rw_t) if you use SELinux.

for wired connection

TODO: the config should look quite similar to the WLAN config.

for WLAN

[connection]
id=rommelwood
# use uuidgen to choose a random id
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
# !! Please change this !!
mac-address=42:23:42:23:42:23
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=rommelwood

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.rommelwood.de
# change this
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=username
password=password
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

Wicd

untested

You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (path on Debian systems; it might differ on other *nix flavours):

name = EAP-TTLS rommel
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
 ssid="rommelwood"
 scan_ssid=$_SCAN
 identity="$_IDENTITY"
 password="$_PASSWORD"
 proto=WPA2
 key_mgmt=WPA-EAP
 group=CCMP
 pairwise=CCMP
 eap=TTLS
 ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
 altsubject_match="DNS:radius.rommelwood.de"
 anonymous_identity="$_ANONYMOUS_IDENTITY"
 phase2="auth=PAP"
 #priority=2
}

Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS rommel) and enter your username and password.

wpa_supplicant.conf

/etc/wpa_supplicant/wpa_supplicant.conf:

for wired connection

ap_scan=0
network={
  key_mgmt=IEEE8021X
  eap=TTLS
  identity="username"
  password="password"
  # ca path on debian, modify accordingly
  ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
  altsubject_match="DNS:radius.rommelwood.de"
  phase1=""
  phase2="auth=PAP"
}

In /etc/network/interfaces change the section for your interface (e.g. eth0 / ethX / enp0s30f1, …):

auto eth0
iface eth0 inet dhcp
    wpa-driver wired
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

for WLAN

untested

network={
  ssid="rommelwood"
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="username"
  password="password"
  # ca path on debian, modify accordingly
  ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
  altsubject_match="DNS:radius.rommelwood.de"
  phase1=""
  phase2="auth=PAP"
}
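
With phase2 PAP the password is handed to whichever server terminates the TTLS tunnel, so ca_cert and altsubject_match are the lines that tie the login to radius.rommelwood.de. The following added example (not part of the original page; the function names and the sample block are constructed for illustration) audits a wpa_supplicant.conf for both settings and for file permissions that expose the stored password:

```python
import os
import re
import stat

# Server-name checks wpa_supplicant supports; at least one must be set.
NAME_CHECKS = ("altsubject_match", "domain_match",
               "domain_suffix_match", "subject_match")

# Constructed sample: this page's WLAN block minus ca_cert/altsubject_match.
SAMPLE_WEAK = """
network={
  ssid="rommelwood"
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="username"
  password="password"
  phase2="auth=PAP"
}
"""

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    blocks = []
    for body in re.findall(r"^\s*network=\{(.*?)^\s*\}", text, re.S | re.M):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        blocks.append(opts)
    return blocks

def audit_text(text, mode):
    """Return findings for a config text and its file permission bits."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %o exposes the password" % mode)
    # Only blocks that use EAP (802.1X) need server validation.
    for net in (n for n in parse_networks(text) if "eap" in n):
        name = net.get("ssid", "(wired)")
        if not net.get("ca_cert"):
            findings.append(name + ": ca_cert missing")
        if not any(net.get(k) for k in NAME_CHECKS):
            findings.append(name + ": no server name check")
    return findings

def audit_file(path):
    with open(path) as fh:
        return audit_text(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

Call audit_file("/etc/wpa_supplicant/wpa_supplicant.conf") as root; an empty list means every check passed.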

interfaces

untested

As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
    wpa-ssid rommelwood
    wpa-identity changeme
    wpa-password changeme
    wpa-proto WPA2
    wpa-key_mgmt WPA-EAP
    wpa-group CCMP
    wpa-pairwise CCMP
    wpa-eap TTLS
    wpa-phase2 "auth=PAP"
    wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
    wpa-altsubject_match DNS:radius.rommelwood.de

Then you have to restart the networking service and (re-)connect to the network. If it does not work, try rebooting.

Similar instructions: