Linux
- You just have to use
802.1Xwith(EAP-)TTLS-PAP,(EAP-)TTLS-MSCHAPv2orPEAP-MSCHAPv2 TTLSis short for “TunneledTLS” (de: GetunneltesTLS) andTLSis short for Transport Layer Security- If you use
MSCHAPv2you have to be sure, that the tick, to generate a (insecure)MSCHAPv2hash, was set when you changed your password. Otherwise just change you password again (you can enter the same password again) and set the tick. -NetworkManagershould work in the most cases. If it does not work for you, you can usewpa_supplicantinstead - you should choose the
DST Root CA X3(Let’s encrypt) as server certificate. It should be included in the system certificate bundle in most Linux distributions. Otherwise you can download it here: https://rommelwood.de/media/uploads/documents/identrust_dst_root_ca_x3.crt.pem (store it e.g. in/etc/ssl/certs/and check theSELinuxcontext (cert_t), if you useSELinux)
Network Manager
graphical configuration
In most desktop environments you can use a graphical configuration tool, that will most likely look like this:
manual
untestet
Save the following content to /etc/NetworkManager/system-connections/rommel. chmod u=rw,g=,o= this file to make the connection work and check the SELinux context (NetworkManager_etc_rw_t) if you use SELinux).
for wired connection
TODO config should look quite similar to the WLAN config.
for WLAN
[connection]
id=rommelwood
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad <- use uuidgen to choose a random id
type=wifi
permissions=
secondaries=
[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=rommelwood
[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=
[802-1x]
altsubject-matches=DNS:radius.rommelwood.de
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem <- change this
eap=ttls;
identity=username
password=password
phase2-altsubject-matches=
phase2-auth=pap
[ipv4]
dns-search=
method=auto
[ipv6]
dns-search=
method=auto
Wicd
untestet
You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):
name = EAP-TTLS rommel
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="rommelwood"
scan_ssid=$_SCAN
identity="changeme"
password="changeme"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.rommelwood.de"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}
Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS rommel) and enter your username and password.
wpa_supplicant.conf
/etc/wpa_supplicant/wpa_supplicant.conf:
for wired connection
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=TTLS
identity="username"
password="password"
# ca path on debian, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.rommelwood.de"
phase1=""
phase2="auth=PAP"
}
In /etc/network/interfaces change the section for your interface (e.g. eth0 / ethX / enp0s30f1, …):
auto eth0
iface eth0 inet dhcp
wpa-driver wired
wpa-conf /etc/wpa_supplicant.conf
for WLAN
untestet
network={
ssid="rommelwood"
key_mgmt=WPA-EAP
eap=TTLS
identity="username"
password="password"
# ca path on debian, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.rommelwood.de"
phase1=""
phase2="auth=PAP"
}
interfaces
untestet
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:
iface wlan0 inet dhcp
wpa-ssid rommelwood
wpa-identity changeme
wpa-password changeme
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.rommelwood.de
Then you have to restart the networking service and (re-) connect to the network. If it does not work, try rebooting.